O R G A N I C / F E R T I L I Z E R: 2006

Dec 28, 2006

ds: compacting the wins database...

i have been terrible about compacting the wins database. i think about it so infrequently. it's definitely the last thing on my mind. well, according to microsoft, you should compact your wins database when it grows over 30mb. well, it's time. if you want details on jetpack, here's the article. otherwise, here's a short summary:
  1. navigate to %systemroot%\system32\wins
  2. stop the wins service: net stop wins
  3. run jetpack: jetpack wins.mdb tmp.mdb
  4. start the wins service: net start wins
tmp.mdb can be named anything. it's used to replace the existing file when it finishes. i'm seeing about a 50% reduction in size when i do this. coincidentally, it's the same thing for dhcp except you point it to %systemroot%\system32\dhcp and the dhcp.mdb file. i wrote up this little script to use in mom. depending on the parameters you give, it will check either the wins or the dhcp database to see if it's above 30mb. if it is, it'll create an event. the parameters you need are:
  • Database Type
  • LogSuccessEvent
for database type, you specify either wins or dhcp. logsuccessevent ... well... logs events if it is successful as well. :) view this in internet explorer. firefox truncates the lines when i use "pre" tags. watch for word wrap as well. here it is anyway:
'==========================================================================
'NAME        : MOM_WINSDHCP.vbs
'AUTHOR        : Marcus C. Oh
'DATE        : 12/28/2006
'COMMENT    : Checks the WINS or DHCP database file size to determine if it
'             needs to be compacted.
'==========================================================================

' Standard Event Type Numeric Values
Const EVENT_TYPE_SUCCESS = 0
Const EVENT_TYPE_ERROR   = 1
Const EVENT_TYPE_WARNING = 2
Const EVENT_TYPE_INFORMATION = 4

sComputer = "."

Set oShell = CreateObject("WScript.Shell")
Set oFSO = CreateObject("Scripting.FileSystemObject")
sSystemRoot = oShell.ExpandEnvironmentStrings("%SystemRoot%")
sSystemRoot = Left(sSystemRoot,InStr(sSystemRoot,"\")) & Mid(sSystemRoot,InStr(sSystemRoot,"\"))


'Retrieve MOM script parameters -------------------------------------------
sType = ScriptContext.Parameters.Get("Database Type")
bLogSuccessEvent = CBool(ScriptContext.Parameters.Get("LogSuccessEvent"))

If LCase(sType) = "dhcp" Then
DHCPCheck
ElseIf LCase(sType) = "wins" Then
WINSCheck
Else
CreateEvent 41004,EVENT_TYPE_WARNING,"WINS_DHCP Script","Incorrect script parameter.  Please specify either DHCP or WINS."
End If

'Check the WINS database file size ----------------------------------------
Sub WINSCheck
If oFSO.FileExists(sSystemRoot & "\system32\wins\wins.mdb") Then
   Set oWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & sComputer & "\root\cimv2")
   Set cFiles = oWMIService.ExecQuery("Select * from CIM_Datafile Where name = '"& sSystemRoot & "\\system32\\wins\\wins.mdb'")

   For Each oFile in cFiles
       If oFile.FileSize > 31450287 Then
           CreateEvent 41006,EVENT_TYPE_ERROR,"WINS_DHCP Script","WINS.MDB needs to be compacted.  Current size: " & oFile.FileSize & " bytes."
       Else
           If bLogSuccessEvent Then
               CreateEvent 41005,EVENT_TYPE_INFORMATION,"WINS_DHCP Script","WINS.MDB does not need to be compacted.  Size is " & oFile.FileSize & " bytes."
           End If
       End If
   Next
End If
End Sub

'Check the DHCP database file size ----------------------------------------
Sub DHCPCheck
If oFSO.FileExists(sSystemRoot & "\system32\dhcp\dhcp.mdb") Then
   Set oWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & sComputer & "\root\cimv2")
   Set cFiles = oWMIService.ExecQuery("Select * from CIM_Datafile Where name = '"& sSystemRoot & "\\system32\\dhcp\\dhcp.mdb'")

   For Each oFile in cFiles
       If oFile.FileSize > 31450287 Then
           CreateEvent 41006,EVENT_TYPE_ERROR,"WINS_DHCP Script","DHCP.MDB needs to be compacted.  Current size: " & oFile.FileSize & " bytes."
       Else
           If bLogSuccessEvent Then
               CreateEvent 41005,EVENT_TYPE_INFORMATION,"WINS_DHCP Script","DHCP.MDB does not need to be compacted.  Size is " & oFile.FileSize & " bytes."
           End If
       End If
   Next
End If
End Sub

'Standard event subroutine for MOM ----------------------------------------
Sub CreateEvent(iEventNumber,iEventType,sEventSource,sEventMessage)
Set oEvent = ScriptContext.CreateEvent()
oEvent.EventNumber = iEventNumber
oEvent.EventType = iEventType
oEvent.EventSource = sEventSource
oEvent.Message = sEventMessage
ScriptContext.Submit oEvent
End Sub

misc: thanks eventid.net!

for those of you that are MVPs, the kind folks at eventid.net have once again renewed my one year subscription. for those of you that are not, eventid.net is an excellent resource when you want to find information relevant to event IDs.

Dec 27, 2006

mom: monitoring adam

this just came across. i thought it was interesting for anyone that is interested in monitoring adam. i haven't looked at it yet... i don't really have any adam instances to monitor. anyway, it's a free mp from quest. check it out: http://www.quest.com/management_pack_for_adam/.

Dec 21, 2006

sms: serial numbers with warranty expiration...

here's something fun to try over the holiday season. marry up serial numbers that you're already collecting from your dell systems and join them to expiration warranty data so that you can see when your systems will go out of warranty. anyway, i'm sure someone very versed in sql scripting can come up with something better than what i've illustrated. i'm using stock scripts from query analyzer. remember, this is completely unsupported by microsoft. :) there are a few things you're going to need to get this started:
  1. a csv containing serial numbers and warranty
  2. a new table to hold the information
  3. a view for the new table
  4. a method to get the information into the table
  5. a report to look at all the new data
for the csv, you're going to need to get this data from dell (or from whatever manufacturer you use). basically, you'll want the format to look like this:
ABC1234,12/04/2009
ABC2234,12/04/2008
...

on your sms server, create a new table. if you're going to use my script to push the data in, then create one like this:

column name         data type
--------------      -------------
SerialNumber        nvarchar(50)
ExpirationDate      smalldatetime 
 
note, in the above, you do not want to allow nulls. you also want to set the primary key on SerialNumber since theoretically it should be unique. you could also use this little sql script to create it.
 
SET ANSI_NULLS ON 
GO 
SET QUOTED_IDENTIFIER ON 
GO

CREATE TABLE [dbo].[DellWarranty]([SerialNumber] [nvarchar](50) 
COLLATE SQL_Latin1_General_CP1_CI_AS NOT NULL, 
[ExpirationDate] [smalldatetime] NOT NULL, 
CONSTRAINT [PK_DellWarranty] 
PRIMARY KEY CLUSTERED ( [SerialNumber] ASC )WITH 
(PAD_INDEX = OFF, IGNORE_DUP_KEY = OFF) ON [PRIMARY] ) ON [PRIMARY] 
 

now that we have a table to work with, we'll create a view so that things are like the way sms does it. here's a sql script to run that will create a view called v_R_DellWarranty:

SET ANSI_NULLS ON 
GO 
SET QUOTED_IDENTIFIER ON 
GO 
CREATE VIEW [dbo].[v_R_DellWarranty] AS 
SELECT SerialNumber, ExpirationDate FROM dbo.DellWarranty
 

once your table and view are set up, apply the proper permission. i've outlined it in this blog post: sms: adjust permissions when using new tables... let's get the data into the table. once you have your .csv file ready, rename it to serials.csv and place it in c:\temp. why? because i'm lazy and haven't updated the script.

modify the following values so that you can connect to the sms server:

  • "Server=SMSSERVER;" &_
  • "Database=SMSDB;" &_
  • Set oTextFile = oFSO.OpenTextFile("C:\temp\serials.csv", 1) - this is the file and location

here's the script you're going to need:

Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oTextFile = oFSO.OpenTextFile("C:\temp\serials.csv", 1)

Set oConnection = CreateObject("ADODB.Connection")
oConnection.ConnectionString = _
    "Driver={SQL Server};" &_
    "Server=<YOUR SMS SERVER>;" &_ 
    "Database=<YOUR SMS DATABASE>;" &_
    "Trusted_Connection=yes;"

oConnection.Open

Do While oTextFile.AtEndOfStream <> True
    sLine = oTextFile.ReadLine
    If inStr(sLine, ",") Then
        aSerialRecord = Split(sLine, ",")
        'double any single quotes so a csv value cannot end the sql string literal
        sSerial = Replace(Trim(aSerialRecord(0)), "'", "''")
        sExpires = Replace(Trim(aSerialRecord(1)), "'", "''")
        sQuery =    "INSERT INTO DellWarranty(SerialNumber,ExpirationDate) " &_
                    "VALUES('" & sSerial & "','" & sExpires & "')"
        oConnection.Execute sQuery
    End If
Loop

oConnection.Close
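
a csv that comes from outside is untrusted input to this import. the added example below (python, with an in-memory sqlite3 table standing in for the sms database; it is not the script from this post) validates each field, binds it as a query parameter instead of placing it in the sql text, and reports duplicates and malformed rows instead of stopping on them. the serial pattern, the function names and the sample rows are assumptions.

```python
import csv
import io
import re
import sqlite3
from datetime import datetime

# assumption: serial numbers are short upper-case alphanumeric service tags
SERIAL_RE = re.compile(r"[A-Z0-9]{5,12}")

# constructed sample in the serial,MM/DD/YYYY layout shown in this post
SAMPLE_CSV = """\
ABC1234,12/04/2009
ABC2234,12/04/2008
abc3234 , 01/15/2010
ABC1234,12/04/2009
ABC'234,12/04/2009
ABC5234,13/45/2009
not a record
"""


def open_db():
    """in-memory stand-in for the DellWarranty table (same columns, same key)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE DellWarranty ("
        "SerialNumber TEXT NOT NULL PRIMARY KEY, "
        "ExpirationDate TEXT NOT NULL)"
    )
    return conn


def insert_record(conn, serial, expires_iso):
    """the values travel as bound parameters, never as part of the sql text."""
    conn.execute(
        "INSERT INTO DellWarranty (SerialNumber, ExpirationDate) VALUES (?, ?)",
        (serial, expires_iso),
    )


def import_rows(conn, text):
    """returns (rows inserted, [(line number, reason)] for every rejected row)."""
    inserted, rejected = 0, []
    reader = csv.reader(io.StringIO(text))
    for row in reader:
        line = reader.line_num
        if not row:
            continue  # blank line
        if len(row) != 2:
            rejected.append((line, "expected 2 fields"))
            continue
        serial = row[0].strip().upper()
        if not SERIAL_RE.fullmatch(serial):
            rejected.append((line, "bad serial"))
            continue
        try:
            expires = datetime.strptime(row[1].strip(), "%m/%d/%Y").date()
        except ValueError:
            rejected.append((line, "bad date"))
            continue
        try:
            insert_record(conn, serial, expires.isoformat())
        except sqlite3.IntegrityError:
            # the primary key on SerialNumber refuses a second copy
            rejected.append((line, "duplicate serial"))
            continue
        inserted += 1
    conn.commit()
    return inserted, rejected


if __name__ == "__main__":
    db = open_db()
    count, problems = import_rows(db, SAMPLE_CSV)
    print("inserted:", count)
    for line_no, reason in problems:
        print("line", line_no, "rejected:", reason)
```
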
 
once you run that, you'll have values populated into your new table. here's a sql query that you can create a sms report with. it's just a small example of how to use this new data:
 
select SYS.Name0 AS [System], CS.Model0 AS [Model], SerialNumber0 AS [Serial],
       Convert(CHAR(11),ExpirationDate,111) AS [Expiration]
from   v_R_System SYS INNER JOIN
       v_GS_System_Enclosure SE ON SYS.ResourceID = SE.ResourceID INNER JOIN
       v_GS_Computer_System CS ON SYS.ResourceID = CS.ResourceID INNER JOIN
       v_R_DellWarranty DW ON SE.SerialNumber0 = DW.SerialNumber 
order by [System]

Dec 19, 2006

misc: atlanta smug coming up 1/31/07

southeast management user group

it's that time again. i've put the agenda below and have provided the links to the event registration. hope to see you there!

Event Overview

9:00-10:30 Technical discussion regarding Microsoft’s Desktop Optimization Pack and integration points with System Management Server (SMS) 2003 Service Pack 3
  • Application Virtualization with Microsoft SoftGrid
  • Microsoft Asset Inventory Service
  • Microsoft Disaster Recovery Toolset
  • Microsoft Advance Group Policy Management
10:30-10:45 Break
10:45-12:00 Monitoring .NET Applications with Microsoft Operations Manager (MOM) & Avicode
12:00-1:00 Working Lunch Managing Mobile Devices with SMS 2003 & Odyssey Software
1:00-2:30 Monitoring SAP with Microsoft Operations Manager (MOM) & Tidalsoft
2:30-2:45 Break
2:45-3:30 SMS & MOM Top 10 issues delivered by PSS

registration links:

January 24th 2007
Event Title : Charlotte Southeast IT Management Meeting
Event ID : 1032321549
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032321549&Culture=en-US

January 31st 2007
Event Title : Atlanta Southeast IT Management Meeting
Event ID : 1032321546
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032321546&Culture=en-US

February 27th 2007
Event Title : Raleigh Southeast IT Management Meeting
Event ID : 1032321551
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032321551&Culture=en-US

Dec 12, 2006

miis: attribute not defined as source exception

i ran into this error recently which the fine folks @ mmsug@yahoogroups.com helped me clear up. i didn't find but one reference while googling. even though the reference was right, it made no sense to me. no surprise right? here's the error:
Microsoft.MetadirectoryServices.AttributeNotDefinedAsSourceException: Attribute "myAttribute" is not declared as a dependency. at Microsoft.MetadirectoryServices.Impl.MVEntryImpl.get_Item(String attributeName) at Mms_ManagementAgent_CCI_MA.MAExtensionObject.MapAttributesForExport(String FlowRuleName, MVEntry mventry, CSEntry csentry)
i was goofing around with this sample code. the only thing i did was wrap an additional logic to check myAttribute to see if it needed to be processed at all. basically if myAttribute is marked to a value of "A" then do not process the user object under any circumstances. it seems the problem is that i didn't bother to include myAttribute as part of the flow going through the rule extension. i was flowing employeeStatus to userAccountControl but didn't bother to include myAttribute. in identity manager, i needed to ctrl-click both attributes exported through the rule extension into userAccountControl. that took care of it. :)

Nov 20, 2006

mom: maintenance mode hta

in other words, a gui. matt broadstock was kind enough to notify us about this utility on the msmom list. it's a 1.0 version so there are plenty of things to improve, but this makes changing maintenance mode en masse a very simple task. check it out. it's labeled mom maintenance mode utility gui. send up your feedback.

ds: dumping all dns records

i've linked an interesting article on dumping out dns records. the one requirement is that zone transfers have to be turned on for the receiving client. in this case, it'd be your workstation... what fun. here are the steps, in short:
  1. nslookup
  2. set type=any
  3. ls -d domain.com > mydnsrecords.txt
  4. exit
read the full article if you want the details... :T or try this method with dnscmd.exe.

Nov 8, 2006

sms: itmu v3 installation failure

run into this error code with itmu v3?
error code: 0x80004005
this is because in order to successfully complete the install, you've got to rdp to the console session. as a reminder, in order to do this, from a run line type the following:
mstsc /v:<servername> /console
(by the way, the issue has been corrected in the newest bits. :)

Nov 6, 2006

os: time sync information

UPDATE: added some information regarding syncing to non-windows time sources.

i hate dealing with time synchronization. the tools for windows are so hokey. you know, little nuances like deprecating net time in favor of w32tm just doesn't get enough press. oh well. recently, i had to look through this stuff again. i decided i'd write up a little blog note as a reminder for myself the next time i have to look at this stuff. to start off with, very useful links.

how to turn on debug logging in the windows time service
how to configure an authoritative time server in windows server 2003
windows time server and internet communication
time synchronization may not succeed when you try to synchronize with a non-windows ntp server in windows server 2003

... and now, some very useful commands:

setting a time sync source:

w32tm /config /update /manualpeerlist:"time.nist.gov time.windows.com" /syncfromflags:MANUAL

verifying the settings:

w32tm /dumpreg /subkey:parameters
... following the commands above, if you're syncing time successfully, and you've turned on time sync debug logging as specified in the first link above, a successful entry in the log will look like the entry snippet below...
148232 19:09:40.0266456s - /-- NTP Packet: 
148232 19:09:40.0266456s - | LeapIndicator: 0 - no warning; VersionNumber: 3; Mode: 4 - Server; LiVnMode: 0x1C 
148232 19:09:40.0266456s - | Stratum: 2 - secondary reference (syncd by (S)NTP) 
148232 19:09:40.0266456s - | Poll Interval: 7 - 128s; Precision: -6 - 15.625ms per tick 
148232 19:09:40.0266456s - | RootDelay: 0x0000.1BFEs - 0.109344s; RootDispersion: 0x0000.CC68s - 0.798462s 
148232 19:09:40.0266456s - | ReferenceClockIdentifier: 0xC02BF412 - source IP: 192.168.1.1 
148232 19:09:40.0266456s - | ReferenceTimestamp: 0xC8FA05E75E673B78
148232 19:09:40.0266456s - - 12807313511368762700ns - 
148232 19:05:11.3687627s 
148232 19:09:40.0266456s - | OriginateTimestamp: 0xC8FA06F406D23EFC
148232 19:09:40.0266456s - - 12807313780026645600ns - 
148232 19:09:40.0266456s 
148232 19:09:40.0266456s - | ReceiveTimestamp: 0xC8FA06F406986261
148232 19:09:40.0266456s - - 12807313780025762700ns - 
148232 19:09:40.0257627s 
148232 19:09:40.0266456s - | TransmitTimestamp: 0xC8FA06F406986261
148232 19:09:40.0266456s - - 12807313780025762700ns - 
148232 19:09:40.0257627s 
148232 19:09:40.0266456s - >-- Non-packet info: 
148232 19:09:40.0266456s - | DestinationTimestamp: 
148232 19:09:40.0266456s - 0xC8FA06F406D23EFC
148232 19:09:40.0266456s - - 12807313780026645600ns
148232 19:09:40.0266456s - - 
148232 19:09:40.0266456s 
148232 19:09:40.0266456s - | RoundtripDelay: 000ns (0s) 
148232 19:09:40.0266456s - | LocalClockOffset: -882900ns - 0:00.000882900s 
148232 19:09:40.0266456s - \--

syncing to a non-windows time source:

w32tm /config /update /manualpeerlist:mynonwindowstimesource.com,0x8 /syncfromflags:MANUAL
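
the RoundtripDelay and LocalClockOffset values at the end of the debug log entry can be recomputed from the four timestamps in it. this is an added example (python; not part of the original post and not w32time's own code) that pulls the timestamps out of log lines copied from that entry and applies the standard ntp offset and delay formulas. the function names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
FRAC = 2 ** 32  # an ntp timestamp counts 1/2**32-second units since 1900-01-01 utc

# lines copied from the log entry in this post (only the timestamp lines)
SAMPLE_LOG = """\
148232 19:09:40.0266456s - | OriginateTimestamp: 0xC8FA06F406D23EFC
148232 19:09:40.0266456s - - 12807313780026645600ns -
148232 19:09:40.0266456s - | ReceiveTimestamp: 0xC8FA06F406986261
148232 19:09:40.0266456s - | TransmitTimestamp: 0xC8FA06F406986261
148232 19:09:40.0266456s - >-- Non-packet info:
148232 19:09:40.0266456s - | DestinationTimestamp:
148232 19:09:40.0266456s - 0xC8FA06F406D23EFC
"""

# a field name, or a 64-bit hex value; the value may sit on the line after its name
TOKEN = re.compile(r"(\w+Timestamp):|0x([0-9A-Fa-f]{16})\b")


def parse_timestamps(log_text):
    """map each '...Timestamp' field to the first 64-bit hex value that follows it."""
    found, current = {}, None
    for match in TOKEN.finditer(log_text):
        if match.group(1):
            current = match.group(1)
        elif current:
            found[current] = int(match.group(2), 16)
            current = None
    return found


def ntp_to_datetime(ts):
    """upper 32 bits are whole seconds, lower 32 bits are the fraction."""
    micros = (ts & 0xFFFFFFFF) * 1_000_000 / FRAC
    return NTP_EPOCH + timedelta(seconds=ts >> 32, microseconds=micros)


def offset_and_delay_ns(ts):
    """t1 = client send, t2 = server receive, t3 = server send, t4 = client receive."""
    t1, t2 = ts["OriginateTimestamp"], ts["ReceiveTimestamp"]
    t3, t4 = ts["TransmitTimestamp"], ts["DestinationTimestamp"]
    to_ns = 1_000_000_000 / FRAC
    offset = ((t2 - t1) + (t3 - t4)) / 2 * to_ns
    delay = ((t4 - t1) - (t3 - t2)) * to_ns
    return offset, delay


if __name__ == "__main__":
    stamps = parse_timestamps(SAMPLE_LOG)
    for name, value in stamps.items():
        print(name, ntp_to_datetime(value).isoformat())
    offset_ns, delay_ns = offset_and_delay_ns(stamps)
    print("offset ns:", round(offset_ns), "delay ns:", round(delay_ns))
```
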

Nov 2, 2006

mom/sms: a couple of interesting articles...

i thought i'd point out a couple of interesting articles since the problem seems to surface on some of the listmail subscriptions i'm a part of. the first one is the neverending question... why do the active directory and exchange helper objects get installed on machines that aren't domain controllers or exchange servers? it's simple. the push installation does it automatically. here's the article that goes into detail about the asinine method to avoid this (manual installations or remove through arp). i included this one because it was something one of my coworkers discovered with microsoft (russ slaten to be exact). he's published a blog entry on it. here's the official article, however. basically it details how to get around (scripted or otherwise) the problem when you try to import a report, and it mercilessly tacks your cpu. basically the import object wizard can't handle large sql queries. :)

mom: securevantage directory services management pack

you're probably quite familiar w/ securevantage by now. if you aren't, they produce management packs focused on security. it works right in mom... and is pretty wicked stuff. anyway, they offer a free directory services mp which does some basic functionality. if you don't have it, check it out... anyway, the really cool part is they mention me in the management pack description! nice! here's a snippet:
Management Pack
Purpose
The Directory Services Controls MP (DCMP) provides low-level auditing for all types of objects in Active Directory. Directory Services events not only identify the object that was accessed and by whom but also document exactly which object properties were accessed.
Features
The Secure Vantage DSMP provides detailed OU auditing on user, group, gpContainer, dnsDomain and organizational units. The MP provides base event collection, control alerting, operational views, a forensic analysis report and KB content from Microsoft Security MVP Randy Franklin Smith and MOM MVP Rory McCaw. Additional acknowledgement goes to Marcus Oh, fellow MOM guru.
Configuration

Directory Service Access events work a lot like Object Access events because you must first enable the audit policy at the system level, then activate auditing on the specific objects you want to monitor. To enable auditing on a file, open the file's properties dialog box from within Windows Explorer, select the Security tab, click Advanced and then select the Auditing tab on the Advanced Security Settings dialog box. To enable auditing on an AD object, follow the same path but from within the Active Directory Users and Computers snap-in (rather than Windows Explorer). Then specify the permissions you want to audit when users request access to the object.

Nov 1, 2006

mom: evaluate all criteria

ever wonder how to get an event rule to evaluate all of the criteria that you specify? add this as part of the criteria set:

Message DLL - matches wildcard - * 


make sure this goes to the top of the list (or second to the top anyway).

Oct 27, 2006

sms: adjust permissions when using new tables...

okay, here's a little tidbit the next time you go messing around with creating new tables in sms. (uh, not that i have any knowledge of doing that.) if you've seen this error in web reports, then you'll know what i'm talking about. basically, in this scenario, you create a table, populate the data, match it up to something and everything works in query analyzer. the second you move it to a sms report... you get this:
An error occurred when the report was run. The details are as follows: SELECT permission denied on object 'myNewTable', database 'mySMSDB', schema 'dbo'.

Error Number: -2147217911
Source: Microsoft OLE DB Provider for SQL Server
Native Error: 229
essentially, the problem is the table lacks the correct permissions. it seems the best way to go about doing this is first to create a view off the table you've made. afterwards, apply these permissions to the view:
smsschm_users select
webreport_approle select

after that, your report should run just fine... i'll post more on what i was working on later... that is consequently not something i am doing in production or would ever, ever, ever recommend. :D

Oct 26, 2006

misc: they say that time changes things...

... but you actually have to change them yourself... -warhol

you may have heard that daylight saving time is changing some of its parameters. in case you haven't heard, you should read more about it. in summary, we'll get four more weeks of daylight saving time: three weeks earlier (second sunday in march) and one week later (first sunday in november). go thank your congressman and the energy policy act.

just so we're all on the same page, a computer keeps time in gmt format and uses the time zone offset to display the correct time. this means, you can't just sync time on a client and expect that the client will know about the new time zone parameters. the pertinence of a change of this magnitude is that your windows systems contain timezone data that is coded to increase/decrease the time by an hour based on currently known parameters.

the other real problem is that microsoft (to date) has no plans to release a patch to address windows 2000 systems for the adjustments in dst. don't think it's a problem? wait until you see how outlook behaves... (think back to the australian 2006 commonwealth games).

after november 6, 2006 ... for all of your systems above version 2000, apply the patch (once tested thoroughly, etc, etc, etc). for your windows 2000 systems, try one of these: using tzedit and create a .reg file of the dst changes outlined in this kb article and distribute. the folks at eeye have posted the contents of a .reg file which can also be used to accomplish the same thing. i'm not sure how long it'll stay around, so i've posted the contents of it below.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TimeZones\Alaskan Standard Time]
"TZI"=hex:1c,02,00,00,00,00,00,00,c4,ff,ff,ff,00,00,0b,00,00,00,01,00,02,\
  00,00,00,00,00,00,00,00,00,03,00,00,00,02,00,02,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TimeZones\Central Standard Time]
"TZI"=hex:68,01,00,00,00,00,00,00,c4,ff,ff,ff,00,00,0b,00,00,00,01,00,02,\
  00,00,00,00,00,00,00,00,00,03,00,00,00,02,00,02,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TimeZones\Eastern Standard Time]
"TZI"=hex:2c,01,00,00,00,00,00,00,c4,ff,ff,ff,00,00,0b,00,00,00,01,00,02,\
  00,00,00,00,00,00,00,00,00,03,00,00,00,02,00,02,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TimeZones\Mountain Standard Time]
"TZI"=hex:a4,01,00,00,00,00,00,00,c4,ff,ff,ff,00,00,0b,00,00,00,01,00,02,\
  00,00,00,00,00,00,00,00,00,03,00,00,00,02,00,02,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TimeZones\Pacific Standard Time]
"TZI"=hex:e0,01,00,00,00,00,00,00,c4,ff,ff,ff,00,00,0b,00,00,00,01,00,02,\
  00,00,00,00,00,00,00,00,00,03,00,00,00,02,00,02,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation]
"DaylightStart"=hex:00,00,03,00,02,00,02,00,00,00,00,00,00,00,00,00
"StandardStart"=hex:00,00,0b,00,01,00,02,00,00,00,00,00,00,00,00,00

if you copy paste the snippet above and don't have any leading spaces on the lines that start with "00," (underneath "TZI"), put two spaces before "00,". i'm not sure if it's actually necessary... but blogger loves to strip off leading spaces.
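
before distributing a .reg file copied from a web page, it is worth decoding what the "TZI" bytes actually say. this added example (python; not from eeye, microsoft or the original post) unpacks the eastern standard time value above as three 32-bit biases followed by two SYSTEMTIME structures, and turns the "nth sunday" rules into calendar dates for 2007. the function names are assumptions, and the old rule (first sunday in april, last sunday in october) is included only for comparison.

```python
import calendar
import struct
from datetime import date

# the "TZI" value for Eastern Standard Time, copied from the .reg contents in this post
EASTERN_TZI = (
    "2c,01,00,00,00,00,00,00,c4,ff,ff,ff,00,00,0b,00,00,00,01,00,02,"
    "00,00,00,00,00,00,00,00,00,03,00,00,00,02,00,02,00,00,00,00,00,00,00"
)

# us rule before the change, for comparison
OLD_START = {"month": 4, "weekday": 0, "week": 1, "hour": 2}
OLD_END = {"month": 10, "weekday": 0, "week": 5, "hour": 2}


def _rule(fields):
    # SYSTEMTIME order: year, month, day of week, day, hour, minute, second, ms.
    # with year 0 the "day" field is an occurrence count: 1-4, or 5 for "last".
    year, month, weekday, week, hour = fields[:5]
    return {"year": year, "month": month, "weekday": weekday, "week": week, "hour": hour}


def parse_tzi(hex_csv):
    raw = bytes(int(part, 16) for part in hex_csv.split(","))
    if len(raw) != 44:
        raise ValueError("a TZI value is 44 bytes, got %d" % len(raw))
    bias, standard_bias, daylight_bias = struct.unpack_from("<3l", raw, 0)
    return {
        "bias": bias,                    # minutes west of utc
        "standard_bias": standard_bias,
        "daylight_bias": daylight_bias,  # minutes added to bias while dst is on
        "standard": _rule(struct.unpack_from("<8H", raw, 12)),  # dst ends
        "daylight": _rule(struct.unpack_from("<8H", raw, 28)),  # dst starts
    }


def transition_date(rule, year):
    """resolve 'nth weekday of month' to a date; windows counts sunday as 0."""
    py_weekday = (rule["weekday"] - 1) % 7  # python counts monday as 0
    last_day = calendar.monthrange(year, rule["month"])[1]
    hits = [d for d in range(1, last_day + 1)
            if date(year, rule["month"], d).weekday() == py_weekday]
    day = hits[-1] if rule["week"] >= 5 else hits[rule["week"] - 1]
    return date(year, rule["month"], day)


def weeks_moved(tzi, year):
    """(weeks earlier that dst starts, weeks later that it ends) versus the old rule."""
    start_shift = transition_date(OLD_START, year) - transition_date(tzi["daylight"], year)
    end_shift = transition_date(tzi["standard"], year) - transition_date(OLD_END, year)
    return start_shift.days // 7, end_shift.days // 7


if __name__ == "__main__":
    tzi = parse_tzi(EASTERN_TZI)
    print("bias:", tzi["bias"], "daylight bias:", tzi["daylight_bias"])
    print("dst starts:", transition_date(tzi["daylight"], 2007))
    print("dst ends:  ", transition_date(tzi["standard"], 2007))
    print("weeks moved:", weeks_moved(tzi, 2007))
```
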

Oct 18, 2006

ds: useraccountcontrol passwd notreqd

sometimes when something gets far enough under your skin, you have to go looking for an answer. i've seen this flag come up quite a few times running oldcmp dumps. well, i finally got sick of just saying... "i don't know" and started looking for the answer. also, i couldn't really find any sources of information that specified conditions or anything like that. so ... it made a perfect topic. many thanks to the brilliant minds on the activedir.org mailing list and at microsoft.

alright, so when does this occur? you can't set a user account this way through aduc so you can rule out that someone accidentally did this mousing around. it seems that if you create an account through adsi and don't specify a password, you'll end up with a uac value of 546. (if you don't understand uac values, skim over this article.)

546 basically translates to:

  • normal user (512)
  • disabled account (2)
  • password not required (32)

it seems kind of odd not to require a password in this scenario. it was done, from what i gather, for ease of use. well, don't be terribly alarmed. the security risk isn't as great as you may think, though it does still exist. so at this point, the account cannot be enabled without a password. if the user tries to change their password, they'll be subject to domain policy. as long as there's a minimum character requirement, the password can't be a null value. sounds fine so far. the problem is, anyone with access to reset/change the user's password, can set the value to null. here's a useful adfind/admod command to remove the passwd_notreqd flag (courtesy of activedir grey matter):

adfind -default -bit -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=32))" userAccountControl -adcsv | admod userAccountControl::{{userAccountControl::CLR::32}} -unsafe
make sure to view this page in ie. it won't show up right in firefox.
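
the same bit test the adfind filter performs (userAccountControl AND 32) can be run over an exported list of accounts to see what the cleanup would touch before admod changes anything. this is an added example (python; not part of the original post or of adfind/admod) that decodes each value, lists accounts with password-not-required set with enabled accounts first, and shows the value each would have once bit 32 is cleared. the account names and the export are constructed.

```python
# userAccountControl bits used here (a subset of the documented flags)
UAC_FLAGS = [
    (0x0001, "SCRIPT"),
    (0x0002, "ACCOUNTDISABLE"),
    (0x0008, "HOMEDIR_REQUIRED"),
    (0x0010, "LOCKOUT"),
    (0x0020, "PASSWD_NOTREQD"),
    (0x0040, "PASSWD_CANT_CHANGE"),
    (0x0080, "ENCRYPTED_TEXT_PWD_ALLOWED"),
    (0x0200, "NORMAL_ACCOUNT"),
    (0x10000, "DONT_EXPIRE_PASSWORD"),
]
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020

# constructed sample: (sAMAccountName, userAccountControl)
SAMPLE_EXPORT = [
    ("svc-import", 546),    # the adsi-created case from this post
    ("jdoe", 512),          # ordinary enabled user
    ("kiosk01", 544),       # enabled and password not required
    ("oldtemp", 66082),     # disabled, no password required, password never expires
]


def decode(uac):
    """flag names set in a userAccountControl value, lowest bit first."""
    names = [name for bit, name in UAC_FLAGS if uac & bit]
    known = sum(bit for bit, _ in UAC_FLAGS)
    leftover = uac & ~known
    if leftover:
        names.append("UNKNOWN_0x%X" % leftover)  # bits outside the subset above
    return names


def audit(accounts):
    """accounts with PASSWD_NOTREQD set, enabled ones first (highest exposure)."""
    findings = []
    for name, uac in accounts:
        if uac & PASSWD_NOTREQD:
            findings.append({
                "account": name,
                "uac": uac,
                "flags": decode(uac),
                "enabled": not (uac & ACCOUNTDISABLE),
                # what the value becomes once only bit 32 is cleared
                "fixed_uac": uac & ~PASSWD_NOTREQD,
            })
    # sort is stable, so the export order is kept within each group
    findings.sort(key=lambda f: not f["enabled"])
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        state = "ENABLED" if f["enabled"] else "disabled"
        print("%-12s %-8s %6d -> %6d  %s" % (
            f["account"], state, f["uac"], f["fixed_uac"], ",".join(f["flags"])))
```
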

Oct 12, 2006

os: what not to do when using environment variables...

let's say you want to set a value to foo. so, you do something like this:

C:\>set foo = geniusboy

(you probably already see the mistake i just made.) so, now you want to retrieve the variable to use somewhere. you try to get it back by using this:

C:\>echo %foo% 
%foo%


instead of getting back geniusboy, you get back %foo%. hmmm. where did it go? now you run this command just to list all the environment variables that start with f:

C:\>set f 
foo = geniusboy 
FP_NO_HOST_CHECK=NO

so alright, it looks like it took. why doesn't it come back with the first echo command? notice the spaces in the variable? try echoing %foo %.
C:\>echo %foo % 
geniusboy

even the value returned has a space. apparently, it is quite literal about those spaces. :) clear the value and try again (don't forget the space). now it works fine:
C:\>set foo = 
C:\>set foo=geniusboy 
C:\>echo %foo% 
geniusboy

mom: good resolutions are ...

...simply checks that men draw on a bank where they have no account.

so with that in mind, since there are obviously no good resolutions... don't you wish mom 2005 came with some manner of auto-resolving alerts? this has been something that has annoyed me for quite some time. i don't see the purpose of letting alerts linger in the wild for the expanse of eternity when most administrators don't bother using the mom console. they just want stuff in their mailbox.

here's a little script to do just that. i just took the scripts you can find all over the internet for resolving all alerts and added a date check so that only things over 5 days old are resolved. running this once a day by scheduled task helps keep things clean. the other benefit is that once the alert is resolved, the suppression goes away and notification fires again if the same problem is detected. just make sure to run it on the mom server.

if you want to change it to look for things even older than 5 days, modify this line:

If DateDifference(CDate(WMIDateStringToDate(objitem.TimeofFirstEvent))) > 5 Then 


change the value "5" to whatever number of days old you want. here's the script.

 

id = 255
Set objMOM = GetObject("winmgmts:!root\mom")
Set colItems = objMOM.ExecQuery("Select * from MSFT_alert where ResolutionState <> " & id & "",,48)

For Each objItem in colItems
    If DateDifference(CDate(WMIDateStringToDate(objitem.TimeofFirstEvent))) > 5 Then
        WScript.Echo objitem.name
        ResolveAlertObject(objItem)
     End If
Next

Function WMIDateStringToDate(dtmDate)
    WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _
    Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) _
    & " " & Mid(dtmDate, 9, 2) & ":" & Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate,13, 2))
End Function

Function DateDifference(myDate)
    DateDifference = DateDiff("d",myDate,Now)
End Function

Sub ResolveAlertObject(objItem)
    If (Not(objItem Is Nothing)) Then
        If (objItem.ResolutionState <> id) Then
            objItem.ResolutionState = id
            Call objItem.Put_
        End If
    End If
End Sub

Oct 4, 2006

os: dhcp ras leases?

if you've found your dhcp scopes full of addresses that specify:
  • type: DHCP
  • unique id: RAS
and want to get rid of them, try this command: netsh ras ip set addrassign pool

Sep 28, 2006

misc: displaying dell warranty data

might find this useful. took a very long time to get this... but now that i have it, i thought i'd share. using the following url, you can simply supply the service tag of a system to the end of the url. it'll take you right to the warranty page of a dell system.

https://support.dell.com/support/topics/global.aspx/support/my_systems_info/en/details? c=us&cs=555&l=en&s=biz&~tab=2&ServiceTag= 


(it's all one long string; had to line break it) implications being, you could use this in your sms reports. you could also write a script to go to the site, pull down the data you need and write it back to something. hmmm...

Sep 20, 2006

mom: the absolute value of negativity...

i spent the better part of an afternoon writing a script to pick up some events in the event (ha?) that a machine had antivirus problems: dats too old, version too old, or antivirus not installed. i don't think that anyone would disagree with me on this one bit. scripting something like this is pretty straightforward... until you introduce it to mom. at that point, it's easy to get entrenched in stupidity. won't bore you with the details of all the iterations i spent writing in goofy lines of debug to figure out why it wasn't working. anyway, turns out the problem had a lot to do with this little bit of script. all the other stuff about version and existence worked fine.
If DateDifference(CDate(sAVDate)) < sDaysBehind Then
    CreateEvent 41102,EVENT_WARN,"Antivirus Health Check","DATs are old."
End If
i've condensed the createevent line for brevity (and since brevity is the soul of wit, i should make this post small, right? actually... hmmm.). anyway, the output would look something like the following:
DATs are greater than [15] days old! Version: 7.1 DAT Date: 9/12/2006 -7 < -10
now substitute DateDifference(CDate(sAVDate)) with -7 and sDaysBehind with -10. in this dimension of earth, i believe that -7 is greater than -10. in the world that mom exists, i don't think this is the case. an if/then evaluation like that would have returned a boolean value of false which means: do not proceed to the next line. just end. it doesn't matter. i found where the evaluation was true, like -19 < -10 and the process went through the same way. before i put this in mom, the evaluations worked each time. i digress. i don't think it's fair to say that in mom's world this expression would be true. i think it probably means it didn't like the negative values. i'm not sure if it didn't like it in the parameter or in the script. either way, it was too late to keep trying to figure it out. to fix it, i ended up using absolute values (abs function). so now it looks more like:
DATS are greater than [15] days old! Version: 7.1 DAT Date: 9/12/2006 17 > 15
one caveat about this script, if you were curious... it is meant for mcafee viruscan enterprise. i'm sure changing around the registry key locations to find what you want wouldn't be problematic at all. there are some parameters to be aware of. i'll list them here:
  • Current Version - three character version that the client should meet (e.g. 7.0, 7.1, 8.0)
  • Days Behind - number of days that a client can lapse dat updates (looks at the virus definition date on the client)
  • LogSucessEvent - standard [true/false] input to note whether to log for successes
i've posted the script [mom_antivirus.txt] if you want a copy ... usual places: momresources.org and myitforum.com. the moral of the story is mom does not like you to be negative. be absolute, instead.

Sep 13, 2006

mom: if it keeps up, man will atrophy all his limbs...

...but the push-button finger. and aren't we better creatures for it, mr. frank lloyd wright? by the way, pass me the remote. i'm already starting off on a very bad note. blogger just ate my homework so to speak. i was nearly done with this post when it decided to go rabid and eat the whole thing before my eyes. oh spare me the virtues of saving often. i'm quite annoyed. oh well. i hear that you actually write better when you write the same thing twice... uh huh.

so to get started, recently the idea was tossed around that if we lost our management packs because of some errant corruption, we'd most likely have to reimport the stock management packs, trudge through the years of change data, and reset everything back to the way it was. either that or we have to restore the database. since neither of these options is really any better than eating a handful of chalk, we decided we should export management packs as a part of a weekly process. this way, if anything is corrupted, we've only lost a week's worth of changes.

so since it was my buddy's brilliant idea, i told him to go ahead and get started. after two hours of teeth grinding and mouse-clicking, he was finally done with the mountain of management packs he had to export. at that point, i decided i should write a script. partly because i felt sorry for the guy, and mostly because i didn't want to go through that exercise myself.

i would have liked to use managementmoduleutil.exe as it came from the factory, but alas, it's missing some parts that are simply required to be categorized under "automated". first of all, you have to direct the utility to the processing rule group that you want to export. i suppose you could export your list of top-level PRGs and feed it to the utility in some kind of inelegant for loop. however, if you add a management pack, that list will have to be updated each time. so, i set off to find where this data was held. turns out, it's in the database... in the most unintuitive way.

(i want to quietly thank all of those that helped me with this that i can't mention their names for one reason or another...) rory alluded to a procedure on the database server that would do exactly what i was looking for. i found it. :) in case you're interested, the name of the stored procedure is ProcessRuleSelectAllTopLevelGroups. i took the relevant query from the procedure and put it in the script. now i get a dynamic list of all the top-level processing rule groups on a given management group that can be fed into the managementmoduleutil.exe. push-button that, wright.

now, it'll export .AKM files to a share. that wasn't enough for me. i wanted that information on both of my management servers. in order to do this i dropped a line in to copy the AKM file to the same share on the other management server. oh by the way, it'll create a folder with the current date in case you want to run it every day and keep a rolling log of AKMs (more or less). it's a really simple script. i'm sure it's inefficient as hell so please do liberally modify it to suit your needs. be warned, there is barely a hint of error checking. these are the things you'll need. i put them all in the same directory.
  • mom_MPBackup.vbs
  • ManagementModuleUtil.exe
  • MOMCommon.dll
the script, unmodified, requires three arguments in this format:
cscript.exe mom_MPBackup.vbs databaseserver mgmtserver1 mgmtserver2
if your database server is on an instance, just specify it like [databasename\instance]. i've uploaded it to momresources.org and myitforum.com if you want a copy.

Sep 7, 2006

mom: editing rules en masse

so john hann sent an email about a blog post that he wrote which is coincidentally about a blog entry that stefan stranger posted (and might be posted by pete zerger or rory mccaw) about a utility that michel kemp wrote to edit mom rules en masse. seriously, it's cool. go get it.

Aug 28, 2006

misc: registry keys to speed up terminal server

i'd link you directly to the article if i knew where it was. it might be somewhere on redmondmag.com. anyway, this is a summary of a pretty good article greg shields put together. i believe you can find this stuff from doug brown at dabcc.com if you're interested.
  • disable IE flickering:
    • hkcu\software\microsoft\internet explorer\main
      • Force Offscreen Composition
      • dword: 1
  • disable file locking (do not use with database apps):
    • hklm\system\currentcontrolset\services\lanmanworkstation\parameters
      • UseLockReadUnlock
      • dword: 1
  • disable ntfs last-accessed time stamping (use at your own risk):
    • hklm\system\currentcontrolset\control\filesystem
      • NtfsDisableLastAccessUpdate
      • dword: 1
  • disable lazy writes:
    • hklm\system\currentcontrolset\services\lanmanserver\parameters
      • IRPStackSize
      • dword: 15
    • hklm\system\currentcontrolset\services\lanmanworkstation\parameters
      • UtilizeNtCaching
      • dword: 0
  • disable paging kernel mode drivers and system code to disk (improves kernel performance?):
    • hklm\system\currentcontrolset\services\currentcontrolset\control\session manager\memory management
      • DisablePagingExecutive
      • dword: 1
  • increase network request buffer size:
    • hklm\system\currentcontrolset\services\currentcontrolset\services\lanmanserver\parameters
      • SizReqBuf
      • dword: 1024 to 65535
  • increase available network buffers and open connections (may get rid of logoff session hangs):
    • hklm\system\currentcontrolset\services\currentcontrolset\services\lanmanserver\parameters
      • MaxWorkItems
      • dword: 8196
      • MaxMpxCt
      • dword: 2048
      • MaxRawWorkItems
      • dword: 512
      • MaxFreeConnections
      • dword: 100
      • MinFreeConnections
      • dword: 32
    • hklm\system\currentcontrolset\services\currentcontrolset\control\session manager\configuration manager
      • RegistryLazyFlushInterval
      • dword: 60
  • increase prefetcher value (pre-load commonly used files):
    • hklm\system\currentcontrolset\services\currentcontrolset\control\session manager\memory management\prefetch parameters
      • EnablePrefetcher
      • dword: 3
  • disable roaming profile caching:
    • hklm\software\microsoft\windows nt\current version\winlogon
      • DeleteRoamingCache
      • dword: 1
  • disable unused subsystems:
    • hklm\system\currentcontrolset\control\session manager\subsystems
      • Posix
      • delete this key
  • disable file indexing services:
    • properties of each drive, uncheck allow indexing service to index this disk for fast file searching

mom: jalasoft demonstration...

well, i met w/ jalasoft recently along with a couple of other community folks. the folks did a presentation on their xian product and integration with mom. if you're a mom shop, in need of rounding out your monitoring by tapping into your network devices, i would encourage taking a look at their product line. the first thing i'd like to address is the ui. it's, unfortunately, not wrapped into the mom console but modeled a lot like it. so, for usability factors (if you think the mom console is usable), it's at least not something so far out that you have to learn a whole new monitoring system. it seems fairly intuitive... but again, i was watching a guided demo. i'm not sure about the pricing. the product looks polished though. other than utilizing the administrative console separately, xian has a MP pack and reports that come with it. this makes the look and feel tie right into MOM. don't have to worry about having to look at a separate ops console to see the relevant data. speaking of data, i believe that the collection method is snmp. it picks up a robust amount of data. because of this, a lot of the rules for networking gear (pre-configured) have their rules disabled. this will require some activity (otherwise known as communication) between you and the network team to get the salient rules turned on. jalasoft's reasoning for this was pretty sound. there's so much data, you'll be overwhelmed if the rules came out of the box turned on. of course, in an act of spite, you could send all the emails to the networking group, who coincidentally don't think any problems are theirs. :) i guess that's all i have on that for now... at least until i get it in a lab.

Aug 24, 2006

mom: in the wild struggle for existence...

there's this little, seemingly trifling, setting in the context dialog box of a computer discovery rule. it reads like this: during computer discovery, contact each computer to verify that it exists.

if you're wondering what this setting does, it's been purported that when it's enabled, the management server attempts to connect to the machine defined in the rule through the ipc$. i haven't fired up a network sniffer to confirm this allegation. if anyone has, please do comment!

Aug 23, 2006

sms: mid pleasures and palaces though we may roam...

be it ever so humble, there's no place like home.

i am speaking of the advanced client, of course. i think i stumbled upon a scenario that seems undocumented. i've checked the following scenarios, both of which are good reads; neither of which discusses my scenario. anyway, here are the links, if you have interest.

how it works: roaming in sms 2003
how clients find and use site systems and domain controllers

 

since it's not mentioned, i'll describe mine.

i've a certain number of clients which are managed by the central site server. the reason for doing this is that the primary site server is shared. using the central server allowed me some greater flexibility on access rights. the central site server has no distribution points nor any boundaries. i can rely on the other site servers to handle the DP functions required for the clients reporting directly to central.

the clients themselves have their sitecode set to the central site server. this scenario works pretty well except when clients are sitting at a location where no site server is holding boundaries for that site. ordinarily, you shouldn't find yourself in this situation unless a site server goes south, which coincidentally happened to me. once the site server disappeared, so did the distribution point and any management of clients in that location. this does extend to the central site client that i referred to earlier - to some extent.

the client continues to function correctly since it can speak to the MP which is located at my office. the real problem is distributions are halted to this client. the missing piece of information is that if the client is in an area where no distribution points exist, it refers back to the assigned site to find distribution points to use as remote DPs. if you'll recall, the central site server has no DPs. at this point, the client simply stops any further searches.

thanks for the help wally.

Aug 22, 2006

sms: sms_def.mof conversion to policy

some background: when a new sms_def.mof is placed in inboxes\clifiles.src\hinv, data loader should pick it up, realize it's new, compile it, and convert it to a policy. i found something interesting. i use a different mof for my domain controllers since grabbing local accounts means grabbing all domain accounts. the reason i'm telling you this is because i moved the dc mof file into the \hinv directory then renamed it. it didn't do anything with the file. i tried again except this time, i copied the dc mof file locally, renamed it to sms_def.mof and dropped it in \hinv. this time, data loader did its work. hmmmm.

Aug 18, 2006

misc: psexec service is an incompatible version...?

i run into this problem often enough to have written a small batch file for it. it's really a pretty simple correction but quite irritating. anyway, this is the batch file contents. (this is the kind of stuff you can write before your first cup of coffee. funny how we have to get irritated enough times before doing something to make things easier.)

sc \\%1 stop psexesvc
del \\%1\admin$\psexesvc.exe
del \\%1\admin$\system32\psexesvc.exe
sc \\%1 delete psexesvc

stop the service.  (it's probably running). delete the psexesvc.exe files that are copied to the server when you initiate a psexec command, then remove the service entirely. once you run psexec again after these steps on the broken client, it should start working again.

c:\myBatchFile.bat [servername]

Aug 17, 2006

mom: remove computer groups from reporting server

i have been a slacker. don't have anything interesting to post lately. been doing some routine maintenance work and getting started on an upgrade. anyway, i won't hold you in suspense much longer... har. if you have computer groups in your drop-down selections of your mom reports, you can get rid of them if they annoy you that badly. it's unsupported but thought it was an interesting gem to capture. here's the details courtesy of a list member on msmom@lists.myitforum.com. issue this sql query against your mom reporting server database (systemcenterreporting):
delete from sc_computerruledimension_table where name = 'computergroupname'
just replace computergroupname with the name of the computer group you can't stand to look at.

Jul 30, 2006

sms: dcm - alpha tech solutions

a few folks have posted comments regarding training on dcm that's available from alpha tech solutions. i wasn't sure how seriously to take it since i'd never heard of it before ... but after talking to one of the dcm dev folks, i decided to look into it a little bit. i emailed their sales person and asked for an eval so that i could go through the training set and review it. to my surprise, they were more than willing. :) training is broken down into two parts. the first part covers the following:
  1. introduction
  2. installing the dcm authoring tool
  3. creating and customizing manifests
  4. customizing scenarios (part 1)
    • check service state
    • check file version
    • verify automatic updates
    • verify smtp default domain
    • verify minimum password length
the second section covers the following:
  1. customizing scenarios (part 2)
    • verify if a hotfix is installed
    • verify if a service exists
    • check file existence
    • number range
    • firewall status
  2. deployment and execution
  3. reporting
by the time you've gone through the training, if you follow along, you'll have built a decent manifest by which you should be able to go back and edit it for your own use. it's not necessary though since the manifest is available with the training material. there are quite a few examples of advanced rule building that you will want to pay attention to such as the number range which can determine if a machine's memory is within a tolerable range to meet compliance.

there are some assumptions about the level of knowledge the viewer should have. having sms knowledge is helpful since they don't cover any of the how-to parts on deploying packages, creating collections, etc, etc, etc. also, having some knowledge about wmi will be very helpful since most of the scenarios happen to use wmi. i haven't gone through the dcm documentation (the one released by microsoft) to any reasonable extent so i'm not sure how much overlap there is. however, i can say that it is much easier to watch the examples given in the demonstrations than read it on paper (or screen). there are some scenarios that i wished had been covered in greater detail such as the formulaic parts of an xpath expression and detail about the various query functions. none the less, it's more than you're going to find out there. by the way, the whole thing is done in flash so you can navigate around the topics, fast forward through scenarios to get to the part you want, reverse, stop, etc.

if your organization is looking at using dcm for configuration monitoring, you may want to consider looking at this available training guide. much cheaper than sending someone to class since it runs a buck shy of $200. it's about two hours long so it can be consumed in the space of a couple of lunches. :) they seem to believe in this stuff. i say that because they've got a product called rulegen that apparently will build a manifest from a golden machine. kind of neat. check them out...

sms: start to finish guide to mof editing

i finished reading start to finish guide to mof editing: the definitive guide to systems management server hardware inventory customization last week but hadn't had a chance to write up my thoughts about it until now. i had decided to load up vista ... which is another story entirely. i met the author at a user group conference in atlanta (southeast management user group). if you know jeff gilbert, you know what a character he can be. i'll just ask you to keep that in mind as you read the book. i think his intent was to try to make the book as easy to read as possible. i mean, a book on mof editing, is not exactly exciting material. however, he does try to add a bit of humor to keep the reader interested. the examples he uses are also clever enough to help some of the providers make sense.

i remember way back when michael schultz asked me to review and edit his original mof editing guide. around this time, the sms mailing list was pretty active with most of us trying to figure out how the hell to extend the sms_def.mof. i was more than happy to go through it because it made a fantastic learning opportunity. i thought i had some idea of how it all worked but was amazed at how much he had managed to uncover about all the little secrets that went undocumented or was extremely difficult to find. good stuff...

so present day, i feel like i know mof editing pretty well. so to me, reviewing another book on mof editing, i felt like i'd be happy if i could take away at least one good gem of knowledge. since the book is a start to finish, there are some parts i read through quickly (mostly the beginner stuff) but slowed down to absorb the information on the various providers and tapping into them. when i hit that part, i started making dog ears on the pages. i was pleasantly surprised to keep reading gems of useful information that i know i'll be using at some point in the future. it goes into much further detail than just extending sms_def.mof. it covers static inventory, scripted inventory, and cleaning up obsolete classes and data. clearly the guy has done his homework.

there's not a whole lot that i'd have expected to see or have asked for. i do wish there was more detail about the tools that can help an administrator extract data out of wmi (namely so i can throw the book at people and tell them to do it themselves). oh... also, an index would have been nice. :) overall, it's a great book for beginners and advanced mof editors alike. this will definitely be sitting on my reference shelf! (i had my copy printed.) great job, jeff!

Jul 27, 2006

mom: memory processes

NOTE: this script is deprecated. feel free to use it, but you should refer to this post, which actually has a newer, cooler script.

this is kind of a follow on to my earlier post regarding cpu processes.

this time, it detects memory processes. anyway, the thing works pretty much the same way. the logic is a bit different in the way it returns information, only because i didn't want to figure out how to do a bubble sort in vbscript and finding a threshold marker ... wasn't too sure about that either.

i don't profess to be a script guru. what i did was tally up the total process workingsetsize by the number of total processes. using that as a kind of median value, the script returns anything above that threshold line. workingsetsize divided by 1024 gives you the same thing as task manager, in case you were wondering about that.

if you have better suggestions, please do rewrite or modify and let me know! :) it's posted to the usual places: momresources.org myitforum.com

Jul 26, 2006

misc: atlanta smug coming up 9/20 8.5 - 3.00

hey folks, there's another southeast management user group coming up september 20, 2006. it'll run from about 8:30 to 3:00 at the sanctuary park facilities up here in alpharetta. if you remember, these run about every quarter or so. looks like a great lineup ... try to be there! the user group section on myitforum.com will be updated soon to reflect the new agenda. if you can't make it, as usual, the presentations will be posted to the site. look forward to seeing you all there.

Agenda
  8:30am - 9:00am  Breakfast
 9:00am - 10:15am  Server and Desktop Deployment Methodologies with SMS 2003 Part 1
10:15am - 10:30am  Break
10:30am - 11:00am  SMS Admin Roundtable
11:00am - 12:00pm  System Center Operation Manager Beta 2 via Webcast in Atlanta
  12:00 - 12:45pm  Working Lunch Data Protection Manager Today and Beyond
   12:45 - 2:00pm  Server and Desktop Deployment Methodologies with SMS 2003 Part 2
  2:00pm - 2:15pm  Break
  2:15pm - 3:00pm  MOM and SMS Top 10 issues

Jul 25, 2006

sms: stopping errant package from sending to distribution points

not real sure how else to put it. this came up on the myitforum sms discussion list today. an administrator inadvertently created a very large patch package and replicated it to all of his distribution points. there's a few things to be aware of here:
  • distribution points off of the site server are not governed by lan sender, hence have no bandwidth throttling
  • distribution manager will attempt to complete the cycle before attempting to stop the cycle
i'm not sure what his lan senders were set to ... but distribution manager sending this humongous package out to 20 or so distribution points (of which only a few were local) was choking his wan links. how did he stop it? here's the steps:
  1. delete the package off the source site server
  2. execute stopjob.exe against all destination site servers

Jul 21, 2006

sms: itmu cannot start updates installation due to install window violation

don't inadvertently make this happen. it's pretty silly...

inside the dsuw, you probably recall being presented with the option to force installations to comply to a window for advanced clients only. this setting is nearly useless if you're using dsuw the way it was intended (as in reoccurring schedules). it's also useless if you're forcing package download and execute instead of running from a remote distribution point.

the window that is specified uses the advertisement start time as its beginning marker. this means if you set an early start time to make sure your clients downloaded this month's patches and then a mandatory execution 3 days later, your advertisement would fail. why?

well, going on the default setting of 90 minutes, by the time the execution fires, you've already long lapsed that install window. you'll get an error in patchinstall.log that reads:

cannot start updates installation due to install window violation. 

 

if you've already setup dsuw this way, don't waste time going back through the wizard. instead, remove the /l:[time] switch from the program command line. something like this...

before:

PatchInstall.exe /n /z:ws /l:90 /s /q /c:5 /p /t:30 /m:"PatchAuthorize.xml"

 

after:

PatchInstall.exe /n /z:ws /s /q /c:5 /p /t:30 /m:"PatchAuthorize.xml" 

Jul 19, 2006

mom: monitoring cpu spikes the right way

NOTE: this script is deprecated. feel free to use it, but you should refer to this post, which actually has a newer, cooler script.

one of the things i can't stand about most monitoring systems nowadays is that they're not really designed to be viewed by an operator. i think we've diluted that term. we don't enable "operators" to really do much of anything. we give them a little console they can stare at and hope that if they see some alert pop up, they'll wake up and dial someone. how does that translate into a successful use of technology? i think we've all been around a phone long enough to know how to dial it. so ... why not take some baby steps and move forward?

here's my baby step. i don't really do things out of my own volition because unless it's making my life easier, it's hard to be inspired. anyway, a fellow coworker received an alert on a cpu spike and asked the obvious question. what's making the condition occur? this raises interesting questions on its own because in order for anyone to answer this, they'd have to be at the machine at the time the problem occurred...

or at least in spirit, proxy, or whatever. then, you've armed your operator with at least a tad more information than what they had before. for mom anyway, the best way to do this is letting the agent handle it.

i wrote up a script that was bastardized out of microsoft windows base operating system state monitoring script. it's the one used to detect cpu spike conditions. that script returns a list of processes utilizing more than 10% of the cpu. so... i took most of the pieces, rearranged them, added a parameter for threshold ... and have added it to our environment. as mentioned, it doesn't make sense to use this as a task or anything like that since you'd have to be sitting there glaring at the console, waiting for a cpu spike, and then executing, to get the problem occurrence. just add the script as a response to an event or maybe a threshold rule.

it'll create an event so make sure you have an alert that'll pick it up. now, i suppose things that happen over a duration, the information returned may be pointless... since there could be multiple things going on over that duration. oh well... it's a start.

for my sample setup, i created a performance threshold rule that would alert on processor % time utilization. i set it to continuously fire just for my test. appended to that, i created a response to run the script to return processes. since the script writes an event, i setup an event rule to grab the event and generate an informational alert. anyway, here's the details:

script properties:
  • name: Top Processes
  • parameters: Percentage
  • value: 5
threshold rule properties:
  • rule name: [Test Rule] Processor spike occurring!
  • provider: Processor-% Processor Time-_Total-2.0-minutes
  • threshold: the sampled value
  • match when: always
  • response: Top Processes
event rule properties:
  • rule name: [Test Rule] Pick up events for top processes.
  • source: Top Processes Script
  • event id: 40100
i've posted the script to momresources.org and myitforum.com. pete's usually great about getting back to me once the file has been posted so i'm sure it'll happen soon. have fun with it and let me know what you think. it's rough around the edges, but i think you get the idea.

Jul 11, 2006

os: kerberos maxtokensize giving you problems?

i experienced issues with this pretty quickly awhile back when we were rolling out windows 2000 so whenever i see something on maxtokensize, i wake up. anyway, again, one of the best sources of information, the activedir.org mailing list, carried a conversation on this which led to a couple of great links:
  • address problems due to access token limitation
  • tokensz tool

Jul 6, 2006

sms: looking for the dcm manifest beta?

saikodi updated his blog recently with some further instructions on locating the dcm manifest beta. i tried to locate it again but couldn't find it. i tried all variations of names to locate it but had no success. know why? i was already signed up. once i switched to "my participation", it was there, hiding in plain sight. search for the word "manifest" in the available list. it should be under the "core infrastructure solutions" connection.

Jun 29, 2006

ds: add conditional forwarders by command line

sometimes i think it's relevant to follow your own advice. of course, some lessons aren't learned by sedulous effort. often times, it requires moments of sheer languor. rtfm, rtfm, rtfm i tell myself! if you want to add conditional forwarders through command line, use this:
dnscmd [servername] /zoneadd [zonename.com] /forwarder [primary ip address] [secondary ip address]
the /forwarder statement is actually expressing what zone type you want (e.g. primary, secondary, etc). using /forwarder tells dnscmd that you're interested in adding conditional forwarders. this stuff rocks. by the way, this is only available on 2003 or later. here's the tfm if you're looking for all the details.

Jun 26, 2006

mom: sp_helpdb - cannot insert the value null into column

been getting any of these errors?

the system stored procedure sp_helpdb, which is used to gather information about the databases, has returned an error that may indicate that it cannot determine the db owner for the database [databasename].

here are the details:

sp_helpdb @dbname='databasename' on sql server instance: [instancename]. error number: 515, error information: [microsoft][odbc sql server driver][sql server]cannot insert the value null into column '', table ''; column does not allow nulls. insert fails.

this generally occurs when there's no owner specified for the database. executing this query will tell you if that's the case:
select name, suser_sname(sid) from master.dbo.sysdatabases where suser_sname(sid) is null
if indeed it does show up in this query, using sp_changedbowner will fix it. this will assign sa as the owner (make sure to change the database to the one you need to correct):
exec sp_changedbowner 'SA'

Jun 20, 2006

mom: dell openmanage mp has been updated

it's been about a year since their last release so i'm sure there must be some improvements. i'm profiling the management pack in mpstudio now to see how it looks. by the way, you won't find it yet on the mom catalog, but you can get it here: http://ftp.dell.com/sysman/DOMMP21_A01.exe. by the way, germany scored in the ecu v ger game in the first 5 minutes. wow!

Jun 19, 2006

ds: machine account password interval

you're probably familiar with default machine account password reset intervals:
  • nt 4: 7 days
  • 2000 & above: 30 days
some additional details on this came through on the activedir.org list. it's pretty cool so i thought i'd share for those that aren't subscribed. unfortunately the author of this information doesn't have a blog (yet). activedir.org does, however, maintain archives of the list. :) i'd link you... but that section seems unresponsive right now. at any rate, here's a snippet of the post. these are the logs generated during success, failure and offset.
  • success:
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Flag password changed in LsaSecret
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)
  • failure:
05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:13:24 [SESSION] NORTHAMERICA: NlSessionSetup: Try Session setup
05/16 01:13:24 [SESSION] NORTHAMERICA: NlDiscoverDc: Start Synchronous Discovery
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlSessionSetup: Session setup: cannot pick trusted DC
05/16 01:14:05 [MISC] Eventlog: 5719 (1) "NORTHAMERICA" 0xc000005e c000005e ^...
05/16 01:14:05 [SESSION] NORTHAMERICA: NlSessionSetup: Session setup Failed
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)
  • random offset:
05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)
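
the hex value at the end of each NlWksScavenger line matches the stated interval when read as milliseconds (0x9a7ec800 is exactly 30 days, 0xdbba0 is exactly 15 minutes), so decoding it exposes the random offset that the rounded "30 days" text hides. the python below is an added example, not part of the original list post: it parses the log lines quoted above (embedded as sample input), and the function names are made up for illustration.

```python
import re
from datetime import timedelta

# Sample input: the netlogon.log lines quoted in the post, one entry per line.
SAMPLE_LOG = """\
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Flag password changed in LsaSecret
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)
05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:13:24 [SESSION] NORTHAMERICA: NlSessionSetup: Try Session setup
05/16 01:13:24 [SESSION] NORTHAMERICA: NlDiscoverDc: Start Synchronous Discovery
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlSessionSetup: Session setup: cannot pick trusted DC
05/16 01:14:05 [MISC] Eventlog: 5719 (1) "NORTHAMERICA" 0xc000005e c000005e ^...
05/16 01:14:05 [SESSION] NORTHAMERICA: NlSessionSetup: Session setup Failed
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)
05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)
"""

# "MM/DD HH:MM:SS [CATEGORY] message" (the log carries no year)
LINE_RE = re.compile(r"^(\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] (.*)$")
# Only the two units that appear in the quoted log are handled.
SCAV_RE = re.compile(
    r"NlWksScavenger: Can be called again in (\d+) (days|minutes) "
    r"\(0x([0-9a-fA-F]+)\)"
)


def parse_entries(text):
    """Split raw log text into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(
                {"timestamp": m.group(1), "category": m.group(2), "message": m.group(3)}
            )
    return entries


def decode_scavenger(message):
    """Return stated interval, actual interval (hex read as ms) and their difference."""
    m = SCAV_RE.search(message)
    if not m:
        return None
    stated = timedelta(**{m.group(2): int(m.group(1))})
    actual = timedelta(milliseconds=int(m.group(3), 16))
    return {"stated": stated, "actual": actual, "offset": actual - stated}


def scavenger_intervals(entries):
    """Decode every NlWksScavenger line, keeping the timestamp it was logged at."""
    result = []
    for e in entries:
        decoded = decode_scavenger(e["message"])
        if decoded:
            decoded["timestamp"] = e["timestamp"]
            result.append(decoded)
    return result


def password_change_attempts(entries):
    """Group lines from 'NlChangePassword: Doing it.' up to the next scavenger line."""
    attempts, current = [], None
    for e in entries:
        msg = e["message"]
        if "NlChangePassword: Doing it." in msg:
            current = {"started": e["timestamp"], "outcome": "unknown",
                       "errors": [], "retry_in": None}
            attempts.append(current)
        elif current is not None:
            if "Flag password updated on PDC" in msg:
                current["outcome"] = "success"
            elif e["category"] == "CRITICAL":
                current["outcome"] = "failure"
                current["errors"].append(msg)
            else:
                decoded = decode_scavenger(msg)
                if decoded:  # the scavenger line closes the attempt
                    current["retry_in"] = decoded["actual"]
                    current = None
    return attempts


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for item in scavenger_intervals(parsed):
        print(item["timestamp"], "stated", item["stated"], "offset", item["offset"])
    for attempt in password_change_attempts(parsed):
        print(attempt["started"], attempt["outcome"], "next try in", attempt["retry_in"])
```

on the quoted lines the first two intervals decode to exactly 30 days and 15 minutes, while the third decodes to 30 days plus 13:32:59.978, which is the random offset.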

ds: technet webcasts on active directory

if you're looking for webcasts to increase your knowledge on ad, check this out.

mom: looking for a training class?

i have a hard time recommending a training class for mom. this is because, historically, microsoft official curriculum sucks. the information is too vague, not very timely, and doesn't discuss real-world issues. there's a new offering that looks very promising and has had some excellent reviews. i've looked over the syllabus. it looks very complete. it's a 4-day crash course on everything you need to know about mom and will bring your level of understanding much higher than what the MOC class could ever do. it's also taught by mom consultants who know their ... stuff. anyway, there's a class coming up in Atlanta! maybe i'll see you there. here's the details.

mom: tracking down duplicate notifications

while i was out at teched, a reader sent me an email on how to track down duplicate notifications. this was pretty fresh in memory since i had just gone through the same ordeal explaining to another group here why they received duplicated emails. now that i have the exact details at my disposal, i can relay them here with some manner of lucidity. (i hope anyway. still trying to get back into work mode ... and for some reason, someone brewed the old, nasty corporate coffee instead of the new, aromatic seattle's best. ah well...) the first thing to do is find the alert in the mom console. once you've isolated it, check the history tab of the alert. you might see something similar to this:
Alert is created in management group myMgmtGroup.
=== 6/01/2006 08:20:03 ===
The server side response 'notify group: Network Administrators' triggered by rule 'Send notification for any Alerts with a severity of "Error" or Higher' (DF7DA784-D7D8-4FC5-8109-04AB00A1B511) is executed after alert suppression.
=== 6/01/2006 08:20:03 ===
The server side response 'notify group: Other Network Administrators' triggered by rule 'Send notification for any Alerts with a severity of "Error" or Higher' (DF7DA784-D7D8-4FC5-8109-04AB00A1B511) is executed after alert suppression.
what's going on here? as you'll notice, two server side responses are executed. so... at least now you know why you have duplicate notifications. where they're coming from is the next logical question. once you know the rule name, they're pretty easy to find. copy off those rule guids above (uhhh, not mine exactly, your own... guid... you know, unique? get your own). issue the following command in sql query analyzer:
select name from processrule where idprocessrule = 'rule-guid'
replace rule-guid with your rule guid. now you can use that name to search for the rule in the administrator console.