Save this newsletter so you can refer back to it and find helpful tips, tools and other resources that can help you when you face some planning decision, management task or troubleshooting headache!
From the Mailbag
A couple of issues ago in Apple in the Enterprise I asked readers for their thoughts and recommendations for managing Apple devices in Windows-centric environments. We received a number of responses, some short and some fairly long, and we're including a few of the shorter ones here, while I'll probably include some of the longer ones in a future article on WindowsNetworking.com. If you still haven't sent us feedback on this topic and you'd like to do so, please go ahead and email me at firstname.lastname@example.org. Thanks!
One of the things I linked to in that issue was a blog post by James Bannan, who demonstrated how to import Apple iOS and Android devices into SCCM 2012. James was kind enough to write to me with the following additional info:
Thanks for linking to my blog post. Admittedly, I wrote that before some further details about MDM in SCCM 2012 were known, namely that there are "Depth Management" and "Light Management" approaches to mobile devices. Depth Management is anything using a native CM agent, but the only platforms supported are Windows Mobile (not Windows Phone) and Nokia Symbian. So really, who cares? Even MS acknowledge that. Light Management refers to CM12's ability to import anything which can talk against ActiveSync on an Exchange 2010 server (earlier versions of Exchange not supported). So, Exchange ActiveSync is the common management language, and therefore CM12 offers nothing extra to manage Android/iOS devices which Exchange can't already provide (except that your CM administrators can now do the work of your Exchange admins).
I work for an MS Gold partner in Australia, and we also partner with a number of companies who provide products which plug gaps in the various System Center products. One of them is Odyssey Athena, which is a native MDM solution for SCCM 2007 and 2012. We're the only Australian provider. It's a damn good product, especially as it makes use of the existing CM infrastructure (no extra servers needed) and all the management is handled via the CM Console, so the existing management environment is simply extended, rather than admins having to learn a completely new product. It doesn't have much traction in AU at the moment (it's a new product in this part of the world), but every customer we've shown it to has been very impressed, and we have some PoCs in the works.
Here's the link to Odyssey's product for those of you who would like further information about this product: http://www.wservernews.com/go/1330610307272
Iain from the UK also recommended some products:
Interesting article on Macs in a Windows environment. While we don't manage Macs per se here, we do allow their use in a sandboxed fashion. For iPhones we have a product by Good Technology which allows users to get their corporate email on their iPhone (or iPad or Android device for that matter). This app is fully sandboxed, i.e. nothing on the device can touch the corporate environment, and the server side includes features like the ability to remotely kill devices that have been lost, etc. For iPads we use a Citrix Access Gateway which, through various policies, we have also sandboxed. The user can modify, send and receive documents from their personal folders, but again nothing on the device can leap off onto the corporate network. This means that we can let people use their own technology but at the same time ensure that no corporate data is stored on them. Loving the newsletter!
Thanks a lot! Here's a link to Good Technology:
Rene from the USA says:
I don't have any experience with this but just spotted an article: Chicago Public Schools is serious about protecting their IT budget, their assets and the data on them. Working closely with Absolute Software they're managing over 100,000 PCs, Macs, and iOS 4 devices and have recovered over 350 stolen computers allowing them to invest in the future (versus replacement computers).
Here's a link to a free whitepaper from Absolute Software titled "PCs, iPads, Macs - Managing Diversity on a School District Budget" (registration required):
And here's a webinar titled "23,000 Students, 7,000 iPads & iPhones - Lexington One School District Highlights Best Practices for Large-Scale iOS5 Rollouts" which hopefully will be recorded:
Keep it coming, people. With over 100,000 subscribers to this newsletter I'm sure there are more of you who have stories to tell or products to recommend for managing Apple devices in Windows-centric environments. Send me email at email@example.com
The Windows System Preparation Tool (Sysprep) is used to prepare a master Windows installation for disk imaging (cloning). You need to run Sysprep on your master or reference computer before you capture an image of that computer and then deploy the image to multiple destination computers in your environment. The reason you need to do this is because Sysprep removes the computer security identifier (SID) from the master image along with any other user- or computer-specific settings and data in the image. If you don't run Sysprep on your master Windows installation, all of your cloned images will have the same local machine SIDs and as a result your destination computers will have problems communicating with one another.
Now any IT pro worth his salt already knows all this, right? And yet...
But before we go any further, let's first ask the following question: Do you think we should CLONE A NEANDERTHAL? http://www.wservernews.com/go/1330610648630
And yet...some of us still try and get around running Sysprep on Windows installations which we then capture as a Windows image for deployment into our production environment. Why? Let's look at some cloning "experiments" I've heard of admins actually doing or at least seriously thinking of attempting, why they're not a good idea, and what they should have done instead.
Sysprepping a Domain-Joined Computer
Weird things can happen if you sysprep a Windows installation that is domain-joined. For example, you might discover that you can't log on to a computer on which the sysprepped image has been deployed. This can happen, for example, if your domain has a strong password policy and the password you specify for the local admin account is too short or insufficiently complex. What can be frustrating is that this may not always happen, and the reason for this is that when Sysprep runs on a system it executes about 44 different Sysprep providers to remove various kinds of machine- and user-specific settings and data on the system. Unfortunately Sysprep doesn't guarantee a specific order in which these providers should run, so if the provider that resets the admin password executes before the provider that disjoins the domain does, the existing domain password policy can get "burned into" the sysprepped image.
Moral of the story: Make sure you only run Sysprep on computers that belong to a workgroup, not a domain. If you want more, read what Microsoft MVP and deployment expert Johan Arwidmark says in the following thread in the Microsoft TechNet forums:
Running Sysprep Multiple Times
Running sysprep on a Windows installation resets the activation timer and therefore reduces the number of times you can rearm the system (the remaining rearm count is shown by the slmgr.vbs /dlv command). If you think you need to sysprep a Windows installation multiple times, you could use the DISM.exe command to create a custom sysprep file that sets the SkipRearm setting. But is it a good idea to run Sysprep multiple times on a Windows installation? Ideally, only once. Why? Because running Sysprep multiple times on a master Windows installation can cause various random, hard-to-troubleshoot issues on the computers to which you deploy your sysprepped master image. For example, I've heard stories of computers ending up with multiple local accounts named Administrator and other weird stuff. By the way, you can see the Admin Tools section of this newsletter for links to the command syntax of the above two commands.
But (you complain) that throws a monkey wrench into the process we use for building our master images. What we've been doing when we need to update our master image (and it's worked fine, you insist) is to deploy the master image to a system, make the additional configuration changes needed, and then re-sysprep the installation to create our updated master image. We then repeat this procedure (and it's worked every time, you insist) each time we need to update our master image.
Well, I'm afraid you need to upgrade your deployment skills (and tools) a bit because the image building and maintenance process you've just outlined may have been OK for Windows XP but it's certainly out of date as far as Windows 7 is concerned. Specifically, you should be using the Microsoft Deployment Toolkit (MDT) to build and maintain your master images. See this blog post by Scott McArthur, a Senior Support Escalation Engineer with Microsoft Enterprise Platforms Support, for a comparison of the old vs. new approach to maintaining reference images:
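The two pitfalls above (a domain-joined reference machine, and a reference machine with no rearms left) can both be caught before you type sysprep /generalize. The following pre-flight check is an added example, not code from the newsletter or from Microsoft; it reads only the Win32_ComputerSystem and SoftwareLicensingService WMI classes and is meant to be run locally on the reference machine.

```powershell
# Added example (not from the newsletter): pre-flight check for the reference
# machine before sysprep /generalize. Assumes local WMI access; the two checks
# correspond to the two pitfalls discussed in the article.
function Test-SysprepReady {
    $cs  = Get-WmiObject -Class Win32_ComputerSystem
    $lic = Get-WmiObject -Class SoftwareLicensingService
    $problems = @()

    # Pitfall 1: a domain-joined reference machine can bake the domain password
    # policy into the image when the Sysprep providers run in an unlucky order.
    if ($cs.PartOfDomain) {
        $problems += "Joined to domain '$($cs.Domain)'. Move the machine to a workgroup before running Sysprep."
    }

    # Pitfall 2: each generalize consumes a rearm. With none left, Sysprep fails
    # unless the answer file sets SkipRearm, so warn here rather than at capture.
    $rearms = $lic.RemainingWindowsReArmCount
    if ($rearms -lt 1) {
        $problems += 'No Windows rearms remaining. Rebuild the reference image (MDT) rather than sysprepping again.'
    } elseif ($rearms -eq 1) {
        $problems += 'Only one rearm remaining: this is the last Sysprep this installation can take.'
    }

    [pscustomobject]@{
        Computer   = $cs.Name
        Membership = if ($cs.PartOfDomain) { "Domain: $($cs.Domain)" } else { "Workgroup: $($cs.Workgroup)" }
        RearmsLeft = $rearms
        Ready      = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

$check = Test-SysprepReady
$check | Format-List
if (-not $check.Ready) { Write-Warning 'Do not run sysprep /generalize yet.' }
```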
Can't I Just Run NewSID instead of Sysprep?
NewSID was a Sysinternals utility created by Mark Russinovich way back in 1997 to address some situations where running Sysprep didn't seem like a good idea by providing admins with a simple tool for changing the local machine SID of a Windows installation. But if you still have NewSID kicking around in your IT toolbox, you should get rid of it. Start by reading what Mark says about NewSID in his blog post The Machine SID Duplication Myth (and Why Sysprep Matters):
Now check out the follow-up post Machine SIDs and Domain SIDs on Aaron Margosis' Non-Admin and App-Compat blog:
Finally, make sure you read Sysprep, Machine SIDs and Other Myths by Michael Murgolo on The Deployment Guys blog:
I think by now you should be convinced that you should chuck out NewSID, but if you're not yet convinced then take a look at this cartoon video on YouTube:
See the Fave Links section of this issue if you want to make your own cartoon videos.
Sysprepping a Production System
So you have a Windows server that's been running on your production network for some time now, and you'd like to clone it and deploy several copies of it to scale out. Can you run Sysprep on your production system to generalize it, capture your master image, and deploy the image?
Unfortunately that's not a supported scenario. Sysprep is designed to prepare new installations of Windows (not existing installations) for deployment purposes, and running Sysprep post-deployment is not supported. There are also some other unsupported Sysprep scenarios you need to be aware of; the following KB article outlines them for you, and you should read it carefully:
If you ignore these recommendations you have two choices:
I always advise biting the bullet unless you wear dentures.
Sysprepping an OEM System
You just got a nice shiny new OEM system delivered to your office, and you want to clone it so you can deploy the captured image to some plain vanilla white-box systems down the hall. You haven't even used the new OEM system yet, so you might consider it "freshly deployed." Does this mean you can sysprep it?
The previously referenced KB article says "Microsoft does not support the use of Sysprep to create a new image of a system that was originally created by using a custom OEM installation image or by using OEM installation media. Microsoft only supports such an image if the image was created by the OEM manufacturer." The reason for this is not technical but legal: from a licensing perspective you are not allowed to deploy an OEM-created image in your organization, because the OEM image is tied to the specific computer you purchased. So if you did this you'd be violating both the Windows EULA and your OEM agreement.
Cloning a Hyper-V Host
Can you install Windows Server 2008 R2 on a box, add the Hyper-V role, create a bunch of virtual machines and install guest operating systems in them, shut down all the VMs, sysprep the box to create a master image, and then deploy that image to other boxes?
You could, but you won't want to: the cloned boxes are going to have virtual networking problems, since running Sysprep on your box removes its current networking configuration. So a better approach would be to install Windows Server 2008 R2 on the box, add the Hyper-V role, create a bunch of virtual machines and install guest operating systems in them, shut down all the VMs, export the VMs and their configurations and then delete the VMs, and finally sysprep the box to create a master image. Then you can deploy the sysprepped image to other boxes and import the VMs and their configurations into these boxes using PowerShell scripts.
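The export/sysprep/import sequence just described, as an added example that is not from the newsletter or from Microsoft. It assumes the Hyper-V PowerShell module (Export-VM, Import-VM, Get-VMSwitch), which ships with Windows Server 2012 and later; on Server 2008 R2 the same steps are done in Hyper-V Manager or through WMI. The export path and virtual switch name are assumptions.

```powershell
# Added example (not from the newsletter). Reference host: stop, export and
# remove every VM, then generalize. Clone: recreate the switch, import the VMs.

function Export-VMsForSysprep {
    param([string]$ExportRoot = 'D:\VMExport')   # assumed path, outside the image volume

    $vms = Get-VM
    # Sysprep must not run with VMs still active; refuse if any are.
    $running = $vms | Where-Object { $_.State -ne 'Off' }
    if ($running) {
        throw "Shut down these VMs first: $($running.Name -join ', ')"
    }

    New-Item -ItemType Directory -Path $ExportRoot -Force | Out-Null
    foreach ($vm in $vms) {
        # Export-VM writes configuration, virtual disks and snapshots to a
        # folder named after the VM under the export root.
        Export-VM -Name $vm.Name -Path $ExportRoot
        # Remove the VM definition only once its export exists on disk, so the
        # generalized image contains no VM objects tied to the old host.
        if (Test-Path (Join-Path $ExportRoot $vm.Name)) {
            Remove-VM -Name $vm.Name -Force
        } else {
            throw "Export of $($vm.Name) not found; aborting before Remove-VM"
        }
    }
    # /generalize strips the SID and the host's network configuration (the reason
    # the old VM definitions would not work on a clone); /oobe and /shutdown
    # leave the box powered off and ready for image capture.
    & "$env:SystemRoot\System32\Sysprep\sysprep.exe" /generalize /oobe /shutdown
}

function Import-ExportedVMs {
    param(
        [string]$ExportRoot = 'D:\VMExport',   # assumed path, as above
        [string]$SwitchName = 'External'       # assumed switch name used by the exported VMs
    )
    # The imported VMs expect a virtual switch with the same name as on the
    # reference host; create it first or Import-VM reports an incompatibility.
    if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
        $nic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
        New-VMSwitch -Name $SwitchName -NetAdapterName $nic.Name | Out-Null
    }
    Get-ChildItem -Path $ExportRoot -Directory | ForEach-Object {
        # The VM configuration file is .xml on Server 2012/2012 R2 and .vmcx on 2016+.
        $config = Get-ChildItem -Path (Join-Path $_.FullName 'Virtual Machines\*') -Include *.xml, *.vmcx |
                  Select-Object -First 1
        # -Copy duplicates the files into this host's default paths; -GenerateNewId
        # gives each VM a fresh identifier so no two clones share one.
        Import-VM -Path $config.FullName -Copy -GenerateNewId
    }
}
```

Run Export-VMsForSysprep on the reference host and Import-ExportedVMs (pointed at a copy of the export folder) on each clone after deployment.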
The Bottom Line
So what's the bottom line concerning not running Sysprep on your images?
What, you still don't believe me? Check out the Microsoft support policy for disk duplication in this KB article:
Tip of the Week
Here's a tip about using Sysprep that I recently had published in the Admin Knowledge Base on WindowsNetworking.com:
How to troubleshoot a problem where your KMS server is not reporting the correct number of KMS clients on your network
Scenario: You are using KMS to manage activation of volume-licensed Windows 7 computers on your networks. To deploy these computers, you've created a master installation and then cloned the master image using third-party tools. The cloned images were then applied to the client computers to deploy Windows to them. You now have 25 client computers deployed, but your KMS server is only reporting one activated Windows installation. What's wrong?
Resolution: You either forgot to run sysprep /generalize on your master installation before you cloned it to the computers on your network, or you set
Do not try to fix the situation by running the slmgr.vbs /rearm command on each computer: while doing this will provide each computer with a unique CMID, it will also leave your computers in an unsupported state, as it doesn't have the same result as running sysprep /generalize on the computers. The only supported way of resolving this problem is to run sysprep /generalize on your master installation and then clone the generalized image and redeploy it to your computers. And either set
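One way to confirm the diagnosis above before redeploying is to read the CMID from each client and look for duplicates, since a KMS host counts one client per CMID. The script below is an added example, not from the newsletter or from Microsoft; it assumes remote WMI access to the clients, and the computer names are constructed placeholders.

```powershell
# Added example (not from the newsletter): audit cloned computers for a shared
# Client Machine ID (CMID), the cause of the undercount described in the tip.
# Assumes WMI/DCOM access to each computer; the names below are constructed.
param(
    [string[]]$ComputerName = @('PC01', 'PC02', 'PC03')   # constructed sample names
)

function Get-CmidReport {
    param([string[]]$Computers)
    foreach ($c in $Computers) {
        try {
            # SoftwareLicensingService is the class slmgr.vbs reads; ClientMachineID
            # is what slmgr.vbs /dlv prints as "Client Machine ID (CMID)".
            $svc = Get-WmiObject -Class SoftwareLicensingService -ComputerName $c -ErrorAction Stop
            [pscustomobject]@{
                Computer   = $c
                CMID       = $svc.ClientMachineID
                RearmsLeft = $svc.RemainingWindowsReArmCount
                KmsHost    = $svc.KeyManagementServiceMachine
                Error      = $null
            }
        } catch {
            [pscustomobject]@{ Computer = $c; CMID = $null; RearmsLeft = $null; KmsHost = $null
                               Error = $_.Exception.Message }
        }
    }
}

function Find-DuplicateCmid {
    param($Report)
    # Every CMID shared by two or more computers is one "missing" client on the KMS host.
    $Report | Where-Object { $_.CMID } | Group-Object CMID | Where-Object { $_.Count -gt 1 }
}

$report = Get-CmidReport -Computers $ComputerName
$report | Format-Table Computer, CMID, RearmsLeft, KmsHost, Error -AutoSize

$dupes = Find-DuplicateCmid -Report $report
if ($dupes) {
    foreach ($g in $dupes) {
        Write-Warning "CMID $($g.Name) is shared by: $($g.Group.Computer -join ', ')"
    }
    Write-Host 'Image was cloned without sysprep /generalize (or with SkipRearm left set).'
    Write-Host 'Supported fix: generalize the master, recapture and redeploy; do not /rearm each clone.'
} else {
    Write-Host "All $(@($report | Where-Object { $_.CMID }).Count) reachable computers report distinct CMIDs."
}
```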
Here's a link to the above tip:
And here's a link to the entire Admin Knowledge Base section of WindowsNetworking.com:
Recommended for Learning
I'll begin this week with one title that I highly recommend:
Microsoft OneNote 2010 Plain & Simple from Microsoft Press is exactly the book I need to read. OneNote has become a bigger part of my life of late as I try and use it to manage research that I collect for various projects I'm working on, but I've never actually sat down and tried to learn the product from scratch. Instead, I've just fumbled around and tried different things out, and there are probably a lot of obvious tips and tricks that I'm missing, as a quick and cursory browse of this book suggests to me. This book should help fill in the gaps in my understanding of how to effectively use OneNote, so I'm bumping it up to the top of my must-read pile and will spend a free hour zipping through it in the very near future. And the colorful, clearly labeled screenshots mean I can read it without having to actually sit at my computer, yay! In fact, I'm going to start reading it right now while I eat my lunch... [half an hour later] Wow, this is a terrific book. I've learned a LOT about working with OneNote from reading the first five chapters and can't wait to read the rest of the book!
Here are a couple of other books I've recently had a chance to review:
Data Architecture: From Zen to Reality from Morgan Kaufmann gives you a bird's-eye view of data storage concepts and architectures. The various topics aren't covered in a lot of depth, but the way they are presented can be valuable to organizations planning on rethinking their data storage strategy. Unfortunately that sort of situation is common nowadays, since the amount of data most companies need to process and store has been growing astronomically. So if you're just at the stage of beginning to realize you need to rethink your data architecture before your company gets overwhelmed, it might be a good idea to get hold of this book and read it through.
SAP Basis Administration Handbook, NetWeaver Edition from Morgan Kaufmann is a quick guide to implementing, maintaining and supporting an ERP infrastructure based on SAP. The book includes procedures for tuning performance, configuring Oracle databases, performing backups, and lots more. I don't use SAP myself but if I did this looks like a pretty handy book to have on my shelf.
Quotes of the Week
"Standing up to bullies is not easy. The reason you do it early and resolutely is so you don't have to do it more than you should." --Rudolph Giuliani in Leadership
"You can't let anyone get to you. Believe in yourself even if no one else does -- that's how I was able to get where I am now." --2011 Arnold Classic winner Branch Warren in Muscular Development Magazine
Save this newsletter so you can refer back to it later for tips, tools and other resources you might need to do your job or troubleshoot some problem you're dealing with. And be sure to forward this newsletter to a friend or colleague who might find the tips and tools in it helpful for performing their job. Finally, if you have feedback concerning anything in this newsletter, feel free to send it to my mailbag at firstname.lastname@example.org
Cheers, Mitch Tulloch
New Top 10 free tools for IT pros. Audit changes in AD, servers, mailboxes; manage passwords and event log; monitor disc space usage; secure end-points, etc.
mPowerTools - an AD Admin essential! 200+ reports, bulk import/export, scheduling, GPO/File Share Reports. Eliminate scripting! Only $1499!
Odyssey Athena is a native MDM solution for SCCM 2007 and 2012:
Good Technology lets users get their corporate email on their iPhone, iPad or Android device:
Conferences, Expos and Other Events
March 26 - 29, 2012 - SQL Server 2012 Launch Conference and Expo at the MGM Grand in Las Vegas:
April 16-20, 2012 - Microsoft Management Summit 2012 is where skilled IT professionals can meet to increase their technical expertise through hands-on training, breakout sessions and interacting with industry leaders in desktop and device management, datacenter, and cloud technologies:
Sign up for these and other Microsoft events and webcasts at:
Sign up for these and other VMware webcasts at:
Sign up for these and other O'Reilly webcasts at:
Browse the Cisco Corporate Events Calendar to find Cisco at events, trade shows and conferences around the world:
Browse the Oracle Events page to find in-person events and live webcasts for your location:
Got any other IT events or webcasts you'd like to recommend to our readers? Let me know at email@example.com
IBM announces support for System Center 2012
This whitepaper from IBM outlines VMM storage automation with the IBM XIV storage system using SMI-S:
Some Thoughts Buying State Of The Art Storage Solutions Anno 2012
A thought-provoking post from the blog Working Hard In IT:
Windows 8 Hyper-V Feature Glossary
Some helpful info from the blog of Aidan Finn, Microsoft MVP and IT infrastructure consultant lead in Dublin:
TechNet Wiki gets a facelift
Check out the new format and features here:
What's stalling your enterprise's private cloud adoption?
Enterprises often overestimate their cloud knowledge, and that's causing many private clouds to stall before they even get off the ground. Learn how to ensure a successful deployment process with this expert tip.
Devising in-house workarounds to solve virtualization problems
Virtualization problems are bound to come up. But you don't need a pricey product to solve your issues. This featured article details how to devise in-house workarounds for your virtualization problems.
Cloud-hosted VDI provides companies a way to deliver virtual desktops to remote employees on any device without incurring the infrastructure costs of an on-premises virtual desktop infrastructure. But cloud isn't appropriate for all types of desktops and applications. In this guide, learn about cloud-hosted virtual desktops versus VDI, using hosted applications and the integration of cloud-based technologies with enterprise desktops.
Top 10 reasons why you shouldn't ignore mobile device security
How does your IT staff handle mobile device and tablet security? Does it use in-house security standards and policies? Or does your company have an "anything goes" situation? Plenty of companies tell their employees there's no mobile computing at all. The point is, when it comes to mobile device security, businesses are all over the map -- and that's scary. Here are ten reasons why you shouldn't ignore mobile device security.
Create your own cartoon videos at Xtranormal.com simply by typing on your keyboard:
Discover Magazine questions whether the NFC might own the coin that's flipped at the start of each Super Bowl:
Windows7Hacker shows how to make your Windows 7 desktop look like Mac OS X Lion:
Check out Mitini, it's like Siri for Windows plus it's developed by a Canadian, eh?
Time-lapse footage from 179 different and beautiful places around the planet. Best viewed in Full Screen HD.
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit from Microsoft Press and has published hundreds of articles for IT pros. Mitch is also a seven-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com
Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid is also Head of Research for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.