O R G A N I C / F E R T I L I Z E R: 08.05

Aug 26, 2005

esbot dcom problems...

i ran into this same problem w/ dcom. it wasn't a mom issue... but it was the same condition as blake posted about. if you have odd connectivity problems, read his post.

delegating lcs administration for users...

when i was told that user administration couldn't be delegated to just the domain, i refused to take that for an answer. this is Live Communications Server 2005! that means two full product releases from exchange im. if you recall, there was an lcs 2003 as well, but it didn't get quite that much play. after a few rounds, microsoft came back with an answer. admittedly, it was a little difficult to understand in the context they provided. let me see if i can make it a little easier. keep in mind, these steps are for a multi-domain forest. high-level steps:
  • create a universal group in the root domain
  • delegate access to the msRTCSIP objects in the root domain
  • delegate access to the lcs server computer objects
  • add the group to RTC Local User Administrators on each lcs server
  • delegate access to user objects
in this example, we'll use a root domain universal group called RTCPerms. it has to be universal so it can contain groups from any domain in the forest and be evaluated in any domain. we need to give RTCPerms some object-level access, so go to your root domain and, in adsi edit, navigate to CN=RTC Service,CN=Microsoft,CN=System,DC=root (root domain > System > Microsoft > RTC Service). on that container, grant RTCPerms the following rights, scoped to the object classes listed:
  • msRTCSIP-Pool objects
    • Read All Properties
  • msRTCSIP-PoolService objects
    • Read All Properties
  • msRTCSIP-Service objects
    • List Contents, Read All Properties
  • msRTCSIP-GlobalContainer objects
    • List Contents, Read All Properties
not done quite yet. now connect back to the domain where your lcs servers reside.
  • in aduc, turn on View > Users, Groups, and Computers as containers, so the computer objects can be expanded.
  • expand each lcs server's computer object. you'll see a Microsoft container; under it is an RTC Services container.
  • remember the RTCPerms universal group in the root domain? okay, good. grant it Read All Properties on that RTC Services container.
  • add RTCPerms to the "RTC Local User Administrators" local group on your lcs server. assuming you're using a pool, do both of the above on each pool member.
now you're on your own. however you want to delegate permissions on your users, do it that way: full control, read/write all properties, or just the RTC-specific properties. it will all work now. from here on, delegating another team is just a matter of adding their group to RTCPerms in the root domain. ah, more for the gray matter. time to drop another childhood memory.
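the same steps, scripted. this is an added example and not part of the original post or anything microsoft shipped with lcs; it uses the Windows Server 2003 admin tools (dsadd, dsmod, dsacls) plus WMI for the local group. the domain names, the group name RTCPerms, the pool members LCS01/LCS02 (assumed to sit in CN=Computers), the user OU and the CorpHelpdesk group are all assumptions you'll need to swap for your own.

```powershell
# Added example, not from the original post: the delegation steps above, scripted with the
# Windows Server 2003 support tools (dsadd, dsmod, dsacls) plus WMI for the local group.
# Assumed names: root domain root.example.com, child domain corp.root.example.com holding the
# lcs pool, pool members LCS01/LCS02 in CN=Computers, and a helpdesk group to delegate to.
# Run it from a machine with the admin tools, as an account allowed to write these ACLs.

$rootDn  = 'DC=root,DC=example,DC=com'
$childDn = 'DC=corp,DC=root,DC=example,DC=com'
$grpDn   = "CN=RTCPerms,CN=Users,$rootDn"
$grp     = 'ROOT\RTCPerms'                      # NetBIOS form that dsacls and net.exe expect
$poolFEs = 'LCS01', 'LCS02'
$userOu  = "OU=LCS Users,$childDn"
$delegatedTeam = "CN=CorpHelpdesk,OU=Groups,$childDn"

# 1. universal security group in the root domain (-scope u = universal, -secgrp yes = security)
dsadd group $grpDn -secgrp yes -scope u -samid RTCPerms

# 2. rights on the msRTCSIP object classes under CN=RTC Service,CN=Microsoft,CN=System.
#    /I:S = the ACE applies to sub-objects, not the container itself; the third field of /G
#    is the object class the ACE is inherited by. RP = Read All Properties, LC = List Contents.
$rtcService = "CN=RTC Service,CN=Microsoft,CN=System,$rootDn"
$classRights = @{
    'msRTCSIP-Pool'            = 'RP'
    'msRTCSIP-PoolService'     = 'RP'
    'msRTCSIP-Service'         = 'LCRP'
    'msRTCSIP-GlobalContainer' = 'LCRP'
}
foreach ($class in $classRights.Keys) {
    dsacls $rtcService /I:S /G "${grp}:$($classRights[$class]);;$class"
}

# 3. Read All Properties on each pool member's CN=RTC Services,CN=Microsoft container
#    (a child of the computer object; CN=Computers is an assumption, adjust to your OU)
foreach ($fe in $poolFEs) {
    $svcContainer = "CN=RTC Services,CN=Microsoft,CN=$fe,CN=Computers,$childDn"
    dsacls $svcContainer /G "${grp}:RP"
}

# 4. membership in the "RTC Local User Administrators" local group on every pool member,
#    done remotely through Win32_Process so you don't have to log on to each box
foreach ($fe in $poolFEs) {
    $cmd = "net localgroup `"RTC Local User Administrators`" $grp /add"
    $rc  = ([wmiclass]"\\$fe\root\cimv2:Win32_Process").Create($cmd)
    if ($rc.ReturnValue -ne 0) { Write-Warning "$fe : Win32_Process.Create returned $($rc.ReturnValue)" }
}

# 5. the user-object delegation itself, on the OU the team is supposed to manage.
#    RPWP on user objects = read/write all properties; narrow it to the RTC attributes
#    instead by naming them, e.g. "${grp}:RPWP;msRTCSIP-PrimaryUserAddress;user".
dsacls $userOu /I:S /G "${grp}:RPWP;;user"

# 6. from here on, delegating another team is just nesting their group in RTCPerms
dsmod group $grpDn -addmbr $delegatedTeam

# sanity check: dump the resulting ACL and look for the RTCPerms entries
dsacls $rtcService | Select-String 'RTCPerms'
```

step 5 is the one to think about: RPWP on the whole user object lets the delegated team change anything on those accounts, not just the lcs settings, so if the point of the exercise is "lcs admins only", name the msRTCSIP-* attributes instead of leaving the attribute field empty.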

Aug 24, 2005

mom server performance advisor mp - first thoughts

i've read over the readme for the spa mp. my first thoughts are that it sounds fairly intriguing. looks like it can be set to kick off a spa data collection whenever an event is detected, such as cpu sustained busy for x minutes. it could also be useful to kick off an active directory collection whenever lsass exponential memory usage is detected, for example. the only suggestion i'd have for the mp authors is... where is the task to deploy spa? certainly there must be some way to do this since it's an msi. i suppose i could hack and slash my way through the mbsa mp (do not recommend using unless you have no other vuln mgmt tool) to look at their script code to see how they set up the deployment tasks - or the exbpa mp (very noisy, also not recommended).

my gaim messenger is going to explode...

have you seen that google has released their own messenger? i'm very pleased that a friend of mine referred me to using gaim. it's modular enough to handle the jabber protocol that new google talk users will be using. guess that means i have to set up gaim for google talk. sigh. this is getting crazy. i have a messenger id on nearly every system, maintain severe overlap for IM friends that use two or three different types. it's always left to third-parties to join these homogenous systems together. however, that doesn't mean you can just have one messenger id and talk to someone else. you have to maintain an id on every system. try to convince your friends to move off aol to msn or vice versa. whatever.

Aug 23, 2005

what's for dinner? i'm hungry!

i just discovered this site called restaurant.com. the motto is "eat. drink. save money". i'm cool with that. most of the certificates don't cover drinks as it turns out, though. so maybe the motto should be "eat. save money."? there are a few other gotchas. you can only use one certificate per party. you can only use a certificate at that particular restaurant once per month. there are some great restaurants on this site though... most $25 certificates cost $10. $10 certificates cost $3, etc. the certificates have stipulations like having to order $35 worth of food for the $25 certificate. anyway, i ran into this a LONG time ago but wasn't sure if it was legitimate. however, after running across this coupon code... i had to try it! anyway, it's 73639 in case you get an itch to try it yourself.

tracking inefficient queries...

update: a fellow reader suggested i check out this article from tony murray. it's good stuff, so i thought i'd drop the link here: logging ldap searches: ad & adam.

so... a couple of domain controllers had runaway lsass processes today. i began to look further into the issue and figured out where the excessive LDAP queries were being issued from. unfortunately, it didn't amount to anything... but the process of tracking them down was pretty useful. the first thing i should point you to is Server Performance Advisor. just an fyi, as it turns out, there's a management pack that you can use with SPA... :) it's located here.

alright, so spa... you're on your own. it's a little kludgy, but once you have it down, it's extremely useful for surfacing what a DC is actually doing. i'm not really happy about the fact that it has to leave a footprint (installed) versus just running from an executable... but what do you do? anyway, what i realized about spa is that it doesn't capture long-running or inefficient queries. i did some more digging and found that if you raise the 15 Field Engineering diagnostic level to 4 or 5, you get logging down to the individual query, including the filter. you can read the whole article here. here's a snippet from the article:

Tracking Expensive and Inefficient Searches

Expensive searches are searches that visit a large number of entries. The efficiency of a search is measured by the number of entries returned against the number of entries visited. For example, a search that goes through 500 entries could be considered an expensive search. If the search returns 500 entries after searching through 500 entries, then you have an efficient search. An inefficient search returns five entries after searching through 500 entries.

To track searches, you can enable the diagnostic event logging for Active Directory Services. Event logging allows you to determine if you have expensive or inefficient searches.

These event log messages are logged in the Directory Services event log using the Field Engineering category. The Directory Services event log is generated every time the garbage collector runs.

The following is an example of an event log message of an inefficient search:

Windows 2000 Server log

The Search operation based at DC=MyTest,DC=microsoft,DC=com 
using the filter:
visited 237 entries and returned 6 entries.

Windows Server 2003 log

Internal event: A client issued a search operation with the following options.

Starting node:
  (objectCategory=<val>) Visited entries: 237 Returned entries: 6

This search is considered an inefficient search because only six entries are returned after going through 237 entries.

Potentially, there can be numerous event log messages, so the messages are masked by using a severity level other than the default:

    To log a message about the number of expensive and inefficient search operations performed in the last collection period, set the Field Engineering logging severity level to 4 (DS_EVENT_SEV_VERBOSE).
    To log a message about the number of expensive and inefficient search operations performed in individual searches, set the Field Engineering logging severity level to 5 (DS_EVENT_SEV_INTERNAL). This event logs the exact filter used for each search operation that was expensive or inefficient, immediately after any expensive or inefficient search completes.

You can set the severity levels by setting the following registry key:

Diagnostics\15 Field Engineering

For information about how to enable diagnostic event logging for Active Directory Services, see the Microsoft Knowledge Base article Q314980 How to configure Active Directory diagnostic event logging in Windows Server Services.

To categorize search operations as expensive or inefficient, two DWORD registry keys are used:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Expensive Search Results Threshold
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Inefficient Search Results Threshold

These DWORD registry keys have the following default values:

  • Expensive Search Results Threshold: 10000
  • Inefficient Search Results Threshold: 1000

Using the default values, a search is considered expensive if it visits more than 10,000 entries. A search is considered inefficient if the search visits more than 1,000 entries and the returned entries are less than 10 percent of the entries that it visited.
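here's the same thing as a script. this is an added example, not part of the quoted article: it sets the 15 Field Engineering level and the two threshold values at their standard NTDS registry locations, then applies the article's classification rule (visited > expensive threshold; visited > inefficient threshold and returned < 10% of visited) to event text. the four event messages in $samples are constructed for the demo and are not from a real domain controller; the Get-EventLog line at the bottom is how you'd feed it the real thing.

```powershell
# Added example, not from the quoted article. Turns on query-level Field Engineering
# logging, creates the two threshold values, and applies the article's classification rule
# to Directory Service event text. Registry paths are the standard NTDS locations; the event
# messages in $samples are constructed for the demo, not copied from a real DC.

$diagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Set-FieldEngineeringLogging {
    # 4 = count of expensive/inefficient searches per collection period, 5 = one event per
    # offending search including its filter. Put it back to 0 when done; level 5 is chatty.
    param([ValidateRange(0,5)][int]$Level = 5,
          [int]$ExpensiveThreshold = 10000,
          [int]$InefficientThreshold = 1000)
    Set-ItemProperty -Path $diagKey -Name '15 Field Engineering' -Value $Level -Type DWord
    # the threshold values don't exist until you create them; -Force overwrites an existing one
    New-ItemProperty -Path $paramsKey -Name 'Expensive Search Results Threshold' `
        -Value $ExpensiveThreshold -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $paramsKey -Name 'Inefficient Search Results Threshold' `
        -Value $InefficientThreshold -PropertyType DWord -Force | Out-Null
}

function Get-SearchClass {
    # Pulls "Visited entries: N Returned entries: M" (and the starting node, when present)
    # out of one event message and applies the rule: expensive if visited > expensive
    # threshold; inefficient if visited > inefficient threshold and returned < 10% of visited.
    param([string]$Message,
          [int]$ExpensiveThreshold = 10000,
          [int]$InefficientThreshold = 1000)
    if ($Message -notmatch 'Visited entries:\s*(\d+)\s+Returned entries:\s*(\d+)') { return $null }
    $visited  = [int]$Matches[1]
    $returned = [int]$Matches[2]
    $node = if ($Message -match 'Starting node:\s*(\S+)') { $Matches[1] } else { '' }
    $tags = @()
    if ($visited -gt $ExpensiveThreshold) { $tags += 'expensive' }
    if ($visited -gt $InefficientThreshold -and $returned -lt ($visited * 0.10)) { $tags += 'inefficient' }
    if ($tags.Count -eq 0) { $tags = @('ok') }
    New-Object PSObject -Property @{
        StartingNode = $node; Visited = $visited; Returned = $returned; Class = ($tags -join '+')
    }
}

# constructed samples in the Windows Server 2003 event style shown above (event 1644 on 2003)
$samples = @(
    'Internal event: A client issued a search operation with the following options. Starting node: DC=corp,DC=example,DC=com (objectCategory=person) Visited entries: 237 Returned entries: 6',
    'Internal event: A client issued a search operation with the following options. Starting node: DC=corp,DC=example,DC=com (&(objectCategory=person)(sAMAccountName=*smith*)) Visited entries: 1500 Returned entries: 20',
    'Internal event: A client issued a search operation with the following options. Starting node: DC=corp,DC=example,DC=com (objectClass=*) Visited entries: 12000 Returned entries: 11900',
    'Internal event: A client issued a search operation with the following options. Starting node: CN=Configuration,DC=root,DC=example,DC=com (objectClass=*) Visited entries: 12000 Returned entries: 40'
)
$samples | ForEach-Object { Get-SearchClass $_ } |
    Format-Table StartingNode, Visited, Returned, Class -AutoSize

# against a live DC, after Set-FieldEngineeringLogging -Level 5:
# Get-EventLog -LogName 'Directory Service' -Newest 1000 | Where-Object { $_.EventID -eq 1644 } |
#     ForEach-Object { Get-SearchClass $_.Message } | Where-Object { $_.Class -ne 'ok' }
```

one thing to notice: with the default 1000-entry inefficient threshold, the article's own 237-visited/6-returned example doesn't trip the rule at all. if you want to catch searches that small, pass lower thresholds to Set-FieldEngineeringLogging (and the same values to Get-SearchClass), and expect the log volume to go up accordingly.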

congrats to jeanette!

she's been promising to answer questions on the momcommunity.com site. she delivered! let's celebrate her first answer post!

woohoo! halo movie...

check it out... a halo movie is a closed deal, planned for release in 2007! :) good stuff rod.

upcoming webcasts...

here's a few webcasts i'm probably going to catch... thought i'd post it up here for anyone's benefit who actually reads this thing.

TechNet Webcast: Mastering Windows Management Instrumentation (Level 200)

Tuesday, September 13, 2005 - 9:30 AM - 10:30 AM Pacific Time

Don Jones, Microsoft MVP, Book Author, and Founder of ScriptingAnswers.com

Windows Management Instrumentation (WMI) is a robust technology for administering Windows through scripts. In this webcast, we examine how WMI works and show you the wide variety of things it can do, such as collecting information from computers and reconfiguring systems. Learn a methodology for incorporating WMI into your scripts quickly and easily. You will find out how to use the tools and utilities that can make writing WMI scripts simple and painless.


TechNet Webcast: What's New in SMS 2003 Service Pack 2 (Level 200)

Thursday, September 15, 2005 - 11:30 AM - 1:00 PM Pacific Time

Wally Mead, Program Manager, SMS, Microsoft Corporation

The next service pack for Microsoft Systems Management Server (SMS) 2003 is in development. If you want to see the new features this new service pack will provide to your SMS 2003 environment, this webcast is for you. Join us as we look at the new features and updates in the service pack, as well as how to upgrade to SMS 2003 Service Pack 2.


Aug 22, 2005

lcscmd - help!

admittedly, i'm posting this for my own reasons. i want a place i can reference whenever i need to know the lcscmd.exe feature set. if you try to look at the help, it's fairly daunting. one thing worth noticing before you paste any of this into a batch file: Activate takes the service account credentials right on the command line (/user and /password), so they end up in shell history and in whatever script you leave lying around. USAGE:

LcsCmd.exe /?
LcsCmd.exe /batch:{input file} [/l:{log file}]
LcsCmd.exe /forest[:{FQDN}] /action:{action name} [Parameter 1] ... [Parameter N]
LcsCmd.exe /domain[:{FQDN}] /action:{action name} [Parameter 1] ... [Parameter N]
LcsCmd.exe /server[:{FQDN}] /action:{action name} [Parameter 1] ... [Parameter N]

examples:

LcsCmd.exe /batch:MyBatch.xml
LcsCmd.exe /forest /action:CheckForestPrepState /l:c:\LcsCmd.html
LcsCmd.exe /domain /action:CheckDomainPrepState /l:c:\LcsCmd.xml /xml
LcsCmd.exe /domain /action:CreateLcsOuPermissions /ou:CN=MyUsers /objectType:User
LcsCmd.exe /server /action:Activate /role:SE /password:My$tr0ngPwd
LcsCmd.exe /server /action:ExportServerConfig /role:SE /configFile:c:\HSConfig.xml
LcsCmd.exe /server /action:ImportServerConfig /role:SE /configFile:c:\HSConfig.xml
LcsCmd.exe /server /action:ImportServerConfig /role:SE /configFile:c:\HSConfig.xml /restore
LcsCmd.exe /server /action:ExportServerConfig /role:EE /configFile:c:\FEConfig.xml
LcsCmd.exe /server /action:ExportServerConfig /role:Proxy /configFile:c:\ProxyConfig.xml
LcsCmd.exe /server /action:ExportServerConfig /role:AP /configFile:c:\EPConfig.xml
LcsCmd.exe /forest /action:ExportPoolConfig /poolName:MyExportPool /configFile:c:\MyExportPoolConfig.xml
LcsCmd.exe /forest /action:ImportPoolConfig /poolName:MyImportPool /configFile:c:\MyExportPoolConfig.xml
LcsCmd.exe /forest /action:ExportGlobalConfig /configFile:c:\GlobalConfig.xml
LcsCmd.exe /forest /action:ImportGlobalConfig /configFile:c:\GlobalPoolConfig.xml

scope switches:
  • /batch:{input file} Switches the execution to batch mode. Specifies the input XML file to use for the actions and parameters.
  • /forest[:FQDN] Executes the action for the specified forest. If no fully qualified domain name (FQDN) is specified, the current forest is used.
  • /domain[:FQDN] Executes the action for the specified domain. If no FQDN is specified, the current domain is used.
  • /server[:FQDN] Executes the action for the specified server machine. If no FQDN is specified, the current machine is used.

forest actions (/forest):
  • CheckSchemaPrepState: Checks Live Communications (LC) Active Directory (AD) schema state.
  • SchemaPrep: Prepares LC AD schema by uploading LCS schema extensions. Uses the optional /ldf parameter.
  • CheckForestPrepState: Checks whether the forest was prepared to host LC.
  • ForestPrep: Prepares the forest to host LC.
  • ForestUnprep: Removes the preparation from the forest to host LC. Also uses the optional /force switch.
  • CheckAllDomainsPrepState: Checks all domains in the forest for whether they were prepared to host LC.
  • CheckAllPoolsState: Lists all pools in a forest.
  • CheckPoolState: Checks the pool's state. Requires the /poolname parameter.
  • CreatePool: Creates a pool for LCS Enterprise Edition servers in the forest. Requires the /poolname, /refdomain, /poolbe, /dbdatapath and /dblogpath parameters. Also uses the optional /dbsetupfilepath parameter and /clean switch.
  • RemovePool: Removes a pool from the forest. Requires the /poolname parameter. Also uses the optional /force and /keepdb switches.
  • UpdatePoolBackend: Updates the backend for a pool. Requires the /poolname and /poolbe parameters.
  • ExportPoolConfig: Exports the pool-level configuration (shared between all front ends). Requires /poolName and /configFile.
  • ImportPoolConfig: Imports the pool-level configuration (shared between all front ends). Requires /poolName and /configFile.
  • ExportGlobalConfig: Exports the global-level configuration. Requires /configFile. Giving an FQDN after the /forest switch is not supported (it always takes the setting from the current forest).
  • ImportGlobalConfig: Imports the global-level configuration. Requires /configFile. Giving an FQDN after the /forest switch is not supported (it always applies the setting to the current forest).

domain actions (/domain):
  • CheckDomainPrepState: Checks whether the domain was prepared to host LC.
  • DomainPrep: Prepares the domain to host LC.
  • DomainUnprep: Removes the preparation from the domain to host LC. Also uses the optional /force switch.
  • CheckDomainAddState: Checks whether domainadd preparation was done on a domain for another domain. Requires the /refdomain parameter. Also uses the optional /usersonly switch.
  • DomainAdd: Performs domainadd preparation on a domain for another domain. Requires the /refdomain parameter. Also uses the optional /usersonly switch.
  • DomainRemove: Removes domainadd preparation on a domain for another domain. Requires the /refdomain parameter. Also uses the optional /usersonly and /force switches.
  • CheckLcsOuPermissions: Checks whether permissions for LCS groups were set on the specified container for user, contact, inetOrgPerson or computer type objects. Requires the /ou and /objectType parameters. /ou specifies the container DN relative to the domain root container DN. /objectType specifies the type of objects to verify the LCS permissions on. Also uses the optional /refDomain parameter. If /refDomain is specified, the LCS groups on this reference domain are used to verify the permissions instead of the LCS groups on the context domain.
  • CreateLcsOuPermissions: Creates permissions for LCS groups on the specified container for user, contact, inetOrgPerson or computer type objects. Requires the /ou and /objectType parameters. /ou specifies the container DN relative to the domain root container DN. /objectType specifies the type of objects to create the LCS permissions on. Also uses the optional /refDomain parameter. If /refDomain is specified, the LCS groups on this reference domain are used to create the permissions instead of the LCS groups on the context domain.
  • RemoveLcsOuPermissions: Removes permissions for LCS groups on the specified container for user, contact, inetOrgPerson or computer type objects. Requires the /ou and /objectType parameters. /ou specifies the container DN relative to the domain root container DN. /objectType specifies the type of objects to remove the LCS permissions from. Also uses the optional /refDomain parameter. If /refDomain is specified, the LCS groups on this reference domain are used to remove the permissions instead of the LCS groups on the context domain.

server actions (/server):
  • CheckLCServerState: Checks a server's state and role as an LC Server.
  • Activate: Activates a machine as an LC Server. Requires the /role, /user and /password switches. The /poolname parameter is required if the role is specified as 'EE'. The /backend and /dbname parameters are required if the role is specified as 'Archiving'. Also uses the optional /unregspn and /nostart switches. The /archserver and /queuename parameters can be used to activate the IM Archiving Agent together with the server (when the role is 'EE', 'SE' or 'Proxy') and are optional.
  • Deactivate: Deactivates a server activated as an LC Server in its domain. Also uses the optional /force switch.
  • ExportServerConfig: Exports the machine-level configuration. Requires /role and /configFile.
  • ImportServerConfig: Imports the machine-level configuration. Requires /role and /configFile. Also uses the optional /restore switch. When the /restore switch is not specified or is 'false', it only imports the classes that don't contain machine-specific information. Otherwise it will try to import everything. In order for the restore operation to succeed you need to make sure that all the machine-specific settings in the XML file are valid. For example, the certificates that were configured when ExportServerConfig was run need to exist and still be valid on the machine where the import happens.

using multiple email servers

some members of the mom community have expressed an interest in using multiple smtp destinations for failover in case one or the other becomes unavailable. to my surprise, the people complaining have been mail admins! now in order to have failover, you have to have at least two instances of something running. going on that assumption, you could do either of these:
  • bring up a load-balancer and put your smtp servers behind it. mask the name or IP to something virtual.
  • create multiple entries in dns with the same name. point each record to a different mail server. poor man's load-balancer using round-robin records.

another stimulating thought...

so hann writes about something that a lot of people have expressed interest in... not just in MOM 2005... but during MOM 2000 days. the inherent problem is that if you modified the DB to support triggers on certain conditions, you'd most likely lose support. the other problem is that full table scans suck. having a script running looking for changes to open alerts constantly... sounds like bad mojo.

Aug 19, 2005

your home is where your heart is...

i think mosby's post is insinuating that moving a blog means that you've left your home. au contraire. i've been a member of myITforum.com since swynk.com. so in case he missed my reference to moving my blog for usability reasons, i'll state it again. i moved to blogger.com because the site is functionally much better than the blog services offered on msmvps.com or myitforum.com. it'd be pretty silly to think that i've formed some kind of "home" on blogger.com. i would venture a guess that this site has no vendor allegiances and is technology agnostic. besides which, i still write articles for myitforum.com and am an active member of the email lists. what do you think?

mp notifier released ...

hann posted this little gem today. ms recently decided to release MPNotifier as a release to web. i think the original was floating around in newsgroups. anyway, for everyone's enjoyment... check the link. don't be alarmed though that mpnotifier doesn't find everything. the xml doesn't get updated like it should. eventually they get around to it though...

Aug 18, 2005

changing sms default behavior...

here's an interesting thing richard found. thought i'd share it. you can change the default behavior of remote roaming boundary clients... check out the link. he's always coming up with hacks like this... of course supportability is always questioned. might be on your own if you do something wrong... :)

testing the email posting feature...

just wanted to see how well this works… :)

moving my blog...

just a note that i'm moving my blog from myitforum.com/blog/moh to here! :) if you're wondering why i moved my blog, it's because blogger.com rules. the feature set is much richer and functionally, very cool. anyway, i moved all the blog content and stuff. retained the original dates... but can't say the timestamp is the same. still very much a part of the myITforum.com mailing lists and will continue to contribute articles to the site.

mom team rules...

john and i were hashing around how to submit an update to an alert object since the submit function seemed to work only when it was coupled with a create method. turns out you don't have to submit at all... you simply set the new field for the alert. check out the sample script that hann posted:


linking to my blog...

hann is linking to my blog again. he made some commentary about my post on update or replace MPs. i concur with his thoughts. you can check them out here: http://msmvps.com/jfhann/archive/2005/08/17/63139.aspx.

Aug 17, 2005

import - update or replace?

we've thrashed around the topic on the msmom mailing list today. turns out that copying a rule does not preserve the content of the product knowledge tab.

other interesting thing to note is that the "update" feature of mp import does not retain the override criteria or threshold changes. the only things it holds on to are disable/enable, company knowledge, and any rules you may have created for yourself.

the recommendation is still to copy any rules that you plan to modify and disable the original. as long as you're going to do that, you might as well move it into its own custom rule group so that you can export them at will and import at will w/out the fear of losing any of your work. i've been using sharepoint services to maintain a list of mom rules that i've modified over the course of my history with it.

oh, btw, you can copy the product knowledge to the company knowledge of a copied rule. not sure that it's the same effect... but at least you have something to reference. some of the tools for MP authors may allow some more indepth editing... who knows?

met with 1e today...

they have some pretty amazing tools. i am so impressed with where they've taken nomad since when i participated in their beta. they also have a lightweight desktop monitoring tool called deskmon which utilizes the sms status messages to send up info. of course smswakeup is always cool for WOL stuff. love the multi-slave model.

have you heard that THE john hann has moved his blog?

This is interesting. Hann has moved his page to http://msmvps.com/jfhann. I'm not sure what this means really. I'm sure it's nothing ominous about myITforum in general, but it is interesting, nonetheless.

Anyway, he's known to post some good things on occasion. Rare occasion.

Aug 11, 2005

mom reporting server - complicated layers (baking a tall cake)...

Ran into an issue on MOM Reporting Server. After some investigation, it was all the way down at the Framework layer. If you're not familiar with MOM Reporting, it's like the house that Jack built. It requires the following layers:

  • Windows (obviously)
  • SQL (obviously)
  • IIS
  • .NET Framework
  • SQL Reporting Services
  • MOM Reporting Services

So... if you have a failure on any one of those layers, your little house is going to come apart. For my particular situation, as mentioned before, the problem was at the Framework layer. I couldn't figure out where it was failing or how to fix it. I did the only logical thing... reinstall.

Reinstalling made no changes, so I moved to the next logical step... uninstall.

I uninstalled everything down to IIS. Since there were other websites running, I knew that probably wasn't it. Also, SQL was healthy as well. DTS jobs were running. SQL queries worked fine. This is when I started packing back the required components. I got .NET Framework loaded, which seemed to go fine. At the last leg of the SQL Reporting Services install, it stated there was an error during the install. I looked up the error code... and it stated that I needed to run rsactivate. Here's what I got back:

C:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer>rsactivate -c RSReportServer.config
Failure starting the web service: The Report Server Web service has not generated a public key. The service may not have started successfully. Check the log files for more information.

Alright... that makes no sense to me. I looked up that error... and it stated I needed to run aspnet_regiis. Here's what I got back:

C:\WINNT\Microsoft.NET\Framework\v1.1.4322>aspnet_regiis -i
Start installing ASP.NET (1.1.4322.0) without registering the scriptmap.
An error has occurred (0x80070005). You must have administrative rights on this machine in order to run this tool.

After several aggravating attempts to uninstall/install components again, I gave up and called India. Here's where the problem was... (don't laugh). That stupid error code above was partially accurate. Even though I have administrative rights, the permissions on a couple of registry keys were corrupted, so the account didn't actually have the rights it needed there. :/

Here are the locations in case you run into this (and judging by some of the newsgroup posts, you have):

  • HKLM\System\CurrentControlSet\Services\EventLog\Application\ASP.NET 1.1.4322.0
  • HKLM\System\CurrentControlSet\Services\EventLog\Application
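Here's a quick way to check those two keys before you reach for the phone. This is an added example, not something from the original post or from Microsoft support: it dumps every ACE on each key and flags the case where BUILTIN\Administrators has no Allow Full Control entry (assumed here to be the expected baseline for these keys; the post doesn't say which entry was missing). The -Repair switch puts that entry back with Set-Acl.

```powershell
# Added example, not from the original post. Reports the ACL on the two keys named above
# and flags the condition described: BUILTIN\Administrators without an Allow Full Control
# entry (assumed here to be the expected baseline for these keys). -Repair puts that entry
# back with Set-Acl; only do that once you're sure the rest of the key is intact.
# If Get-Acl itself is denied, the key's owner has to take ownership first (regedit).

$keys = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application',
        'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\ASP.NET 1.1.4322.0'
$fullControl = [System.Security.AccessControl.RegistryRights]::FullControl

function Test-AdminFullControl {
    param([string]$Path, [switch]$Repair)
    if (-not (Test-Path $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Exists = $false; AdminFullControl = $false }
    }
    $acl = Get-Acl -Path $Path
    # show every ACE, so you can see who *does* have access when admins don't
    Write-Host "ACL for $Path"
    $acl.Access | ForEach-Object {
        Write-Host ('  {0,-40} {1,-6} {2}' -f $_.IdentityReference.Value, $_.AccessControlType, $_.RegistryRights)
    }
    $ok = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $fullControl) -eq $fullControl)
    }
    if (-not $ok -and $Repair) {
        # Full Control, inherited by subkeys (ContainerInherit), no propagation tricks
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            'BUILTIN\Administrators', $fullControl, 'ContainerInherit', 'None', 'Allow')
        $acl.SetAccessRule($rule)
        Set-Acl -Path $Path -AclObject $acl
        $ok = $true
    }
    New-Object PSObject -Property @{ Path = $Path; Exists = $true; AdminFullControl = [bool]$ok }
}

foreach ($k in $keys) { Test-AdminFullControl -Path $k }
# once both keys report AdminFullControl = True, re-run aspnet_regiis -i and then rsactivate
```

The reason this key matters for aspnet_regiis: registering ASP.NET writes an event source under EventLog\Application, so a broken ACL there surfaces as the misleading "you must have administrative rights" message even when you are an administrator.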

So first hurdle crossed. Granted access, ran aspnet_regiis -i, ran rsactivate... we're good. Now browsing to the web page brought another error:

The underlying connection was closed. Could not establish secure channel for SSL/TLS. HTTP Error 403 - Forbidden.

So the issue here was incorrect VDIR settings in IIS. This is what we changed to make it work:

REPORTS virtual directory

Virtual Directory tab

  • Verify the path is set to C:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportManager
  • Verify the Application Name = "Report Server Interface"
  • Modify Execute permissions from "Scripts Only" to "Scripts and Executables"

Documents tab

  • Remove all default documents. Add "Home.aspx" as the default.

Directory Security tab

  • Uncheck "Enable Anonymous Access".

REPORTSERVER virtual directory

Virtual Directory tab

  • Verify the path is set to C:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer
  • Verify the Application Name = "Report Server"
  • Modify Execute permissions from "Scripts Only" to "None"
  • (On IIS 5.0) remove all Application Mappings and add a single Application Mapping with:
    • Executable set to "%WINDIR%\microsoft.net\framework\v1.1.4322\aspnet_isapi.dll"
    • Extension set to "*"
    • Verbs set to "All Verbs"
    • Script Engine checkbox selected

Documents tab

  • Add the following default documents in this order: default.htm, default.asp, index.htm, iistart.asp, default.aspx

Directory Security tab

  • Check "Enable Anonymous Access".

There were other problems after that. Paraphrasing, add the ASPNET account to the RSExecRole in SQL for the ReportServer and ReportServerTempdb database. If SQL Server is on the same server as Reporting Services, change the account being used from "Machine" to SYSTEM in machine.config (located under the field). After all that worked, I installed MOM Reporting. Of course, the catch here is that you don't want to lose all your data (won't let you continue without removing the db). So I did the following:

  • Detached the database.
  • Renamed the .ldf and .mdf files to something generic.
  • Ran through the installation.
  • Detached the new db. Deleted them. Renamed the old to the new.
  • Attached.

You'll lose all your MOM reports. I had to import all the report XMLs back in.