[Today’s post comes to us courtesy of Mark Stanfill]
System Center Essentials 2007 SP1 (SCE 2007) included with Essential Business Server 2008 now fully supports Windows 7 and Windows Server 2008 R2 clients, but there are a few manual steps that must be performed before these clients can be managed from the SCE Console. Because the SCE engine is derived from System Center Operations Manager (SCOM), it is important to be familiar with the supportability statement in KB 974722 as well.
Step 1: Install the SCE Management Packs
First download and install the Windows 7 and Windows Server 2008 R2 Management Packs. These are the same as the SCOM MPs. There are two MPs to download:
Windows Client 2000/XP/Vista/Windows 7 Operating System Management Pack for Operations Manager 2007
Windows Server Operating System Management Pack for Operations Manager 2007
Once you have downloaded and extracted the Management Packs, import them in the System Center Console under the Administration node (aka the gear icon) by selecting Management Packs and then clicking on Import Management Packs…, selecting the appropriate MP files (Microsoft.Windows.Client.Win7.* and Microsoft.windows.client.library.mp) and then choosing Open.
Step 2: Prepare the Client Deployment Folder
SCE 2007 does not support deploying 64-bit Windows 7 clients through the Discovery Wizard (see below). The clients must be deployed manually. 32-bit Windows 7 clients and down-level clients (i.e. Vista and below) can continue to be deployed through the Discovery Wizard.
To distribute the SCE Agent (System Center Operations Manager 2007 Agent), copy the following files to a new share on the Management Server:
- %ProgramFiles%\System Center Essentials 2007\AgentManagement\amd64\*
- %ProgramFiles%\System Center Essentials 2007\SCECertPolicyConfigUtil.exe
- %ProgramFiles(x86)%\System Center 2007 Hotfix Utility\Q954049 (Copy the entire directory)
Share the folder and set its ACLs appropriately (installing clients need read and execute access only, not write).
Step 3: Install the Agent on the Client Machine
Log on to a Windows 7 client machine using an account with rights to install the software. For the steps below, you will need to know the Management Group name for your installation. This will be the name of your EBS Management Server with _MG appended. For example, the Management Group for MGMT.contoso.local will be MGMT_MG. You can confirm this by opening the SCE Management Console and verifying the name after “System Center Essentials – “ in the title bar of the window.
Option 1 – Manual Install
- Connect to the share created in Step 2 above and double-click on MOMAgent.msi.
- Follow the prompts, using the appropriate Management Group name and Management Server name. Important: you must specify the FQDN (e.g. mgmt.contoso.local) for the Management Server name. Do not use the NetBIOS name or IP address.
- Use all the default values for the installation and complete the wizard.
- Double-click on SCECertPolicyConfig.msi to install it.
- Stop the OpsMgr Health Service service on the client machine.
- Install the SCE Agent KB hotfix by typing the command from an elevated command prompt:
  \\managementservername\share\Q954049\SetupUpdateOM.exe /amd64MSP:Q954049-x64.msp /agent
  Where managementservername is the name of the server, and share is the name of the share.
- Follow the wizard’s prompts to install.
- Restart the OpsMgr Health Service.
- Optional: On the client, run “GPUpdate /force” from an elevated command prompt, reboot the client machine, run Control Panel\Windows Update\Check for updates, then run wuauclt /reportnow from an elevated command prompt to force the client to immediately register with SCE.
Option 2 – Automated Install
The steps above can be automated for use in batch files or login scripts by specifying variables as command-line parameters. Use the following commands to automate the installation. The following variables are assumed:
- server – the NetBIOS name of the Management Server
- share – the name of the share created in step 2 above
- MG_Name – the Management Group specified above (server_MG by default)
- FQDN – the FQDN of the Management Server
The commands are long, so they will wrap. Individual commands are separated by a blank line:
msiexec /i \\server\share\MOMAgent.msi /qn MANAGEMENT_GROUP=MG_Name MANAGEMENT_SERVER_DNS=FQDN ACTIONS_USE_COMPUTER_ACCOUNT=1

msiexec /i \\server\share\SCECertPolicyConfig.msi /qn

\\server\share\Q954049\SetupUpdateOM.exe /silent /amd64MSP:Q954049-x64.msp /agent
Q: Can I deploy via a GPO?
A: Not easily. It is not possible to specify command line parameters through a GPO, so a transform would be required for a fully automated install.
Q: I successfully deployed the client to my 64-bit Win7 client, but it does not show up in the Computers node or the operating system is not listed. What happened?
A: The client has not reported back to WSUS and SCE with its inventory yet. It will automatically report back to the server overnight. Alternatively, you can reboot the client and then manually trigger a Windows Update detection in order to force it to report back to SCE.
Q: I get an “RPC Server is not available” error when trying to install to a newly joined 32-bit Windows 7 client.
A: It’s possible the client has not yet applied Group Policy. Log on to the client, run gpupdate /force from an elevated command prompt, reboot the client, and try deploying the agent again.
Q: I’m running SCE in a non-EBS environment. Do the steps in this article apply to me?
A: In general, yes. All component products shipped with EBS are identical to the stand-alone versions.
Q: What hotfixes need to be installed on the Management Server?
A: KB 974722 details a number of hotfixes. KB 951327, KB 953290, and KB 954049 should already be installed if the server has been receiving updates via Windows Update (KB 954049 is installed during EBS setup). KB 952664 does not apply as it is x86 only. KB 951116 is for SCOM only, and does not apply to SCE.
Q: The agent successfully deployed, but now my Win7 client shows up with an Operating System of Windows 0.0 under the All Clients group.
A: The client has not reported its inventory back to WSUS and SCE yet. Wait overnight or run wuauclt /detectnow && wuauclt /reportnow on the client to force it to update WSUS.
Q: The client MP has 9 .MP files in it. Which ones do I need to install?
A: You only need to install the Microsoft.Windows.Client.Win7.* and the Microsoft.windows.client.library.mp Management Packs. The other MPs are already installed. You won’t harm anything by re-importing the existing MPs, but it is an unnecessary step.
Q: Why can’t I connect via TS to my Win7 clients? XP and Vista clients work fine.
A: Although SCE creates a GPO to enable RDP access through the Windows Firewall, Win7 domain-joined clients do not have Remote Desktop enabled by default. To connect to these clients via RDP, you need to explicitly enable it either manually or through Group Policy (Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Connections\Allow users to connect remotely using Terminal Services). A logical place to enable this is on the “SCE Managed Computers Group Policy (SERVERNAME_MG)” policy.
Why this is necessary
The security hardening of Windows 7 won’t allow the MOMAgentInstaller executable to modify the Windows Firewall. Attempting to deploy the SCE Agent to a 64-bit Win7 client via the Discovery Wizard will result in the following error:
The MOM Server could not start the MOMAgentInstaller service on computer “<computername>” in the time.
This service is used to perform configuration operations on the computer before the Microsoft Operations Manager agent can be configured.
Operation: Agent Install
Error Code: 0x80070102
Error Description: The wait operation timed out.
On the client side, an error will be logged in the Application Log:
Log Name: Application
Source: Application Error
Date: 10/28/2009 1:47:38 PM
Event ID: 1000
Task Category: (100)
Faulting application name: MOMAgentInstaller.exe, version: 6.0.6278.0, time stamp: 0x47b70fc7
Faulting module name: ole32.dll, version: 6.1.7600.16385, time stamp: 0x4a5be01a
Exception code: 0xc0000005
Fault offset: 0x000000000003245a
Faulting process id: 0xbcc
Faulting application start time: 0x01ca580fe1ba652a
Faulting application path: C:\Windows\422C3AB1-32E0-4411-BF66-A84FEEFCC8E2\MOMAgentInstaller.exe
Faulting module path: C:\Windows\system32\ole32.dll
Report Id: 204e3708-c403-11de-8ed9-00155d44602d
The COMPUTERNAMEAgentMgmt.log in %ProgramFiles%\System Center Essentials 2007\AgentManagement\AgentLogs on the Management Server will show an entry similar to this (the HResult: 8000ffff entry is diagnostic):
05:34:41 PM : CServiceModule::Init : m_bService is set to true HResult: 0
05:34:41 PM : CServiceModule::Start : Service flag is set
05:34:41 PM : CServiceModule::SetServiceStatus : State: 2, Error: 0
05:34:41 PM : CServiceModule::SetServiceStatus : State: 2, Error: 0
05:34:41 PM : RegisterFile : Before LoadLibrary
05:34:41 PM : RegisterFile : After LoadLibrary
05:34:41 PM : RegisterFile : Before GetProcAddress
05:34:41 PM : RegisterFile : After GetProcAddress
05:34:41 PM : RegisterFile : After FreeLibrary
05:34:41 PM : RegisterFile : Success return
05:34:41 PM : RegisterFile : WaitForSingleObject return HResult: 0
05:34:42 PM : ConfigureWindowsFirewallExceptionForApp : AddRemoveAppForWindowsFirewallException failed: HResult: 8000ffff
05:34:42 PM : CServiceModule::SetServiceStatus : State: 1, Error: 0
05:34:42 PM : CServiceModule::Handler : ConfigureWindowsFirewallExceptionForApp failed while adding exception HResult: 8000ffff
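To find which push installs failed at the firewall step, the following PowerShell script (an added example, not part of the original post or of SCE) scans AgentMgmt.log lines for the diagnostic ConfigureWindowsFirewallExceptionForApp entry with HResult 8000ffff. The function names and the computer name WIN7-X64-01 are hypothetical; the sample lines are copied from the excerpt above, and the line layout is assumed to match it.

```powershell
# Added example: flag agent push installs that failed at the Windows Firewall step.
# Assumption: log lines use the "<time> : <function> : <message>" layout shown above.

function Find-FirewallPushFailure {
    param([string]$ComputerName, [string[]]$Line)

    $pattern = '^(?<time>\d{2}:\d{2}:\d{2} [AP]M) : (?<func>[\w:]+) : .*HResult: (?<hr>[0-9a-fA-F]+)\s*$'
    foreach ($l in $Line) {
        # Only the entry logged by the firewall helper itself counts, so the
        # follow-up CServiceModule::Handler line does not produce a second hit.
        if ($l -match $pattern -and
            $Matches['func'] -eq 'ConfigureWindowsFirewallExceptionForApp' -and
            $Matches['hr'] -eq '8000ffff') {
            New-Object PSObject -Property @{
                Computer = $ComputerName
                Time     = $Matches['time']
                HResult  = '0x' + $Matches['hr'].ToUpper()
                Action   = 'Install the agent manually (Step 3)'
            }
        }
    }
}

function Get-FailedPushTarget {
    # Default path is the AgentLogs folder named in the text above.
    param([string]$LogDir = (Join-Path $env:ProgramFiles 'System Center Essentials 2007\AgentManagement\AgentLogs'))

    Get-ChildItem -Path $LogDir -Filter '*AgentMgmt.log' | ForEach-Object {
        # Files are named COMPUTERNAMEAgentMgmt.log; strip the suffix to get the client name.
        $name = $_.BaseName -replace 'AgentMgmt$', ''
        Find-FirewallPushFailure -ComputerName $name -Line @(Get-Content -Path $_.FullName)
    }
}

# Sample lines taken from the excerpt above; WIN7-X64-01 is a made-up client name.
$sample = @(
    '05:34:41 PM : RegisterFile : WaitForSingleObject return HResult: 0',
    '05:34:42 PM : ConfigureWindowsFirewallExceptionForApp : AddRemoveAppForWindowsFirewallException failed: HResult: 8000ffff',
    '05:34:42 PM : CServiceModule::Handler : ConfigureWindowsFirewallExceptionForApp failed while adding exception HResult: 8000ffff'
)
Find-FirewallPushFailure -ComputerName 'WIN7-X64-01' -Line $sample |
    Format-Table Computer, Time, HResult, Action -AutoSize

# On the Management Server, scan every push log instead:
# Get-FailedPushTarget | Sort-Object Computer | Format-Table -AutoSize
```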