A Holistic Approach to ConfigMgr Client and Server Health -- Johan and Anders

Captions
okay you guys see the the screen okay yep you can see it in your virtual machine beautiful well this is actually my hyper-v host but uh of course you have powerpoint on that one as you do these days all right then um thank you for the invitation thank you greg and josh and all the others across these three user groups to for for having me and others joining uh today talking about one of our absolute favorite talking topics uh making sure that the configmgr environment is as happy and healthy as it possibly can be it has been a long journey and even the product these days has a lot of built-in tools that that can help you keep the environment at the track it was more challenging back in the early days even back in the sms days to to keep stuff happy and healthy powershell and the spirit of other things yeah life is good um me and anders we both absolutely love questions so if you have any please use the chat and we'll be happy to answer them during the session we would love this to be an interactive discussion and again don't hesitate to to fire away those questions other than that my name is johan i'll be host for the next 50 minutes together with with anders and my premier home these days is a 2pint software but i also have a another company i work with viamonstra and that's where we do all the trainings and all the other fun stuff related to extra consulting gig and yeah you name it anders would you like to say a few words about yourself before we head on absolutely my name is anders rodland and i'm very happy to be here again and as johan said it's like if you have any questions during this presentation please uh just fire them as we go we love to answer these questions um uh i will uh me and johan will share this presentation johan will start and i will go in and show demo of something i pre showed on the last session but i have a little bit different angle this time excellent all right let's do it so we have four main pillars prepared for this session um 
focusing a little bit on how design and infrastructure simplifying that can help a lot of of configuration issues and other things in the environment we added in a section of focusing on operations basically what your operations team if they're not already doing it what they should be doing on a sort of a daily weekly monthly basis etc we have a section covering the sort of server side of health and performance so management point and distribution points and all the other site roles that you have in the environment and finally what to do on the client side for the client health and to get started it may surprise me but um not for sweden originally um but i actually played american football for a good five and a half years in in college one of their few teams in in sweden at that time uh i remember being like 12 teams in the country uh and it's a fairly long country there was a lot of buses or traveling by bus but our coach our head coach he has uh he kept saying kiss for everything keep things simple stupid that was his sort of go-to thing and i think that pretty much applies very very well to configmgr design as well uh back in the days when when configmgr 2012 came and and a lot of folks out there made the most interesting designs that i've ever seen like yeah we have a thousand clients let's have a cas with four primaries for those thousand clients like how about having a single primary and one dp uh there's a lot of things you can do one organization i worked with they had 150 some secondary sites and that was a fun project to to having to deal with but these days even larger organizations uh one customer been working with out and they have their headquarter out in endure but they're a global customer um 5 000 some sites 55 000 clients single primary site bunch of distribution points but not too many they have like 16 or 17 now distribution points around the globe that to me is a simple design and it's quite easy to keep healthy as long as you start to complicate 
things like doing these really advanced setups that's also where you start to see it's going to be hard to maintain and troubleshoot and i have seen smaller customers like just a few thousand clients gonna yeah we're gonna have a sql cluster we're gonna put in high availability and it's like no you should not if it breaks restore it from the backup you also small so you can do that entire operation like two hours at most shorter if you practiced so to me config manager for most organizations is not as critical as say email is you can often reboot a config manager site server in the middle of the day nobody will even notice uh and if you plan for it maintenance that's usually not a problem i remember back in the days when if i wanted to upgrade a system we have to schedule that for off hours or weekends and whatnot these days when we do servicing our config manager we are often allowed to do a daytime even even if they know the service is going to be down for an hour or hour and a half maybe depending on your sites but that is that is okay and then of course uh we all love to do documentation but that is also part of being able to track things down when things change because you can simply compare stuff and in order to learn and play around with and getting to know your environment and getting to know config manager and what you can do in in terms of health is having the best tool available and in my opinion the best tool any sys admin or any configmgr admin can have is to have a lab environment where you can play around and test and learn things without necessarily breaking production there is a classic saying that every configmgr admin actually has a lab and the follow-up to that one is some are also lucky to have a production environment it doesn't have to be that way you can actually have a real production environment and you can have a simple hyper-v host where you do a lot of testing and things their organization had really large lab environments in qa 
