Problem
While running the install for SCCM Current Branch (1702), the Prerequisite Checker was failing on an issue with admin rights on the target SCCM Site Server. This one was really annoying as I had double-checked everything before running the installer.
Fix
The appropriate accounts had been given admin rights to all the SCCM Site System Servers using the Restricted Groups Active Directory Group Policy setting (under Security Settings, under Windows Settings, under Computer Policies). The SCCM server had not been restarted since the policy was applied.
Restarting the server fixed the issue!
Problem
Attempted to automate some maintenance schedules using the new SCOM 2016 functionality and received the following error:
The Execute Permission Was Denied For Object ‘sp_help_jobactivity’.
Fix
Assign the following rights for the SCOM Data Access Service account (SDK service) against the msdb database:
- SQLAgentOperatorRole
- SQLAgentReaderRole
- SQLAgentUserRole
As always many thanks to Kevin Holman – more info about this issue here: https://blogs.technet.microsoft.com/kevinholman/2016/10/22/enabling-scheduled-maintenance-in-scom-2016-ur1/
SCCM Current Branch (1702).
Problem
Automatic Deployment Rule was running without error but not doing anything. Downloading updates manually was working so not a problem with Internet connection etc.
Fix
The share/folder on the SCCM Site Server where the software updates were meant to download to (the Package Source folder) needed a tweak to the permissions.
Add the server SYSTEM account to the permissions for the folder and the share with the appropriate rights to be able to write to both.
See a full list of Windows Server 2016 and/or Windows 10 maintenance tasks using the following command run from an admin command prompt:
schtasks /query
Somebody somewhere thought not having the WindowsUpdate.log in a human readable format that could be viewed in real-time was a really good idea.
To read the logs now you have to use a PowerShell command.
Open PowerShell using Run As Administrator and run the following.
Wait patiently for the now out-of-date log to save to your desktop.
Don’t get involved with Exchange too much but thought this was a cool command to use to stop all Exchange services in one (or maybe two) attempts.
The scenario was a test Exchange server with all services running on a single machine and needed to stop all services to perform a recovery operation.
Open PowerShell using Run as Administrator and then run this command.
- get-service | ?{$_.Name -ilike "MSexch*"} | stop-service
If some services fail to stop because dependent services are running just run the command a second time straightaway.
To disable the services run this:
- get-service | ?{$_.Name -ilike "MSexch*"} | set-service -StartupType Disabled
Not unusual to get the occasional moody WSUS managed-device that will not report and/or update using a correctly configured WSUS server. The link below is the one I like to use to test the connection from the WSUS managed device to the WSUS web site.
Note: The test URL below uses my-wsus-box as the server name and 8530 as the configured port for the WSUS web site – change as appropriate.
Note: If the connection to the WSUS web site is good then a prompt to download wuident.cab should be presented.
http://my-wsus-box:8530/selfupdate/wuident.cab
Windows Server 2016 would not download updates from a WSUS server running WSUS v4.0. On viewing the WindowsUpdate.log, the following error was noted:
- HTTP/1.1 403 Forbidden by proxy
Unable to easily view the IE proxy settings as IE had been disabled by Group Policy on the server. Fix was to reset the proxy settings using the following command:
- netsh winhttp reset proxy
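A scripted version of the two WSUS checks above (the wuident.cab test and the proxy check), added here as an example and not part of the original posts. It requests the test URL through the WinHttp.WinHttpRequest.5.1 COM object, which by default uses the WinHTTP proxy settings that netsh winhttp manages, so a proxy refusal shows up even when IE is disabled. The function name Test-WsusClientPath is hypothetical, and my-wsus-box and 8530 are the post's placeholders.

```powershell
# Added example (not from the original posts). Test-WsusClientPath is a
# hypothetical helper name; my-wsus-box and 8530 are the post's placeholders.
function Test-WsusClientPath {
    param(
        [string]$Server = 'my-wsus-box',
        [int]$Port = 8530
    )

    $url = "http://${Server}:$Port/selfupdate/wuident.cab"

    # Machine-wide WinHTTP proxy, readable even when IE is disabled by policy.
    $proxy = (netsh winhttp show proxy | Out-String).Trim()

    $status = $null; $statusText = $null; $bytes = 0; $failure = $null
    try {
        # WinHttpRequest takes its proxy from the WinHTTP settings by default,
        # so this request follows the route shown by netsh above.
        $req = New-Object -ComObject 'WinHttp.WinHttpRequest.5.1'
        $req.Open('GET', $url, $false)
        $req.Send()
        $status = $req.Status
        $statusText = $req.StatusText
        $body = $req.ResponseBody
        if ($body) { $bytes = $body.Length }
    } catch {
        # Name resolution failure, refused connection, timeout and similar.
        $failure = $_.Exception.Message
    }

    $verdict = if ($null -eq $status) {
        "No HTTP response: $failure"
    } elseif ($status -eq 200 -and $bytes -gt 0) {
        'WSUS web site reachable, wuident.cab returned'
    } elseif ($status -eq 403 -or $status -eq 407) {
        'Refused; compare the proxy shown above with what the server should use (netsh winhttp reset proxy clears it)'
    } else {
        "Unexpected HTTP status $status"
    }

    [pscustomobject]@{
        Url = $url; Status = $status; StatusText = $statusText
        Bytes = $bytes; WinHttpProxy = $proxy; Verdict = $verdict
    }
}

Test-WsusClientPath | Format-List
```

The function only reports; it does not change the proxy, so the reset stays a deliberate step after the configured value has been reviewed.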