SCCM 2012 Migration

This page answers frequently-asked questions about the migration from the SCCM 2007r3 environment to the SCCM 2012 environment.  Click on a link below to jump to that section.

 

What is the timeline for the migration?

  • Thursday, November 1st – SCCM 2007r3 environment frozen (permissions removed), WDS clients changed to 2012
  • Friday, November 2nd – Migration Begins: Engineering, Domain-level Servers, CHASS, Textiles
  • Saturday, November 3rd – Migration: CNR, PAMS, STUAFF, ITD\DUAP, DESIGN, COM, DELTA, EHPS, RESEARCH
  • Sunday, November4th – Migration: CALS, CED, CVM, LIB
  • Monday, November 5th – Migration: OIT
  • Tuesday, November 6th-Friday, November 9th – Resolve any lingering client migration issues
  • Monday, November 12th – SCCM 2007r3 environment decommissioned

What additional information is available about the migration?

The migration checklist includes all sorts of extra notes, and is viewable here: Production SCCM 2012 Migration Checklist

What does SCCM do again?

System Center Configuration Manager does software deployment, patch deployment, operating system deployment, inventory, and client configuration management tasks like power management, maintenance windows, and so forth.  Currently SCCM handles the vast majority of software deployment at NCSU.  SCCM also is used heavily in OS deployment for lab reinstalls and is in testing for patch deployment.

How do I get access to the SCCM 2012 Console?

Note: The 2012 Console can be installed side by side with the 2007r3 console. During the migration, you will probably reference both consoles to be able to track the status of your clients through the migration.

  1. Install the SCCM 2012 Console from here:
    \\wolftech.ad.ncsu.edu\engr\coedean\ou_admins\SCCM 2012 Console\AdminConsoleSetup\ConsoleSetup.exe
  2. Enter: OIT200SCCM-SS.OIT.NCSU.EDU for the Site Server
  3. Install the Configuration Manager Toolkit from here (optional):
    \\wolftech.ad.ncsu.edu\engr\coedean\ou_admins\SCCM 2012 Console\AdminConsoleSetup\ConfigMgrTools.msi
    Note that you should only install the client portion of the toolkit!
  4. Install the SCCM 2012 Right Click Tools from here (may not be updated for SP1):
    \\wolftech\engr\coedean\ou_admins\SCCM 2012 Console\ConfigMgr-2012-Right-Click-Tools\Right Click Tools Install.cmd
    Right Click Tools for 2012 currently require the Powershell Execution Policy to be set to RemoteSigned in order to function as it generates a Powershell script on the fly as part of its execution.
  5. If you skipped installing the Configuration Manager Toolkit, Get a copy of cmtrace (replacement for trace32):
    \\wolftech\engr\coedean\ou_admins\SCCM 2012 Console\cmtrace.exe
  6. SCCM Client Center has been updated for SCCM 2012.  It is installable from http://sccmclictr.codeplex.com/ as a ClickOnce package.  This will ensure that you get the latest version available each time you launch the application.

What is the best way to get help post server migration?

Please direct any questions via the activedirectory@lists.ncsu.edu mailing list or the activedirectory@jabber.eos.ncsu.edu chat room.  SCCM project team members will be monitoring both locations during the migration. If you have a question, there are probably more people who also have or will have that same question. Additionally, there are many other IT staff on campus who can and will provide community support in those locations.

What differences will the End Users see?

First off, this SCCM upgrade will not affect the users ability to login, access drive, printers, and so forth. Overall, end users have little impact from SCCM, but the following things will happen:

  • The “Run Advertised Programs” Control Panel Applet will be removed and replaced by the “Software Center” which will be in the Start Menu
  • Deployments of Applications and Operating Systems will reach the computer much faster due to changes in Delta Discovery
  • The local client cache (where it downloads packages before installing them) will be invalidated (as it references the old 2007r3 environment), so any downloaded, but not yet installed applications will be downloaded again

Where can I find the various client components?

