Before You Install System Center … Clean Up Those Computer Accounts

First, I hope you’ve done some planning/architecture/proof of concept.  Next, clean up the environment.  Products that deploy agents, such as System Center Essentials (SCE), Configuration Manager (SCCM/ConfigMgr), and Operations Manager (SCOM/OpsMgr), will allow you to track the success of agent deployment.  And if your network is like most others I’ve encountered over the years, nobody has bothered to clean up the inactive/obsolete computer accounts.  Computer discovery will most likely be based on computer accounts found in Active Directory.  It may find computer accounts that have been there since 2000 and are no longer valid.  It may find 50% more computer accounts than actually exist.

Before you deploy agents you need to do some spring cleaning.

Computer Accounts

My favourite tool for this in the past was oldcmp.  The page doesn’t list Windows 2008 or 2008 R2.  I last used it with Windows Server 2008 in a lab and it worked fine.  It allowed you to work with user and computer accounts:

  • Report only
  • Disable
  • Move and disable (to a “disabled” OU)
  • Delete

The last time I was an admin of a large environment I was very fussy about inactive accounts.  We used to run oldcmp as a scheduled task on a monthly basis.

If you want something that is supported then try this.  Identify & disable computer accounts that were inactive for the last 4 weeks:

dsquery computer -inactive 4 | dsmod computer -disabled yes

Then you can identify and delete computer accounts that have been inactive for the last 8 weeks:

dsquery computer -inactive 8 | dsrm -noprompt

Put that in a script and run it every month and you’ll automate the cleanup nicely.  Inactive machines for the last 4 weeks will be disabled and you can re-enable them if a user complains.  After 8 weeks, they get completely removed.  If you have people away for longer periods then you can extend this, e.g. disable after 26 weeks and delete after 52 weeks.  Or you might bundle that caution about deleting with a secure mindset, e.g. disable after 4 weeks and delete after 52 weeks.

Note: dsquery, dsmod, and dsrm can be easily used for lots more, e.g. user accounts. Check the help (at command prompt) and test-test-test before putting it into use.  You probably can do all of this with PowerShell and the useful -WhatIf flag.
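The same disable-then-delete cycle in PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory module (RSAT) is installed; the OU names and the example.com domain are hypothetical placeholders, and the move to a "disabled" OU borrows the oldcmp option listed earlier.

```powershell
# Added example: two-stage stale computer account cleanup (delete, then disable).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$DisableAfterWeeks = 4,
    [int]$DeleteAfterWeeks  = 8,
    # Hypothetical OUs: replace with your own distinguished names.
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=com',
    [string]$DisabledOU = 'OU=Disabled Computers,DC=example,DC=com'
)
Import-Module ActiveDirectory -ErrorAction Stop
$stamp = Get-Date -Format 'yyyy-MM-dd'

# Stage 1 (runs first): delete only accounts that an earlier run already
# disabled and parked in the disabled OU. Running this before the disable
# stage guarantees every account gets one full cycle of grace.
$expired = @(Search-ADAccount -AccountInactive -ComputersOnly -SearchBase $DisabledOU `
                 -TimeSpan (New-TimeSpan -Days ($DeleteAfterWeeks * 7)) |
             Where-Object { -not $_.Enabled })

foreach ($c in $expired) {
    if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Delete computer account')) {
        # -Recursive also removes child objects stored under the computer object.
        Remove-ADObject -Identity $c.ObjectGUID -Recursive -Confirm:$false
    }
}

# Stage 2: disable enabled computers that have not logged on within the window.
$stale = @(Search-ADAccount -AccountInactive -ComputersOnly -SearchBase $SearchBase `
               -TimeSpan (New-TimeSpan -Days ($DisableAfterWeeks * 7)) |
           Where-Object { $_.Enabled })

foreach ($c in $stale) {
    if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Disable and move to disabled OU')) {
        # Record when and why, so a re-enable request can be traced back.
        $note = "Disabled $stamp, last logon $($c.LastLogonDate)"
        Set-ADComputer    -Identity $c.ObjectGUID -Description $note
        Disable-ADAccount -Identity $c.ObjectGUID
        Move-ADObject     -Identity $c.ObjectGUID -TargetPath $DisabledOU
    }
}

# One-line summary for the scheduled task log.
"{0}: {1} matched for deletion, {2} matched for disabling" -f $stamp, $expired.Count, $stale.Count
```

Run the script with -WhatIf first to get a report-only pass. Search-ADAccount -AccountInactive relies on the replicated lastLogonTimestamp attribute, which by default can lag a real logon by up to about two weeks, so keep both thresholds comfortably above that.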

DNS Records

I hate stale DNS records because they can lead to all sorts of false positives when there is IP address re-use, especially when trying to remotely manage/connect to PCs in a DHCP environment.  You can configure DNS scavenging of stale records on a DHCP server (for all zones) or on a per zone basis.


Be careful with this one.  I’ve been especially careful with the intervals since the 2003 days when I had a Premier support call open.  Scavenging didn’t like me using smaller intervals, even if they were correctly configured.

Once you have the environment cleaned up, you can start deploying agents.  Now when you see a “failed” message, you know you can take it seriously and schedule a human visit.

Note: I don’t think I’ve ever used ConfigMgr to build collections of users.  Users roam and I don’t want to install software needlessly.  But ConfigMgr 2012 will have a more reliable user-centric approach that detects a user’s primary PC.  Therefore, you’ll want to do a user clean up before deploying it … and that should be standard security practice anyway.

Book Review – Freedom ™ by Daniel Suarez

Freedom ™ (the tm mark is important!) is the sequel to the last book I reviewed, Daemon, also by Daniel Suarez.  The story continues and accelerates from the cliff hanger. 

I won’t give anything of the plot away.  This is a thriller.  IT and cyber security are mechanisms in the plot but they don’t dominate, and importantly, they don’t steal from it.  The tech does stretch a little further into the sci-fi realm than Daemon, but it’s grounded enough to not be a distraction. 

I’ll sum it up; the first thing I did when I reached the last page was check if the next book by Suarez was published yet.  I’d recommend Freedom ™ but only after you read Daemon.


VMware Updates vSphere 5.0 Licensing

I guess 90 support forum pages of customers saying they’re going to dump your product and go to the competition really made an impression on VMware.  Trying to convince the world that VMware making more money from less was a good right-sizing process for their customers didn’t quite have the desired effect.

So VMware has responded:

  • They’ve increased the vRAM entitlements for “all” editions of vSphere.  Don’t plan your party yet (see below).  I don’t see any mention of the free edition being licensed to run more than the previously mentioned 8 GB RAM per physical CPU.
  • They’re not going to force you to buy multiple vSphere licenses for “monster” VMs.  The example they give is the 1 TB VM: 1 vSphere Enterprise Plus license (96 GB RAM now) will be enough for it.  Cos that will positively impact the vast majority of virtualisation customers!
  • Short term spikes in usage won’t be counted.  Instead, they’ll “calculate a 12-month average of consumed vRAM rather than tracking the high water mark of vRAM”.  Fair enough, that’s a good improvement.

EDIT: Marcel van den Berg let me know that it’s being blogged that vSphere 5.0 free is being increased to 32 GB.  It’s not on the VMware announcement but it’s on lots of blogs.

OK, let’s recalculate Hyper-V/System Center VS vSphere Standard + vOperations.  Last time with the original v5.0 licensing, Microsoft gave more virtualisation and systems management functionality at 52% of the cost of vSphere Standard + vOperations.  The scenario was a 2U host, with 2 CPUs, 92 GB RAM, with published retail licensing costs (both sides give discounts), and 40-50 VMs.

| Product | Microsoft | VMware | Comment |
|---|---|---|---|
| Virtualisation | Free (guest licensing covers this cost) | 6 * vSphere 5 Standard Plus $5,970 | Hyper-V is included in Windows licensing so it’s free. The Microsoft option is already $5,970 ahead. |
| Windows for unlimited VMs | 2 * Windows Server DC $5,998 | 2 * Windows Server DC $5,998 | This applies to anyone on any virtualisation platform. |
| Monitoring | System Center Management Suite DC $5,240 | vCenter Operations (25 VM pack) * 2 $7,564 | Not a good comparison: MSFT option includes licensing to use all of Microsoft’s System Center products and it’s still around 1/3 cheaper! |
| Total | $11,238 | $19,532 | Now the MSFT option is only 57% of the cost of the VMware option, but thanks to System Center 2012, MSFT has some of those “critical” virtualisation features like power optimisation and DRS not in this vSphere 5 option. |

Gee, thanks VMware, the comparative cost has improved 5% in your favour, and Hyper-V & System Center Management Suite (all of the Microsoft systems management products) actually has more virtualisation and systems management functionality.  Of course, I could be really mean, and price this up with System Center Essentials instead of System Center Management Suite.  I guess that would reduce the cost of the MSFT option by just over $4,000, and still leave it ahead of vSphere Standard/vOperations on all fronts.

I think it’s time once again to see if you’re still making carriages for horses.

Operations Manager 2007 R2 Downloads – RHEL 6 Support

Cumulative Update 5 for System Center Operations Manager (SCOM/OpsMgr) 2007 R2 was released last night.

And now Red Hat Enterprise Linux 6 is supported (catching up with Hyper-V)!

There are more details on the CU5 support page.

A new Cross-Platforms management pack was also released.  Oddly, the download page mentions RHEL 4 and 5 as supported but not RHEL 6, which is newly supported with CU5.  Don’t worry, the MP’s Word document does mention that RHEL 6 is actually supported by the new MP version.  It also mentions a few other fixes and new features of the MP.

VMM 2012 Beta Crash: VmmAdminUI has stopped working

I got this crash when trying to view the properties of a virtual machine in VMM 2012 beta console.  Fellow MVP, Mohamed Fawzi (Virtual Machine Manager), had the fix.

It’s a PowerShell command that you need to run from the VMM PowerShell window.  Before that will work, you need to run:

set-executionpolicy unrestricted