and dev and tests and acceptance of whatever they call them but it doesn't have to be a massive one it can be a simple one too to do this so in terms of the infrastructure if you want to get something that helps you get going uh on my blog for years i have published various hydration kits and this is just powershell script that builds up the complete lab environment in just a few hours we would have loved being able to offer ready-made kits for downloads like like microsoft can but if i would i would have lawyers on the phone like right away so we built powershell scripts that basically take a folder structure with content that you downloaded that you accept the license agreement for and then it just sets up everything for you fully automated so all in all the technician time is maybe half an hour the build time it's maybe three hours in total but these kits basically allows you to build a bunch of vms that has a full site server implementation and you can add as many additional servers and clients that you want to that mix but you have to start somewhere if you haven't got a lab i highly recommend to to check this out and play around with it it's not the only kit available but it's a kit and having a lab environment these days to me is absolutely absolutely key hardware-wise don't have to go overboard you'll be just fine with any pc usually a desktop these days but it can be a laptop i see a lot of photoshoots and laptops for lab environments these days but as long as you can get something that has 32 gig of ram have an i7 cpu or equivalency on or shinier of course uh and a one terabyte nvme uh ssd uh you're usually good and if you're on low on budget you can find such a machine on ebay for about three four hundred dollars these days not that big of a deal if you can get a new machine from work fantastic one of the companies i actually worked for back in the day is knowledge factory they were based out in over in europe they actually had in their employee 
agreement that every consultant that was brought on board would get their own lab machine and now we weren't talking desktop or laptop anymore each consultant got their own real lab server like a massive hp server with lots of disks cpu and memory and that was just a genius move from that manager there was a manager that actually got it it's like yeah if you give them this they will not only learn stuff but they also play around on their spare time just for fun because that's what we end up doing usually so anyhow having a lab environment to me is absolutely key keeping things simple uh makes anything health related much much simpler and documenting is something we often leave behind but these days it doesn't have to be too difficult there is a gentleman paul wetter he has written a downright amazing documentation script it was based on the earlier projects from david o'brien but this this script is just uh amazing i think i said a copy of it here somewhere here we go so uh if you do a bit of a creative search paul wetter whoops there you go documentation script right here download run it in my environment i have a few hundred clients maybe 25 servers or so uh it takes about five minutes to run but what i get after running it is a report a nice formatted html file and if i open up that in edge this is just an end-to-end documentation of your entire site server history from updates you can see this one has been around for a while uh everything you can think of in a configmgr environment every role every server every configuration every script every sequence every application every package every everything is in this documentation and it's not that hard to run it and then at least you have it because all this information is quite useful to have if you end up having to do a restore at some point so quite quite useful script and how he finds time to write it i i don't know because that's a that's a heck of an effort to to put together documentation scripts it's just a 
lot of a lot of code all right then of course we have the operations and me and my good friend jordan benzing we actually set out a while ago after being asked from one of our customers to provide to their operations team some tasks that that they could do so on my blog we put together a little practical guide to to operations and that's basically things that the ops team would have to do every now and then this list is far from a complete list but this is a great starting point if you don't have one already and what this customer ended up doing was actually for most of these tasks that were on these lists they actually schedule tickets especially for the weekly ones so that servicenow portal would every week create the ticket for one of the tasks assign it to whoever's supposed to fix it or or do it and then they would have to close that ticket and say yeah we we finished it off but there are just simple things like making sure you don't have a massive backlog in your inboxes because that indicates server issues make sure that you're this i've seen this so many times just making sure there is free disk space available on all such systems it's not too hard to check simple powershell script and you're good verify that backups are going verify that the configmgr database is not going out of proportion because that could be an indication that something is fishy checking event logs um just doing regular things this one i've i lost count a number of times i've seen distribution points basically filling up the entire c drive because nobody bothered to check the log files and it's so easy to put in routines to do that another script that you can download from from my blog is researcher housekeeping um i have a post about that but this one i think is the more interesting one here you find a little powershell script that you can simply schedule on your servers that have iis that every day will run and clean out the log file for older iis log files um if a distribution points 