  • Cache: C:\Windows\ccmcache
  • Log Files: C:\Windows\CCM\Logs (Description of the different log files)
  • Software Center: Start Menu\All Programs\Microsoft System Center 2012\Configuration Manager\Software Center

Will software, patches, or OS’s previously deployed re-deploy to clients?

No. All assets that can be deployed by SCCM 2007r3 have a unique ID that is kept track of in the client computer’s registry.  These ID’s are preserved when migrated from 2007r3->2012. When evaluating the list of deployments assigned to the computer, it will see that these assets had previously been deployed and they will be skipped.

Keep in mind that this is only true if SCCM did the install.  If a local admin ran an installer out of the SCCM cache to install an application, then SCCM didn’t install it.  When migrating to 2012, it will look like a new distribution.  Most of the time this will not cause a problem because the installer will simply run through a second time and it will not change anything.  But a particularly badly written installer may cause issues.  Moral of the story is to let SCCM run an installer itself if it has a mandatory deployment to a computer.

Why doesn’t the number of computers in my collection match between 2007r3 and 2012?

SCCM 2012 System Discovery supports skipping computer objects where the lastlogintimestamp attribute shows that the computer has not logged into the domain in a long time.  We will be setting this setting to skip computers that haven’t talked to the domain in over 180 days.  This means that old computer objects for computers long gone will not show up.

Will I receive a report of skipped computers so I can attempt to track them down?

Not unless there are a significant percentage of your machines that are not migrating, even after the server push portion of the migration. You should be able to have both the 2007r3 and 2012 clients up and keep track of which clients have moved.

Is a reboot required to install the client?

No.  However, as with any software uninstall/install, there is the possibility that there are pending OS updates or file locks or such that will block any action until a reboot happens.  So while a reboot is not required, there is the possibility that individual machines will require one because of specific issues on that machine.  Since one of the installation methods we are using includes a startup script, rebooting any troublesome client should cause the SCCM 2012 agent install to progress immediately upon reboot.

As an OU admin what steps do I need to take in preparation for my department’s migration?

By reading this FAQ, you are positioning yourself well in terms of preparedness for the migration.  Watching this page, the activedirectory@lists.ncsu.edu email list, and the activedirectory jabber chat room will ensure that you have the latest information available.  Lastly, you may want to ensure that any custom software packages you have created with a source directory for data has the correct permissions to allow the 2012 environment to read those source directories.  In other words, if you have granted permissions to oit100sccm-ss on any of your file servers, you need to change those permissions to instead be granted to the OIT-Servers-SCCM group.

Help! Computer X has “Client: No” in the console!

This could be for a number of reasons:

  • The dnshostname attribute is not resolvable in DNS. This means the client cannot autoenroll for a certificate that is required for SCCM to function.  This requirement is unchanged from 2007r3.
  • The computer has not attempted the client upgrade from 2007r3->2012 for some reason (unplugged, lack of networking, hung/frozen at a bluescreen, etc)..
  • In the 2012 console, you can add a “Last Installation Error” column to help you diagnose installation issues.

List of Computers that talked to SCCM 2007 on 11/10/2012 – 11/12/2012

How do we fix failed installs?

This section will be populated as we encounter client installation issues during the migration. Check back later.

Certificate Still Required:

Similar to 2007r3, the client requires a cert in order to be able to talk to SCCM. And to get a cert, the client’s dnshostname attribute must be resolvable in DNS.  So if you have laptops not in DNS at all or computers with the wrong DNS suffix, they will not work with SCCM.

2012 Client won’t finish install:

The client upgrade process requires that certain values that we have assigned to the client via group policy in the past be removed.  If your machine has problems with group policy processing, you will have the client installed, but it won’t ever connect to the 2012 infrastructure, and thus show “Client: No” in the console.  This is exhibited on the machine as group policy processing errors that show up in the Application event log from the “Group Policy Registry” source with an event ID of 8194 (you will also see references to ‘NCS’, the old site code, in various logs located in c:\windows\ccm\logs).  This problem may be caused by other group policies that have registry preference settings that fail for some reason and may not be related in any way to SCCM.  The startup script that we have applied across the domain should fix this automatically the next time you reboot the computer, but if it doesn’t for some reason, you need to delete following registry keys from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client:

  • GPRequestedSiteAssignmentCode
  • GPSiteAssignmentRetryDuration(Hour)
  • GPSiteAssignmentRetryInterval(Min)

Off Campus:

One of the install methods we made use of was an SCCM package targeting off campus machines. There are two known issues with off campus installs.

