SQL SPNs can really bite you in the you know what
I was moving some databases from local SQL servers to one remote SQL server. The new Remote box is a SQL 2008 R2 box and I do have to say I like SQL 2008 and R2 a lot. Anyway I was moving a SCCM 2007 R2 SP2 Site database and the VMM 2008 R2 database to this server and nothing was quite working right. It for some reason was trying to authenticate with NT Anonymous logon which I of course didn't wnat to open up my database to everybody and their brother. So i researched a bit and found this article:
http://poseidom.wordpress.com/2007/12/16/set-spn-for-sql-2005-sccm-remote-sql-fix/
I know it is for SQL 2005 however it works on SQL 2008 and R2 just as well and I would actually say you should do that with every SQL server, that uses a domain service account, you got because sooner or later you will run into that problem.
I actually did the Method 2 on his blog because i might want some more instances and i don't want to worry about SPNs any more! (also for teh 2nd Method you don't need the port numbers)
Method 1: The “Right” way
- Install the Windows 2003 support tools somewhere on a machine in the domain
- Login as a Domain Admin
- Run setspn -A MSSQLSvc/<FQDN> <SQL_Service_Account> Note YOU MUST USE THE FQDN
- Run setspn -A MSSQLSvc/<FQDN>:<Port> <SQL_Service_Account> Note YOU MUST USE THE FQDN, and the most common port is 1443
- Run setspn -L <SQL_Service_Account> validate that “servicePrincipalName:” has been set like you expect
- Restart the SQL server after AD replication has completed
- Run the following query on the SQL server; this MUST return KERBEROS:
select auth_scheme from sys.dm_exec_connections where session_id=@@spid
Method 2: The “easy” way
In adsiedit grant the service account the ability to write the servicePrincipalName to “SELF”
Taken from: http://support.microsoft.com/kb/319723
-
- Click Start, click Run, type Adsiedit.msc, and then click OK.
- Note The ADSIEdit tool is included in the Windows Support Tools. To obtain the Windows Support Tools, visit the following Microsoft Web site: http://www.microsoft.com/downloads/details.aspx?familyid=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en
- In the ADSI Edit snap-in, expand Domain [DomainName], expand DC= RootDomainName, expand CN=Users, right-click CN= AccountName , and then click Properties.
- DomainName is a placeholder for the name of the domain.
- RootDomainName is a placeholder for the name of the root domain.
- AccountName is a placeholder for the account that you specify to start the SQL Server service.
- If you specify the Local System account to start the SQL Server service, AccountName is a placeholder for the account that you use to log on to Microsoft Windows.
- If you specify a domain user account to start the SQL Server service, AccountName is a placeholder for the domain user account.
- In the CN= AccountName Properties dialog box, click the Security tab.
- On the Security tab, click Advanced.
- In the Advanced Security Settings dialog box, make sure that SELF is listed under Permission entries.
- If SELF is not listed, click Add, and then add SELF.
- Under Permission entries, click SELF, and then click Edit.
- In the Permission Entry dialog box, click the Properties tab.
- On the Properties tab, click This object only in the Apply onto list, and then click to select the check boxes for the following permissions under Permissions:
- Read servicePrincipalName
- Write servicePrincipalName
- Click OK two times.
- Click Start, click Run, type Adsiedit.msc, and then click OK.
Of course the first method is more secure and probably better for most environments but if your environment is like mine where stuff changes every week I would go with Method 2.
Anyway now both SCCM and VMM are happy like never before. They like not having a SQL server on the same box.
Andreas
Silently deploy Adobe CS5 (or CS4)
Just the other day my company bought a few volume licenses for Adobe Illustrator CS5. So I thought hey lets do a silent deployment through SCCM.
After looking up some things on google I came across the Adobe Developer Connection site where I found a nice little toolkit that can create silent installs:
http://www.adobe.com/devnet/creativesuite/enterprisedeployment.html
By the way there is one for the CS4 version as well and if your company doesn't have a volume key you can still customize the install and have it ask for a serial.
Have fun,
Andreas
Customize OSD deployments in SCCM
OSD in SCCM is great and can be customized very easily.
I first ran across a great HTA script written by Nick Mosely. With this script you are able to add in a selection for different applications. I then edited the script to suit my needs:
This script will only run properly inside the OSD PXE environment (it might run inside OSD before the restart as well but I didn't test that)
My script sets a bunch of OSD variables that then install the applications. In order to set the computer name and if needed add a user to the Administrators group I use:
With this little tool you can use regex to check and make sure that the computer name follows the corporate standards (if any).
Recently I have also discovered a nice little program that might soon replace the HTA script because it just looks so much better:
With this program the really cool thing is that you can create application sets in order to force applications for certain sites. You can also enforce certain applications but leave others open for selection/deselection.
If I actually have some time I might end up redoing my script inside the OSDAppChooser. We will see.
And actually before I forget about it. Here is my script to add a user to the local Admin group. I kind of added the script together from several different places and added my own touches to it. It might not be pretty but it works. This script has to be run during the last part of the OSD setup phase (when it installs the software as well) I first grab the user name from the OSD variable Local_Admin then I add it to that admin group:
Later,
Andreas