
Showing posts from 2005

how to decipher sddl for useful stuff

i was counting my lucky stars that i never had to give any thought to deciphering SDDLs (security descriptor definition language). some people have written entire diatribes on the subject. for me, i just need a reference. hence, my posting... sddl is broken down into four parts:

object
primary group
dacl
sacl

the sddl string is easier to look at like this, since there are no spaces or visible terminators other than the colon:

o:[sid_string]g:[sid_string]d:[dacl_flags](ace_string)

it's important to note that the format of the ace string is broken down like this:

[ace_type];[ace_flags];[rights];[object_guid];[inherit_object_guid];[account_sid]

i created a file called text.txt in my c:\temp directory. in the GUI, it's expressed as this:

Administrators - Full Control
SYSTEM - Full Control
Users - Read & Execute

in sddl, it's expressed as:

O:BAG:DUD:ARAI(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;BU)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)

from this, we know that the fir…

monad dependencies

if you're upgrading to the newest version of monad that runs on the .net framework 2.0 production release, make sure that you remove monad prior to uninstalling .net framework 2.0 beta 2. otherwise, you won't be able to uninstall monad to install the new version. so here are the steps:

1. uninstall monad
2. uninstall .net framework 2.0 beta 2
3. install .net framework 2.0 (production release)
4. install monad

get with the times, dude - setting an external time sync

while i was at the mvp summit, i was talking to a friend and fellow mvp, rory mccaw. he mentioned that he had discovered that in windows server 2003, net time is a deprecated command. he came across this when he found he was having an extremely difficult time getting the server to accept the time sync sources. minasi's latest post (issue #52) reminded me of this - especially since minasi himself is an mvp. i guess if he had been in that conversation, he'd have known this too.

sony digital rights management

for those of you that have been following along with russinovich's exposé on sony's digital rights management copy protection scheme, this article from techdirt regarding npr's recent interview with hesse is a must read. is this guy for real?! here's a quote from the article:

After taking issue with anyone using the terms "spyware, malware or rootkit," Thomas Hesse, President of Sony's Global Digital Business, literally says: "Most people, I think, don't even know what a rootkit is, so why should they care about it?"

click here to listen to the full story.

mom 2005 agent - port requirements

here's some good, general information on mom agent port requirements over a firewall. someone posted this on the msmom mailing list.

MOM agents can communicate with the MOM Management Server if the MOM agent computer is behind a firewall. However, you must open TCP port 1270 and UDP port 1270. Additionally, you must manually install and update MOM agents that are behind a firewall. If you cannot enable access to port 1270 through the firewall, you must install a MOM management group inside the perimeter network. You can separately monitor the perimeter network management group. Or, you can enable alert forwarding from the perimeter network management group to the internal MOM management group by using port 1271. If the managed computers belong to the internal domain, the following conditions are true:

Mutual authentication is available.
Signed and encrypted communications are available.
The following ports are open so that the managed computer can authenticate the MOM management…

mom 2005 agent - existing connection was forcibly closed

are you familiar with this error message? you've probably applied the hotfix to correct it, if you are. when you apply this hotfix, you have to add a new dword value called ServerIOTimeoutMS under this path:

HKEY_LOCAL_MACHINE\Software\Mission Critical Software\OnePoint\Configurations\configuration group name\Operations\Consolidator

what you may not know is that when you apply mom 2005 sp1, though this hotfix is applied with it, the dword value still needs to be created. if you find yourself in a scenario where you're building a new mom server, keep this in mind. by the way, most people have success by setting this value somewhere between 30000 and 45000.

sharing code - mom 2005

looking for a place to share some of your favorite mom scripts, management packs, reports, etc? looks like this went live recently... http://www.gotdotnet.com/codegallery/featuredgroups.aspx. this is a supplemental site to some of your favorites like momsolutions.org, myitforum.com, smsmom.com, momanswers.com ... here's some of the stuff you can expect to get at gotdotnet:

license control
download counts
search
discussions

updated exchange 2000/2003 management pack for mom 2005 released

in case you missed it, the exchange mp for mom 2005 was updated and released, along with an updated configuration tool. if you did, don't think you've been living under a rock. with the state of mp notifier updates and the management pack catalog, it's not surprising very few people know about these releases. at the moment, the exchange mp doesn't seem to be available:

The download you requested is unavailable. If you continue to see this message when trying to access this download, go to the "Search for a Download" area on the Download Center home page.

yeah, right. if you ever see this error, don't presume you'll be able to find it on your own. :) also, the mom summary reporting pack came out of beta. one gotcha: you have to be at mom 2005 sp1 to utilize it. i'll post more about my experiences with it soon.

winternals presentation - understanding malware

recently, i attended a presentation by Winternals called "Understanding Malware: Spyware, Viruses, and Rootkits". from what i understand, it was an abbreviated version of the presentation at teched. for what it was worth (free), it was pretty good. it was a couple of days after russinovich's blog about sony's drm rootkit. timing couldn't have been more perfect. it was more or less a pitch for recovery manager. it's a pretty cool tool in its own right. as an mvp, i received a free copy to try out. i wasn't really inspired to do it until i saw their demo... anyway, i thought it was pretty cool that at the end of the slidedeck, one of the many resource links they listed was the microsoft mvp site! scoring even higher, they sent a trial key and slidedeck the next day. to top it all off, i received a package today from winternals. it was completely unexpected. it's a large, black tin box. i took the lid off to read "Relax, Marcus".…

restricted groups - adding to members

for a long time, it's been thought that restricted groups in a group policy would only perform a wipe and replace of the members of a local group. let's dispel this myth. what seems to be fairly unknown is that restricted groups is capable of adding members to a group without removing the existing members. for instance, let's assume we have a group called MyGroupA that needs to be in the administrators group of a set of workstations. there are two methods to do this. the first, you're probably familiar with, is to replace anything in the administrators group with a new set of groups or users. where is this useful? if you want to make sure that any accounts that are mysteriously added to the local admins group are removed and replaced with your set of users/groups, use this method. i won't elaborate on this since this is fairly common and understood. the other method is adding users/groups to local admins without removing the users/groups that exist. back to…

exchange mp - check mailbox store availability - mapi logon test

you know, i thought... while i'm on the issue of dumb event rules, this one came up. this rule kicks off the exchange 2003 - mapi logon verification script. there's nothing wrong with the idea of this rule... the problem is wholly in the execution. for example, you probably want to know when an error occurs, right? so you leave this on... the logperfdata parameter in the script allows for three different values:

"0" - logs success events
"1" - logs information into a performance counter
"-1" - does not log

so what's the problem? if you set this value to something other than 0, the exchange service availability report will not have any data when it runs. nice.

iis management pack - useless rules

i was running a couple of mom sql scripts that generate most common events and most common alerts. (if you're not doing this yet, you probably should make a point of doing this about once a week or so... just to make sure you're not getting any event storms.) anyway, turns out two rules were generating about 80,000 events in a 4 day window on one management group. it generated about 750,000 events on another management group. that's right - 750,000. i would categorize that as a complete and ridiculous oversight when MS was building this particular MP. these were picked up as "informational". i'm going to equate that to useless in this case. if you load up the IIS MP, i strongly suggest disabling the following two rules:

All HTTP 400 Errors
All HTTP 500 Errors

you can locate these rules under this path: microsoft windows internet information services\internet information services x.x\core services\world wide web publishing service. note that the x.x repres…

system center stuff is available...

it's interesting how three different products in the system center suite hit different levels of beta nearly all at once. it's actually pretty cool... unless you're beta testing all of them... got some work cut out for you.

mom 2005 summary reporting pack - release candidate
system center reporting manager 2005 - beta
system center capacity planner 2006 - public beta

summary reporting pack aggregates information that exists in your mom warehouse database and essentially improves performance. reporting manager 2005 is an integration of sms and mom data into one warehouse. i don't have much experience with this or the reporting pack yet. i'll post more of my findings as i come across them. i can probably speak to capacity planner 2006 best. i attended the airlift in redmond and saw the product, talked to the product group, and in general had a very good experience over all. this version works for planning mom and exchange deployments. essentially, it comes …

Availability MP

so it turns out (sorry, been in seattle too long where every sentence starts with "so") the availability mp has some issues. hence it's been pulled from the microsoft website. if you have the exchange mp installed, do not install the availability mp (yet). it's going to be updated soon, though... keep your eyes open. anyway, the current version pulls out the following groups:

Microsoft Exchange Server 2000 Backend
Microsoft Exchange Server 2003 Backend

it replaces them with the following groups:

Microsoft Exchange Server 2000
Microsoft Exchange Server 2003

the only workaround right now is to re-import the exchange mp. fun.

clearing the mom agent cache

i'm frequently asked how this is done. i thought i'd post it here for anyone that needs it. basically, you have to stop the mom service to do this properly. that's step one. delete the contents of the cache folder, then spin up the mom service. here's the contents of the batch file i use for this (watch for word wrap):

rem %1 is the batch file's first argument: the management group folder under the agent's data directory
net stop mom
del "c:\documents and settings\all users\application data\microsoft\microsoft operations manager\%1\"*.* /s /q /f
net start mom

that's it.

mom agents and mcafee 8.0i

if you've been getting alerts in mom like this one:

The response processor failed to execute a response. The response returned the error message: The remote procedure call failed.

then you may be experiencing what other administrators have experienced when using mom agents w/ mcafee 8.0i. apparently the scriptscan module is causing this behavior to occur. there are two workarounds so far to handle this problem. the first one requires unregistering the scriptproxy.dll component of mcafee 8.0i. this probably isn't a very savory workaround. it gets the job done though. you can find references to this stuff at microsoft or at mcafee. the second one is to apply patch 11 from mcafee. if you look through the readme, you'll see this item referenced in issue #2:

A third-party application working with scripts can encounter an access violation error if it passes a NULL pointer to the Script Scan module (SCRIPTPROXY.DLL). The Script Scan module does not refer a NULL pointer. BZ23557…

looking for john hann's articles?

don't worry. i'll be posting his article contents here. of course, since i didn't write them, i'm not going to support them in any way, shape, or form. :) the only service i'm going to do for ol' john is correcting his grammar and spelling (less uppercase, of course). keep checking back.

sms security - script

okay... as a follow up to my previous post, this script will set the permissions of a defined group to have read/modify/delete rights over the subcollections of a parent collection. i used this to set the subcollections of the master collection i talked about in my previous post. anyway, watch out for potential word wrap. oh, btw, this blogger likes to strip spaces. going to have to make your own formatting. here it is. (watch for word wrap!)

' Author: Marcus C. Oh
' Date: 9/16/2005
' Purpose: Grants a group Read/Modify/Delete instance level
' permissions to the child collections of a specified
' parent collection.
' Credit: I shamelessly ripped the connection string from Michael
' Schultz and other variable/string logic from him. :)
' Permissions logic from the SMS Scripting Guide
'
' Added subroutine logic sent up by a blog reader. Now the
' script parses subcollections.
'---------------…

managing sms collection security

back in february, i posted about how useless sms security was for the enterprise. well, i have to repeal that comment now. yesterday, i received some information on how to set up sms to narrow down focus to a specific collection. this means you can separate administration for workstations to your client staff, servers to your server staff, domain controllers for your domain admins, etc. with this method, now you can set up secondary site servers and have that layer of useful granularity so that your site admins could have control of their own clients. enough prattling. on to the good stuff... in this example, we're going to set up security for client administrators. set up a collection of clients that are all workstations. grant the following rights only to the group or user (suggest using groups) on the class level to collections:

advertise
create
delegate

if the group/user has any other permissions to the class level, make sure that gets removed. grant the group/user instanc…

useless mom trivia

question: in the Microsoft Windows Storage State Monitoring Script, there is a value called "MegaByteFreeSpaceThreshold". what is this value for? answer: absolutely nothing. in the script, the value for the parameter above gets set here:

THRESHOLD_MB = GetParam("MegaByteFreeSpaceThreshold")

here's the only section of the script that actually uses this value. notice that it's commented out:

'Commenting out Megabyte comparison alone
'If nMBFree < ...
'    problemstate = PROBLEMSTATE_RED
'    alertlevel = ALERT_CRITICAL_ERROR

by the way, i should mention that the mp guide actually states MegaByteFreeSpaceThreshold as a valid parameter but doesn't discuss how it's valid in any detail. the lack of detail was what made me go snooping around. guess someone didn't do their homework.

very helpful mom articles...

delegating lcs administration for users...