List of Computers talking to the Fallback Status point (as of 10:00AM UTC 11/7/2012) – Check the client in the console before assuming a machine on this list is not working.  The fallback status point is contacted by any client that can’t talk to the management points for whatever reason, even well after successfully migrating.  So if you have a machine that you know is not migrated and is off campus, this might be able to tell you why.

  • Client successfully upgraded, but can’t talk to SCCM – You can tell by the fact that Software center is present in Start Menu and the client is in C:\windows\CCM). Some off campus clients can’t locate the Management Point to complete the install.  Have the user log in to the VPN.  If they are admin, have them go to Control Panel->System And Security->Configuration Manager->Site->Configure Settings->Find Site.  If they are not admin, then if they simply wait for a while on the VPN, the ccmexec service will poll AD to pull the site info.
  • Client still 2007r3 – The scheduled task setup by the SCCM package was missing the “run task as soon as possible after a scheduled task is missed” therefore a number of off-campus clients missed their migration window.  The end user can login to the VPN and run the task by hand out of the Task Scheduler (in Start Menu->Programs->Accessories->System Tools) under “Task Scheduler Library\SCCM 2012 Upgrade”. Additionally, we’ll be pushing out a modified package in the 2007r3 environment on Monday or Tuesday with a recurring schedule and hardcoding the location of a Management Point for the client to talk to.

Server Push:

There are some columns in the 2012 console that are populated with messages generated only by the server push installation method.  This is being used in conjunction with WoL to install clients that have missed both the GPO and SCCM package scheduled task upgrade times. Here are some pages that have SCCM-specific Error Codes that can be used with the “Last Installation Error” column or when looking in the C:\Windows\ccmsetup\ccmsetup.log file:

Here is the list of Error Codes from the “Last Installation Error” column.

  • 2 – The system cannot find the file specified.
  • 5 – Access denied.
  • 52 – You were not connected because a duplicate name exists on the network. Make sure there is not a duplicate name in DNS and that 2 machines don’t have the same IP in DNS.
  • 53 – Unable to locate – Likely just off.  If its on the network check http://support.microsoft.com/kb/920852 – cannot connect to admin$ – Computer Browser not started – add File/print sharing to Exceptions in Firewall – turn file and print on.
  • 58 – The specified server cannot perform The requested operation
  • 64 – The specified network name is no longer available. Source: Windows
  • 67 – network name cannot be found.
  • 86 – network password is not correct? Machine Name <> resolved name.
  • 112 – Not enough disk space
  • 1003 – Cannot complete this function.
  • 1040 – Ending a Windows Installer transaction: <> Client Process Id: <>.  Likely that two ccmsetup.exe were launched, both are running, creating a race condition.  Use task manager to kill one of the running ccmsetup.exe processes and monitor the ccmsetup.log file to confirm the other setup process continues to successful completion.
  • 1053 – The service did not respond to the start or control request in a timely fashion.
    1068 – The dependency service or group failed to start
  • 1130 – Not enough server storage is available to process this command. Source: Windows
  • 1203 – The network path was either typed incorrectly, does not exist, or the network provider is not currently available. Please try retyping the path or contact your network administrator.
  • 1208 – An extended error has occurred. Source: Windows
  • 1326 – Logon failure: unknown user name or bad password. Source: Windows
  • 1385 – Logon failure: the user has not been granted the requested logon type at this computer. Source: Windows – The site server was not allowed to install the client. Likely a reboot will install the client via the startup script.
  • 1396 – Logon Failure: The target account name is incorrect. (NBTSTAT -a reverse lookup, duplicate IP address)
  • 1450 – Insufficient system resources exist to complete the requested service. Source: Windows
  • 1789 – The trust relationship between this workstation and the primary domain failed. Source: Windows – use “netdom /reset” to fix the trust relationship
  • WMI-related – http://www.microsoft.com/en-us/download/details.aspx?id=7684 and http://windowsxp.mvps.org/repairwmi.htm:
    • 2147749889 – Generic WMI failure (Broken WMI)
    • 2147749890 – not found – Source: Windows Management (WMI)
    • 2147749904 – Invalid class – Source: Windows Management (WMI)
    • 2147749908 – Initialization failure – Source: Windows Management (WMI)
    • Computers with suspected WMI issues 11/7/2012 11:00am
  • 2147942405 – Access is Denied (Firewall rule? / Antivirus?)
  • 2147942487 – The parameter is incorrect. Source: Windows
  • 2147944122 – The RPC server is unavailable. (DCOM is possibly miss-configured for security .  http://support.microsoft.com/kb/899965 )
  • 2147944225 – A security package specific error occurred. Source: Windows
  • 2148007941 – Server Execution Failed