are having problems you can actually this can grow quite rapidly i've seen environment with several gigs per day in these log files and simply have to do the math all right i have 60 gigs free in my c drive they're growing by 5 gig per day 60 divided by 5 12. all right it's going to run for almost two weeks and then it's going to die at that server or you get creative and you download a ci that you deploy or create a baseline and deploy through config manager and have it run every day or every second day on all your iis servers especially distribution points because the usual one that that creates these massive log files but simple things that you can do uh from an operations point of view weekly stuff is usually making sure that you catch up that you actually did all the daily ones and then you start to figuring out trends and and just started studying patterns in the environment and and config manager these days actually has um quite a decent number of built-in things that help you monitor the server side of things so we have what i refer to as old-school tools meaning if you go to your site server and you pick in the installation folder i happen to have mine on the e drive here check the tools folder and the server tools you have the classic collection evaluation viewer and now built into the console but this one still works you can still use it if you feel like it you can see your various collection times validations and if these values are not in in seconds but rather many minutes or even hours something is not good that means sometimes someone has been extremely creative creating nested select queries and whatever they have on their collections do you have the good old dp job manager where you can track all traffic between the the site server and all the distribution points you to reprioritize jobs and manage them and you know cancel them if needed etc i don't have any going right now but this one is usually pretty busy in a production environment but then 
of course we have all the stuff that is now built into the console itself so if you go to the monitoring workspace i know that can't last i would say last week but last meeting uh he went through some of the scenario health items has been added and they can be run and reviewed and you can get a history and then current one or the earlier ones and it's just a lot of useful information in the environment and then of course you have each and every status you have distribution status for all your distribution points etc you have your client status you have your system status and these have been around for a long time but they're still valuable when trying to verify that the server health is is good enough so if i would go to component status um i actually had an issue earlier this week and see if i can still pick it up it's okay now but that one is gone all right i had a few packages where i accidentally deleted the um source folder uh so that would give me a lot of grief and and whining about it then of course you have the dashboards even for the client etc but what you can also do is something that i started to do more and more also on the server side and that is having something else then config manager checking config manager and in this case a bit of powershell so on my blog i have a let's say else i have a little post called holistic approach to configmgr client health but this one also applied for servers the very concept here is having something that gathers information that makes sense for you to gather so as an example one of the customers i've been working with they were constantly running into issues of their distribution points so we started to figure out okay what data can we collect on each distribution point that will help us fix stuff before they actually became a problem and most of these solutions they work very similar so here i have a powershell script that simply first of all connects to the site server and get me all distribution points very 
quick and dirty wmi method but it works i could have used the configmgr cmdlet and said well i had this snippets i used to i'm copying out a script to every distribution point i run it and i collect information and summarize that back in the port on the server in this case i'm not depending on the configmgr client because for that one to be able to be healthy it needs to work i mean it has to be healthy to actually run the script for me so i prefer to use a different methods for running these scripts i'm starting to poke around what type of information that that we are getting this is an earlier example same script but it's basically we are collecting data points that helped us making sure that these distribution points they were up to the task of what they're supposed to do they were not running out of disk space uh this is just some extra code they had the branch cache configuration done the publication cache the way it's supposed to be services running uh the network you were supposed to have and this is not so big of a deal when you use servers as dps for good luck in finding a server on wireless but when using clients as distribution point it may very well be the case but just different values that it made sense to us to to gather summarize and bring into excel because the thing is even if you have thousands of servers or tens of thousands of clients you can actually drill down into that data through excel pretty quickly pretty accurate and immediately start to see trends things that are okay so here we are about to run out of disk space the following machines does not have the right services running these clients are not talking to the right distribution point stuff like that because it all comes down to just and this is for both server and client but but basically with a bit of powershell or whatever script method you prefer i happen to like powershell you can collect data that that helps you see what's about to happen in the in the 
environment uh before jumping into the to the client side um are there any questions worthy of um bringing up and chat about have you seen anything in the chat anders that that made sense to you or appeal to you should i say uh it's good if i'm not muted yeah so far excellent i mean greg and josh uh if you stumble upon something that that you see feel free to to interrupt and then you'll say hey we have this amazing question here uh what are your thoughts on this one so that will work thanks excellent all right so uh on the client side of things it's very similar because like we can collect data points on a distribution point we can do that on clients but it's usually different values we want to collect so in this example here um also checking things like what type of connection do they have punching or or collecting a lot of config manager related info like the client version how they're doing on cache how they're doing on the boundary group are they assigned to the right boundary group but they don't have a boundary group at all or are they assigned to multiple boundary groups what was the last distribution point they were using this one has helped me a lot over the years because on customers they have clients in argentina connecting to distribution points in germany and that was not the closest dp for those clients put it that way but without gathering that information and presented nicely in an excel spreadsheet it's really hard to to figure out because it works but it's just extremely inefficient from a networking point of view and all these scripts are up on github if you want to play around with them uh feel free to steal borrow etc uh this is our own little agent so that's gonna skip that for now but just getting stuff i mean this one here if there is one thing that will break a configmgr client upgrade it's going to be this one i think it's been fixed now but for the longest time when you started to hit 75 000 client of files in the temp folder the 