when i was told that user administration couldn't be delegated to just the domain, i refused to take that for an answer. this is Live Communications Server 2005! that means two full product releases from exchange im. if you recall, there was an lcs 2003 as well, but it didn't get quite that much play. after a few rounds, microsoft came back with an answer. admittedly, it was a little difficult to understand in the context they provided. let me see if i can make it a little easier. keep in mind, these steps are for a multi-domain forest. high-level steps:

create root domain universal group
delegate access to msRTCSIP objects
delegate access to computer objects
grant access to RTC Local User Administrators
delegate access to user objects

in this example, we'll use a root domain global group called RTCPerms. we need to give RTCPerms some object-level access, so in order to do this, go to your root domain and navigate to dc=root,cn=system,cn=microsoft,cn=rtc service. msRTCSIP-Po…

mom server performance advisor mp - first thoughts

i've read over the readme for the spa mp. my first thoughts are that it sounds fairly intriguing. looks like it can be set to kick off a spa data collection whenever an event is detected, such as cpu sustained busy for x minutes. it also could be useful to kick off an active directory collection whenever lsass exponential memory usage is detected, for example. the only suggestion i'd have to the mp authors is... where is the task to deploy spa? certainly there must be some way to do this since it's an msi. i suppose i could hack and slash my way through the mbsa mp (do not recommend using unless you have no other vuln mgmt tool) to look at their script code to see how they set up the deployment tasks - or the exbpa mp (very noisy, also not recommended).

my gaim messenger is going to explode...

have you seen that google has released their own messenger? i'm very pleased that a friend of mine referred me to using gaim. it's modular enough to handle the jabber protocol that new google talk users will be using. guess that means i have to set up gaim for google talk. sigh. this is getting crazy. i have a messenger id on nearly every system, and maintain severe overlap for IM friends that use two or three different types. it's always left to third-parties to join these homogenous systems together. however, that doesn't mean you can just have one messenger id and talk to someone else. you have to maintain an id on every system. try to convince your friends to move off aol to msn or vice versa. whatever.

what's for dinner? i'm hungry!

i just discovered this site called restaurant.com. the motto is "eat. drink. save money". i'm cool with that. most of the certificates don't cover drinks as it turns out, though. so maybe the motto should be "eat. save money."? there are a few other gotchas. you can only use one certificate per party. you can only use a certificate at that particular restaurant once per month. there are some great restaurants on this site though... most $25 certificates cost $10. $10 certificates cost $3, etc. the certificates have stipulations like having to order $35 worth of food for the $25 certificate. anyway, i ran into this a LONG time ago but wasn't sure if it was legitimate. however, after running across this coupon code... i had to try it! anyway, it's 73639 in case you get an itch to try it yourself.

tracking inefficient queries...

update: a fellow reader suggested i check out this article from tony murray. it's good stuff, so i thought i'd drop the link here: logging ldap searches: ad & adam.

so... a couple of domain controllers had runaway lsass processes today. i began to look further into the issue and figured out where excessive LDAP queries were being issued from. unfortunately, it didn't amount to anything... but the process of tracking them was pretty useful. the first thing i should point you to is Server Performance Advisor. just an fyi, as it turns out, there's a management pack that you can use with SPA... :) it's located here. alright, so spa... you're on your own. it's a little kludgy, but once you have it down, it's extremely useful for providing information. i'm not really happy about the fact that it has to leave a footprint (installed) versus just running from an executable... but what do you do? anyway, the stuff i realized in spa is that it doesn't ca…

upcoming webcasts...

here are a few webcasts i'm probably going to catch... thought i'd post it up here for anyone's benefit who actually reads this thing.

TechNet Webcast: Mastering Windows Management Instrumentation (Level 200)
Tuesday, September 13, 2005 - 9:30 AM - 10:30 AM Pacific Time
Don Jones, Microsoft MVP, Book Author, and Founder of ScriptingAnswers.com
Windows Management Instrumentation (WMI) is a robust technology for administering Windows through scripts. In this webcast, we examine how WMI works and show you the wide variety of things it can do, such as collecting information from computers and reconfiguring systems. Learn a methodology for incorporating WMI into your scripts quickly and easily. You will find out how to use the tools and utilities that can make writing WMI scripts simple and painless.
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032276552&Culture=en-US

TechNet Webcast: What's New in SMS 2003 Service Pack 2 (Level 200)
Thursday,…

lcscmd - help!

admittedly, i'm posting this for my own reasons. want to have a place i can reference whenever i need to know the lcscmd.exe feature set. if you try to look at help, it's fairly daunting.

