Overclockers Australia Forums

Old 11th January 2017, 2:42 PM   #286
looktall
Working Class Hero
 
looktall's Avatar
 
Join Date: Sep 2001
Location: brabham.wa.au
Posts: 22,800
Default

Quote:
Originally Posted by freaky_beeky View Post
But you have ADRs configured to automatically patch your WIMs right? So it shouldn't really matter.
unfortunately not.
i have ADR's configured to patch existing machines, but i'm not able to use SCCM for image deployment.
we just don't have the bandwidth.

we do builds offline using MDT.
the image is built, WSUS runs and then the image is sysprep'd and captured for deployment via MDT.
looktall is offline   Reply With Quote

Old 11th January 2017, 2:47 PM   #287
elvis
Old school old fool
 
elvis's Avatar
 
Join Date: Jun 2001
Location: Brisbane
Posts: 28,479
Default

Quote:
Originally Posted by looktall View Post
https://technet.microsoft.com/en-us/.../ms17-jan.aspx



how the hell did they manage to do that?
L33t Hax0rz gave up and spent Christmas with their families instead of in front of a computer?
__________________
Play old games with me!
elvis is online now   Reply With Quote
Old 11th January 2017, 2:51 PM   #288
Dukey
Member
 
Dukey's Avatar
 
Join Date: Dec 2002
Posts: 305
Default

Quote:
Originally Posted by XtehseA View Post
Has anyone had issues with ADAC or the SCCM management console?

Apparently December's patches break it.

https://www.askwoody.com/2016/decemb...ts-properties/
Good find, thanks for that.
Will do some testing this week on this (sccm console)
Dukey is offline   Reply With Quote
Old 11th January 2017, 3:17 PM   #289
freaky_beeky
Member
 
freaky_beeky's Avatar
 
Join Date: Dec 2004
Location: Brisbane
Posts: 875
Default

Quote:
Originally Posted by looktall View Post
unfortunately not.
i have ADR's configured to patch existing machines, but i'm not able to use SCCM for image deployment.
we just don't have the bandwidth.

we do builds offline using MDT.
the image is built, WSUS runs and then the image is sysprep'd and captured for deployment via MDT.
How does MDT save you bandwidth compared to having it in SCCM? I remember reading about your network topology before, but can't seem to think of it now.
__________________
i own a pc
freaky_beeky is offline   Reply With Quote
Old 11th January 2017, 3:29 PM   #290
looktall
Working Class Hero
 
looktall's Avatar
 
Join Date: Sep 2001
Location: brabham.wa.au
Posts: 22,800
Default

Quote:
Originally Posted by freaky_beeky View Post
How does MDT save you bandwidth compared to having it in SCCM? I remember reading about your network topology before, but can't seem to think of it now.
the links between our sites aren't particularly high.
pushing content out to the DP's from the primary site server is a slow process that is often needed to be done out of standard business hours (and considering most of our sites run 24/7 even that can have a large impact).

instead we have a dedicated build server at about 8 sites configured with MDT, WSUS etc.
the images are built on and deployed from those servers to their respective sites, by the local onsite IT support.

drivers complicate matters too.
we don't run a fleet of pc's consisting of only 2-3 models, that get replaced every x years.
instead it is a list of various models as long as your arm dating back to the dawn of time.
managing the driver content on the DP's would be a fucking nightmare.
instead the drivers are managed on the MDT build servers by the local onsite IT support.
looktall is offline   Reply With Quote
Old 12th January 2017, 1:34 PM   #291
freaky_beeky
Member
 
freaky_beeky's Avatar
 
Join Date: Dec 2004
Location: Brisbane
Posts: 875
Default

Quote:
Originally Posted by looktall View Post
the links between our sites aren't particularly high.
pushing content out to the DP's from the primary site server is a slow process that is often needed to be done out of standard business hours (and considering most of our sites run 24/7 even that can have a large impact).

instead we have a dedicated build server at about 8 sites configured with MDT, WSUS etc.
the images are built on and deployed from those servers to their respective sites, by the local onsite IT support.

drivers complicate matters too.
we don't run a fleet of pc's consisting of only 2-3 models, that get replaced every x years.
instead it is a list of various models as long as your arm dating back to the dawn of time.
managing the driver content on the DP's would be a fucking nightmare.
instead the drivers are managed on the MDT build servers by the local onsite IT support.
I think if you looked at the situation again you might reconsider your approach (depending on how many models you really have and how long it would take to test them).

If you enable binary differential replication on your WIM file you may be surprised at how little information ends up being transferred to your remote sites, (although this definitely increases the compute load at the other end).

Management of your WSUS/SUP would be very similar to what it is now.

The issue of requiring updates to content (pushing out things from the "central" DP or DPs to remote DPs) can be managed all via the Rate Limits tab within SCCM. You could throttle during "peak times" (or disable it completely, which is the option I have taken in most sites) and increase the rate for "off peak" times.

The drivers would be the hardest part, but with SCCM 2012, the driver management is *significantly* easier than 2007 (if that's what has raised your concern). You could just import them all into SCCM 2012 and just create a per site package (temporarily until you work out how best to organise them). Then you could just use an Auto Apply Driver step, rather than what I assume you're doing, which is apply each "models" or each "sites" driver pack to their respective build.

These driver packages can also be deployed to remote sites with binary differential compression to minimise the impact to your links.

I imagine if you started to centrally manage your drivers, you would find that it actually isn't that hard to manage for wide and varying degrees of hardware. For example if you split the categories into video, system, network etc... If you pull down the current versions for the major vendors I think you will find it easy to manage new version upgrades, as well as reduce the overall size of the driver store. The tough part of finding the odds and bobs for weird devices around the place has already been done for you, you simply need to find which of these (from your collection of drivers from sites) are actually required.

Some of the benefits of this system would be the automated deployment of updates to all your machines centrally, the automated and centralised maintenance of your "SOE" WIM and the reduced overhead from having to manage all the individual instances, not to mention the centralised reporting of it all.

I don't expect that you'll do this, but just thought it might be some food for thought.
__________________
i own a pc
freaky_beeky is offline   Reply With Quote
Old 12th January 2017, 1:46 PM   #292
looktall
Working Class Hero
 
looktall's Avatar
 
Join Date: Sep 2001
Location: brabham.wa.au
Posts: 22,800
Default

Quote:
Originally Posted by freaky_beeky View Post
I don't expect that you'll do this, but just thought it might be some food for thought.
thanks for the advice and you're correct i won't be doing this but primarily because i'm looking for a new job elsewhere so i am disinclined to put any effort into the current situation.

hopefully wherever i end up working next has an existing setup in place that i can maintain and/or improve on.
if not, perhaps then i can look into building it all up from scratch in a better fashion than what i currently have.
looktall is offline   Reply With Quote
Old 12th January 2017, 3:09 PM   #293
freaky_beeky
Member
 
freaky_beeky's Avatar
 
Join Date: Dec 2004
Location: Brisbane
Posts: 875
Default

Quote:
Originally Posted by looktall View Post
thanks for the advice and you're correct i won't be doing this but primarily because i'm looking for a new job elsewhere so i am disinclined to put any effort into the current situation.

hopefully wherever i end up working next has an existing setup in place that i can maintain and/or improve on.
if not, perhaps then i can look into building it all up from scratch in a better fashion than what i currently have.
I've worked in quite a number of environments now, and I can't recall walking into one and thinking it couldn't use some improvements. With regards to SCCM specifically, it's almost like every business either Next Wizards the install, or gets an MSP to deploy a cookie cutter mould to their environment leading to all kinds of unreliability and general awkwardness. I'm sure if you find yourself a new environment you'll have plenty of work to do! (Best of luck on the job search front too)
__________________
i own a pc
freaky_beeky is offline   Reply With Quote
Old 12th January 2017, 6:19 PM   #294
tin
Member
 
tin's Avatar
 
Join Date: Jul 2001
Location: Narrabri NSW
Posts: 6,403
Default

Not very businessy, but last night's Win10 updates broke my "proper" sound card (an old SB X-Fi). The cheap Realtek HDA kept going though, so most business stuff should be fine based on that one anecdote....
Fix was to just remove the device in device manager (chose to delete the driver too - not sure if that was necessary). Worked straight away without reboot.

I'm starting to get sick of these "let's break shit" updates. Not looking forward to the update labelled "You didn't need that video card, right? (KB8403887762)".
__________________

The software required Win95 or better, so I installed Linux.
Question marks are the new full stop?
tin is offline   Reply With Quote
Old 27th January 2017, 9:04 AM   #295
PabloEscobar Thread Starter
Member
 
Join Date: Jan 2008
Posts: 9,100
Default

Win10 Update doesn't play nice with Wsus

https://support.microsoft.com/en-us/...-by-using-wsus
PabloEscobar is offline   Reply With Quote
Old 31st January 2017, 3:42 PM   #296
freaky_beeky
Member
 
freaky_beeky's Avatar
 
Join Date: Dec 2004
Location: Brisbane
Posts: 875
Default Root Certification Authorities - Missing Certs

Hey All,

Since January (as a result of what I presume was Microsoft's SHA1 expiration) any PC that we image up with our previously working Windows 10 build is missing a huge number of certificates from the Trusted Root Certification Authorities and Third-Party Root Certification Authorities. I've had a look on some of the older machines and confirmed they were signed with SHA1, but thought that they would be exempt.

We've disabled the following Group Policy:
Code:
Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings
Turn off Automatic Root Certificates Update
Which relates to the following reg key
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate
This allows the certificate store to be updated from Microsoft via Windows Updates. This starts populating the store with certificates as you hit them, e.g. navigating to various websites adds the root cert to the trusted store, however it does not return them all to the store and is causing other issues for us.

The major issue is that it is preventing our internally hosted PAC file from functioning as expected, despite being hosted on HTTP (rather than HTTPS).

Anyone else run into this? I'm assuming this should be a relatively easy fix, however I just can't seem to work it out.
__________________
i own a pc
freaky_beeky is offline   Reply With Quote
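A way to pin down which roots a freshly imaged machine is missing, as an added example that is not part of the original post: it reads the policy value named above and diffs the two root stores against an inventory exported from a working machine. It assumes the certificate-store names `Root` (Trusted Root Certification Authorities) and `AuthRoot` (Third-Party Root Certification Authorities); the CSV paths are hypothetical placeholders.

```powershell
# Added diagnostic example (not from the thread). Run elevated on each machine.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'

function Get-RootAutoUpdateState {
    # DisableRootAutoUpdate = 1 means automatic root updates are turned off.
    $prop = Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'Not configured (auto-update allowed)' }
    if ($prop.DisableRootAutoUpdate -eq 1) { return 'Auto-update turned OFF by policy' }
    return 'Auto-update allowed by policy'
}

function Get-RootStoreInventory {
    # One row per certificate in the two machine-wide root stores.
    foreach ($store in 'Root', 'AuthRoot') {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                SigAlg     = $_.SignatureAlgorithm.FriendlyName
                NotAfter   = $_.NotAfter
            }
        }
    }
}

# Hypothetical paths: export on a known-good machine, copy the file across.
$referenceCsv = 'C:\Temp\roots-known-good.csv'
$localCsv     = 'C:\Temp\roots-this-machine.csv'

"Policy state: $(Get-RootAutoUpdateState)"
$local = @(Get-RootStoreInventory)
$local | Export-Csv -Path $localCsv -NoTypeInformation
$local | Group-Object Store | ForEach-Object { "{0}: {1} certificates" -f $_.Name, $_.Count }

if (Test-Path $referenceCsv) {
    $reference = @(Import-Csv -Path $referenceCsv)
    # '<=' marks entries present in the reference inventory but absent here.
    $missing = Compare-Object -ReferenceObject $reference -DifferenceObject $local `
                   -Property Store, Thumbprint -PassThru |
               Where-Object SideIndicator -eq '<='
    "Missing compared with reference: $(@($missing).Count)"
    $missing | Sort-Object Store, Subject |
        Format-Table Store, SigAlg, NotAfter, Subject -AutoSize
} else {
    "No reference inventory at $referenceCsv; run this on a working machine first."
}
```

The `SigAlg` column shows whether the missing roots are the SHA1-signed ones, which is the presumption made in the post.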
Old 31st January 2017, 6:04 PM   #297
PabloEscobar Thread Starter
Member
 
Join Date: Jan 2008
Posts: 9,100
Default

May not be relevant, but I did notice

Addressed issue that loads websites that bypass the proxy server in the local intranet zone when the Intranet Sites: Include all sites that bypass the proxy server (Disabled) is set.

In the patch notes for the latest build. We've had some strangeness with what Windows determines as a "Local" site (anything with a (.) in it, was classed as not local). G fucking G.
PabloEscobar is offline   Reply With Quote
Old 31st January 2017, 7:06 PM   #298
rainwulf
Member
 
Join Date: Jan 2002
Location: bris.qld.aus
Posts: 3,891
Default

Quote:
Originally Posted by PabloEscobar View Post
May not be relevant, but I did notice

Addressed issue that loads websites that bypass the proxy server in the local intranet zone when the Intranet Sites: Include all sites that bypass the proxy server (Disabled) is set.

In the patch notes for the latest build. We've had some strangeness with what Windows determines as a "Local" site (anything with a (.) in it, was classed as not local). G fucking G.
Ran into that myself too. Thought it was bizarre. Had to pull a copy of the security zone information from a working machine.
__________________
derp
rainwulf is offline   Reply With Quote
Old 1st February 2017, 9:31 AM   #299
freaky_beeky
Member
 
freaky_beeky's Avatar
 
Join Date: Dec 2004
Location: Brisbane
Posts: 875
Default

Thanks for the suggestion. I used the short name rather than the FQDN for my PAC file path but unfortunately that had no effect.

If I image a new machine now, I cannot navigate to any website unless I explicitly specify the proxy rather than use the (working everywhere else) auto-configuration PAC.

Strangely enough if I leave the home page to load for an excessively long time (minutes) it will eventually load up as long as I have the aforementioned Group Policy configured to allow it to pull down the certificate. This website's parent domain is also in the Local Intranet Zone via group policy as well.
__________________
i own a pc
freaky_beeky is offline   Reply With Quote
Old 1st February 2017, 10:23 AM   #300
looktall
Working Class Hero
 
looktall's Avatar
 
Join Date: Sep 2001
Location: brabham.wa.au
Posts: 22,800
Default

What if you use an IP address for your PAC file path?
looktall is offline   Reply With Quote