config manager client upgrade would not be happy would basically fail to compile the mof files record so far we had one customer with a client in in in asia 1.3 million files in the temp folder that's personal best so far and i would have to say i was a little bit concerned even connecting to that machine through a like whack you can see type connection i didn't dare to log into it because i kind of expected that something going on on that particular computer that that was not happy for this customer we also gathered the dotnet framework version uh etc and just again gathering all this information summarizing them uploading them actually as csv files uh to the server uh just for folder just dump them in summarize them into excel spreadsheet and that was our little health check but it turned out that you can do much better than just a little powershell snippet and that's where mr anders come into the picture because he's done that he's got above and far beyond other little tiny attempts with powershell scripts and implemented and created a complete uh health check platform and the price for that one is just right as well it's free it always has been so anders would you be so kind absolutely and it always will be free too i it was released to the community that was the best decision i ever did for that solution because uh the community embraced it and they started providing additional fixes for uh like my config manager client would break so that was a very good decision for the customers that i was working with because they also ended up with a better solution that would fix that so let me take over the screen share here really quick thank you so much johan hey johan one question for you guys while you transition here johan there was a question in the chat about lab environment and networking are there any type of caveats to be aware of with how you configure that networking or having the primary on the same network as managed clients well from a there's an excellent 
question so first of all lab environments you usually have a complete setups you have the dns dhcp and everything stuff like that and if we just take those vms and put them out on the production network you would usually upset your networking folks so that is not recommended so what i recommend having is basically i may have a few extra but a bunch of different internal networks and then when needed to route them out to production to get like internet access etc but a favorite of mine is is using virtual routers uh pfsense happened to be the router of my choice i i just like it but this one for example is one one main routers and this one has one network that provides internet access through hyper-v nat feature and then a bunch of other networks that are routed through this little thing allowing me to simulate a fairly large distributed environment on just a single hyper-v host so what i have here is i have uh a bunch of clients they they are in different sites in chicago they are throttled because pfsense can throttle traffic i have a bunch of machines in uh new york they're not throttled at all they have a bunch of machines in seattle they are behind a 45 megabit link and and in these platforms you can actually um see if i can connect one of them here uh you can create limiters so so uh traffic shapers so i can introduce latency i can introduce packet loss i can do all these things that a normal production network would but i have that on a single hyper-v host so this is a bit of a more extreme lab host and i have a few of these but these are hp workstations lots of memory lots of cpu uh this one was a christmas gift but there were another bought we got was about 200 on ebay and that was like sure it's a lot of money but dang what a host to get for that kind of money but keep them isolated route only out traffic when needed keep the rest inside your lab network because should you want to be able to play with production type network but you don't want to be on the 
production network that would be my my take on it great thanks and i see somebody uh added to the chat as well linked to uh your networking so um that's always been a struggle with me on set up labs so yeah thanks welcome all right anders absolutely thank you for that um i'll go ahead and share my screen and so i'm not going to repeat everything i i said because i did present config manager client health on the previous user group session pad here so i'm just going to do a quick recap for those who miss that config manager client health it's a powershell script powershell solution that i wrote what is it now five six years ago i think i um it was it came as the result of a large patch incident we had with a customer where we were managing the clients for a customer and i was responsible for the config manager side and when we brought that customer in we realized that we are we're only able to manage about uh six sixty percent of their devices it's like six percent of the devices were able to successfully install patches on an update the remaining we they just failed i spent a lot of time investigating why it turned out to be the config manager client was the reason for a lot of those issues it was a bit of an extreme case and and you can't really tell a customer to uh here's a list of 5000 machines that you need to reinstall you know because i because the config manager client doesn't work that that doesn't really fly so um i wrote that solution uh call it config manager client health it will just go in and look for all those specific items that we found and then it would implement the fixes for them then i decided to take it further and i uh started to i did a lot of research in the community for other people in the community around config manager had found issues with the client and how they fixed that and i started i started to implement proper detection methods for these errors i tested it and then tested tested a fix so what i ended up with was a pretty 