USAGE:
LcsCmd.exe /?
LcsCmd.exe /batch:{input file} [/l:{log file}]
LcsCmd.exe /forest[:{FQDN} /action:{action name} [Parameter 1] ... [Parameter N]
LcsCmd.exe /domain[:{FQDN}] /action:{action name} [Parameter 1] ... [Parameter N]
LcsCmd.exe /server[:{FQDN}] /action:{action name} [Parameter 1] ... [Parameter N]

EXAMPLES:
LcsCmd.exe /batch:MyBatch.xml
LcsCmd.exe /forest /action:CheckForestPrepState /l:c:\LcsCmd.html
LcsCmd.exe /domain /action:CheckDomainPrepState /l:c:\LcsCmd.xml /xml
LcsCmd.exe /domain /action:CreateLcsOuPermissions /ou:CN=MyUsers /objectType:User
LcsCmd.exe /server /action:Activate /role:SE /password:My$tr0ngPwd
LcsCmd.exe /server /action:ExportServerConfig /role:SE /configFile:c:\HSConfig.xml
LcsCmd.exe /server /action:ImportServerConfig /role:SE /configFile:c:\HSConfig.x…

using multiple email servers

some members of the mom community have expressed an interest in using multiple smtp destinations for failover in case one or the other becomes unavailable. to my surprise, the people complaining have been mail admins! now in order to have failover, you have to have at least two instances of something running. so going on that assumption, you could do either of these bullets...

bring up a load-balancer and put your smtp servers behind it. mask the name or IP to something virtual.
create multiple entries in dns with the same name. point each record to a different mail server. poor man's load-balancer using round-robin records.

another stimulating thought...

so hann writes about something that a lot of people have expressed interest in... not just in MOM 2005... but during MOM 2000 days. the inherent problem is that if you modified the DB to support triggers on certain conditions, you'd most likely lose support. the other problem is that full table scans suck. having a script running constantly looking for changes to open alerts... sounds like bad mojo.

your home is where your heart is...

i think mosby's post is insinuating that moving a blog means that you've left your home. au contraire. i've been a member of myITforum.com since swynk.com. so in case he missed my reference to moving my blog for usability reasons, i'll state it again. i moved to blogger.com because the site is functionally much better than the blog services offered on msmvps.com or myitforum.com. it'd be pretty silly to think that i've formed some kind of "home" on blogger.com. i would venture a guess that this site has no vendor allegiances and is technology agnostic. besides which, i still write articles for myitforum.com and am an active member of the email lists. what do you think?

mp notifier released ...

hann posted this little gem today. ms recently decided to release MPNotifier as a release to web. i think the original was floating around in newsgroups. anyway, for everyone's enjoyment... check the link. don't be alarmed though that mpnotifier doesn't find everything. the xml doesn't get updated like it should. eventually they get around to it though...

changing sms default behavior...

here's an interesting thing richard found. thought i'd share it. you can change the default behavior of remote roaming boundary clients... check out the link. he's always coming up with hacks like this... of course supportability is always questioned. might be on your own if you do something wrong... :)

moving my blog...

just a note that i'm moving my blog from myitforum.com/blog/moh to here! :) if you're wondering why i moved my blog, it's because blogger.com rules. the feature set is much richer and functionally, very cool. anyway, i moved all the blog content and stuff. retained the original dates... but can't say the timestamp is the same. still very much a part of the myITforum.com mailing lists and will continue to contribute articles to the site.

import - update or replace?

we've thrashed around the topic today on the msmom mailing list. turns out that copying a rule does not preserve the content of the product knowledge tab. other interesting thing to note is that the "update" feature of mp import does not retain the override criteria or threshold changes. the only things it holds on to are disable/enable, company knowledge, and any rules you may have created for yourself. the recommendation is still to copy any rules that you plan to modify and disable the original. as long as you're going to do that, you might as well move it into its own custom rule group so that you can export them at will and import at will w/out the fear of losing any of your work. i've been using sharepoint services to maintain a list of mom rules that i've modified over the course of my history with it. oh, btw, you can copy the product knowledge to the company knowledge of a copied rule. not sure that it's the same effect... but at least you have somethi…

met with 1e today...

they have some pretty amazing tools. i am so impressed with where they've taken nomad since when i participated in their beta. they also have a lightweight desktop monitoring tool called deskmon which utilizes the sms status messages to send up info. of course smswakeup is always cool for WOL stuff. love the multi-slave model.

mom reporting server - complicated layers (baking a tall cake)...

