O R G A N I C / F E R T I L I Z E R: 2005

Dec 30, 2005

how to decipher sddl for useful stuff

i was counting my lucky stars that i never had to give any thought to deciphering SDDL (security descriptor definition language). some people have written entire diatribes on the subject. for me, i just need a reference. hence, my posting... an sddl string is broken down into four parts, each introduced by a two-character marker:
  • O: - owner
  • G: - primary group
  • D: - dacl (discretionary access control list - who gets what access)
  • S: - sacl (system access control list - what gets audited)
the string is easier to look at once you split it at those markers, since there are no spaces or visible terminators other than the colon. each ace inside the dacl or sacl is enclosed in parentheses, and its six fields are separated by semicolons in this order:
  • [ace_type];[ace_flags];[rights];[object_guid];[inherit_object_guid];[account_sid]
i created a file called text.txt in my c:\temp directory. in the GUI, it's expressed as this:
  • Administrators - Full Control
  • SYSTEM - Full Control
  • Users - Read & Execute
in sddl, it's expressed as:
O:BAG:DUD:ARAI(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;BU)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)

from this, we know that the first segment is for owner:
  • O:BA - builtin administrators
the second segment is for primary group:
  • G:DU - domain users
the third segment is the dacl, including the dacl control flags that precede the values in parentheses:
  • D:ARAI - AR (auto-inherit required) plus AI (auto-inherited), i.e. this dacl inherits from its parent folder
each value in parentheses is an ace string. the first one, (A;;FA;;;BA), is broken down like this:
  • A; - allow type
  • ; - ace flags (empty here, so this is an explicit ace; the last three aces carry ID, which marks them as inherited from the parent folder)
  • FA; - file all (full control, mask 0x1f01ff)
  • ; - object guid (empty for file system aces)
  • ; - inherit object guid (empty)
  • BA - builtin administrators
the 0x1200a9 in the users' aces is a raw mask with no two-letter abbreviation: it is FR (file generic read, 0x120089) or'ed with FX (file generic execute, 0x1200a0), which is exactly the "Read & Execute" the GUI shows.
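to make the decoding mechanical, here's a small parser - an example added for this page, not code from the original post - that splits a descriptor into its four parts, breaks every ace into its six fields, and expands either a two-letter abbreviation or a raw hex mask into named access bits. the alias and rights tables are the documented sddl ones; only the file-system bits are named, directory-service abbreviations like CC or RP are deliberately left out, and the parser raises on anything it doesn't know rather than guessing:

```python
"""SDDL parser: added example for this page, not code from the original post.

Splits a security descriptor string into owner, group, DACL and SACL, tokenises
the ACL control flags, breaks each ACE into its six ';'-separated fields and
expands rights abbreviations or raw hex masks into named access bits.
"""
import re

SID_ALIASES = {"BA": "Builtin Administrators", "BU": "Builtin Users", "SY": "Local System",
               "DU": "Domain Users", "DA": "Domain Admins", "WD": "Everyone",
               "AU": "Authenticated Users", "CO": "Creator Owner"}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "OA": "OBJECT_ACCESS_ALLOWED",
             "OD": "OBJECT_ACCESS_DENIED", "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS",
             "FA": "FAILED_ACCESS"}
ACL_FLAGS = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}
RIGHT_ABBREVS = {  # generic, file and standard rights -> access mask
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000}
FILE_BITS = [(0x1, "FILE_READ_DATA"), (0x2, "FILE_WRITE_DATA"), (0x4, "FILE_APPEND_DATA"),
             (0x8, "FILE_READ_EA"), (0x10, "FILE_WRITE_EA"), (0x20, "FILE_EXECUTE"),
             (0x40, "FILE_DELETE_CHILD"), (0x80, "FILE_READ_ATTRIBUTES"),
             (0x100, "FILE_WRITE_ATTRIBUTES"), (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
             (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE")]


def _tokens(text, table, what):
    """Greedy two-then-one-letter split, e.g. 'ARAI' -> ['AR', 'AI'], 'P' -> ['P']."""
    out, i = [], 0
    while i < len(text):
        width = 2 if text[i:i + 2] in table else 1 if text[i] in table else 0
        if not width:
            raise ValueError("unknown %s token at %r" % (what, text[i:]))
        out.append(text[i:i + width])
        i += width
    return out


def parse_mask(text):
    """Rights field: a hex literal (0x1200a9) or concatenated abbreviations (FA, GRGX)."""
    if text[:2].lower() == "0x":
        return int(text, 16)
    mask = 0
    for tok in _tokens(text, RIGHT_ABBREVS, "right"):
        mask |= RIGHT_ABBREVS[tok]
    return mask


def decode_mask(mask):
    """Names of the file-system access bits set in mask, lowest bit first."""
    return [name for bit, name in FILE_BITS if mask & bit]


def parse_ace(body):
    """One ACE body: type;flags;rights;object_guid;inherit_object_guid;sid."""
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError("ACE needs six fields: %r" % body)
    ace_type, flags, rights, obj_guid, inh_guid, sid = fields
    mask = parse_mask(rights)
    return {"type": ACE_TYPES[ace_type],
            "flags": [ACE_FLAGS[f] for f in _tokens(flags, ACE_FLAGS, "ACE flag")],
            "mask": mask, "rights": decode_mask(mask),
            "object_guid": obj_guid, "inherit_object_guid": inh_guid,
            "trustee": sid, "trustee_name": SID_ALIASES.get(sid, sid)}


def parse_acl(text):
    """ACL component: optional control flags, then zero or more (...) ACEs."""
    head = text.split("(", 1)[0]
    return {"flags": [ACL_FLAGS[f] for f in _tokens(head, ACL_FLAGS, "ACL flag")],
            "aces": [parse_ace(b) for b in re.findall(r"\(([^)]*)\)", text)]}


def parse_sddl(sddl):
    """Split at the O:/G:/D:/S: markers that sit outside parentheses."""
    starts, depth = [], 0
    for i, ch in enumerate(sddl):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            starts.append(i)
    parts = {sddl[i]: sddl[i + 2:j] for i, j in zip(starts, starts[1:] + [len(sddl)])}

    def trustee(key):
        return {"sid": parts[key], "name": SID_ALIASES.get(parts[key], parts[key])}

    return {"owner": trustee("O") if "O" in parts else None,
            "group": trustee("G") if "G" in parts else None,
            "dacl": parse_acl(parts["D"]) if "D" in parts else None,
            "sacl": parse_acl(parts["S"]) if "S" in parts else None}


def explicit_aces(acl):
    """ACEs set directly on the object, i.e. without the ID (inherited) flag."""
    return [a for a in acl["aces"] if "INHERITED" not in a["flags"]]


# The descriptor from the post (c:\temp\text.txt).
PAGE_SDDL = ("O:BAG:DUD:ARAI(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;BU)"
             "(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)")

if __name__ == "__main__":
    for ace in parse_sddl(PAGE_SDDL)["dacl"]["aces"]:
        print(ace["trustee_name"], ace["type"], ace["flags"] or "explicit", hex(ace["mask"]), ace["rights"])
```

run against the descriptor above it lists six aces: three explicit and three with the ID flag, which are the copies inherited from c:\temp. explicit_aces() filters the inherited ones out, which is the first thing to check when you're working out whether a permission was set on the file itself or came down from its parent.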

Dec 29, 2005

how to reset machine account passwords

member servers (use one of the methods below):
  • nltest /sc_change_pwd:<domainname> - forces the secure channel password to change right away
  • set the following registry value to 0, then restart netlogon: hklm\system\currentcontrolset\services\netlogon\parameters\maximumpasswordage
domain controllers:
  • netdom resetpwd /server:<another dc> /userd:<domain>\<admin account> /passwordd:* - run it on the dc whose password you're resetting, pointing /server at a different, healthy dc (stop the kerberos key distribution center service first and start it again afterwards)
thanks joe & steve.

Dec 2, 2005

monad dependencies

if you're upgrading to the newest version of monad, the one that runs on the .net framework 2.0 production release, make sure that you remove monad before uninstalling .net framework 2.0 beta 2. otherwise, you won't be able to uninstall monad in order to install the new version. so here are the steps:
  1. uninstall monad
  2. uninstall .net framework 2.0 beta 2
  3. install .net framework 2.0 (production release)
  4. install monad

Nov 16, 2005

sms 2003 desired configuration monitoring released!

in case you missed it (and I did as well -- recurring theme?) the desired configuration monitoring component for sms 2003 has been released. download it here.

exchange sla scorecard released!

in case you missed it (i know i did), the exchange sla scorecard has been officially released. if you have MOM 2005 and a reporting server, download your copy now!

Nov 14, 2005

free resource for MVPs

this is pretty cool. the other day, i stumbled across a posting stating that eventid.net gives out free subscriptions to MVPs. i emailed their sales alias and received an email today. sure enough, it's true. :) here's the link to the page if you want to read more about it: http://www.eventid.net/freeformvp.asp. thanks EventID.Net!

Nov 10, 2005

get with the times, dude - setting an external time sync

while i was at the mvp summit, i was talking to a friend and fellow mvp, rory mccaw. he mentioned that he discovered in windows server 2003 that net time is a deprecated command; w32tm is its replacement (w32tm /config /manualpeerlist:<your ntp server> /syncfromflags:manual /update, then w32tm /resync). he came across this when he was having an extremely difficult time getting the server to accept the time sync sources. minasi's latest post (issue #52) reminded me of this - especially since minasi himself is an mvp. i guess if he had been in that conversation, he'd have known this too.

Nov 9, 2005

sony digital rights management

for those of you that have been following along with russinovich's exposé of sony's digital rights management copy protection scheme, this article from techdirt regarding npr's recent interview with hesse is a must read. is this guy for real?! here's a quote from the article.
After taking issue with anyone using the terms "spyware, malware or rootkit," Thomas Hesse, President of Sony's Global Digital Business, literally says: "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
click here to listen to the full story.

mom 2005 agent - port requirements

here's some good, general information on mom agent port requirements over a firewall. someone posted this on the msmom mailing list.
MOM agents can communicate with the MOM Management Server if the MOM agent computer is behind a firewall. However, you must open TCP port 1270 and UDP port 1270. Additionally, you must manually install and update MOM agents that are behind a firewall. If you cannot enable access to port 1270 through the firewall, you must install a MOM management group inside the perimeter network. You can separately monitor the perimeter network management group. Or, you can enable alert forwarding from the perimeter network management group to the internal MOM management group by using port 1271. If the managed computers belong to the internal domain, the following conditions are true:
  • Mutual authentication is available.
  • Signed and encrypted communications are available.
  • The following ports are open so that the managed computer can authenticate the MOM management domain and communicate with the domain:
    • UDP port 53 to support Domain Name System (DNS) queries and dynamic registrations
    • UDP port 123 to support Network Time Protocol (NTP)
    • TCP port 135 to support remote procedure calls (RPC)
    • UDP port 389 and TCP port 389 to support Lightweight Directory Access Protocol (LDAP)
    • TCP port 445 to support server message block (SMB)
    • All ports over 1024 for RPC communication and for response to dynamic source ports on the MOM agent computer.
If the managed computers belong to a perimeter network domain, the following conditions are true:
  • If a full Active Directory directory service trust relationship exists between the Management Server domain and the agent domain, the following options are available:
    • Mutual authentication
    • Signed and encrypted communications
  • If a full Active Directory trust relationship does not exist, only signed and encrypted communications are available. Mutual authentication is not available.

Nov 8, 2005

mom 2005 agent - existing connection was forcibly closed

are you familiar with this error message? if so, you've probably applied the hotfix to correct it. when you apply this hotfix, you have to add a new dword value called ServerIOTimeoutMS under this path: HKEY_LOCAL_MACHINE\Software\Mission Critical Software\OnePoint\Configurations\configuration group name\Operations\Consolidator. what you may not know is that when you apply mom 2005 sp1, although this hotfix is included in it, the dword value still needs to be created. if you find yourself building a new mom server, keep this in mind. by the way, most people have success setting this value somewhere between 30000 and 45000 (the MS suffix on the value name indicates milliseconds).

Nov 7, 2005

sharing code - mom 2005

looking for a place to share some of your favorite mom scripts, management packs, reports, etc.? looks like this went live recently... http://www.gotdotnet.com/codegallery/featuredgroups.aspx. this is a supplemental site to some of your favorites like momsolutions.org, myitforum.com, smsmom.com, momanswers.com ... here's some of what you can expect to get at gotdotnet:
  • license control
  • download counts
  • search
  • discussions

updated exchange 2000/2003 management pack for mom 2005 released

in case you missed it, the exchange mp for mom 2005 was updated and released, along with an updated configuration tool. if you did, don't think you've been living under a rock. with the state of mp notifier updates and the management pack catalog, it's not surprising very few people know about these releases. at the moment, the exchange mp doesn't seem to be available:
The download you requested is unavailable. If you continue to see this message when trying to access this download, go to the "Search for a Download" area on the Download Center home page.
yeah, right. if you ever see this error, don't presume you'll be able to find it on your own. :) also, the mom summary reporting pack came out of beta. one gotcha. you have to be at mom 2005 sp1 to utilize it. i'll post more about my experiences with it soon.

winternals presentation - understanding malware

recently, i attended a presentation by Winternals called "Understanding Malware: Spyware, Viruses, and Rootkits". from what i understand, it was an abbreviated version of the presentation at teched. for what it was worth (free), it was pretty good. it was a couple of days after russinovich's blog about sony's drm rootkit. timing couldn't have been more perfect. it was more or less a pitch for recovery manager. it's a pretty cool tool in its own right. as an mvp, i received a free copy to try out. i wasn't really inspired to do it until i saw their demo... anyway, i thought it was pretty cool that at the end of the slide deck, one of the many resource links they listed was the microsoft mvp site! scoring even higher, they sent a trial key and slide deck the next day. to top it all off, i received a package today from winternals. it was completely unexpected. it's a large, black tin box. i took the lid off to read "Relax, Marcus". kudos to their marketing. that was clever. underneath the pamphlets and thank you note (for attending the presentation) was a hammock. :) nice stuff. wish all vendors were that creative and thoughtful. anyway, if you get a chance to attend this presentation in your city, be sure not to miss it.

momsolutions.org

i stumbled across this site today. has some interesting utilities and scripts to help augment a stock mom installation. good stuff!

Oct 18, 2005

restricted groups - adding to members

for a long time, it's been thought that restricted groups in a group policy could only perform a wipe and replace of the members of a local group. let's dispel this myth. what seems to be fairly unknown is that restricted groups is capable of adding members to a group without removing the existing members. the difference is which of the two panes you configure: the top pane (members of this group) is authoritative and removes anything not listed, while the bottom pane (this group is a member of) only adds. for instance, let's assume we have a group called MyGroupA that needs to be in the administrators group on a set of workstations. there are two ways to do this. the first, you're probably familiar with, is to replace whatever is in the administrators group with a new set of groups or users. where is this useful? if you want to make sure that any accounts mysteriously added to the local admins group are removed and replaced with your set of users/groups, use this method (security settings reapply on every refresh, roughly every 16 hours even when the policy hasn't changed, so a hand-added account doesn't survive long). i won't elaborate on this since it's fairly common and understood. the other method is adding users/groups to local admins without removing the users/groups that already exist. back to MyGroupA. here's how to set it up.
  1. open up the group policy object you want to affect
  2. under computer configuration, navigate to windows settings\security settings
  3. locate the restricted groups folder. right-click on the folder and choose add group...
  4. add the group - domain\MyGroupA, for instance
  5. in the configure membership dialog, there are two panes. in the bottom pane, labeled this group is a member of, click add
  6. type in administrators. click ok
  7. click ok to close the dialog
that's it. now refresh the policy on a workstation (gpupdate /force) and check with net localgroup administrators: MyGroupA should have been added to the administrators group, and whatever was already in it should still be there.

Oct 14, 2005

exchange mp - check mailbox store availability - mapi logon test

you know, i thought... while i'm on the issue of dumb event rules, this one came up. this rule kicks off the exchange 2003 - mapi logon verification script. there's nothing wrong with the idea of the rule... the problem is wholly in the execution. for example, you probably want to know when an error occurs, right? so you leave this on... the logperfdata parameter in the script allows three different values:
  • "0" - logs success events
  • "1" - logs information into a performance counter
  • "-1" - does not log
so what's the problem? if you set this value to anything other than 0, the exchange service availability report has no data when it runs, since the report is built from those logged events. nice.

iis management pack - useless rules

i was running a couple of mom sql scripts that generate the most common events and most common alerts. (if you're not doing this yet, you should make a point of doing it about once a week or so, just to make sure you're not getting any event storms.) anyway, it turns out two rules were generating about 80,000 events in a 4 day window on one management group, and about 750,000 events on another management group. that's right - 750,000. i would categorize that as a complete and ridiculous oversight when MS built this particular MP. these were picked up as "informational", which i'm going to equate to useless in this case. if you load up the IIS MP, i strongly suggest disabling the following two rules:
  • All HTTP 400 Errors
  • All HTTP 500 Errors
you can locate these rules under this path: microsoft windows internet information services\internet information services x.x\core services\world wide web publishing service. note that x.x represents 5.0 and 6.0; the rules need to be disabled in both places. if you'd still like to be told about a burst of 4xx or 5xx responses (a scanner or a broken application will produce one), a consolidate similar events rule keeps that visibility without storing every single error as its own event.

Oct 9, 2005

interesting search engine...

i ran across this on one of my own google ads on my blog page. has anyone used this search engine? seems interesting... http://www.microsoftsearchengine.com/search/search.php/search::cat/category::4737

system center stuff is available...

it's interesting how three different products in the system center suite hit different levels of beta nearly all at once. it's actually pretty cool... unless you're beta testing all of them... got some work cut out for you.
  • mom 2005 summary reporting pack - release candidate
  • system center reporting manager 2005 - beta
  • system center capacity planner 2006 - public beta
summary reporting pack aggregates information that exists in your mom warehouse database and essentially improves performance. reporting manager 2005 is an integration of sms and mom data into one warehouse. i don't have much experience with this or the reporting pack yet. i'll post more of my findings as i come across them. i can probably speak to capacity planner 2006 best. i attended the airlift in redmond, saw the product, talked to the product group, and in general had a very good experience over all. this version works for planning mom and exchange deployments. essentially, it comes with lots of performance statistics. you supply the infrastructure and data about your environment or potential environment... the planner tells you if it's going to work. there's a certain amount of fluff you have to accommodate, obviously. it takes you a long way from having to plan this stuff on paper, basically guessing at it... happy planning.

Oct 6, 2005

john hann's articles resurface

looks like some of hann's articles are coming back ... on his blog. here's the post... maybe i won't have to repost his stuff. :)

Availability MP

so it turns out (sorry, been in seattle too long, where every sentence starts with "so") the availability mp has some issues. hence it's been pulled from the microsoft website. if you have the exchange mp installed, do not install the availability mp (yet). it's going to be updated soon, though... keep your eyes open. anyway, the current version pulls out the following groups:
  • Microsoft Exchange Server 2000 Backend
  • Microsoft Exchange Server 2003 Backend
and replaces them with the following groups:
  • Microsoft Exchange Server 2000
  • Microsoft Exchange Server 2003
the only workaround right now is to re-import the exchange mp. fun.

Sep 27, 2005

clearing the mom agent cache

i'm frequently asked how this is done, so i thought i'd post it here for anyone that needs it. basically, you have to stop the mom service to do this properly. that's step one. then delete the contents of the cache folder and start the mom service again. here's the batch file i use for this; it takes the management group name as its one argument (%1), because the folder under microsoft operations manager is named for the management group (watch for word wrap):

rem usage: %~n0 <management group name>
net stop mom

rem /s recurses, /q skips the "are you sure" prompt, /f forces read-only files
del /s /q /f "c:\documents and settings\all users\application data\microsoft\microsoft operations manager\%1\*.*"

net start mom


that's it.

Sep 22, 2005

mom agents and mcafee 8.0i

if you've been getting alerts in mom like this one:
The response processor failed to execute a response. The response returned the error message: The remote procedure call failed.
then you may be experiencing what other administrators have experienced when using mom agents with mcafee 8.0i. apparently the scriptscan module is causing this behavior. there are two workarounds so far for this problem.
  1. the first one requires unregistering the scriptproxy.dll component of mcafee 8.0i. this probably isn't a very savory workaround, but it gets the job done. you can find references to this at microsoft or at mcafee.
  2. the second one is to apply patch 11 from mcafee. if you look through the readme, you'll see this item referenced as issue #2:
A third-party application working with scripts can encounter an access violation error if it passes a NULL pointer to the Script Scan module (SCRIPTPROXY.DLL). The Script Scan module does not refer a NULL pointer. BZ235573 RESOLUTION: The Script Scan module can now refer NULL pointers.
so we can all go back to thanking mcafee for getting off their ass and posting a fix for this problem.
:)

UPDATE: evidently mcafee posted some additional information. here's the link.

Sep 16, 2005

looking for john hann's articles?

don't worry. i'll be posting his article contents here. of course, since i didn't write them, i'm not going to support them in any way, shape, or form. :) the only service i'm going to do for ol' john is correcting his grammar and spelling (less uppercase, of course). keep checking back.

sms security - script

okay... as a follow up to my previous post, this script gives a specified group read/modify/delete rights over the subcollections of a parent collection. i used it to set the subcollections of the master collection i talked about in my previous post. oh, btw, this blogger likes to strip spaces, so you'll have to make your own formatting. here it is. (watch for word wrap!)

 

' Author:  Marcus C. Oh
' Date:    9/16/2005
' Purpose: Grants a group Read/Modify/Delete instance level
'          permissions to the child collections of a specified
'          parent collection.
' Credit:  I shamelessly ripped the connection string from Michael
'          Schultz and other variable/string logic from him.  :)
'          Permissions logic from the SMS Scripting Guide
'
'          Added subroutine logic sent up by a blog reader.  Now the
'          script parses subcollections.

Option Explicit
Dim mySiteServer, mySiteCode, mySMSGroup, myCollectionID
Dim myLocator, myService, myVisited

'--------------------------------------------------------------------
' Modify the following values
mySiteServer =   "<Site Server Name>"
mySiteCode =     "<Site Code>"

' Modify "mySMSGroup" to the group you're giving permissions to.
'   Follow the Domain\GroupName convention
mySMSGroup =     "<DomainName\GroupName>"

' Modify "myCollectionID" to the parent collection ID
myCollectionID = "<Parent Collection ID>"
'--------------------------------------------------------------------

' Connects to WMI on the site server.  Err.Number only gets populated
' while On Error Resume Next is in effect, so enable it around the
' connection and switch it back off afterwards.
On Error Resume Next
Set myLocator = CreateObject("WbemScripting.SWbemLocator")
Set myService = myLocator.ConnectServer(mySiteServer, "root/sms/site_" & mySiteCode)

If Err.Number <> 0 Then
    WScript.Echo "WBemServices connection failed! " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

' Collections can be linked under more than one parent; remember the
' ones already handled so nothing is processed twice.
Set myVisited = CreateObject("Scripting.Dictionary")

Call ProcessCollection(myCollectionID)


' Subroutines ------------------------------------------------------

Sub ProcessCollection(collectionID)
    Dim myQuery, myCollections, oCollection, myRights, oRight
    Dim AlreadySet, myNewRight

    If myVisited.Exists(collectionID) Then Exit Sub
    myVisited.Add collectionID, True

    ' Query to pull the child collections of the collection passed in
    ' (not the top-level parent, or the recursion would never descend)
    myQuery = "select coll.* " &_
              "from SMS_Collection as coll join SMS_CollectToSubCollect as assoc " &_
              "on coll.CollectionID=assoc.subCollectionID where " &_
              "assoc.parentCollectionID=" & Chr(34) & collectionID & Chr(34)

    Set myCollections = myService.ExecQuery(myQuery)
    For Each oCollection In myCollections
        WScript.Echo VbCrLf & "Collection Name: " & oCollection.Name &_
        VbCrLf & "Collection ID  : " & oCollection.CollectionID
        AlreadySet = False
        ' ObjectKey=1 is the Collection object type
        Set myRights = myService.ExecQuery("Select * From SMS_UserInstancePermissionNames WHERE ObjectKey=1 AND InstanceKey='" & oCollection.CollectionID & "'")
        WScript.Echo "The following groups already have permissions here:" & vbCrLf
        For Each oRight in myRights
            WScript.Echo "  " & oRight.UserName & "  " & oRight.PermissionName
            If LCase(oRight.UserName) = LCase(mySMSGroup) Then AlreadySet = True
        Next
        If Not AlreadySet Then
            Set myNewRight = myService.Get("SMS_UserInstancePermissions").SpawnInstance_()
            myNewRight.UserName = mySMSGroup
            myNewRight.ObjectKey = 1          ' Object type is Collections
            myNewRight.InstanceKey = oCollection.CollectionID
            ' Instance permission bits: Read=1, Modify=2, Delete=4.
            ' (1+2+3 would be 6, which is Modify+Delete with no Read.)
            myNewRight.InstancePermissions = 1 + 2 + 4
            myNewRight.Put_
            WScript.Echo vbCrLf & "The " & mySMSGroup & " users now have access to " &_
                oCollection.Name & "."
        End If
        ' Recurse into this collection's own subcollections whether or
        ' not the group already had rights on it
        Call ProcessCollection(oCollection.CollectionID)
    Next
End Sub

Sep 15, 2005

managing sms collection security

back in february, i posted about how useless sms security was for the enterprise. well, i have to retract that comment now. yesterday, i received some information on how to set up sms to narrow a user's focus down to a specific collection. this means you can separate administration: workstations to your client staff, servers to your server staff, domain controllers to your domain admins, etc. with this method, you can now set up secondary site servers and have that layer of useful granularity so that your site admins have control of their own clients. enough prattling. on to the good stuff... in this example, we're going to set up security for client administrators.
  1. setup a collection of clients that are all workstations.
  2. grant the following rights only to the group or user (suggest using groups) on the class level to collections:
    • advertise
    • create
    • delegate
  3. if the group/user has any other permissions to the class level, make sure that gets removed.
  4. grant the group/user instance level permissions to the collection that you created in the first step with the following rights:
    • modify
    • read
    • read resource
    • use remote tools (where wanted/applicable)

i'll explain a few things here. what you've done is removed class-level read permissions to all collections in sms. now any time the user creates a new collection, its membership has to be validated against a specific collection - be it static (direct) or dynamic (query). in this case, they only have rights to read the information from the collection created in step 1.

you don't have to grant "modify" rights as stipulated in step 4. do this only if you want the user to be able to create subcollections under the collection created in step 1. modify does not mean they can change the membership of the master collection. even the membership rules of this collection require validation against the master collection, and since the master collection is itself... the most they could do is remove items, not add any more than what's defined initially. cool stuff. thanks eric.

update: since posting this, i've modified step 4 to add "read resource" and "use remote tools". a new member of my team pointed out that without "read resource" rights, advanced query functions like subselect are not available.

here's the link for the script: http://marcusoh.blogspot.com/2005/09/sms-security-script.html

Sep 14, 2005

purging unwanted dsuw data

just thought i'd give some service to one of my cohorts that put up this useful post on cleaning patch files out of the dsuw directories for sms. click the link to access his blog.

Sep 13, 2005

dns aging and scavenging

if you're looking for my article, you can find it on myitforum.com - but... hey i just found it on searchwin2000.techtarget.com. pretty cool. click the link above...

useless mom trivia

question: in the Microsoft Windows Storage State Monitoring Script, there is a parameter called "MegaByteFreeSpaceThreshold". what is this value for? answer: absolutely nothing. in the script, the parameter gets read here:
THRESHOLD_MB = GetParam("MegaByteFreeSpaceThreshold")
and here's the only section of the script that actually uses it. notice that it's commented out:
'Commenting out Megabyte comparison alone
'If nMBFree < THRESHOLD_MB Then
'    problemState = PROBLEMSTATE_RED
'    alertLevel = ALERT_CRITICAL_ERROR
'End If
by the way, i should mention that the mp guide actually lists MegaByteFreeSpaceThreshold as a valid parameter but doesn't discuss in any detail how it applies. the lack of detail was what made me go snooping around. guess someone didn't do their homework.

Aug 26, 2005

esbot dcom problems...

i ran into this same problem w/ dcom. it wasn't a mom issue... but it was the same condition as blake posted about. if you have odd connectivity problems, read his post.

delegating lcs administration for users...

when i was told that user administration couldn't be delegated to just the domain, i refused to take that for an answer. this is Live Communications Server 2005! that means two full product releases from exchange im. if you recall, there was an lcs 2003 as well, but it didn't get quite that much play. after a few rounds, microsoft came back with an answer. admittedly, it was a little difficult to understand in the context they provided. let me see if i can make it a little easier. keep in mind, these steps are for a multi-domain forest. high-level steps:
  • create root domain universal group
  • delegate access to msRTCSIP objects
  • delegate access to computer objects
  • grant access to RTC Local User Administrators
  • delegate access to user objects
in this example, we'll use a root domain universal group called RTCPerms (universal rather than global, so that it can hold groups from every domain in the forest). we need to give RTCPerms some object-level access. to do this, go to your root domain and navigate down through dc=root, cn=system, cn=microsoft to cn=rtc service, then grant RTCPerms the following:
  • msRTCSIP-Pool objects
    • Read All Properties
  • msRTCSIP-PoolService objects
    • Read All Properties
  • msRTCSIP-Service objects
    • List Contents, Read All Properties
  • msRTCSIP-GlobalContainer objects
    • List Contents, Read All Properties
not done quite yet. connect back to the domain where your lcs servers reside and switch aduc to show users, groups, and computers as containers (it's on the view menu). expand each of your lcs servers; you'll see a microsoft container, and under it the rtc services container. remember the RTCPerms universal group in the root domain? okay, good. grant it Read All Properties on that container. one more thing, then you're on your own: add RTCPerms to the "RTC Local User Administrators" local group on your lcs server. if you're using a pool, add it to the same local group on each pool member. now you're on your own. however you want to delegate permissions to your users, do it that way. whether you delegate full control, read/write all properties, or the RTC-specific properties, it will all work now. all you have to do is add the delegated group to the RTCPerms universal group that sits in the root domain. ah, more for the gray matter. time to drop another childhood memory.

Aug 24, 2005

mom server performance advisor mp - first thoughts

i've read over the readme for the spa mp. my first thoughts are that it sounds fairly intriguing. looks like it can be set to kick off a spa data collection whenever an event is detected, such as cpu sustained busy for x minutes. also could be useful to kickoff an active directory collection whenever lsass exponential memory usage is detected, for example. the only suggestion i'd have to the mp authors is... where is the task to deploy spa? certainly there must be some way to do this since it's a msi. i suppose i could hack and slash my way through the mbsa mp (do not recommend using unless you have no other vuln mgmt tool) to look at their script code to see how they setup the deployment tasks - or the exbpa mp (very noisy, also not recommended).

my gaim messenger is going to explode...

have you seen that google has released their own messenger? i'm very pleased that a friend of mine referred me to gaim. it's modular enough to handle the jabber protocol that new google talk users will be using. guess that means i have to set up gaim for google talk. sigh. this is getting crazy. i have a messenger id on nearly every system and maintain severe overlap for IM friends that use two or three different types. it's always left to third parties to join these heterogeneous systems together. however, that doesn't mean you can just have one messenger id and talk to someone else. you have to maintain an id on every system. try to convince your friends to move off aol to msn or vice versa. whatever.

Aug 23, 2005

what's for dinner? i'm hungry!

i just discovered this site called restaurant.com. the motto is "eat. drink. save money". i'm cool with that. most of the certificates don't cover drinks, as it turns out, though. so maybe the motto should be "eat. save money."? there are a few other gotchas. you can only use one certificate per party. you can only use a certificate at that particular restaurant once per month. there are some great restaurants on this site, though... most $25 certificates cost $10, $10 certificates cost $3, etc. the certificates have stipulations like having to order $35 worth of food for the $25 certificate. anyway, i ran into this a LONG time ago but wasn't sure if it was legitimate. however, after running across this coupon code... i had to try it! anyway, it's 73639 in case you get an itch to try it yourself.

tracking inefficient queries...

update: a fellow reader suggested i check out this article from tony murray. it's good stuff, so i thought i'd drop the link here: logging ldap searches: ad & adam.

so... a couple of domain controllers had runaway lsass processes today. i began to look further into the issue and figured out where the excessive LDAP queries were being issued from. unfortunately, it didn't amount to anything... but the process of tracking them was pretty useful. the first thing i should point you to is Server Performance Advisor. just a fyi, as it turns out, there's a management pack that you can use with SPA... :) it's located here.

alright, so spa... you're on your own. it's a little kludgy, but once you have it down, it's extremely useful for providing information. i'm not really happy about the fact that it has to leave a footprint (installed) versus just running from an executable... but what do you do? anyway, what i realized with spa is that it doesn't capture long-running or inefficient queries. i did some more digging and found that if you raise the 15 Field Engineering diagnostic level to 4 or 5 (under hklm\system\currentcontrolset\services\ntds\diagnostics), you get logging down to the individual query: level 5 writes one event (id 1644) to the directory service log for every expensive or inefficient search, with the client address and the exact filter. it's verbose, so set the level back to 0 once you've found the culprit. you can read the whole article here. here's a snippet from the article:

Tracking Expensive and Inefficient Searches

Expensive searches are searches that visit a large number of entries. The efficiency of a search is measured by the number of entries returned against the number of entries visited. For example, a search that goes through 500 entries could be considered an expensive search. If the search returns 500 entries after searching through 500 entries, then you have an efficient search. An inefficient search returns five entries after searching through 500 entries.

To track searches, you can enable the diagnostic event logging for Active Directory Services. Event logging allows you to determine if you have expensive or inefficient searches.

These event log messages are logged in the Directory Services event log using the Field Engineering category. The Directory Services event log is generated every time the garbage collector runs.

The following is an example of an event log message of an inefficient search:

Windows 2000 Server log

The Search operation based at DC=MyTest,DC=microsoft,DC=com 
using the filter:
(attr(0xd)=<substr>)
visited 237 entries and returned 6 entries.

Windows Server 2003 log

Internal event: A client issued a search operation with the following options.

Client:
127.0.0.1
Starting node:
 DC=MyTest,DC=microsoft,DC=com
Filter: 
  (objectCategory=<val>) Visited entries: 237 Returned entries: 6

This search is considered an inefficient search because only six entries are returned after going through 237 entries.

Potentially, there can be numerous event log messages, so the messages are masked by using a severity level other than the default:

  • DS_EVENT_SEV_VERBOSE
    To log a message about the number of expensive and inefficient search operations performed in the last collection period, set the Field Engineering logging severity level to 4 (DS_EVENT_SEV_VERBOSE).
  • DS_EVENT_SEV_INTERNAL
    To log a message about the number of expensive and inefficient search operations performed in individual searches, set the Field Engineering logging severity level to 5 (DS_EVENT_SEV_INTERNAL). This event logs the exact filter used for each search operation that was expensive or inefficient, immediately after any expensive or inefficient search completes.

You can set the severity levels by setting the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering

For information about how to enable diagnostic event logging for Active Directory Services, see the Microsoft Knowledge Base article Q314980 How to configure Active Directory diagnostic event logging in Windows Server Services.

To categorize search operations as expensive or inefficient, two DWORD registry keys are used:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Expensive Search Results Threshold
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Inefficient Search Results Threshold

These DWORD registry keys have the following default values:

  • Expensive Search Results Threshold: 10000
  • Inefficient Search Results Threshold: 1000

Using the default values, a search is considered expensive if it visits more than 10,000 entries. A search is considered inefficient if the search visits more than 1,000 entries and the returned entries are less than 10 percent of the entries that it visited.
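to make those two rules concrete, here's a python script added as an example (it is not from the article, and it touches no windows api; it only parses event text in the two formats quoted above and applies the thresholds). the first two sample events are the ones from the article; the other two, and the client addresses in them, are constructed.

```python
"""Classify Active Directory "Field Engineering" search events as expensive or inefficient.

Added example for this post; not part of the quoted Microsoft article. It parses the
event text in the two formats shown above and applies the documented threshold rules.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Default values of the NTDS\Parameters thresholds quoted in the article.
EXPENSIVE_SEARCH_RESULTS_THRESHOLD = 10000
INEFFICIENT_SEARCH_RESULTS_THRESHOLD = 1000

# Windows 2000 wording: "... based at <base> using the filter: <filter>
# visited N entries and returned M entries."
_W2K_RE = re.compile(
    r"based at\s+(?P<base>.*?)\s*using the filter:\s*(?P<ldap_filter>.*?)\s*"
    r"visited\s+(?P<visited>\d+)\s+entries\s+and\s+returned\s+(?P<returned>\d+)\s+entries",
    re.I | re.S,
)
# Windows Server 2003 wording: "Client: <ip> Starting node: <base> Filter: <filter>
# Visited entries: N Returned entries: M"
_W2K3_RE = re.compile(
    r"Client:\s*(?P<client>\S+)\s*Starting node:\s*(?P<base>.*?)\s*Filter:\s*"
    r"(?P<ldap_filter>.*?)\s*Visited entries:\s*(?P<visited>\d+)\s+"
    r"Returned entries:\s*(?P<returned>\d+)",
    re.I | re.S,
)


@dataclass
class SearchEvent:
    base: str
    ldap_filter: str
    visited: int
    returned: int
    client: Optional[str] = None  # only the Windows Server 2003 format carries the client


def parse_event(text: str) -> SearchEvent:
    """Parse one event body in either format; raise ValueError for anything else."""
    for pattern in (_W2K3_RE, _W2K_RE):
        m = pattern.search(text)
        if m:
            d = m.groupdict()
            return SearchEvent(base=d["base"], ldap_filter=d["ldap_filter"],
                               visited=int(d["visited"]), returned=int(d["returned"]),
                               client=d.get("client"))
    raise ValueError("not a Field Engineering search event")


def classify(ev: SearchEvent,
             expensive_threshold: int = EXPENSIVE_SEARCH_RESULTS_THRESHOLD,
             inefficient_threshold: int = INEFFICIENT_SEARCH_RESULTS_THRESHOLD) -> List[str]:
    """Apply the article's two rules.

    expensive:   visited more than expensive_threshold entries
    inefficient: visited more than inefficient_threshold entries AND returned
                 fewer than 10 percent of the entries visited
    """
    labels = []
    if ev.visited > expensive_threshold:
        labels.append("expensive")
    if ev.visited > inefficient_threshold and ev.returned * 10 < ev.visited:
        labels.append("inefficient")
    return labels


# Sample input. The first two events are the ones quoted in the article; the
# last two are constructed here to exercise the default thresholds.
SAMPLE_EVENTS = [
    "The Search operation based at DC=MyTest,DC=microsoft,DC=com \n"
    "using the filter:\n(attr(0xd)=<substr>)\n"
    "visited 237 entries and returned 6 entries.",
    "Internal event: A client issued a search operation with the following options.\n\n"
    "Client:\n127.0.0.1\nStarting node:\n DC=MyTest,DC=microsoft,DC=com\n"
    "Filter: \n  (objectCategory=<val>) Visited entries: 237 Returned entries: 6",
    # constructed: a dump that returns nearly everything it visits -> expensive only
    "Internal event: A client issued a search operation with the following options.\n\n"
    "Client:\n10.0.0.5\nStarting node:\n DC=example,DC=test\n"
    "Filter: \n  (objectClass=*) Visited entries: 12000 Returned entries: 11900",
    # constructed: a broad substring filter that matches almost nothing -> both labels
    "Internal event: A client issued a search operation with the following options.\n\n"
    "Client:\n10.0.0.9\nStarting node:\n DC=example,DC=test\n"
    "Filter: \n  (description=*foo*) Visited entries: 12000 Returned entries: 3",
]


def report(texts, **thresholds):
    """Return (client, filter, visited, returned, labels) for each event text."""
    rows = []
    for text in texts:
        ev = parse_event(text)
        rows.append((ev.client, ev.ldap_filter, ev.visited, ev.returned,
                     classify(ev, **thresholds)))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_EVENTS):
        print(row)
    # With the defaults the article's 237/6 search is NOT flagged (1000-entry floor);
    # lowering Inefficient Search Results Threshold below 237 makes it show up.
    for row in report(SAMPLE_EVENTS[:2], inefficient_threshold=100):
        print("lowered threshold:", row)
```

note that with the default thresholds the article's own 237/6 example is not flagged at all; the 1,000-entry floor has to come down before searches that small show up in the log.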

congrats to jeanette!

she's been promising to answer questions on the momcommunity.com site. she delivered! let's celebrate her first answer post!

woohoo! halo movie...

check it out... a halo movie is a closed deal, planned for release in 2007! :) good stuff rod.

upcoming webcasts...

here are a few webcasts i'm probably going to catch... thought i'd post them up here for the benefit of anyone who actually reads this thing.

TechNet Webcast: Mastering Windows Management Instrumentation (Level 200)

Tuesday, September 13, 2005 - 9:30 AM - 10:30 AM Pacific Time

Don Jones, Microsoft MVP, Book Author, and Founder of ScriptingAnswers.com

Windows Management Instrumentation (WMI) is a robust technology for administering Windows through scripts. In this webcast, we examine how WMI works and show you the wide variety of things it can do, such as collecting information from computers and reconfiguring systems. Learn a methodology for incorporating WMI into your scripts quickly and easily. You will find out how to use the tools and utilities that can make writing WMI scripts simple and painless.

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032276552&Culture=en-US

TechNet Webcast: What's New in SMS 2003 Service Pack 2 (Level 200)

Thursday, September 15, 2005 - 11:30 AM - 1:00 PM Pacific Time

Wally Mead, Program Manager, SMS, Microsoft Corporation

The next service pack for Microsoft Systems Management Server (SMS) 2003 is in development. If you want to see the new features this new service pack will provide to your SMS 2003 environment, this webcast is for you. Join us as we look at the new features and updates in the service pack, as well as how to upgrade to SMS 2003 Service Pack 2.

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032278629&Culture=en-US

Aug 22, 2005

lcscmd - help!

admittedly, i'm posting this for my own reasons. want to have a place i can reference whenever i need to know the lcscmd.exe feature set. if you try to look at help, it's fairly daunting.

USAGE:
  • LcsCmd.exe /?
  • LcsCmd.exe /batch:{input file} [/l:{log file}]
  • LcsCmd.exe /forest[:{FQDN}] /action:{action name} [Parameter 1] ... [Parameter N]
  • LcsCmd.exe /domain[:{FQDN}] /action:{action name} [Parameter 1] ... [Parameter N]
  • LcsCmd.exe /server[:{FQDN}] /action:{action name} [Parameter 1] ... [Parameter N]
EXAMPLES:
  • LcsCmd.exe /batch:MyBatch.xml
  • LcsCmd.exe /forest /action:CheckForestPrepState /l:c:\LcsCmd.html
  • LcsCmd.exe /domain /action:CheckDomainPrepState /l:c:\LcsCmd.xml /xml
  • LcsCmd.exe /domain /action:CreateLcsOuPermissions /ou:CN=MyUsers /objectType:User
  • LcsCmd.exe /server /action:Activate /role:SE /password:My$tr0ngPwd
  • LcsCmd.exe /server /action:ExportServerConfig /role:SE /configFile:c:\HSConfig.xml
  • LcsCmd.exe /server /action:ImportServerConfig /role:SE /configFile:c:\HSConfig.xml
  • LcsCmd.exe /server /action:ImportServerConfig /role:SE /configFile:c:\HSConfig.xml /restore
  • LcsCmd.exe /server /action:ExportServerConfig /role:EE /configFile:c:\FEConfig.xml
  • LcsCmd.exe /server /action:ExportServerConfig /role:Proxy /configFile:c:\ProxyConfig.xml
  • LcsCmd.exe /server /action:ExportServerConfig /role:AP /configFile:c:\EPConfig.xml
  • LcsCmd.exe /forest /action:ExportPoolConfig /poolName:MyExportPool /configFile:c:\MyExportPoolConfig.xml
  • LcsCmd.exe /forest /action:ImportPoolConfig /poolName:MyImportPool /configFile:c:\MyExportPoolConfig.xml
  • LcsCmd.exe /forest /action:ExportGlobalConfig /configFile:c:\GlobalConfig.xml
  • LcsCmd.exe /forest /action:ImportGlobalConfig /configFile:c:\GlobalPoolConfig.xml
BATCH MODE EXECUTIONS:
  • /batch:{input file} Switches the execution to batch mode. Specifies the input XML file to use for the actions and parameters.
  • /forest[:FQDN] Executes the action for the specified forest. If no fully qualified domain name (FQDN) is specified, current forest is used.
  • /domain[:FQDN] Executes the action for the specified domain. If no FQDN is specified, current domain is used.
  • /server[:FQDN] Executes the action for the specified server machine. If no FQDN is specified, current machine is used.
FOREST ACTIONS:
  • CheckSchemaPrepState: Checks Live Communications (LC) Active Directory (AD) schema state.
  • SchemaPrep: Prepares LC AD schema by uploading LCS schema extensions. Uses the optional /ldf parameter.
  • CheckForestPrepState: Checks whether forest was prepared to host LC.
  • ForestPrep: Prepares the forest to host LC.
  • ForestUnprep: Removes the preparation from forest to host LC. Also uses the optional /force switch.
  • CheckAllDomainsPrepState: Checks all domains in the forest whether they were prepared to host LC.
  • CheckAllPoolsState: Lists all pools in a forest.
  • CheckPoolState: Checks the pool's state. Requires the /poolname parameter.
  • CreatePool: Creates a pool for LCS Enterprise Edition servers in the forest. Requires the /poolname, /refdomain, /poolbe, /dbdatapath and /dblogpath parameters. Also uses the optional /dbsetupfilepath parameter and /clean switch.
  • RemovePool: Removes a pool from the forest. Requires the /poolname parameter. Also uses the optional /force and /keepdb switches.
  • UpdatePoolBackend: Updates the backend for a pool. Requires the /poolname and /poolbe parameters.
  • ExportPoolConfig: Exports the pool-level configuration (shared between all front ends). It requires /poolName and /configFile.
  • ImportPoolConfig: Imports the pool-level configuration (shared between all front ends). It requires /poolName and /configFile.
  • ExportGlobalConfig: Exports the global-level configuration. It requires /configFile. Giving an FQDN after /forest switch is not supported (it always takes the setting from the current forest.)
  • ImportGlobalConfig: Imports the global-level configuration. It requires /configFile. Giving an FQDN after /forest switch is not supported (it always applies the setting to the current forest.)
DOMAIN ACTIONS:
  • CheckDomainPrepState: Checks whether domain was prepared to host LC.
  • DomainPrep: Prepares the domain to host LC.
  • DomainUnprep: Removes the preparation from domain to host LC. Also uses the optional /force switch.
  • CheckDomainAddState: Checks whether domainadd preparation was done on a domain for another domain. Requires the /refdomain parameter. Also uses the optional /usersonly switch.
  • DomainAdd: Performs domainadd preparation on a domain for another domain. Requires the /refdomain parameter. Also uses the optional /usersonly switch.
  • DomainRemove: Removes domainadd preparation on a domain for another domain. Requires the /refdomain parameter. Also uses the optional /usersonly and /force switches.
  • CheckLcsOuPermissions: Checks whether permissions for LCS groups were set on the specified container for user, contact, inetOrgPerson or computer type objects. Requires /ou and /objectType parameters. /ou parameter specifies the container DN relative to the domain root container DN. /objectType parameter is used to specify the type of objects to verify the LCS permissions on. Also uses the optional /refDomain parameter. If /refDomain is specified, the LCS groups on this reference domain are used to verify the permissions instead of the LCS groups on the context domain.
  • CreateLcsOuPermissions: Creates permissions for LCS groups on the specified container for user, contact, inetOrgPerson or computer type objects. Requires /ou and /objectType parameters. /ou parameter specifies the container DN relative to the domain root container DN. /objectType parameter is used to specify the type of objects to create the LCS permissions on. Also uses the optional /refDomain parameter. If /refDomain is specified, the LCS groups on this reference domain are used to create the permissions instead of the LCS groups on the context domain.
  • RemoveLcsOuPermissions: Removes permissions for LCS groups on the specified container for user, contact, inetOrgPerson or computer type objects. Requires /ou and /objectType parameters. /ou parameter specifies the container DN relative to the domain root container DN. /objectType parameter is used to specify the type of objects to remove the LCS permissions from. Also uses the optional /refDomain parameter. If /refDomain is specified, the LCS groups on this reference domain are used to remove the permissions instead of the LCS groups on the context domain.
SERVER ACTIONS:
  • CheckLCServerState: Checks a server's state and role as an LC Server.
  • Activate: Activates a machine as an LC Server. Requires the /role, /user and /password switches. /poolname parameter is required if the role is specified as 'EE'. /backend and /dbname parameters are required if the role is specified as 'Archiving'. Also uses the optional /unregspn and /nostart switches. /archserver and /queuename parameters can be used to activate IM Archiving Agent together with the server (when the role is 'EE', 'SE' or 'Proxy') and are optional.
  • Deactivate: Deactivates a server activated as an LC Server in its domain. Also uses the optional /force switch.
  • ExportServerConfig: Exports the machine-level configuration. It requires /role and /configFile.
  • ImportServerConfig: Imports the machine-level configuration. It requires /role and /configFile. Also uses the optional /restore switch. When the /restore switch is not specified or is 'false', it only imports the classes that don't contain machine-specific information. Otherwise it will try to import everything. In order for the restore operation to succeed you need to make sure that all the machine-specific settings from the XML file are valid. For example, the certificates that were configured when ExportServerConfig was run need to exist and still be valid on the machine where the import happens.

using multiple email servers

some members of the mom community have expressed an interest in using multiple smtp destinations for failover in case one or the other becomes unavailable. to my surprise, the people complaining have been mail admins! now in order to have failover, you have to have at least two instances of something running. so going on that assumption, you could do either of these bullets...
  • bring up a load-balancer and put your smtp servers behind it. mask the name or IP to something virtual.
  • create multiple entries in dns with the same name. point each record to a different mail server. poor man's load-balancer using round-robin records.

another stimulating thought...

so hann writes about something that a lot of people have expressed interest in... not just in MOM 2005... but during the MOM 2000 days. the inherent problem is that if you modified the DB to support triggers on certain conditions, you'd most likely lose support. the other problem is that full table scans suck. having a script constantly running and looking for changes to open alerts... sounds like bad mojo.

Aug 19, 2005

your home is where your heart is...

i think mosby's post is insinuating that moving a blog means that you've left your home. au contraire. i've been a member of myITforum.com since swynk.com. so in case he missed my reference to moving my blog for usability reasons, i'll state it again. i moved to blogger.com because the site is functionally much better than the blog services offered on msmvps.com or myitforum.com. it'd be pretty silly to think that i've formed some kind of "home" on blogger.com. i would venture a guess that this site has no vendor allegiances and is technology agnostic. besides which, i still write articles for myitforum.com and am an active member of the email lists. what do you think?

mp notifier released ...

hann posted this little gem today. ms recently decided to release MPNotifier as a release to web. i think the original was floating around in newsgroups. anyway, for everyone's enjoyment... check the link. don't be alarmed though that mpnotifier doesn't find everything. the xml doesn't get updated like it should. eventually they get around to it though...

Aug 18, 2005

changing sms default behavior...

here's an interesting thing richard found. thought i'd share it. you can change the default behavior of remote roaming boundary clients... check out the link. he's always coming up with hacks like this... of course supportability is always questioned. might be on your own if you do something wrong... :)

testing the email posting feature...

just wanted to see how well this works… :)

moving my blog...

just a note that i'm moving my blog from myitforum.com/blog/moh to here! :) if you're wondering why i moved my blog, it's because blogger.com rules. the feature set is much richer and functionally, very cool. anyway, i moved all the blog content and stuff. retained the original dates... but can't say the timestamp is the same. still very much a part of the myITforum.com mailing lists and will continue to contribute articles to the site.

mom team rules...

john and i were hashing around how to submit an update to an alert object since the submit function seemed to work only when it was coupled with a create method. turns out you don't have to submit at all... you simply set the new field for the alert. check out the sample script that hann posted:

http://msmvps.com/jfhann/archive/2005/08/18/63176.aspx

linking to my blog...

hann is linking to my blog again. he made some commentary about my post on update or replace MPs. i concur with his thoughts. you can check them out here: http://msmvps.com/jfhann/archive/2005/08/17/63139.aspx.

Aug 17, 2005

import - update or replace?

we thrashed around the topic today on the msmom mailing list. turns out that copying a rule does not preserve the content of the product knowledge tab.

the other interesting thing to note is that the "update" feature of mp import does not retain the override criteria or threshold changes. the only things it holds on to are disable/enable, company knowledge, and any rules you may have created for yourself.

the recommendation is still to copy any rules that you plan to modify and disable the original. as long as you're going to do that, you might as well move it into its own custom rule group so that you can export them at will and import at will w/out the fear of losing any of your work. i've been using sharepoint services to maintain a list of mom rules that i've modified over the course of my history with it.

oh, btw, you can copy the product knowledge to the company knowledge of a copied rule. not sure that it has the same effect... but at least you have something to reference. some of the tools for MP authors may allow some more in-depth editing... who knows?

met with 1e today...

they have some pretty amazing tools. i am so impressed with where they've taken nomad since when i participated in their beta. they also have a lightweight desktop monitoring tool called deskmon which utilizes the sms status messages to send up info. of course smswakeup is always cool for WOL stuff. love the multi-slave model.

have you heard that THE john hann has moved his blog?

This is interesting. Hann has moved his page to http://msmvps.com/jfhann. I'm not sure what this means really. I'm sure it's nothing ominous about myITforum in general, but it is interesting, nonetheless.

Anyway, he's known to post some good things on occasion. Rare occasion.

Aug 11, 2005

mom reporting server - complicated layers (baking a tall cake)...

Ran into an issue on MOM Reporting Server. After some investigation, it was all the way down at the Framework layer. If you're not familiar with MOM Reporting, it's like the house that Jack built. It requires the following layers:

  • Windows (obviously)
  • SQL (obviously)
  • IIS .NET Framework
  • SQL Reporting Services
  • MOM Reporting Services

So... if you have a failure on any one of those layers, your little house is going to come apart. For my particular situation, as mentioned before, the problem was at the Framework layer. I couldn't figure out where it was failing or how to fix it. I did the only logical thing... reinstall.

Reinstalling made no changes, so I moved to the next logical step... uninstall.

I uninstalled everything down to IIS. Since there were other websites running, I knew that probably wasn't it. Also, SQL was healthy as well. DTS jobs were running. SQL queries worked fine. This is when I started adding back the required components. I got .NET Framework loaded, which seemed to go fine. At the last leg of the SQL Reporting Services install, it stated there was an error during the install. I looked up the error code... and it stated that I needed to run rsactivate. Here's what I got back:

C:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer>rsactivate -c RSReportServer.config
Failure starting the web service: The Report Server Web service has not generated a public key. The service may not have started successfully. Check the log files for more information.

Alright... that makes no sense to me. I looked up that error... and it stated I needed to run aspnet_regiis. Here's what I got back:

C:\WINNT\Microsoft.NET\Framework\v1.1.4322>aspnet_regiis -i
Start installing ASP.NET (1.1.4322.0) without registering the scriptmap.
An error has occurred (0x80070005). You must have administrative rights on this machine in order to run this tool.

After several aggravating attempts to uninstall/install components again, I gave up and called India. Here's where the problem was... (don't laugh). That stupid error code above was partially accurate. Even though I have administrative rights, there were corrupted registry keys which did not contain the proper permissions. :/

Here's the locations in case you run into this (and judging by some of the newsgroup posts, you have):

  • HKLM\System\CurrentControlSet\Services\EventLog\Application\ASP.NET 1.1.4322.0
  • HKLM\System\CurrentControlSet\Services\EventLog\Application

So first hurdle crossed. Granted access, ran aspnet_regiis -i, ran rsactivate... we're good. Now browsing to the web page brought another error:

The underlying connection was closed. Could not establish secure channel for SSL/TLS. HTTP Error 403 - Forbidden.

So the issue here was incorrect VDIR settings in IIS. This is what we changed to make it work:

REPORTS Virtual Directories tab

  • Verify the path is set to C:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportManager
  • Verify the Application Name = "Report Server Interface"
  • Modify Execute permissions from "Scripts Only" to "Scripts and Executables"

REPORTS Documents tab

  • Remove all default documents. Add "Home.aspx" as default.

REPORTS Directory Security tab

  • Uncheck "Enable Anonymous Access".

REPORTSERVER Virtual Directories tab

  • Verify the path is set to C:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer
  • Verify the Application Name = "Report Server"
  • Modify Execute permissions from "Scripts Only" to "None"
  • (On IIS 5.0) remove all Application Mappings and add an Application Map with Executable set to "%WINDIR%\microsoft.net\framework\v1.1.4322\aspnet_isapi.dll"
  • Extension set to "*"
  • Verbs set to "All Verbs"
  • Select the Script Engine checkbox

REPORTSERVER Documents tab

  • Add the following default documents in this order: default.htm, default.asp, index.htm, iistart.asp, default.aspx

REPORTSERVER Directory Security tab

  • Check "Enable Anonymous Access"

There were other problems after that. Paraphrasing, add the ASPNET account to the RSExecRole in SQL for the ReportServer and ReportServerTempdb database. If SQL Server is on the same server as Reporting Services, change the account being used from "Machine" to SYSTEM in machine.config (located under the field). After all that worked, I installed MOM Reporting. Of course, the catch here is that you don't want to lose all your data (won't let you continue without removing the db). So I did the following:

  • Detached the database.
  • Renamed the .ldf and .mdf files to something generic.
  • Ran through the installation.
  • Detached the new db. Deleted them. Renamed the old to the new.
  • Attached.

You'll lose all your MOM reports. I had to import all the report XMLs back in.

Jul 7, 2005

ms antispyware?

What's this say for Trustworthy Computing anyway? http://www.betanews.com/article/MS_AntiSpyware_Changes_Raise_Concern/1120753478

May 27, 2005

mom reporting article published...

As promised, I posted all the MOM Reporting jive into an article on myitforum.com. Here's the link: http://myitforum.com/articles/2/view.asp?id=8639.

May 19, 2005

diggin' reporting...

I think it's time to start digging into reporting. After all, this is what MOM should be able to deliver on with promises of System Center Reporting coming down the pipe. As I've begun looking ... it turns out that ADMP AD Replication Connection Object report doesn't like to run.
I get back an error stating:
Could not allocate ancillary table for view or function resolution. The maximum number of tables in a query (256) was exceeded.
Apparently, it's resolved in SQL Server 2000 SP4. Guess I'll be loading that up soon.

May 9, 2005

more info on mom grooming

don't worry... i plan to move all this to an article at some point in the future. :)

Anyway, going through the Ops Guide, chapter 4 outlines some other things you can do with the SystemCenterReportingDB to help shape the amount of data you want to retain in MOM 2005.

Regarding the Latency switch, look for the title “Moving a Large Amount of Data using DTS Latency” around page 30. BTW, I was given a new table to query for the LastDTSRunTime timestamp. I updated my previous post to reflect it. Anyway, interesting note here that explains it all:

The grooming for the MOM Database uses information in the Reporting DTS job to prevent the grooming from removing data that has not been transferred to the Reporting database. If the DTS job fails, MOM will not groom the MOM Database for the full 60 days, to avoid removing data that has not been transferred to the Reporting database.

So there you go. Now, there's some really interesting stuff on the “Grooming” section. Evidently MOM Warehouse grooms itself but on a time frame of 395 days (or 13 months). Thankfully this can be changed pretty easily by issuing this command:

exec p_updategroomdays 'TableName', DaysToRetainData
 

At any rate, you've got to run this against all six tables if you want to modify them all. TableName and DaysToRetainData are placeholders, of course. Here's a SQL script that Clive wrote to help address this:

-- Update the Datawarehouse Groom settings
Declare @Groomdays int
-- Retain data for 180 days
Select @Groomdays=180

exec p_updateGroomDays 'SC_SampledNumericDataFact_Table', @Groomdays
exec p_updateGroomDays 'SC_AlertFact_Table', @Groomdays
exec p_updateGroomDays 'SC_EventParameterFact_Table', @Groomdays
exec p_updateGroomDays 'SC_AlertToEventFact_Table', @Groomdays
exec p_updateGroomDays 'SC_EventFact_Table', @Groomdays
exec p_updateGroomDays 'SC_AlertHistoryFact_Table', @Groomdays


Just change the @Groomdays to something other than 180 if you want a different date set. Anyway, I found it on this post: http://www.momcommunity.com/ShowPost.aspx?PostID=83.


marcusoh.blogspot.com

May 3, 2005

miis - the promised code

A while back, I promised I'd post some sample code once I got the provisioning components working for simple sync to ADAM. I don't understand programming at all. I hack through scripts... and that's about it. However, this isn't that far off from scripting I suppose. Most of the work happens in the Provision method. There's a simple Select Case statement to alter the container that the object is created in. That's really about it. Anyway, here it is:

Imports Microsoft.MetadirectoryServices

Public Class MVExtensionObject
    Implements IMVSynchronization

    Public Sub Initialize() Implements IMVSynchronization.Initialize
        ' TODO: Add initialization code here
    End Sub

    Public Sub Terminate() Implements IMVSynchronization.Terminate
        ' TODO: Add termination code here
    End Sub

    Public Sub Provision(ByVal mventry As MVEntry) Implements IMVSynchronization.Provision
        Dim container As String
        Dim rdn As String
        Dim FabrikamADMA As ConnectedMA
        Dim numConnectors As Integer
        Dim myConnector As CSEntry
        Dim csentry As CSEntry
        Dim dn As ReferenceValue

        ' Ensure that the cn attribute is present.
        If Not mventry("cn").IsPresent Then
            Throw New UnexpectedDataException("cn attribute is not present.")
        End If

        ' Determine the container and relative distinguished name
        ' of the new connector space entry.
        Select Case mventry.ObjectType.ToLower()
            Case "person"
                container = "CN=users,CN=MailObjects,CN=ironadam1,DC=adam"
            Case "user"
                container = "CN=users,CN=MailObjects,CN=ironadam1,DC=adam"
            Case "contact"
                container = "CN=contacts,CN=MailObjects,CN=ironadam1,DC=adam"
            Case "publicfolder"
                container = "CN=publicFolders,CN=MailObjects,CN=ironadam1,DC=adam"
            Case Else
                Throw New UnexpectedDataException( _
                    "Unhandled object type in Provision " _
                    & "called with mventry " & mventry.ToString)
        End Select

        rdn = "CN=" & mventry("cn").Value

        ' Build the full DN for the ADAM connector space: escaped RDN + container.
        FabrikamADMA = mventry.ConnectedMAs("Ironmail ADAM")
        dn = FabrikamADMA.EscapeDNComponent(rdn).Concat(container)

        numConnectors = FabrikamADMA.Connectors.Count

        ' If there is no connector present, create a new connector.
        If 0 = numConnectors Then
            csentry = FabrikamADMA.Connectors.StartNewConnector("user")
            csentry.DN = dn
            csentry.CommitNewConnector()
        ElseIf 1 = numConnectors Then
            ' Check if the connector has a different DN and rename if necessary.
            ' Get the connector.
            myConnector = FabrikamADMA.Connectors.ByIndex(0)
            ' Microsoft Identity Integration Server 2003 will rename/move if the DN
            ' is different; if not, nothing will happen.
            myConnector.DN = dn
        Else
            Throw New UnexpectedDataException("multiple connectors:" & numConnectors.ToString)
        End If
    End Sub

    Public Function ShouldDeleteFromMV(ByVal csentry As CSEntry, ByVal mventry As MVEntry) As Boolean _
        Implements IMVSynchronization.ShouldDeleteFromMV
        ' TODO: Add MV deletion code here
        Throw New EntryPointNotImplementedException
    End Function
End Class

problems with MOMma

update: this information has been posted to an article on myitforum.com. Since implementation, it seems like the database has done nothing but grow, grow, grow. I've blamed the Exchange guys relentlessly for having a very noisy environment. No matter how many times I ran the MOMX Partitioning and Grooming job, the database would not free up any space. It turns out there are some mechanisms tied directly into grooming if you have a MOM warehouse enabled.
Here are the details. If you want to know the last time your DTS job completed successfully, you can comb through the event log on the reporting server or you can issue this command to your OnePoint database:
select * from ReportingSettings
The first column labeled TimeDTSLastRan indicates the last successful marker. Turns out if this isn't current, your grooming jobs aren't doing anything. Mine was set to the end of February. Hmmm. That'd explain the obscene growth pattern. I've run the job 5 times using the latency switch. The time stamp hasn't moved.
By the way, the job is scheduled on the reporting server. It's executed as something like this:

MOM.Datawarehousing.DTSPackageGenerator.exe /latency:20 /srcserver:OnePointDBServer /srcdb:OnePoint /dwserver:WarehouseServer /dwdb:SystemCenterReporting /product:"Microsoft Operations Manager"

It's in the %ProgramFiles%\Microsoft System Center Reporting directory.
If you notice, there's a /latency switch. This lets you specify which items to transfer to the warehouse. For example, 20 means anything older than 20 days. This is useful if your DTS job is timing out because of an exorbitantly large amount of data being transferred - potentially overwhelming the transaction log, etc. Also, there's a /silent switch that you're supposed to use when the job is issued as a scheduled task. I pulled it out to see what this job was doing exactly. In the event of a successful execution, you should see an event message like this:

The execution of the following DTS Package succeeded:
Package Name: SC_Inner_DTS_Package
Package Description: This package transfers data from datafoo\foo.OnePoint to foo.SystemCenterReporting
Package ID: {481AA51A-8C84-42E3-9879-D228290895D0}
Package Version: {24A473AA-4C8A-486B-9ED4-970D35A70047}
Package Execution Lineage: {55B111CE-72ED-4231-821B-AAE321763EC5}

Well, after going through many latency switches and kicking off the groom jobs (MOMX Partitioning and Grooming), I was able to get the 15 GB DB back down to 5 GB. Interesting though, the time stamp still hasn't changed. Hmmm...