extensive powershell script that uh it runs on the client it's initially client so it doesn't depend upon config manager to start anything because if manager loses management of a device it's not going to be able to fix that device so yeah the powershell script it yeah it's initiated by the client or by the end point itself it runs a long list of tests just to detect if something is broken and some other easy to fix other requires the that we reinstall the client itself and then it reads a config file from a centralized location and and by deploying like a scheduled task that can that will start this powershell script you'll end up with um uh yeah you end up with with something on all your endpoints that where it runs a proper health check if the client is broken it will fix it and for this customer that i mentioned right we were only patching about 60 percent when we implemented this it's like it's skyrocketed it went up to something somewhere like 97 98 percent like um like on the next patch cycle it was everybody were amazed i went from being the one everybody were upset with to i became the hero and not meet them so that was a lot of fun so very quickly what is this um how does this process works right the config manager client health it executes it's a powershell script it executes locally on on the endpoint it detects and remediates any errors that it it finds and then there is a database uh and the database can run on either it needs sql server but it works to run it on sql express so it doesn't require a fully licensed sql server and you can put a web service in the middle between the script between the client and the sql server so you don't expose your your sql server to the clients and then then the result of the health check is sent to the web service using uh http ht https and then the web service have a service account that it will connect to the database and update the database with and i'm hoping everybody's still here my mouse froze a little bit there 
and the requirements for configuration manager one of those uh for the end points we require powershell 5.1 or a newer version of that and uh config manager client health it ideally you wanted to execute with system privileges and you can you achieve that by having a scheduled task start the config manager client health and the schedule task you can create that using group policy another web service uh what do that require it requires dotnet framework 4.8 version the original version i had of this was built on dot net core 2 which was a uh which became depreciated and there was security hole of security vulnerabilities so i i rewrote that using a version of .net framework that it looks like microsoft will support for a lot good amount of time so that that should be much safer and i looked through the documentation i actually realized that i never documented this but the web service do require the windows server feature asp.net 4.7 uh it do require that in order to execute this it requires internet information services and it also requires a server service account with permissions on the database and then you need the sql server in the backend and that's about all the powerpoint that i have because i'm not really a powerpoint man i do prefer to use a virtual machine i do prefer uh looking into the actual technology itself so i gave an overview of config manager client health and the last user group this uh this time i'll focus my configuration and we'll look a little bit more into the web service itself because i do realize that that is where most people have issues um when it comes to implementing this it's like getting the script up and running is fine getting the uh creating the group policy that that creates the scheduled tasks that see people seems to to get that fine but i get a lot of question about the web service so we're gonna we're gonna look deeper into that um but really quick how it works and uh the config manager client health you extract it into a location 
you start a simple folder but how i have chosen to donate is i have created a folder on uh this e-column client helder this is on my config manager server this one is shared out so i'm sharing it as a client outdoor you do want to put permissions on how you don't want let me see if i have done this correctly i haven't this is part of me you don't want people to change this you want you want to lock it down you also want to want to lock it down on the security how you want to make sure that you don't want many people to be able to make changes uh to this folder right because if you think about it you have a powershell script executing as system on all your endpoints you don't want people to just come in and make changes to the script and you also want to sign the script so that's it there is config file i have this config xml this is where you configure uh client health how it will behave right we have here like a a version this is like the minimum version of the config manager client if if the client health determines that i need to reinstall the config manager client on this endpoint or if it detects that you are below this version right in the in this i have 85 53 0006 so if if it would detect that the version of the config manager client installed on this machine is an older version of what i specified here it will automatically tag the client and client health will reinstall it and upgrade the client for you then we also have some um information here right i can configure the cache size and how large do i want the ca the cache size or the config manager client to be it will run a check on it to see if that if it's properly configured to this size or not uh here we will define the installation parameters if config manager client health determines i need to i need to install uh the config manager client it will use the uh the install properties that we define here so you can add more or you can remove this according to your preference but you want to find something that 
you're confident with, that with these installation properties it will always succeed installing or upgrading the client. There are more options in here, like we can configure different health checks, if I want to enable them or not, and some of them it can run in remedy. I have the tag fix equals true. That means that if it breaks, it'll actually fix it. If I change that to false, it's not going to fix it, but it's going to report back to the database that it's broken. So that's it, that's the config file.

