Tuesday, August 19, 2014

From the Book: .NET Framework 3.5, Windows 8 and AutoCAD 2015 Deployments

That title is not long enough.  If I want to provide product titles to Microsoft as a possible side business, I need to make the titles longer.  Like that will ever happen.  Anyhow, this post is based on a part of my recent ebook "The AutoCAD 2015 Network Administrator's Bible", and focuses on dealing with one particular road bump in deploying AutoCAD 2015 to Windows 8.x clients.

Windows 8 and .NET Framework 3.5

If you read through the documentation, one of the requirements for installing on Windows 8.x is to have the .NET Framework 3.5 feature enabled.  This feature is *not* enabled by default.  You can enable it via the Control Panel route, or from a command-line, via a script, or as part of your imaging process using MDT or SCCM as well.  Choices, choices, choices.

Why is this a big deal?  Maybe for you and your environment, it's not a big deal at all.  But what if you want to deploy AutoCAD 2015 to 500, 1,000 or 10,000 computers, all of which are running Windows 8.1, but not all of them have .NET Framework 3.5 enabled?  Still feel excited about running around to touch each machine?  Even remoting into each one?  How about the time to concoct (or steal) a script to batch enable all of them?  Yes, you can do any or all of these.  The short story is:  There is no "one-size-fits-all" solution.

Option 1 - Scripting and Command-Line

If you don't have the luxury of using MDT or SCCM to do some of your heavy-lifting, you can still make-do with free features provided within Windows itself.  

But before I jump into this I would like to mention that unlike some other .NET Framework versions, 3.5 is a "feature" within Windows 8, rather than a downloaded update or service pack.  The binaries which are required to enable it are already embedded in the "\sources\sxs" folder beneath the Windows home directory.  The challenge tends to be that the contents of that folder within the original installation media, and the final result do not often match.  That's because Microsoft has opted to follow an admirable "reduced attack surface area" approach, which translates into putting the least amount of bits on the client as are needed.  The less code lying around, the fewer potential targets exist to be exploited.

So, how do you enable it?  DISM is one good way.

DISM, the Deployment Image Servicing and Management command, is part of Windows 7 and 8.  It actually began life earlier, but has been fine-tuned with each new Windows release.  Among its many features are options to enable and disable Windows features.  The most basic form of the command for this topic is:

dism /OnLine /Enable-Feature /FeatureName:NetFx3 /All

However, you may want to tack on a few extra optional parameters (or "switches" as some prefer to say) to provide more control over how it behaves.

/LimitAccess - this option tells DISM *not* to try to reach out to an internal WSUS server to find the source binaries, but instead to look somewhere locally.

/Source - this option tells DISM that you are going to provide a specific path from which to load the source binaries.  Actually, it should read "/Source:<path>" where "<path>" is something that actually contains the correct files, like "c:\temp\sxs" or "\\SERVER1\sharename\files\sxs", etc.

If you're not really familiar with how the "side-by-side" (i.e. "sxs") folder works, and what it means, be careful!  If you are, then ignore the next sentence, but I know you'll read it anyway just to make sure I'm not incorrect and you can't wait to pounce all over me for screwing up.  The "sxs" folder uses special file links to avoid duplicating a lot of redundant bits. This is somewhat like how a .ZIP or .7Z or .TAR file works, in that it tries to reduce the overall amount of disk space used for storing the data.

Anyhow, beyond that, the "sxs" folder contents MUST match the same Windows version and SKU that you intend to use them on.  So if you make a "sources\sxs" copy from a Windows 8.1 Professional disk or ISO image, and try to reference it for a Windows 8.1 Enterprise client, it's probably not going to work.  In most cases, it will chug away until around 60-65% and then crash with the error message:

"The source files could not be found."

Bummer. If the folder path is wrong and there are no files at all, that's one thing, but it usually bombs out sooner than 60% of the way through.
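
Here is the whole of Option 1 as one script, added as an example (it is not from the book or from Microsoft).  It picks the "sxs" source from the client's own edition and OS version, so a Professional copy is never offered to an Enterprise client, and it reads DISM's exit code instead of waiting for the 60% crash.  The share layout (ShareRoot\Edition\OSVersion\sxs) and the exit codes the script uses are assumptions of this example.

```powershell
# Added example: enable .NET Framework 3.5 from a source that matches this client.
# Assumed (hypothetical) share layout:  <ShareRoot>\<Edition>\<OSVersion>\sxs
#   e.g. \\SERVER1\sharename\files\Enterprise\6.3.9600\sxs
# Run elevated, or as SYSTEM from a deployment tool.
param(
    [string]$ShareRoot = '\\SERVER1\sharename\files'
)

$featureName        = 'NetFx3'        # name as listed by: dism /Online /Get-Features
$rebootRequired     = 3010            # ERROR_SUCCESS_REBOOT_REQUIRED
$sourceFilesMissing = -2146498529     # 0x800F081F, "The source files could not be found."

# 1. Nothing to do if the feature is already on.
$feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName
if ($feature.State -eq 'Enabled') {
    Write-Output "$featureName is already enabled."
    exit 0
}
# 'DisabledWithPayloadRemoved' means the binaries are not on the local disk,
# which is why DISM has to be pointed at a source.
Write-Output "$featureName state: $($feature.State)"

# 2. Build the source path from this client's own edition and OS version,
#    so the sxs folder always comes from matching media.
$edition   = (Get-WindowsEdition -Online).Edition
$osVersion = (Get-CimInstance -ClassName Win32_OperatingSystem).Version
$source    = Join-Path -Path $ShareRoot -ChildPath "$edition\$osVersion\sxs"

# 3. Pre-flight: fail early, before DISM starts working.
if (-not (Test-Path -LiteralPath $source -PathType Container)) {
    Write-Error "No sxs source published for $edition $osVersion at $source"
    exit 2
}
$payload = Get-ChildItem -LiteralPath $source -Filter '*netfx3*.cab' -ErrorAction SilentlyContinue
if (-not $payload) {
    Write-Error "$source exists but holds no NetFx3 package (.cab)."
    exit 2
}

# 4. Enable the feature from that source only (no WSUS / Windows Update lookup).
& dism.exe /Online /Enable-Feature "/FeatureName:$featureName" /All `
           /LimitAccess "/Source:$source" /NoRestart /Quiet
$code = $LASTEXITCODE

# 5. Interpret the result so the deployment tool gets a meaningful status.
if ($code -eq 0 -or $code -eq $rebootRequired) {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $featureName).State
    Write-Output "DISM exit code $code; $featureName state is now $state."
}
elseif ($code -eq $sourceFilesMissing) {
    Write-Error ("DISM could not use $source (0x800F081F). " +
                 "Check that it was copied from media of the same edition and build as this client.")
}
else {
    Write-Error ("DISM failed with exit code 0x{0:X8}. See C:\Windows\Logs\DISM\dism.log" -f $code)
}
exit $code
```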

Option 2 - Imaging

Other options include bundling the feature (okay, "enabling" the feature) during the Windows installation process.  This is fine for provisioning new computers, or reimaging, but not so ideal for updating computers which are already part of the production environment.  You can however employ parts of MDT or SCCM to deploy to those computers, but that's technically not imaging then, is it?

Even within just one option such as MDT 2013, you have several routes you could take, from using a Custom Command-Line task, to employing a script, to setting a Task Sequence Variable to identify the sources folder path, and then use the Add Roles and Features task to handle the feature.  Who says the IT world is boring, huh?

Option 3 - Deployment Tools

This encompasses things like Packages or Applications within System Center Configuration Manager, as well as other tools like Altiris or what-have-you.  In short, you create a named instruction set that performs the desired tasks, and then target that to a group of computers to execute locally.  In SCCM, that could mean an Application with one or more Program entries, and a Deployment linked to a Collection.  You get the idea.  

It's not rocket science and it's not difficult to do, IF you have the environment up and running already.  The toughest part of these kinds of tools is standing them up.  Once they're operational (if designed and installed correctly), the rest is a matter of "using" the features.


I cover each one of these in far more detail within my book, and provide screen capture images of each step along the way.  I hope you will consider reading it and thank you for taking the time to read this!

Sunday, August 17, 2014

Random Thoughts: Evolutionary Obsolescence and Overlords

Sometimes when I've had enough coffee and/or beer, I drift off into thinking some concept "ahead" as it might likely evolve.  After reading a few articles about the arcane laws in the U.S. regarding personal use of solar energy, and others on 3D printing, it dawned on me that what we're seeing is the first inch of what will inevitably become a world in which we grow less dependent on the providings of others.

3D printing, for example, will enable us (in time) to create many of the things we have to purchase today.  Sure, we'll need to obtain the media from which the printer can generate objects.  But that's just for now.

The issue of solar energy for personal use, and the threat it poses to current energy companies like Dominion and Con-Ed sheds light on the concern they have that we (citizens) may not need their services in the future.  They are understandably worried, and are therefore busy lobbying our government folks to slow things down until they can figure a way to put a rope around it all, and remain relevant, and more importantly: remain in control of things.

But for now, we buy things made by others.  Imported from other places.  But someday, we will be able to make a lot of things ourselves, without leaving our homes.  As that situation evolves over decades and centuries, imagine where that might lead.  Imagine when we can truly make "anything" from some sort of device of our own control.  The power balances around the planet of "haves" and "have-nots" will surely shift in other directions.  In which directions we can't know at this point, but it will change for sure.

And when we can generate our own power, make our own contraptions, and not have to barter and trade for most things, what then?  What do humans do when they don't need other humans by necessity?  We will obviously still remain connected for social and personal reasons, but how about the impact that could have on incidental connections, such as getting to know the grocery store clerk, the bartender, the hair cutter, or the school teacher?  Even schools, and other places of collective presence may become obsolete, as we are increasingly able to get things like education at home.

Maybe some day, we will have developed the means to literally organize molecules to create anything we desire.  Alchemy realized.  We are already playing around with moving molecules without touching them (sort of), and moving beyond status quo measures of speed and velocity (link).  That means that it could be possible that even travel becomes advanced enough for us not to depend on airlines and passenger trains.  Who knows?

The more we evolve technologies, and the more they become increasingly affordable, the more scale this adds to the existing progressive curves of each.  The pace is getting faster with each turn.  What we once predicted to arrive in ten years, now arrives in five or six.  As another decade passes, that window shrinks even more, since the supporting technologies for generating new technologies are also improving. It's like a fire that feeds itself by feeding itself even faster.

Imagine a world where you won't *need* to leave your home to get food, water, or pay anyone else to get electricity, Internet connectivity (or whatever replaces the Internet by then), or to repair things that break around you?  Will we let that evolve on its own? Or will we see that coming and collectively work to install guardrails into this evolution so that we remain in "need" of each other to some extent?  Who knows.

Right now, you can build your own aircraft, but you must obtain a license and authorization to fly it, with some restrictions and allowances based on who you are, where you are, where you want to fly it, and what kind of aircraft you build.  Imagine the positive and negative implications if those restrictions and constraints were removed.

Time for a break.  Enjoy your weekend!


Coming Soon: The AutoCAD 2015 Network Administrator's Bible

It's long overdue.  I'm long overdue as well.  It's been a long time since I've devoted myself to writing anything about AutoCAD or network deployments.  I'm almost done with editing this book and it should be available for purchase on Amazon Kindle very soon.  Remember that you do not need a Kindle device to read Kindle books.  There are free Kindle reader apps for iOS, Android, Windows, Mac, and more.

Here's a summary of topics included:

  • Deploying with Scripts: Batch, VBScript, and PowerShell
  • Deploying with System Center Configuration Manager 2012
  • Deploying with MDT 2013
  • Using Task Sequences
  • Dealing with Requirements: .NET 3.5, using Global Conditions, etc.
  • ADNM
  • Deployment Shares
  • Network and Client Logs
  • Building a Virtual Test Environment with VMware Workstation
  • Stupid jokes.  Dumb comments.  Awkward silences.
  • And more!

Friday, August 15, 2014

5 Creative Ways to Settle Office Disputes

We've all been in the situation where two people strongly disagree on which direction to take with regards to a business or technical strategy.  One vendor or another.  One process or another.  One policy or another.  It can become very emotional at times, and often leads to lost productivity and bad feelings that can linger on for days, months or even years.  In many cases, the lingering emotional scarring can impact productivity and quality of services for everyone involved.  Well, there are some semi-proven ways to deal with these situations in professional, productive and positive ways.  And who doesn't like a gosh-darn 3-P solution to a problem?  Huh?  Golly.

Here's a short list of five (5) suggestions that might help improve the situation and make everyone feel better enough to give each other a big sloppy kiss, without any hidden sharp objects.

Tip 1 - Jello Wrestling with a New Twist

This one works great regardless of the gender bias that may exist in the room.  Everyone has to consume 1 gallon of Jello powder mix, then drink a 1 liter bottle of soda, and then get in a ring and beat the living crap out of each other.  First one to puke all over their opponent, wins.

Tip 2 - Paperwork Shuffle

Everyone in office environments likes to brag about how they suffer with the most paperwork, email, IM calls, voicemails, and so on.  Perfect examples of "first world problems" if ever there were any.  Imagine trying to elicit tears from a starving mother and her starving group of babies, too famished to swat away the incessant swarm of flies and mosquitoes.  They will pity you for sure.  So how about putting your money where your mouth is, and challenge the opponent to produce enough evidence to back it up?  The one who shows up with the most weight (use an approved scale obviously), wins.

Tip 3 - Marching Band

When the other person won't shut up, start humming the tune to something familiar like "Glory Glory Hallelujah".  Start quiet at first, then gradually bring up the volume until you can barely catch your breath in between gasps to belt out that next glorious bar.  Bonus points can be earned by pretending to march in formation, by yourself of course, around the conference room.

Tip 4 - Zen

When the other person continues to argue their point, refusing to hear your side at all, just stare at them without blinking as long as you can possibly manage.  Never, and I repeat NEVER, blink or look at anything else in the room besides their eyes.  They are like a source of energy.  Feed off of them.  If you can stare at them long enough, one of two things is most likely to happen next: (1) they will call security for help, or (2) they will scream like a wounded baby and run down the hall as if zombies are trying to eat them.  Either way, the original problem should now become moot.

Tip 5 - Levity

When violence fails to solve a problem, humor often stands a small chance of working.  That's what most of the infamous world fascist dictators would say, or so I've heard.  Try this instead of a gun or knife:  When the opponent begins to raise their voice and shake their head in disagreement over some aspect of the topic at hand, start stripping off clothing until you're only in your underwear.  Not all at once, but remove one piece of clothing after each time they speak a phrase in disagreement.  When they finally realize what's happening, look at them and wait.  If they remain silent, offer this, "if you stop now, I win.  If you continue on, I will have to add whipped cream to this and keep moving."

If you try any of these out, be sure to post a comment below to let us all know how it worked out.  We'd love to hear your thoughts on this.  Have a swell weekend!

Friday, August 8, 2014

Identify IE Version Installs using SCCM, SQL, Chewing Gum and Coffee

You could hunt down the Add or Remove Programs list, or tunnel your way through v_GS_INSTALLED_SOFTWARE_CATEGORIZED, or walk around with a clipboard and a baseball bat, or you could do it the easy way:  a SQL query against v_GS_SoftwareFile.  Be sure to change the database name tag to whatever your site code is.

[begin code]

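USE your_site_database_name

SELECT 
  a.netbios_name0 COMPUTER_NAME, 
  -- major version = the digits before the first dot of the file version
  -- (the THEN expressions and the IE_VERSION alias are assumed)
  CASE 
    WHEN PATINDEX('%.%',b.fileversion) = 3 THEN SUBSTRING(b.fileversion,1,2) 
    WHEN PATINDEX('%.%',b.fileversion) = 2 THEN SUBSTRING(b.fileversion,1,1) 
    ELSE SUBSTRING(b.fileversion,1,1) 
  END AS IE_VERSION 
FROM 
  dbo.v_R_System a LEFT OUTER JOIN 
  dbo.v_GS_SoftwareFile b ON a.ResourceID=b.ResourceID 
WHERE 
  filename LIKE 'iexplore.exe' AND Active0=1 AND 
  LTRIM(fileversion) <> ''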

[end code]


Thursday, August 7, 2014

How to Tell Real IT Pros from the Fakes

This post is aimed at folks that don't work in an office with an IT staff.  Maybe you're at home (working or otherwise) and need some help with your computer, printer, smartphone, Internet or wireless network, and you are concerned about how to find someone you can really trust to help. It's a big, scary world out there, and it's getting tougher to find people you can trust.  Fear not!  Here are some basic tips for separating the real from the fakes.

Tip 1 - Find Them First

Real IT pros don't want to help.  That's right.  Younger, over-eager, inexperienced IT folks are usually quick to take on new challenges.  Older, seasoned pros however are over that crap.  They've been there, done that, got the t-shirt and the antibiotics too.  They're tired of the crap they deal with all day, every day.  Would a carpenter want to come home from work to build another cabinet at home every day?  I rest my case. So, if anyone jumps up to offer to help you with computer issues without hesitation: don't trust them.  A real IT pro will only be persuaded by compensation offerings (see tip 3).

Tip 2 - Attacking the Problem

This one is tricky.  If you already have something and it just needs fixing, that's one thing.  If you don't have it yet, and are looking for help deciding what to buy, that's another.

If you have issues with an existing contraption, the person helping should ask "when did it start happening?", and then continue from there.  If you're looking for help buying something new, they should ask "what is it that you are trying to do, exactly?"

Tip 3 - Compensation

If they insist on money (cash), counteroffer with pizza, beer or power tools.  Real IT pros will work for almost anything they can use to fix their own non-IT problems back home.  Food is usually very high on their list.  If they don't seem impressed with an offer of good food, they're fake.

Tip 4 - Self-Esteem

If you ask "how well do you know networking?" or "are you really good with servers?", and the other person answers with "I'm an expert at..." or "absolutely!", walk away fast!  A real IT pro will never admit to having knowledge about anything unless it's during a job interview.  Any other time, they will deny any and all knowledge about anything containing the letters "i" and "t" in close proximity.

There you have it.  Four easy tips you can remember that will help you identify, and bribe a good IT professional to help you solve your IT problems.

Good luck!

Sunday, July 20, 2014

5 Stupid IT Questions - Part 2 - The Electric Boogaloo

It's that time again.  Enjoy...

Question 1 - "I have about 50 to 60 desktops and laptops, and about 10 servers in my AD environment at work.  I don't have a patch management product yet, I currently patch my Windows machines manually or using scripts.  Is there a good reason *not* to use WSUS?"

Answer:  First off, you need to start drinking. Your doctor would agree with me.  I think.  Well, anyhow, if your environment is built on versions of Windows which can be supported by WSUS, then the answer is NO: there isn't a "good" reason to *not* use a free product that at least gets you closer to the goal line.  How's that for a double-double-double negative statement?  I should've been a politician.

Are there better products?  Sure.  For free?  Maybe.  Is WSUS "good enough" for most shops like yours?  Probably.

Question 2 - "My significant-other spends a lot of time reading, studying, and playing in a lab to stay current with his/her career.  Is there anything I can do for him/her?"

Answer: Yes!  Feed them.  Scratch their back.  Rub their feet. Make them laugh.  And most important, feed them some more. They need to be sure to return the favor though.  My wife is amazing, but I have to remember to rub her feet too (she deserves it).

Question 3 - "I have scheduled tasks running on computers which run under the local SYSTEM account, but when they try to execute commands or access resources from remote UNC shares, they are denied access.  What am I doing wrong?"

Answer:  Two things... the first problem is that you're not sending me cash to help me pay my bills.  Just kidding.  Second, you didn't grant sufficient permissions to the share and/or the underlying NTFS folder path.  Remember, the local SYSTEM account runs as a proxy for the computer itself (when operating in a domain context).  So, when it knocks on the door of a remote shared resource, that resource sees the domain computer account in the peep hole.  (you thought I was going to say glory hole, didn't you?  sick puppy you are).

For example, if one computer is "DT1234" and is running a task that requests a connection to server "FS0005", then that server will see "DT1234$" (they append the dollar sign to indicate you paid a lot of money for that license.  ha ha.  kidding again).  Actually, if the domain is "contoso.com", then the server sees user "CONTOSO\DT1234$" (NetBIOS name + computer sAMAccountName) knocking at the door.

By default, domain-joined computer accounts are not members of the AD domain "everyone" or "domain users" security groups.  They're not even members of any group (by default) besides "Domain Computers".  Therefore, you need to grant rights on resources to that domain security group, and your domain-joined computers should be able to knock at the door and get some free food.

TIP: a simple way to test local SYSTEM access to remote shares, is to use the "psexec.exe" utility (Microsoft/Sysinternals) with the "/s" option to launch CMD.exe.  Then within the command console, running in the local SYSTEM context, try to connect or query remote resources to see what happens.
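
The fix and the test from this answer, as an added example (mine for this post, not anything shipped by Microsoft).  The first function grants read-only access to "Domain Computers" on both the share and the NTFS folder; the second is meant to be run inside the SYSTEM console from the TIP above.  The share name "Deploy" and the folder "D:\Shares\Deploy" are hypothetical.

```powershell
# Added example for the SYSTEM-account question.
# Share name and folder path below are hypothetical; substitute your own.

# Run elevated on the file server (FS0005 in the example above).
function Grant-ComputerAccountRead {
    param(
        [string]$ShareName = 'Deploy',                    # hypothetical share
        [string]$Folder    = 'D:\Shares\Deploy',          # hypothetical folder behind it
        [string]$Principal = 'CONTOSO\Domain Computers'
    )

    # Share permission: read only, nothing more than the tasks need.
    Grant-SmbShareAccess -Name $ShareName -AccountName $Principal `
                         -AccessRight Read -Force | Out-Null

    # NTFS permission: read and execute, inherited by subfolders and files.
    $acl  = Get-Acl -LiteralPath $Folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
                $Principal, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Folder -AclObject $acl

    # Show both layers so you can confirm what the computer accounts now get.
    Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccountName -eq $Principal }
    (Get-Acl -LiteralPath $Folder).Access |
        Where-Object { $_.IdentityReference.Value -eq $Principal }
}

# Run on the client (DT1234) in the console started under the local SYSTEM account.
function Test-SystemShareAccess {
    param([string]$UncPath = '\\FS0005\Deploy')           # hypothetical share path

    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $me.IsSystem) {
        Write-Warning "Running as $($me.Name), not SYSTEM; the result says nothing about the scheduled task."
    }

    [pscustomobject]@{
        LocalIdentity  = $me.Name                         # NT AUTHORITY\SYSTEM when run correctly
        SeenByServerAs = "$env:COMPUTERNAME`$"            # the computer's sAMAccountName
        UncPath        = $UncPath
        Reachable      = Test-Path -LiteralPath $UncPath -ErrorAction SilentlyContinue
    }
}

# On the server:  Grant-ComputerAccountRead
# On the client:  Test-SystemShareAccess
```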

Question 4 - "I'm building a custom app/script that helps manage things within System Center Configuration Manager 2012 R2.  It needs to read and write information as well, but it looks like I can do that by ADO and SQL commands, or by WMI and WBEM commands. Which should I use?"

Answer:  (long, long inhale.... get ready, here it comes...)  Okay.  Both.  No, wait.  Neither.  No, wait, that's wrong.  Both.  Sort of.  Hold on.  This may seem a little complicated. And even if it wasn't complicated, I'm a professional, and complicating things is what I get paid to do.  That's not true either.  Just a minute. Okay. So drink up, strap in, or strap on, or buckle up, whatever...

You know how they say "never say never"?  Well, NEVER, yes, that's right, I just said "NEVER", ever write to a System Center Configuration Manager database directly.  All "write" (aka update/insert/delete) operations should be done through WMI/WBEM statements. I'll get to the "why" in a minute.

First things first:  While you absolutely can request information from the database using WMI/WBEM queries, I recommend that you do your read operations directly from the SQL Server database, rather than via WMI/WBEM.  The reason is that they're going to perform faster than WMI/WBEM requests (assuming you know how to form proper T-SQL statements).  More importantly: WMI/WBEM query statements are way more limited than T-SQL as far as what kinds of operations you can perform.  For example COALESCE, TRY_CONVERT and CASE statements, to name a few. And I won't even get into things like DATEDIFF, CAST or SUBSTRING.

Next, the reason you shouldn't push anything into the database directly is that SCCM relies on a delicate, complicated and, let's be honest, confusing-as-hell sequential process for handling change requests.  That is, updates, additions, deletions, and so on.  Each request is queued, prioritized, processed and logged.  The "processed" part involves even more sequential handling with triggers and more logging, and if you go around back, break open the window and climb in the back room, the alarm will go off and the SWAT team will rappel down from helicopters and kill you.  Okay, not really.  But it will very likely break your SCCM site entirely.

When you submit requests properly using WMI/WBEM requests, they are like well-trained school kids lining up to go to the cafeteria.  They get their lunches, sit down, eat and smile the whole time.  When you shove them in directly via ADO/ADO.NET, shit will just break. Trust me. If you don't trust me, go ahead and set up a lab environment and kick those tires.  When the air blows out, don't come crying to me.

Finally, or thirdly? -  if you plan on making the same types of requests for information (read operations, that is) and they involve SQL "JOIN" statements, I recommend you create some VIEWs and apply indexing.  SQL will outperform application processing like Stephen Colbert having a debate with your dead cat.  If you've been strapping together messy "SELECT blah FROM whatever LEFT OUTER JOIN something  ON this = that..." and so on, in your script code, STOP!  Do that within the database (or create another database on the same server to pull data for abstraction and aggregation work, etc.).  So, to summarize all that blabber...

READ == Direct from the Database (SQL + ADO or ADO.NET)
WRITE ==  Through the WMI/WBEM interface

If you're thinking which is "faster": COM scripting or .NET scripting (e.g. VBScript vs. PowerShell), it depends on what you're doing, but for most things it's break-even.  The biggest factor will be where the bulk of logic handling and processing is being done:  in the database/WMI request itself, or on the information obtained therefrom.  I can already sense the .NET nerds flipping out right now. Spitting coffee through their nostrils.  Exclaiming "WTF?!!", knocking over their stacks of stale donuts and breaking pencils.   Oh well.

Question 5 - "My company is looking for a good service request ticketing system product. What products would you recommend?"

Answer: None of them.  Or all of them. The problem is that every organization that's existed for more than a few years has evolved its own internal processes for handling requests.  Staffing varies.  Methods vary.  Resources vary.  The retail products you will try on will almost certainly be like a "one-size fits-all" suit.  Lots of Velcro straps and adjuster things to help you pull in the tight spots to fit better.  But it's going to feel like that too.

Most off-the-shelf products will expect you to make some concessions with regards to "how" you do things.  That's not always bad, though.  Read up on ITIL, and even if you hate ITIL, it's good to have something to base your processes upon.  That or a suitcase full of drugs and a fast getaway car.  I have no idea what that's about though.

If your environment has implemented ITIL with gold medal effort, you may do really well with almost any off-the-shelf product.  However, I haven't seen an ITIL gold-medal shop in my lifetime.  I've heard stories of them, but I've never seen one.  Kind of like unicorns and leprechauns.

I see two options:  Build your own with whatever tools you have, or buy one and suck it up.  Just be warned:  The bigger your organization (staff and customer numbers), the more work it's going to be, for either direction you choose.  Be cautious of vendors offering "customization" services too.  That's their bread-and-butter.  Am I a bit pessimistic?  Yes.  It's a lot like shopping for document management solutions, or vacation homes.  I wish I could afford a vacation home.  Heck, I wish I could afford to take a vacation.

Th-th-that's all for now, folks.  Have a good week!

Thursday, July 10, 2014

It's Time for 5 Stupid IT Questions

You got IT questions? I got stupid answers.  Pull up a chair, sit down, and destroy your precious little mind reading my stupid ramblings for a bit.  What else do you have to do?  Silly Earthling.

(Note:  This is going to be an ongoing series, I think.  It depends on feedback from folks like you)

Question 1 - "In VMware Workstation and VMware Player, it has an option to preallocate the virtual hard drives.  What does this do and why should I consider it?"

Answer: It carves out physical storage space (on whatever drive/disk/volume you have it pointed at) to store the disk .VMDK file before using it the first time.  Like most things in life, there's a trade-off...

On the good side, preallocating space avoids the need to incrementally allocate more space as needed.  The incremental growth usually happens while the VM guest is running, causing some delays and pauses at times.

On the bad side, preallocating space takes up designated storage space which may not be fully-used on the inside (guest VM referencing).  For example, if you specify a 60 GB disk, it will grab 60 (plus a little chump-change space for overhead) right away.  In the end, you may only end up filling 40 GB within the guest machine, leaving 20 (or thereabouts) unused but still occupied on the physical disk.

If space isn't a concern, preallocate it to squeeze a little more performance from your virtual toyland.

Question 2 - "If I want to roll out a new Group Policy ADMX template during production hours, what negative impact would that have?"

Answer: "Would" or "Could"?  The answer depends on several factors.  But starting at step 1:  deploying an ADMX template into an AD environment involves updating the SYSVOL on the first domain controller.  From there it replicates (because domain controllers like to replicate, as nasty as that sounds).

The factors that come into play after step 1 are like a Rubik's cube.  Site link configurations, replication schedules, the size of the ADMX files, the WAN links, the network configuration, the KCC mess in the background, the amount of drugs your engineers consume, the prevailing winds, the high tide, the... whatever.  Hopefully you get the idea.  I would recommend (after you've tested them in a separate environment of course) that you deploy them during off-peak hours.  If that isn't possible, blame it on the last person to have quit.

Question 3 - "Will shifting my SCCM environment over to a user-demand, Application Catalog scheme fix all my problems with overseeing software deployments?"

Answer:  It depends.  In general, the answer is "no", it won't fix "all" of those "problems".  Can it lessen your workload?  At best: usually.  At worst:  it will replace one set of problems with another.

Will it eliminate some problems on the whole?  Sometimes.

It depends on how diverse your applications are and how diverse the target platforms are in your SCCM site.  If you support 4,000 products, but they are well-defined in terms of assigning one product+version for each business role, then you will be better off.  If you have a lot of alternatives for the same role/purpose, start drinking and get your liver in good shape.

The surprise "gotchas" I've seen, or heard about, with handing over the role of installing applications to end users via a catalog shopping-cart concept, have been basically from two general areas.  Each of which breaks down into two more areas:

1. Setting up the catalog
2. Cleaning up messes

The first area (setting up the catalog), involves not only building the catalog, but assigning roles and permissions, but that's the easy part.  Then comes the spaghetti-like enigma of validating product licensing and usage terms, as well as planning out the potential conflicts.  Those are the nasty things like "Product A and Product B cannot exist on the same client or they break things." or "Product A only works with .NET 4.0 while Product B only works with .NET 4.5" and so on.

The second area (cleaning up messes) involves hand-holding users that mistakenly install things and run into problems with them.  Even if you teach them how to remove those mistakes, there are going to be the breaks that require rolling up your sleeves and taking time away from other work.

The secondary issues are delegation reliability, and platform resiliency.  Big words.  I like big words.

The former (delegation) involves how well your delegated staff hold up with handling rights and assignments, as well as tech support issues that arise.  The latter (resiliency) involves how mature your environment is with regards to platform standards and methods for repairing breaks in the assembly line.  How many versions of Windows you support, how many device types, models, vendors, component versions (JRE, .NET).  Good stuff for beer talk.

Question 4 - "Is it more important to have a college degree or a certification when entering the IT field?"

Answer:  My kids' friends and their friends hit me with this question a lot.  Usually after some introductory phrase like "Excuse me, old man?  Can I axe yuze a question about getting a computer job?".

From an entry perspective (first-time job seeker), it depends on what kind of IT job you're aiming for.  If you're looking for a fairly low to intermediate job, such as anything from Tier1/desktop support, to even Systems Admin or Systems Engineer, it helps to have a degree, but it really helps to have a lot of (current/recent/relevant) certifications.

Many entry level IT jobs only require A+, Network+ and Security+ certifications, unless you start getting into VMware or Cisco type stuff (and so on).  Even then, having a Microsoft MCSA/MCSE will help a lot.

If the job you're aiming for is "senior research scientist" or "database architect", well, start filling out those college enrollment applications.  It won't hurt to have your CCNA or MCSE/MCwhatever, but most high-level, expert type fields within IT expect more educational background.  And don't forget those Analysts and Project Managers, who may need a mix of schooling and certs like PMP, ITIL, etc.  Just poke around the job postings online and you'll see what I mean. (Not that I've been looking of course, cough-cough.  That's just what I've been told).

Question 5 - "What is the toughest part of getting technology to work well?"

Answer:   People.  It's just human nature to try to pound nails using a wrench.

(Thank you for reading!  Stay tuned for more IT stupidity coming soon...)

Thursday, June 26, 2014

Random SCCM Database Thoughts

I ran these on an SCCM 2007 environment, but most of them should work in 2012 R2 as well.

Crack open your SSMS console, swallow your entire Espresso, crack your knuckles, inhale deep and slow, and let it out deep and slow.  Then scream something stupid and look serious.  Now, let's get started...

List the computers in a particular AD Site, and identify their makes, models, and BIOS serial numbers...

  • Join v_R_System with v_GS_Computer_System and v_GS_System_Enclosure on ResourceID (using LEFT joins to avoid dropping those which don't report inventory yet).  Then group by the AD_Site_Name0 field.
  • Step 1, filter on the following view-joins to see the general scope of data...

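      SELECT dbo.v_R_System.ResourceID, dbo.v_R_System.AD_Site_Name0,
         dbo.v_R_System.Name0, dbo.v_GS_COMPUTER_SYSTEM.Manufacturer0,
         -- Model0 and SerialNumber0 assumed from "makes, models, and BIOS serial numbers"
         dbo.v_GS_COMPUTER_SYSTEM.Model0, dbo.v_GS_SYSTEM_ENCLOSURE.SerialNumber0
      FROM dbo.v_R_System
         LEFT OUTER JOIN dbo.v_GS_COMPUTER_SYSTEM ON dbo.v_R_System.ResourceID = dbo.v_GS_COMPUTER_SYSTEM.ResourceID
         LEFT OUTER JOIN dbo.v_GS_SYSTEM_ENCLOSURE ON dbo.v_R_System.ResourceID = dbo.v_GS_SYSTEM_ENCLOSURE.ResourceID

  • Step 2, hone it down...

      SELECT dbo.v_R_System.ResourceID, dbo.v_R_System.AD_Site_Name0,
         dbo.v_R_System.Name0, dbo.v_GS_COMPUTER_SYSTEM.Manufacturer0,
         -- Model0 and SerialNumber0 assumed from "makes, models, and BIOS serial numbers"
         dbo.v_GS_COMPUTER_SYSTEM.Model0, dbo.v_GS_SYSTEM_ENCLOSURE.SerialNumber0
      FROM dbo.v_R_System
         LEFT OUTER JOIN dbo.v_GS_COMPUTER_SYSTEM ON dbo.v_R_System.ResourceID = dbo.v_GS_COMPUTER_SYSTEM.ResourceID
         LEFT OUTER JOIN dbo.v_GS_SYSTEM_ENCLOSURE ON dbo.v_R_System.ResourceID = dbo.v_GS_SYSTEM_ENCLOSURE.ResourceID
      WHERE dbo.v_R_System.AD_Site_Name0 = 'DOUBLE_HEADED_DONG_FACTORY'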

Find all clients which are assigned to a particular IPv4 gateway...

  • Step 1, just for fun, filter and browse the results of round 1, using v_Network_Data_Serialized

      SELECT DNSHostName0, ResourceID, IPSubnet0, MACAddress0,
         IPAddress0, DHCPEnabled0, DHCPServer0, DNSDomain0, DefaultIPGateway0
      FROM dbo.v_Network_DATA_Serialized
      WHERE (IPSubnet0 IS NOT NULL)
         AND (DHCPEnabled0 = 1)
         AND (IPAddress0 NOT LIKE 'f%')

  • Step 2, go in for the kill.  Find all that are using gateway

      SELECT DNSHostName0, ResourceID, IPSubnet0, MACAddress0,
         IPAddress0, DHCPEnabled0, DHCPServer0, DNSDomain0, DefaultIPGateway0
      FROM dbo.v_Network_DATA_Serialized
      WHERE (IPSubnet0 IS NOT NULL)
         AND (DHCPEnabled0 = 1)
         AND (DefaultIPGateway0 = '')   -- the gateway address goes between the quotes
      ORDER BY DNSHostName0

List the unique AD Site Names for all computers in a given Collection...

  • Join v_R_System with a sub-query on the desired Collection "ABC12345".

      SELECT DISTINCT AD_Site_Name0
      FROM dbo.v_R_System
      WHERE dbo.v_R_System.ResourceID IN
         (SELECT ResourceID FROM dbo.v_CM_RES_COLL_ABC12345)

List all of the Distribution Point Servers in site "ABC"...

  • Filter on View named v_SystemResourceList...

      SELECT SiteCode, ServerName
      FROM dbo.v_SystemResourceList
      WHERE SiteCode='ABC' AND RoleName='SMS Distribution Point'
      ORDER BY ServerName

List distinct Site Server Role type/names in the database, along with counts of servers for each role (keep in mind that servers can provide multiple roles, so don't sum the totals and think that's an accurate count of total site servers)

  • Filter on View named v_SystemResourceList...

      SELECT DISTINCT RoleName, COUNT(*) AS ServerCount
      FROM dbo.v_SystemResourceList
      GROUP BY RoleName
      ORDER BY RoleName

List User Account status values and counts for each.

  • Start with a basic SQL query to identify the unique values for column User_Account_Control0 from view named v_R_User

      SELECT DISTINCT User_Account_Control0, COUNT(*) AS UserCount
      FROM dbo.v_R_User
      GROUP BY User_Account_Control0

  • Then add a dash of SQL "CASE" statement with some Oregano and Basil (for other values to match up, check out Rajnish's blog post here)...

      SELECT COUNT(*) AS UserCount,
         CASE User_Account_Control0
            WHEN 512 THEN 'Enabled'
            WHEN 514 THEN 'Disabled'
            WHEN 544 THEN 'Enabled Must Change Password'
            WHEN 66048 THEN 'Enabled Password Never Expires'
            ELSE 'You can code the others...'
         END AS UAC_Name
      FROM dbo.v_R_User
      GROUP BY User_Account_Control0
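
The same breakdown by individual flag bit rather than by exact value, as an added example that is not from the original post.  The bit values 2, 32 and 65536 are the documented Active Directory userAccountControl flags ACCOUNTDISABLE, PASSWD_NOTREQD and DONT_EXPIRE_PASSWORD; the view and column are the ones used above.

```sql
-- Added example: decode User_Account_Control0 with bitwise tests so that
-- combined values (for example 66050 = disabled + never expires) are
-- classified without listing every possible sum in a CASE.
WITH flags AS (
    SELECT
        CASE WHEN (User_Account_Control0 & 2) = 2
             THEN 'Disabled' ELSE 'Enabled' END     AS AccountState,
        CASE WHEN (User_Account_Control0 & 65536) = 65536
             THEN 'Yes' ELSE 'No' END               AS PasswordNeverExpires,
        CASE WHEN (User_Account_Control0 & 32) = 32
             THEN 'Yes' ELSE 'No' END               AS PasswordNotRequired
    FROM dbo.v_R_User
    WHERE User_Account_Control0 IS NOT NULL          -- skip users with no value discovered
)
SELECT AccountState, PasswordNeverExpires, PasswordNotRequired,
       COUNT(*) AS UserCount
FROM flags
GROUP BY AccountState, PasswordNeverExpires, PasswordNotRequired
ORDER BY UserCount DESC;
```

Rows where AccountState is 'Enabled' and either of the other two columns is 'Yes' are the accounts worth reviewing first.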

List computers a particular AD user has logged onto within the past 30 days...

  • Find logins for user "doofus" on domain "contoso".  Join v_R_System with v_GS_SYSTEM_CONSOLE_USER on ResourceID and filter on the SystemConsoleUser0 column.  Then add a DateDiff() filter to restrict on logons within the last 30 days...

      SELECT
         dbo.v_R_System.Name0 AS ComputerName,
         dbo.v_GS_SYSTEM_CONSOLE_USER.LastConsoleUse0 AS LastLogon,
         dbo.v_GS_SYSTEM_CONSOLE_USER.NumberOfConsoleLogons0 AS NumberLogons,
         dbo.v_GS_SYSTEM_CONSOLE_USER.SystemConsoleUser0 AS UserID,
         dbo.v_GS_SYSTEM_CONSOLE_USER.TotalUserConsoleMinutes0 AS LogonTotalTime
      FROM dbo.v_GS_SYSTEM_CONSOLE_USER INNER JOIN
         dbo.v_R_System ON dbo.v_GS_SYSTEM_CONSOLE_USER.ResourceID =
            dbo.v_R_System.ResourceID
      WHERE
         (dbo.v_GS_SYSTEM_CONSOLE_USER.SystemConsoleUser0 = 'contoso\doofus')
         AND (DATEDIFF(dd, dbo.v_GS_SYSTEM_CONSOLE_USER.LastConsoleUse0, GETDATE()) < 30)

Need to identify Advertisements pointed at Direct-membership Collections?

  • Join v_Advertisement to v_Package, and v_Collection, and sub-query against v_CollectionRuleDirect using CollectionID as the filtering column...

      SELECT
         -- the first two columns and the sort column are assumed; the original list is incomplete
         dbo.v_Advertisement.AdvertisementName,
         dbo.v_Package.Name AS PackageName,
         dbo.v_Collection.Name AS CollectionName
      FROM dbo.v_Advertisement INNER JOIN
         dbo.v_Collection ON dbo.v_Advertisement.CollectionID =
            dbo.v_Collection.CollectionID INNER JOIN
         dbo.v_Package ON dbo.v_Advertisement.PackageID =
            dbo.v_Package.PackageID
      WHERE (dbo.v_Collection.CollectionID IN
         (SELECT DISTINCT CollectionID FROM dbo.v_CollectionRuleDirect))
      ORDER BY CollectionName

Need to find computers with every version of Internet Explorer?

  • Well, you might expect to query v_GS_Installed_Software_Categorized or the ARP tables, but remember that IE10 and 11 came out as KB updates for some platforms.  So best to query v_GS_Software_Product.  Note that some entries (ProductName0 LIKE 'Internet Explorer%') OR (ProductName0 LIKE 'Windows%Internet Explorer%') will produce the version within the product name, while others will only show "Internet Explorer" and the version in the ProductVersion0 column.  Drink plenty of coffee and enjoy that.  Don't forget to filter out the double counted items (yes, they are hiding there).  Don't be surprised if you need to crack open your dusty T-SQL book and brush up on the CASE statement.  I'll let you have fun with this one, and I'll post my take on it later.

If I get more coffee in me and feel motivated, I may post more.  Let me know if these are helpful?
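
One possible take on the Internet Explorer inventory described above, added here as an example; it is not the author's promised follow-up.  The view and column names are the ones the post mentions, and it assumes the double counts are rows for the same client that normalize to the same major version.

```sql
-- Added example. View and column names are taken from the post; verify them
-- against your site database before running.
WITH ie AS (
    SELECT DISTINCT      -- one row per client and major version removes double counts
        sp.ResourceID,
        CASE
            -- version carried in the name, e.g. 'Windows Internet Explorer 9'
            WHEN sp.ProductName0 LIKE '%Internet Explorer [0-9]%'
                THEN LEFT(t.Tail, PATINDEX('%[^0-9]%', t.Tail) - 1)
            -- otherwise the major number of ProductVersion0, e.g. '11.0.9600.17031'
            WHEN sp.ProductVersion0 LIKE '[0-9]%.%'
                THEN LEFT(sp.ProductVersion0, CHARINDEX('.', sp.ProductVersion0) - 1)
            ELSE 'Unknown'
        END AS IEMajorVersion
    FROM dbo.v_GS_Software_Product AS sp
    CROSS APPLY (
        -- text following 'Internet Explorer ' (18 characters), padded with a
        -- space so PATINDEX always finds a non-digit to stop at
        SELECT SUBSTRING(sp.ProductName0,
                   PATINDEX('%Internet Explorer [0-9]%', sp.ProductName0) + 18,
                   10) + ' ' AS Tail
    ) AS t
    WHERE (sp.ProductName0 LIKE 'Internet Explorer%')
       OR (sp.ProductName0 LIKE 'Windows%Internet Explorer%')
)
SELECT IEMajorVersion, COUNT(DISTINCT ResourceID) AS ComputerCount
FROM ie
GROUP BY IEMajorVersion
ORDER BY ComputerCount DESC;
```

Clients that land in the lowest major versions, or in 'Unknown', are the ones to chase for patching or a fresh inventory cycle.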

Wednesday, June 25, 2014

Software Vendor Product Names 2.0 R2 Update 2, Release 1.1

What would your vendor name the next cool app that calculates bodily waste based on a hypothetical wrist-attached food consumption detection device (Bluetooth connected, of course)?

Microsoft Active System Center Excrement Analysis Server, Ultimate Extras Premium Enterprise DataCenter Edition 2015 R2

Bouncing Bowelbuster or Fancy Fudgeflinger

Mmmm.  I can almost smell the improvements.