Here is an explanation of the “Last Status” column.

  • Started – Server Push has been enabled for the client
  • Retry – Server Push has attempted to install the client once and will retry later
  • Complete – Server Push installed the client successfully

What are the SCCM client distribution methods?

  • GPO-based startup script – This is currently default and will persist post-migration (Friday: 5pm)
  • GPO-based scheduled task (Friday: 3pm, Saturday: 7am, Sunday:7am, Monday: 8am)
  • WDS centrally-provided domain join images have the client preinstalled in the image – This is currently default and will persist post-migration (Thursday: 5pm)
  • SCCM Package-based scheduled task (Friday: 5pm, Saturday: 10am, Sunday:10am, Monday: 10am)
  • SCCM Server Push (Friday: 7pm, Saturday: 12pm, Sunday:12pm, Monday: 12pm)
  • If needed, we may additionally perform a SUP-based client install by moving the WSUS DNS alias to the 2012 SUP server

Why are my machines all turning back on?

The Windows Task Scheduler has the ability to schedule BIOS timers to wake the machine up for specific tasks.  We will be setting all scheduled task-based client distribution methods to wake the machine up so that the client installation can occur. We will also be issuing Wake on Lan (WoL) packets to machines.

Wasn’t this migration scheduled for later?

Originally the migration from SCCM 2007r3 to 2012 was planned for late November. Due to upcoming personnel changes and the fact that other projects had dependencies (Secunia installation, migration off of WSUS and KBox) on this migration, the decision was made to accelerate the timeline and migrate at the beginning of November.  The dates for migration were unanimously approved at the October 26th AD Policy Subcommittee meeting.

What are the differences in the 2012 console?

  • The UI of the 2012 console has been changed to be consistent with other Microsoft products. Namely: The Ribbon.
  • The list of nodes from the 2007r3 console have been put into 4 categories: Assets and Compliance, Software Library, Monitoring, Administration. Each of these categories has sections that correspond to the nodes in the 2007r3 console.
  • While the 2007r3 console had long lists or nested folders or collections, the 2012 console is built around searching and filtering results.
  • Two people cannot edit the same object at the same time. If a second administrator attempts to edit the same object, they will receive an error.
  • Folders in SCCM 2012 are globally visible, so every folder will appear for all users in the console.  It is therefore requested that you do not create folders to keep the administration interface sane for other users.
  • There will be only two folders present in the 2012 environment after the migration is complete: Software Package Collections and Operating System Collections.  All collections that are used for software package deployment or operating system deployment should be created in these two folders. The reason for this is that there is a bug in the SCCM 2012 permissions, in that you must have the Modify Folder permission to create a Collection. And all Folders are seen by all users. This means you cannot delete these folders, but you can rename them. If you rename them, you will be warned… Once.
  • Historical inventory data does not migrate. So all inventory will begin at migration time.
  • The 2012 console will report that it is operating in evaluation mode until after we decommission the 2007r3 environment and migrate the license over to the 2012 environment.
  • The ability to “group by” certain fields and then followed by collapsing some and sorting within the groups makes getting useful info much faster.
  • Removing computer objects from a collection is something that can only be performed upon an object that has been added to the collection through a direct membership rule.  Memberships granted through a query or an include rule will not allow objects to remove themselves.  Most of the time, this functionality was needed to remove computer objects that had become obsolete.  We are therefore setting permissions that will allow you to delete computer objects from your OU root collection.  Remember: deleting an object will remove it from the console, and you will have to wait for it to re-register with SCCM in order for it to become manageable again.