And then we have ConfigMgr Client Health, the PowerShell script there, and we have a database. I have a few more tables in my database than what you have in the version I released. That's because I'm working on a pretty big upgrade for this. But you'll see, in the ClientHealth database on the SQL Server I have a table called Clients, and in here every endpoint that runs Client Health and sends the results to the database will show up as a line. So this is where you can see the result of the health check, and because this is SQL, you can run SQL Reporting Services or you can run Power BI, and you can create reports or dashboards on this as well.

One of the first things that happened when I created this and put it out publicly: I had only tested this on Windows 7, Windows 8 and Windows 10 when I released it, and then there was a guy in India who replied back to me saying, "Thank you, I have 16,000 servers." So my heart jumped, right? I never tested it on a server. So I immediately decided I'm going to make sure this works properly on servers. Ever since version 042 or something, I tested it on servers. So I'm just going to run the health check right now on my Configuration Manager, just to prove that point. I run it with the parameters: the ConfigMgr Client Health script file, I run the -Config, I point to the config.xml, I run the -Webservice, and I point
it to the web service. In this case my web service is https://mcm.andersrodland.com/ConfigMgrClientHealth. Then I just execute that, and it's running. I don't think it's going to fix anything, because I ran this earlier today, but you can see it ran through fairly quick, and in the end here it's saying "Updated SQL database with results using web service". And if I now go back here, before I execute this query again, we'll see my previous timestamp here. It was today, but it was a little bit earlier in the day. So I'll execute this again, and now this one has... let's see, it's still there. Yeah, now this one has updated with a newer time now. So that was the last boot time, and let's see the timestamp. Yeah, here we go, this one has now updated with a newer time, when I executed that.

