Maintaining WSUS 3.0 with scripts

Every month we have more and more updates to download to our servers and the result is more and more space used. This is why we must frequently and automatically take care of our system.

To free space by deleting unused and unneeded updates, there is a script on TechNet, and you can automate this step with a scheduled task and a batch file. A sample batch file is attached.

TechNet also offers a script to maintain the health of the SUSDB database. As with the previous suggestion, I recommend running this step from a scheduled task, with a command like:
sqlcmd -S "SQL_Server\Instance" -E -i "<Location>\Script.sql" -o "<Location>\DB_Output.txt"
If you have an SBS server or another system based on Windows Internal Database, the correct syntax is:
sqlcmd -S "np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query" -E -i "<Location>\Script.sql" -o "<Location>\DB_Output.txt"
This line establishes a trusted connection to SQL Server, executes the script and writes all output to the DB_Output.txt file. Switches are case sensitive!

This keeps your server in good condition and clear of unneeded updates. I recommend running these scripts every two or three months; it is not necessary to run them more frequently.
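Both maintenance steps can also run from one PowerShell script that a scheduled task calls. The following is an added example, not the TechNet script or the attached CleanWSUS.bat; it assumes it runs on the WSUS server with SUSDB in Windows Internal Database, and the folder C:\WsusMaint and the file name WsusDBMaintenance.sql are placeholders.

```powershell
# Added example. C:\WsusMaint and WsusDBMaintenance.sql are assumed names.
# Possible schedule (every 3 months), run as an account that administers WSUS:
#   schtasks /Create /TN "WSUS maintenance" /SC MONTHLY /MO 3 /D 1 /ST 02:00 /RU <account> /TR "powershell.exe -NoProfile -File C:\WsusMaint\Maintain-Wsus.ps1"
$ErrorActionPreference = 'Stop'
$WorkDir = 'C:\WsusMaint'
$SqlFile = Join-Path $WorkDir 'WsusDBMaintenance.sql'
$Stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
$LogFile = Join-Path $WorkDir "Cleanup-$Stamp.log"
$DbOut   = Join-Path $WorkDir "DB_Output-$Stamp.txt"

# Single quotes are required: inside double quotes PowerShell would try to
# expand $MICROSOFT as a variable and break the pipe name.
$Instance = 'np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query'

# Step 1: server cleanup through the WSUS administration API.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
$scope.DeclineSupersededUpdates    = $true
$scope.DeclineExpiredUpdates       = $true
$scope.CleanupObsoleteUpdates      = $true
$scope.CompressUpdates             = $true
$scope.CleanupObsoleteComputers    = $true
$scope.CleanupUnneededContentFiles = $true

$result = $wsus.GetCleanupManager().PerformCleanup($scope)
$summary = 'Superseded declined: {0}; expired declined: {1}; obsolete deleted: {2}; computers deleted: {3}; freed: {4:N0} MB' -f `
    $result.SupersededUpdatesDeclined, $result.ExpiredUpdatesDeclined,
    $result.ObsoleteUpdatesDeleted, $result.ObsoleteComputersDeleted,
    ($result.DiskSpaceFreed / 1MB)
Set-Content -Path $LogFile -Value $summary

# Step 2: database maintenance. -b makes sqlcmd return a non-zero exit code
# when the script fails, so the scheduled task reports the failure.
& sqlcmd -S $Instance -E -b -i $SqlFile -o $DbOut
if ($LASTEXITCODE -ne 0) {
    Add-Content -Path $LogFile -Value "sqlcmd failed with exit code $LASTEXITCODE, see $DbOut"
    exit 1
}
Add-Content -Path $LogFile -Value 'SUSDB maintenance completed.'
```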

CleanWSUS.bat (228.00 bytes).

Add send on Behalf on Distribution groups

Many users want to send e-mail from a distribution group. In Exchange 2010 this is disabled by default, but we can enable it from the Exchange Management Shell with a single command:
Set-DistributionGroup GroupName -GrantSendOnBehalfTo UserName
This lets the user UserName choose whether to send mail from his personal account or from the GroupName account. Of course, you must run PowerShell as administrator.

MDT 2010 Things to have in mind

The first thing to know, if we install systems for other customers, is the page with the KMS client keys. It lists all the keys needed to install systems without being prompted to type them (but we will have to change them later).

The second good thing to do is to update the images. This is simple with ImagePatcher, a PowerShell script available as a free download from CodePlex. It is also easy to use: all we have to do is open PowerShell as Administrator and run the ImagePatcher script like this:
imagepatcher.ps1 -dbg:yes -imagefile:"E:\Deploy\Operating Systems\Windows 7 x86\sources\install.wim" -patchimages:"all"
Of course, the ImageFile parameter depends on your deployment share path.

The third thing is the Administrator account. I can’t see the reason why it is there (I know that it is DISABLED in Windows 7 by default). After I saw this, I wrote a PowerShell script which disables the Administrator account and creates a new, password-protected account for administration. The script is available for download here (attachment).
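The same idea as an added example (this is not the attached CreateUser.ps1). It assumes PowerShell 2.0 on Windows 7, so it uses WMI and ADSI rather than newer cmdlets; the account name LocalOps is a hypothetical default. It finds the built-in account by its RID instead of its name, prompts for the password instead of storing it in the script, and disables the built-in account only after the replacement is in the Administrators group.

```powershell
# Added example; 'LocalOps' is a hypothetical account name.
param([string]$NewAdminName = 'LocalOps')
$ErrorActionPreference = 'Stop'
$computer = $env:COMPUTERNAME

# The built-in Administrator always has RID 500, even if renamed or localized.
$builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if (-not $builtin) { throw 'Built-in Administrator account (RID 500) not found.' }

# Prompt for the password so it never appears in the script or the task sequence.
$secure = Read-Host "Password for $NewAdminName" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $machine = [ADSI]"WinNT://$computer,computer"
    $user = $machine.Create('user', $NewAdminName)
    $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
    $user.SetInfo()
}
finally {
    # Wipe the plain-text copy of the password from unmanaged memory.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# Resolve the Administrators group by its well-known SID (name is localized).
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[1]
$group = [ADSI]"WinNT://$computer/$groupName,group"
$group.Add($user.Path)

# Only now disable the built-in account, so a failure above cannot leave
# the machine without a usable administrator.
$builtin.Disabled = $true
[void]$builtin.Put()

# Report the resulting state of both accounts.
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -eq $builtin.SID -or $_.Name -eq $NewAdminName } |
    Select-Object Name, SID, Disabled
```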

The fourth thing is useful if you update installations with WSUS and the computer will leave your organization. In this case you must correct a value in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Set parameter UseWUServer to 0.

CreateUser.ps1 (434.00 bytes).

SCE and workgroup hosts

In SCE it sometimes happens that you lose the connection with a managed workgroup computer. In this case you are unable to repair the connection or reinstall the agent in any way. This is another scenario related to the certificate and password communication between machines. The only solution is to establish the connection again from scratch.
First we must uninstall the agent from the workgroup machine. We have to do this from the Control Panel by removing the SCVMM2008R2 agent.
The second step is to install the agent once again from the source media (setupvmmamd64SetupVMM.exe) with these options:

  • in the wizard option select This is a host on perimeter network,
  • insert a password for encryption file and do not select Use the CA certificate,
  • select Use local computer name,
  • install the agent,
  • copy SecurityFile.txt to the SCE computer.

Now it is time to log on to the SCE server. You have to use PowerShell. Open the Start menu, navigate to All Programs > Microsoft System Center > Virtual Machine Manager 2008R2 and open Windows PowerShell – Virtual Machine Manager (open it as Administrator).
Now you must connect to the SCE server with the command Get-VMMServer -ComputerName "FQDN of SCE Server"
If the host is already present in SCE, the first thing to do is to remove it. This is easy to do with the command Remove-VMHost "Hostname". The hostname here is, in most cases, without a domain (it is in the workgroup).
Now we add the host to SCE with these commands:

  • first we enter the credentials (the same username and password as you specified on the host machine): $Pass = Get-Credential,
  • now we add the host to SCE: Add-VMHost "HostName" -Description "My host" -RemoteConnectEnabled $False -PerimeterNetworkHost -SecurityFile "D:\SecurityFile.txt" -EncryptionKey $Pass. Note the location of the security file and the fact that the description is optional.

Now we can open the SCE console and the host is there, but when we try to connect to the host (screen below), we are prompted for credentials and we will see that there is a problem with the certificate of the host machine. At this point we have to find which certificate is required (look at the dates and the certificate properties in the popup window), export it from the host computer's trusted certificate store and import it on the SCE computer into the Trusted Root Certification Authorities store (Computer).
That’s all.
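Because anything placed in Trusted Root Certification Authorities is trusted by the whole SCE computer, it is worth confirming that the exported file really is the host's certificate before importing it. The following added example (not part of the original procedure) does that on the SCE computer; the file path D:\HostCert.cer and the thumbprint value are placeholders, with the thumbprint read from the certificate properties on the host.

```powershell
# Added example. D:\HostCert.cer and the thumbprint below are placeholders.
param(
    [string]$CerPath = 'D:\HostCert.cer',
    [string]$ExpectedThumbprint = '<thumbprint read on the host machine>'
)
$ErrorActionPreference = 'Stop'
$X509 = 'System.Security.Cryptography.X509Certificates'

# Load the exported certificate and show what is about to be trusted.
$cert = New-Object "$X509.X509Certificate2" $CerPath
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

# Compare with the thumbprint noted on the host; strip the spaces and hidden
# characters that the certificate dialog adds when the value is copied.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected."
}

# An expired or not-yet-valid certificate would not fix the connection.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Import into Trusted Root Certification Authorities (Computer) only once.
$store = New-Object "$X509.X509Store" 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $findType = [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint
    if ($store.Certificates.Find($findType, $cert.Thumbprint, $false).Count -eq 0) {
        $store.Add($cert)
        "Imported $($cert.Subject) into LocalMachine\Root."
    }
    else {
        'Certificate is already present in LocalMachine\Root.'
    }
}
finally {
    $store.Close()
}
```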


Agent not reachable in DPM 2010 and workgroup protected member

If you have a workgroup computer protected with DPM 2010, you will sometimes receive an "Agent not reachable" error. This happens because the password used for communication between DPM and the protected host expires, so you must renew it.

To do this, you first have to change the password at the protected host:

  • Navigate to the folder C:\Program Files\Microsoft Data Protection Manager\DPM\bin
  • Execute the command SetDpmServer.exe -dpmServerName <HostName> -isNonDomainServer -userName <UserName>
    HostName is the name of the protected host (it could be a NetBIOS or an FQDN name)
    UserName is the user that is used for communication between the host and DPM

After this, you must log on to the DPM server, start the DPM Management Shell and run the command:
Update-NonDomainServerInfo -PSName <HostName> -dpmServerName <DPMServer>
(here too, HostName is the name of the protected host and DPMServer is the name of the DPM server, either FQDN or NetBIOS name).

You will now be prompted for the password, and you must specify the same password as on the protected host.

That's all. Now the servers will communicate without any problems. To be sure, you can refresh the agent state in the DPM console (you will see that the agent is reachable).
