

Showing posts from February, 2006

mom: trimming down alerts...

you might find this one useful. in any environment you can expect to get a fair amount of event id 7000, something like this:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 2/28/2006
Time: 3:00:48 AM
User: N/A
Computer: SERVERNAME
Description: The BROKEN service failed to start due to the following error: The system cannot find the file specified.
For more information, see Help and Support Center at

so, in order to create proper event filters, you need to know the parameters of the event. otherwise you have to do a description-based search, which is slow and brittle. not fun. anyway, i thought i'd map out event id 7000, since it probably generates a lot of noise. the parameters are the two variable pieces of the description (color-coded in the original post):

parameter 1: "BROKEN" (the service name)
parameter 2: "The system cannot find the file specified." (the error text)

by the way, the best method to find the event parameters is to use the
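as an added example (not code from the post), here is what "filter on parameters instead of the description" looks like in practice. the script recovers parameter 1 and parameter 2 of a 7000 description by matching it against the event's insertion-string template, then suppresses only the (service, error) pairs you have decided are noise. the template, the sample events and the allowlist are assumptions constructed for the example; the template is inferred from the event text above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Message template for Service Control Manager event 7000. Inferred from the
# description shown in the post: %1 is the service name, %2 the error text.
TEMPLATE_7000 = "The %1 service failed to start due to the following error: %2"

# Constructed sample events, modelled on the one in the post.
SAMPLE_EVENTS = [
    {"computer": "SERVERNAME", "source": "Service Control Manager", "event_id": 7000,
     "description": "The BROKEN service failed to start due to the following error: "
                    "The system cannot find the file specified."},
    {"computer": "SERVER02", "source": "Service Control Manager", "event_id": 7000,
     "description": "The Print Spooler service failed to start due to the following error: "
                    "The service did not respond to the start or control request in a timely fashion."},
    {"computer": "SERVER03", "source": "Service Control Manager", "event_id": 7000,
     "description": "The BROKEN service failed to start due to the following error: "
                    "Access is denied."},
    {"computer": "SERVER03", "source": "Service Control Manager", "event_id": 7001,
     "description": "The BROKEN service depends on the Workstation service which failed to start "
                    "because of the following error: The system cannot find the file specified."},
]

# (parameter 1, parameter 2) pairs that are known noise and should not alert.
# Constructed allowlist; in a MOM event rule these become the parameter criteria.
SUPPRESSED = {
    ("BROKEN", "The system cannot find the file specified."),
}


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Compile a '%n' insertion-string template into a regex with groups p1..pn.

    Literal text is escaped; each %n becomes a lazy capture so that parameters
    containing spaces (a display name, a whole error sentence) come back intact.
    """
    pattern = ""
    for part in re.split(r"(%\d+)", template):
        if re.fullmatch(r"%\d+", part):
            pattern += f"(?P<p{part[1:]}>.+?)"
        else:
            pattern += re.escape(part)
    return re.compile(r"^\s*" + pattern + r"\s*$", re.DOTALL)


_RE_7000 = template_to_regex(TEMPLATE_7000)


def extract_parameters(description: str) -> Optional[Dict[str, str]]:
    """Recover the event parameters of a 7000 description, or None if it does not fit."""
    m = _RE_7000.match(description)
    if m is None:
        return None
    return {name: value.strip() for name, value in m.groupdict().items()}


def events_to_alert(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (computer, service, error) for each 7000 event that is not known noise.

    Filtering on the recovered parameters instead of a description substring
    means a different error for the same service still raises an alert.
    """
    alerts = []
    for ev in events:
        if ev["source"] != "Service Control Manager" or ev["event_id"] != 7000:
            continue  # not the event this rule is about
        params = extract_parameters(ev["description"])
        if params is None:
            # text does not match the template: treat as unknown and alert on it
            alerts.append((ev["computer"], "?", ev["description"]))
            continue
        if (params["p1"], params["p2"]) in SUPPRESSED:
            continue
        alerts.append((ev["computer"], params["p1"], params["p2"]))
    return alerts


if __name__ == "__main__":
    for computer, service, error in events_to_alert(SAMPLE_EVENTS):
        print(f"{computer}: {service}: {error}")
```

note that the suppression key is the pair, not just the service name: the BROKEN service failing with "Access is denied." still alerts, which is the kind of change a plain description-contains filter on "BROKEN" would swallow.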

mom/sms: cut the noise...

one of my good friends, richard threlkeld , posted an article titled cut through the noise: better reporting with mom and sms . as always, his stuff is a good read. just don't let him talk you into dumping sms 2003 in favor of sms 2.0 sp5. :D

mom: alerting on security events with a repeat window

yeah, the title is not very glamorous and probably doesn't make much sense, so let me explain what i'm talking about. let's say you get an event 529. one 529 probably doesn't mean much, since it only indicates a logon failure, and i'm pretty sure most people mistype their password the first time, the second time, etc. now if you keep getting 529 repeatedly for the same user, say for 30 minutes, there might be a problem, right? this is where setting up a repeat window is extremely helpful. you'll need two rules to make this work: a consolidation rule and an event rule. fill in the following properties for both:

consolidation rule:
provider name: security
source: security
event id: 529
parameter 1: user field. leave it blank if you don't want to specify anything.
parameter 2: domain group. same condition as parameter 1.
consolidate: event numb
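as an added example (not code from the post), here is the same repeat-window logic written out so you can see what the consolidation rule is actually computing: a per-account sliding window over 529 events that alerts once when the count inside the window crosses a threshold, and then stays quiet for the rest of that window instead of alerting on every additional failure. the window, the threshold and the log lines are assumptions constructed for the example; the post only says "say, 30 minutes".

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Window and threshold are assumptions for this example; the post says only
# "say, 30 minutes" and leaves the count to the consolidation rule.
WINDOW = timedelta(minutes=30)
THRESHOLD = 5

# Constructed sample: one line per 529, "date time eventid user domain workstation".
# admin fails slowly over hours, svc_backup fails six times in 26 minutes,
# jsmith just fat-fingers a password twice.
SAMPLE_529_LOG = """\
2006-02-14 01:00:00 529 admin CORP WS05
2006-02-14 01:45:00 529 admin CORP WS05
2006-02-14 02:00:12 529 svc_backup CORP WS01
2006-02-14 02:03:30 529 svc_backup CORP WS01
2006-02-14 02:07:01 529 svc_backup CORP WS01
2006-02-14 02:12:44 529 svc_backup CORP WS01
2006-02-14 02:19:09 529 svc_backup CORP WS01
2006-02-14 02:25:55 529 svc_backup CORP WS01
2006-02-14 02:30:00 529 admin CORP WS05
2006-02-14 03:15:00 529 admin CORP WS05
2006-02-14 04:00:00 529 admin CORP WS05
2006-02-14 09:00:05 529 jsmith CORP WS117
2006-02-14 09:00:41 529 jsmith CORP WS117
"""

Event = Tuple[datetime, str, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into (timestamp, user, domain, workstation)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event_id, user, domain, workstation = line.split()
        if event_id != "529":
            continue
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, user, domain, workstation))
    return events


class RepeatWindow:
    """Per-account sliding window over logon failures, mirroring a MOM consolidation rule.

    observe() returns the in-window count exactly when an account crosses THRESHOLD
    failures inside WINDOW; further failures inside that window return 0.
    """

    def __init__(self, window: timedelta = WINDOW, threshold: int = THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._hits: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
        self._quiet_until: Dict[Tuple[str, str], datetime] = {}

    def observe(self, ts: datetime, user: str, domain: str) -> int:
        key = (domain.lower(), user.lower())  # Windows account names are case-insensitive
        hits = self._hits[key]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:  # expire failures outside the window
            hits.popleft()
        if len(hits) < self.threshold:
            return 0
        if ts < self._quiet_until.get(key, datetime.min):
            return 0  # already alerted for this burst; consolidate instead of re-alerting
        self._quiet_until[key] = ts + self.window
        return len(hits)


def find_repeated_failures(events: List[Event]) -> List[Tuple[str, str, datetime, int]]:
    """Run events through the window in time order; return (domain, user, when, count) alerts."""
    rw = RepeatWindow()
    alerts = []
    for ts, user, domain, _ws in sorted(events, key=lambda e: e[0]):
        count = rw.observe(ts, user, domain)
        if count:
            alerts.append((domain, user, ts, count))
    return alerts


if __name__ == "__main__":
    for domain, user, when, count in find_repeated_failures(parse_log(SAMPLE_529_LOG)):
        print(f"{when:%Y-%m-%d %H:%M:%S} {domain}\\{user}: {count} logon failures within {WINDOW}")
```

the sorted() is there because failures from several domain controllers rarely arrive in order; the window is only meaningful on a time-ordered stream. the admin account never trips the rule even though it fails five times, because the failures are 45 minutes apart and fall out of the window one at a time, which is exactly the behaviour you want from a repeat window as opposed to a plain lifetime count.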

sms: logfileviewer...

this is pretty cool. 1e has a utility called logfileviewer which displays all the appropriate logs for a particular function. i've known about this for a while but thought i'd mention it because it came up in a conversation over lunch today with a coworker from a different division. let's say you want to find out what's wrong with an advertisement. you'd perform an open set and choose advertisement problems on advanced client . it consolidates all the relevant logs in date/time sequence and color-codes the output. while you're at it, check out their other free utilities .

how is the sms guid generated?

i thought i'd post about this since i've not seen anything written on the subject (or maybe my google skills need honing). anyway, according to clientidmanagerstartup.log, it evaluates these three things:

smbios
sid
hwid

also, it looks like hwid is a computed value based on these five fields:

win32_systemenclosure.serialnumber
win32_systemenclosure.smbiosassettag
win32_baseboard.serialnumber
win32_bios.serialnumber
win32_networkadapterconfiguration.macaddress

mom: i don't care about send queues...

there's a rule called mailbox store: send queue > 25 in the exchange management pack. generally, this is an indication that mail is not going out for whatever reason. it looks specifically at this counter:

object: msexchangeis mailbox
counter: send queue size
instance: _total

now why would you want to turn off a rule that's clearly pretty important? this counter looks at the number of messages in the store's delivery queue. unfortunately, that includes deferred messages. since mom simply compares the counter against a fixed value (it does not support dynamic thresholds), it has no way of telling apart deferred delivery (messages marked to be delivered at a later time) from deferred submission (messages waiting for a retry after a delivery failure). the first is normal and fires the rule anyway, which is why the alert ends up being noise.

mom: what is the action account?

another rainy day. i was having a discussion with a coworker about some issues we ran into after one of our mom action accounts got locked out. i had forgotten nearly everything it's responsible for. then it struck me: i wrote an article on this. here's a small blurb:

Runs computer discovery.
Performs agent push-installations (similar to the SMS 2003 Client Push Installation account).
Performs uninstallations and settings updates for agent-managed computers.
Runs tasks issued from the MOM console.
Runs responses and scripts on agent-managed computers (including the Management Server).
Performs actions on agentless and agent-managed computers.
Collects data from agentless and agent-managed computers.
Communicates with agentless and agent-managed computers.

sms: dcm (desired configuration monitoring)

i decided it was about time i started looking at desired configuration monitoring, since the likelihood that we'll move to sms v4 in the short term is pretty close to zero. anyway, to date, i haven't done a thing with it. the interface is clunky and unintuitive. oh well, there are probably plenty worse, and i can't hide from it forever. here are some links i found to more information (someone left me a comment on a previous post that pointed me toward this search). my hope is that if i post these links, someone else will do all the work of understanding dcm and write up a cute, easy-to-follow guide. :)

dcm technet site
dcm technet documentation
dcm download
dcm developer's blog

the dcm developer's blog is pretty good stuff. whoever dropped that note, thanks!

mom: does smtp retry?

the simple answer is no. neither mom 2000 nor mom 2005 retries when sending alerts via smtp. since only one smtp address can be configured, there are a couple of contingencies you can fall back on:

1. use a dns round-robin record for the smtp host (create a host record that resolves to multiple IPs). keep in mind that this is not really load balancing, and dns won't take a dead server out of rotation for you.
2. put smtp behind a real load balancer.

we used option 1 for quite a while. a couple of years ago we went with option 2 with very good success. the smtp servers that sit behind the load balancer are not mailbox store servers (is my exchange terminology right?); they're bridgehead servers. this way, if the mail store is down, messages can queue on the bridgehead servers. even this doesn't guarantee every message will make it, but it raises our chances of success.

sms and corrupted metabase

you've probably seen this error come through before:

Product: SMS Management Point -- Error 25006. Setup was unable to create the Internet virtual directory CCM_System - The error code is 80020009.

one of my cohorts, andrew cohen , came up with this fix from microsoft:

1. Make a copy of metabase.xml from %windir%\system32\inetsrv.
2. Enable manual metabase edit by right-clicking on the server in IIS Manager.
3. Open metabase.xml with notepad.
4. Search for ccmisapi.dll and delete the entire line.
5. Save the file with the same name.
6. Change the metabase back to automatic edit by right-clicking on the server name in IIS.
7. Restart IIS.
8. In the SMS Admin Console, under SMS Site Systems, open the properties of the target MP and uncheck the Management Point selection.
9. Check MPSETUP.LOG to make sure the MP has uninstalled successfully.
10. Recheck the MP check box and wait for the installation to complete.

don't skip step 1: the copy is what you fall back on if the edited metabase.xml fails to load when IIS restarts.

systems management server 2003 account review tool

this is an interesting tool. i didn't realize it was out. basically it does an assessment of the accounts defined and in use with your sms installation. here's a small blurb about it. check the link to get more info...

The new Microsoft Systems Management Server (SMS) 2003 Account Review Tool is designed to assess the use of SMS accounts in a central site or child sites and alert you to account configurations that might increase security risk in your environment.

Supported Operating Systems: Windows Server 2003; Windows Server 2003 R2 Datacenter Edition (32-Bit x86)

You must run the tool on a primary site server. Before the Account Review Tool assesses the account usage in your SMS hierarchy, it performs an environment check. If any of the following conditions are not true, the Account Review Tool will fail the environment check and will not run the account assessment. The site server where you run the Account Review Tool must be a member of a Microsoft Windows NT 4.0

might want to stop rolling itmu...

tim minter posted recently that sms 2003 sp2 is now available for download. since itmu is included, should this deter you from continuing your rollout? hmmm. i suppose if you've been testing sp2 in the lab, it'd certainly be easier to go right ahead with sp2 and get all the benefits.