So one of the things I wanted to focus on in today's session was the web service, because I realized a lot of people have issues with that. That's where I get the most amount of questions, like you're getting a 500 internal server error. I know something is wrong, and it's a little bit difficult to troubleshoot. So I'm just going to walk through the process of how you would configure the web service, how you make it work. The first place you want to start would be your SQL Server. You need to make sure that you have the database installed, ClientHealth. You create that database by just running this database...

Yeah, sort of interrupting, but there were actually a few questions on that particular topic. So first of all, people want to know, quick overview, where are the best guides to get through the installation step by step, but also for migrating from an older implementation to using the new one with the web service, if you have a chance to touch on that a little bit.

Absolutely. So let me just go here. I open up here ConfigMgr Client Health. I publish it on GitHub. People are contributing. I'm happy to accept
accept contributions. I'm going to test them totally before I accept anything. But to answer your question, I have a blog post on my blog here, andersrodland.com. It's going to load, looks like it's taking a little bit of time. I don't have as good a web host as you want to have. But it's coming here. This link here, andersrodland.com/clienthealth, contains the latest documentation, and in there, I see I need to update some things. But we have here the PowerShell, the command line, how you would execute this. I'm saying how do you install it, right? You place it on a network share available to all clients, where everyone has read access and only administrators have write access. This will be the PowerShell command you execute it with if you haven't signed the script. I recommend you sign the script so you don't have to run it with execution policy bypass, and it also prevents people from making changes. I then recommend creating a Group Policy that creates a scheduled task that runs this PowerShell script on your endpoints. And I have another blog post here that details how you create a scheduled task, and this will go through it. I even use ConfigMgr Client Health as the example in this blog post.

Do you have another link for the reports? Did they migrate over to GitHub as well?

So those reports, that's a very good question. I am not the author of those reports. That was somebody else who created them. I have them locally on my system. I don't have them... I wouldn't have to reach out to that guy who originally created them, because I probably shouldn't republish them in my name when I'm not the author of them.

So there is actually a trick to that. I've been using that a lot for the TechNet Gallery: going to the Wayback Machine, because it actually contains the entire gallery in its repositories. So if there is a script that was up
there and you're missing it, we can still access it through the Wayback Machine, and yeah, I'll post that link in the chat.

Thank you for that, Johan. That's actually a great point, because yeah, it should be available on the Wayback Machine, that report, because that was a good report in my opinion.

I'm not saying... I mean, they have snapshots since the beginning of time of the TechNet Gallery. You can actually find some pretty good stuff there. Poke around.

Yeah, that's awesome, and thank you for that, Johan. It's okay, I'll continue a little bit.

So I ran the PowerShell script here on the ConfigMgr server. It ran successfully. So I just want to look at how the web service is configured. Where do we start? Or, the prerequisites, since I know a lot of people have issues with it. You want to make sure you have the database installed, and you do that by executing CreateDatabase.sql. It's provided in the package for ConfigMgr Client Health. It's just a SQL query. This SQL query, I created it in such a way that it will create the database if it does not exist. If I release a new version and I make any changes to the database, you just run this query over again on the same server. It will detect any changes that I made since the version that you're currently on, and it will just upgrade it. So that's just a simple SQL query. So you need that.

Then you need a service account, and in my case I call that ClientHealth. That service account, on the ClientHealth database, you need to give it data reader and data writer. Those are the permissions that you need to set. That's all the permissions that it needs to have. You need to have a public login on the SQL Server, and then it needs to have the permission on the database so that it can read and write. And that's what you need from the SQL side.