What are the benefits of moving?

SCCM 2012 offers a number of benefits over 2007r3:

  • All components of the SCCM client and server support 64-bit natively.
  • The delta discovery now handles constructed attributes, like the memberOf attribute. This means that a group membership change will now show up in SCCM in minutes instead of hours.
  • Patch auto-approval will allow us to merge the current WSUS environment into SCCM giving better patch remediation and the ability to push custom or third-party patches.
  • Role-based access control allows for a much saner permissions model that also requires less custom scripting to be maintained.
  • Management points no longer require Network Load Balancing to function, thus simplifying the networking on the server side.
  • Certain client settings that were previously site-wide can now be packaged up and deployed to collections, allowing for greater flexibility.
  • The UI and functionality of the Software Center is greatly improved over the Run Advertised Programs control panel applet.
  • The upcoming SCCM 2012 service pack 1, due out in early 2013, has additional benefits:
    • a Powershell v3 module for SCCM
    • Limited support for Apple, Linux, and Windows embedded clients
    • Support for Metro application
    • Bitlocker support in task sequences

What is the impact of a client upgrade failing?

The SCCM agent is about deploying things. If the agent doesn’t get uninstalled for some reason, the computer will continue functioning in the 2007r3 environment until an IT person comes along to assist it.  If the 2007r3 agent uninstalls, but the 2012 agent fails to install, then the computer is essentially unmanaged by SCCM at that point and nothing happens.  It is nearly impossible for a client upgrade failure to negatively impact the end user with the possible exception of not receiving new software.

When will there be training?

After the migration. All of the SCCM classes that have been taught previously will be re-taught and re-recorded.

When is the point of no return?

Friday, November 2nd we will begin by migrating the 600 clients in ITECS. Once the success of migrating these clients is verified, the status will be communicated to the IT community and the rest of the College of Engineering will be moved. Once we have begun migrating CHASS, Textiles, and the Domain-level servers, the rest of the migration will continue.

Where are all of the new features that 2012 is supposed to bring?

The goal of this migration is maintain feature parity with the 2007r3 environment we are migrating away from.  While 2012 does have a number of new features, we will be working through the development and release of new features post-migration. It was decided not to complicate the migration by attempting to also introduce new functionality.

What OS’s are supported by SCCM 2012?

The list of supported client OS’s is here: Technet:Operating System Requirements for Configuration Manager Client Installation. The short of it is: You must have at least Windows XP sp3 and Windows 8/Server 2012 are not officially supported (though the client does install and works).  Windows 8/Server 2012 will be officially supported with SCCM 2012 SP1 (due out “early 2013”).

Will I be paged if I’m using OIT’s Nagios offering to monitor my servers?

While we can’t say with absolute certainty, there is a chance that you will be paged as a result of a client migration.  This is because there is a period where the SMS Agent Host [ccmexec.exe] service has to be shut down in order for the migration to proceed, and OIT’s service will send a page if a client check shows a service that is set to be automatically-run is not running.  The 2012 client will restart this service automatically once it is installed, which will correct the condition that caused the page in the first place.  This only applies to groups consuming the Nagios server monitoring service that the Office of Information Technology offers.

Who is involved with this project?

The principle project team is:

  • Gene Morse
  • Michael Underwood
  • Alan Gerber
  • Ryan Leap
  • Jonn Perry
  • Jeremy Brown
  • Billy Beaudoin

With significant assistance from:

  • Kevin Swann
  • David Mai
  • Delores Leonard
  • Patrick Williams