Ran into an issue on MOM Reporting Server. After some investigation, it was all the way down at the Framework layer. If you're not familiar with MOM Reporting, it's like the house that Jack built. It requires the following layers:

Windows (obviously)
SQL (obviously)
IIS
.NET Framework
SQL Reporting Services
MOM Reporting Services

So... if you have a failure on any one of those layers, your little house is going to come apart. For my particular situation, as mentioned before, the problem was at the Framework layer. I couldn't figure out where it was failing or how to fix it. I did the only logical thing... reinstall. Reinstalling made no changes, so I moved to the next logical step... uninstall. I uninstalled everything down to IIS. Since there were other websites running, I knew that probably wasn't it. Also, SQL was healthy as well. DTS jobs were running. SQL queries worked fine. This is when I started packing back the required components. I got .NET Framework loaded, which s…

diggin' reporting...

I think it's time to start digging into reporting. After all, this is what MOM should be able to deliver on with promises of System Center Reporting coming down the pipe. As I've begun looking ... it turns out that the ADMP AD Replication Connection Object report doesn't like to run. I get back an error stating:

Could not allocate ancillary table for view or function resolution. The maximum number of tables in a query (256) was exceeded.

Apparently, it's resolved in SQL Server 2000 SP4. Guess I'll be loading that up soon. http://support.microsoft.com/default.aspx?scid=kb;en-us;828269

more info on mom grooming

don't worry... i plan to move all this to an article at some point in the future. :) Anyway, going through the Ops Guide, chapter 4 outlines some other things you can do with the SystemCenterReportingDB to help shape the amount of data you want to retain in MOM 2005. Regarding the Latency switch, look for the title "Moving a Large Amount of Data using DTS Latency" around page 30. BTW, I was given a new table to query for the LastDTSRunTime timestamp. I updated my previous post to reflect it. Anyway, interesting note here that explains it all:

The grooming for the MOM Database uses information in the Reporting DTS job to prevent the grooming from removing data that has not been transferred to the Reporting database. If the DTS job fails, MOM will not groom the MOM Database for the full 60 days, to avoid removing data that has not been transferred to the Reporting database.

So there you go. Now, there's some really interesting stuff in the "Grooming" section. Evidently MOM Wa…

miis - the promised code

A while back, I promised I'd post some sample code once I got the provisioning components working for simple sync for ADAM. I don't understand programming at all. I hack through scripts ... and that's about it. However, this isn't that far off from scripting I suppose. Most of the stuff you have to do is in the "Public Sub" part. There's a simple select case statement to alter the container that the object is created in. That's really about it. Anyway, here it is:

Imports Microsoft.MetadirectoryServices

Public Class MVExtensionObject
    Implements IMVSynchronization

    Public Sub Initialize() Implements IMvSynchronization.Initialize
        ' TODO: Add initialization code here
    End Sub

    Public Sub Terminate() Implements IMvSynchronization.Terminate
        ' TODO: Add termination code here
    End Sub

    Public Sub Provision(ByVal mventry As MVEntry) Implements IMVSynchronization.Provision
        ' TODO: Remove this throw statement if you implement th…

problems with MOMma

update: this information has been posted to an article on myitforum.com.

Since implementation, it seems like the database has done nothing but grow, grow, grow. I've blamed the Exchange guys relentlessly for having a very noisy environment. No matter how many times I ran the MOMX Partitioning and Grooming job, the database would not free up any space. It turns out there are some mechanisms tied directly into grooming if you have a MOM warehouse enabled. Here are the details. If you want to know the last time your DTS job completed successfully, you can comb through the event log on the reporting server or you can issue this command to your OnePoint database:

select * from ReportingSettings

The first column, labeled TimeDTSLastRan, indicates the last successful marker. Turns out if this isn't current, your grooming jobs aren't doing anything. Mine was set to the end of February. Hmmm. That'd explain the obscene growth pattern. I've run the job 5 times using the latenc…