Then the next thing you need to do is you need to extract the web service. I'm
using the latest one, version 2.01, and this one is based upon .NET Framework 4.8, so yeah, you need to install .NET Framework 4.8. You have the web.config. This is where you make changes. It's not that, I'm sorry, this is actually not mine. That was not my web service, that was actually Nikolai's that I entered. This is the one I have, ConfigMgr Client Health. So you go to the web.config. At the bottom here there is a connection string. You point that to your server, like mcm.andersrodland.com in my case, the database, and I have the trusted connection on. That's because I'm using integrated Windows authentication, and all it means is that the application pool that we will run the web service under in IIS, that application pool will provide the credentials that the web service will use to log in to the SQL Server.

So we have the web service. We just extract the files there, we edit web.config, just update the connection string so it points to your SQL Server. If the SQL database is located on a different server than the one you're on, you need to make sure that port 1433 is open so that SQL traffic can pass through.

So then we go to Internet Information Services. I have an application pool I created called ConfigMgr Client Health. How this is configured: the .NET CLR version, this is set to 4.0. The old version used No Managed Code, so this is actually a change from version one to version two, when I changed the version of .NET Framework. So we use version 4.0. I need to go down here to Identity. I need to specify the credentials that I use. I have a custom account there. This is my ClientHealth account that I showed, that I've given permission to on the SQL side. And that's really all there is to it. As I said, the big change from version one to version two here is that in the app pool you change it from No Managed Code to version 4.0.

And here's a good question for you, Anders. Johnny asked
if the community donates, would you consider signing that script with a public cert?

Absolutely, I can do that, and I have thought about that many times actually. I've always leaned back on that: when you're running a script on your endpoints as system, you want to know what's happening, right? Ideally you want to take the time and read through what the script does, understand what it does, and then sign it once you know what it does. But yeah, I would be willing to do something like that.

Okay. I had a couple of people ask too about remote employees and not being able to get to file shares, things like that. I might have missed that, I don't know if you tackled anything on that. Any scenarios for how to use Azure Blob Storage or other ways to potentially get to files when you're not on network?

So that's a great question, thank you for that. Bryan Dam actually has a different method of sharing this Client Health. He has a Group Policy that would copy Client Health from a share to locally on the machine. That works really well as well. It just ensures that if Bryan would make changes on his share, the GPO would update the files locally. That would be one way, but for remote workers that would require a VPN connection, right? You may not always have that VPN connection. So to get this to work remotely, it is fully possible to do that. You can put the files for Client Health on an Azure blob, and then the web service, you could publish that externally using Azure AD Application Proxy, and that way the script can update the web service, because now it's available publicly.

Nice. Jose, I see your hand's up. You have anything to ask there, or we'll take your hand down? Oh, hand went down. All good. Okay. All right, well, thank you, Anders. Let me start
to share my screen. We'll pop here and see if anybody has any final questions. Lots of good nuggets in the chat, so appreciate that, and keep them coming. Really appreciate that. Okay, and Johan, I was jumping around at the beginning here. Did you have a chance to talk a little bit about our giveaways today?

I did not, but I'll be happy to, because this is something that I wanted to do for a very long time but finally got a chance to do this year. I mean, I've been doing trainings all my life, since back in the NT 3.51 classes, but these classes are typically four or five days long, and what we found was that not everybody on this little planet either can afford or has the chance to stay away from work for five days, or a combination of both. So we created these longer courses. They run for six weeks, two hours each week, and it's a bunch of different topics: MDT, ConfigMgr, Intune, ConfigMgr operations and stuff like that. So we wanted to give you guys a chance to raffle a few of these passes out. Yeah, that's pretty much it.

Yeah, this is huge. We really appreciate this, and we have three of these today, so one after each session we're going to give away. So let me do this, we're going to do our first raffle.
Info
Channel: Northwest System Center User Group
Views: 176
Keywords: ConfigMgr, MEMCM
Id: FKW8orGQxgU
Length: 55min 56sec (3356 seconds)
Published: Sat May 22 2021