
Keeping the TS Media Current: 3 ways, or 1?

Monday, June 17, 2013 in System Center
Just something that came up in conversation about how to keep the TS media current. Here are a few ideas, along with the pluses and minuses of each.

There are a few ways to keep TS media current:
1. Logic bomb (VBScript/PowerShell): nothing older than xx days will run; the script throws an error and kills the TS
2. PXE Service Point / Boot / TS Media Certificates
3. The Network Access Account (NAA)

So, 1 and 2 are largely the same. Here are some weaknesses:
For #1, the PC clock can be changed temporarily since Kerberos time differences wouldn't apply, causing the script to succeed when it should in theory fail. This would allow old media to live on the network. Also, if the script says "Nothing older than January 1, 2013 + 180 days", then who says a new TS is available July 1, or even sooner?
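As an added illustration of approach #1 (this is not a script from the original post), here is the kind of PowerShell "logic bomb" step that would run early in the task sequence. The build date stamped into the media, the allowed age and the exit code are assumptions for the example:

```powershell
# Added example, not from the original post: a date-check step for approach #1.
# $BuildDate is assumed to be stamped into the media when it is created;
# $MaxAgeDays and the non-zero exit code are illustrative choices.
param(
    [datetime]$BuildDate = '2013-06-17',    # assumed: written in when the media was built
    [int]$MaxAgeDays     = 180,             # assumed: how long the media may be used
    [datetime]$Now       = (Get-Date)       # the local WinPE clock, nothing validates it
)

$expires = $BuildDate.AddDays($MaxAgeDays)

if ($Now -gt $expires) {
    Write-Host ("Media built {0:d} expired on {1:d}; refusing to run." -f $BuildDate, $expires)
    # A non-zero exit code fails the Run Command Line step and stops the task sequence
    exit 1
}

Write-Host ("Media built {0:d} is valid until {1:d}." -f $BuildDate, $expires)
exit 0
```

Placed in a Run Command Line step before any disk or network work, this stops the TS on expired media. Its two limits are the ones described above: the comparison is against the local clock, which nothing validates in WinPE, and the 180-day window is a fixed guess that bears no relation to when a replacement TS actually ships.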

For #2, certificates are problematic in the same way as #1. A cert expiry date is really a "wild guess" that doesn't coordinate with anything. Sure, you can set boot media to expire in 2035 with no real consequences other than it missing some things such as drivers that are baked in, but for the most part, the expiry of the TS media has nothing coinciding with a change to the TS.

For #3, changing the name and password of the NAA makes the most sense. You can update the TS and the NAA, say, today, and call the NAA TS130617; you then know when it was last updated. Also, by disabling/deleting/expiring old accounts, you can always ensure the most current boot media is the only one in use.

Even though #3 is a little more work on the AD side, it makes a lot more sense for the long-term success of OSD.
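To show the AD side of approach #3 in working form, here is an added example (not the post's own script) that creates the dated TSyymmdd account and then disables and expires every earlier TS-dated account. The OU, the naming prefix and the regex used to recognise old accounts are assumptions; the password is prompted for rather than stored:

```powershell
# Added example, not from the original post: rotating the Network Access Account
# on the AD side for approach #3. Creates TS<yymmdd> for today's media, then
# disables and expires any earlier TS<yymmdd> account so superseded media
# can no longer reach the distribution points with the old credentials.
Import-Module ActiveDirectory

$Prefix   = 'TS'                                       # assumed naming prefix
$TargetOU = 'OU=Service Accounts,DC=example,DC=com'    # assumed OU for the NAA
$Today    = Get-Date
$NewName  = '{0}{1:yyMMdd}' -f $Prefix, $Today         # e.g. TS130617 on 17 June 2013

$Password = Read-Host -AsSecureString -Prompt "Password for $NewName"

# A plain domain user is enough for the NAA; it needs no extra rights
New-ADUser -Name $NewName -SamAccountName $NewName `
    -Path $TargetOU -AccountPassword $Password `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description ('Network Access Account, media built {0:d}' -f $Today) `
    -Enabled $true

# Every other TSyymmdd account belongs to superseded media: disable and expire it
Get-ADUser -Filter "SamAccountName -like '$Prefix*'" -SearchBase $TargetOU |
    Where-Object { $_.SamAccountName -match "^$Prefix\d{6}$" -and $_.SamAccountName -ne $NewName } |
    ForEach-Object {
        Disable-ADAccount -Identity $_
        Set-ADAccountExpiration -Identity $_ -DateTime $Today
        Write-Host "Disabled superseded NAA $($_.SamAccountName)"
    }

Write-Host "Set $NewName as the Network Access Account in the console, then rebuild the TS media."
```

The account name carries the date, so a glance at AD shows when the media was last refreshed, and because the old account is disabled rather than merely renamed, any copy of the old media fails at the first content download regardless of what its clock or certificate says. Updating the NAA setting in the ConfigMgr console and regenerating the media remain manual steps in this example.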

