O R G A N I C / F E R T I L I Z E R: 02.06

Feb 28, 2006

mom: trimming down alerts...

you might find this one useful. in any environment, you're going to expect to get a fair amount of event id 7000 or something like this:
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 2/28/2006
Time: 3:00:48 AM
User: N/A
Computer: SERVERNAME
Description: The BROKEN service failed to start due to the following error: The system cannot find the file specified. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
so in order to create proper event filters, you need to know the parameters of the event. otherwise, you have to do a description-based search. not fun. anyway, i thought i'd map out event id 7000 since this probably generates a lot of noise. here are its two parameters, pulled out of the description above:
  • parameter 1: "BROKEN"
  • parameter 2: "The system cannot find the file specified."
by the way, the best method to find the event parameters is to use the management pack wizard. you can specify what you want to look at and the event id. it'll display all the parameters for that event id.
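as an added example (mine, not something from the post or from microsoft), here's how those two parameters fall out of a 7000 description and why a parameter-based filter beats a description search. the regex template is reconstructed from the sample description above, and it assumes the trailing "for more information..." sentence is boilerplate rather than a parameter.

```python
import re

# Event 7000's description is rendered from a template with two insertion strings. The parameter
# positions come from the post; the template wording is reconstructed from its sample description,
# and the trailing "For more information..." sentence is assumed to be boilerplate, not a parameter.
EVENT_7000 = re.compile(
    r"^The (?P<p1>.+?) service failed to start due to the following error:\s*"
    r"(?P<p2>.+?)\s*(?:For more information, see Help and Support Center.*)?$",
    re.DOTALL,
)

def event_7000_parameters(description):
    """Return {'parameter 1': service name, 'parameter 2': error text}, or None if it is not a 7000."""
    m = EVENT_7000.match(description.strip())
    if not m:
        return None
    return {"parameter 1": m.group("p1"), "parameter 2": m.group("p2").strip()}

def matches(description, parameter_1=None, parameter_2=None):
    """Parameter-based filter: every parameter you specify must equal the parsed value exactly."""
    params = event_7000_parameters(description)
    if params is None:
        return False
    wanted = (("parameter 1", parameter_1), ("parameter 2", parameter_2))
    return all(want is None or params[key] == want for key, want in wanted)

def noisiest_services(descriptions):
    """Count 7000s per service name (parameter 1): the quick way to see which service makes the noise."""
    counts = {}
    for text in descriptions:
        params = event_7000_parameters(text)
        if params:
            counts[params["parameter 1"]] = counts.get(params["parameter 1"], 0) + 1
    return counts

# Constructed sample descriptions; the first is the one quoted in the post.
SAMPLES = [
    "The BROKEN service failed to start due to the following error: "
    "The system cannot find the file specified. For more information, "
    "see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.",
    "The BROKEN service failed to start due to the following error: "
    "The service did not respond to the start or control request in a timely fashion.",
    "The Some Other service failed to start due to the following error: "
    "The system cannot find the file specified.",
    "The Print Spooler service entered the stopped state.",  # event 7036 wording, not a 7000
]
```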

mom/sms: cut the noise...

one of my good friends, richard threlkeld, posted an article titled cut through the noise: better reporting with mom and sms. as always, his information is usually a good read. just don't let him talk you into dumping sms 2003 in favor of sms 2.0 sp5. :D

Feb 23, 2006

mom: alerting on security events with a repeat window

yeah, the title is not very glamourous and probably doesn't make much sense. let me explain a bit on what i'm talking about.

let's say that you get an event for 529. one 529 probably doesn't mean very much or amount to anything since it's indicating a logon failure. i'm pretty sure that most people screw up putting in their password correctly the first time, second time, etc. now if you continue to get event 529 repeatedly, say for 30 minutes, for the same user, there might be a problem there, right? this is where setting up a repeat window is extremely helpful.

you'll need two rules to make this work, a consolidation rule and an event rule. fill in the following properties for both:

consolidation rule:

  • provider name: security
  • source: security
  • event id: 529
  • parameter 1: user field. leave it blank if you don't want to specify anything.
  • parameter 2: domain group. same condition as parameter 1.
  • consolidate: event number, source name, logging computer, parameter 1, parameter 2
  • events must occur within: 1800 seconds (or 30 minutes)

the last field is your "window". essentially what you're doing is consolidating all the events that are picked up in a 30 minute period. don't worry, this will make sense as we go along.

event rule:

  • provider name: security
  • source: security
  • event id: 529
  • repeat count: is more than 10

the last field is how many times this event 529 is picked up in the 30 minute window before indicating that a problem exists. we can use repeat count in this event rule because the consolidated event that's issued after the 30 minute window (assuming there are any) carries the count of how many times it occurred. if we break this down: if event 529 is detected more than 10 times in 30 minutes, alert me!

you can use this method anywhere that a repeated event in a time window indicates a problem. one last thing, if you're picking up security events, you'll want to enable guid resolution on your mom servers.

Feb 22, 2006

sms: logfileviewer...

this is pretty cool. 1e has a utility called logfileviewer which displays all the appropriate logs for a particular function. i've known about this for awhile but thought i'd mention it because it came up in a conversation over lunch today with a coworker from a different division. let's say you want to find what's wrong with an advertisement. you'd perform an open set and choose advertisement problems on advanced client. it'll consolidate all the logs, in date/time sequence and color code the output. while you're at it, check out their other free utilities.

how is the sms guid generated?

i thought i'd post about this since i've not seen anything written on the subject (or maybe my google skills need honing). anyway, according to the clientidmanagerstartup.log, it evaluates these three things:
  • smbios
  • sid
  • hwid
also, it looks like hwid is a computed value based on these five fields:
  • win32_systemenclosure.serialnumber
  • win32_systemenclosure.smbiosassettag
  • win32_baseboard.serialnumber
  • win32_bios.serialnumber
  • win32_networkadapterconfiguration.macaddress

Feb 21, 2006

mom: i don't care about send queues...

there's a rule called mailbox store: send queue > 25 in the exchange management pack. generally, this is an indication that mail is not going out for whatever reason. it looks specifically at this counter:
  • object: msexchangeis mailbox
  • counter: send queue size
  • instance: _total
now why would you want to turn off a rule that's clearly pretty important? this counter looks at the number of messages in the store delivery queue. unfortunately, it includes deferred messages. since mom is simply looking at the counter value (and does not support dynamic thresholds), it has no way of telling the difference between deferred delivery (messages marked to deliver at a later time) and deferred submission (messages waiting for a retry after a delivery failure).

Feb 20, 2006

mom: resource kit 2!

keep your eyes peeled. microsoft operations manager 2005 resource kit 2 is due for release any day now (as in this week). keep watching www.microsoft.com/mom for the posting. :)

mom: what is the action account?

another rainy day. i was having a discussion with a coworker about some issues that we encountered after one of our mom action accounts locked out. i had forgotten nearly everything that it's responsible for. it then struck me. i wrote an article on this. here's a small blurb:
  • Runs computer discovery.
  • Performs agent push-installations (similar to SMS 2003 Client Push Installation account).
  • Performs uninstallations and settings updates for agent-managed computers.
  • Runs tasks issued from the MOM console.
  • Runs responses and scripts on agent-managed computers (including the Management Server).
  • Performs actions on agentless and agent-managed computers.
  • Collects data from agentless and agent-managed computers.
  • Communicates with agentless and agent-managed computers.
Feb 17, 2006

sms: dcm (desired configuration monitoring)

i decided it was about time i started looking at desired configuration monitoring since the likelihood that we'll move to sms v4 in the short term is pretty close to zero. anyway, to date, i haven't done a thing with it. the interface is clunky and unintuitive. oh well, there are probably plenty worse, and i can't hide from it forever. here are some links i found to more information (someone left me a comment on a previous post that directed me on this search). my hope is that if i post these links someone else will actually do all the work in understanding dcm and write up some cute, easy-to-follow guide. :)
  • dcm technet site
  • dcm technet documentation
  • dcm download
  • dcm developer's blog
the dcm developer's blog is pretty good stuff. whoever dropped that note, thanks!

mom: does smtp retry?

the simple answer is no. neither mom 2000 nor mom 2005 handles retries when sending alerts via smtp. since only one smtp address can be configured, there are a couple of contingencies you can fall back on:
1. use an smtp record with dns round robin (create a host record that resolves to multiple IPs). keep in mind that this is not really load balancing.
2. situate smtp behind a real load balancer.
we were using option 1 for quite awhile. a couple of years ago, we went with option 2 with very good success. the smtp servers that sit behind the load balancer are not mail store servers (is my exchange terminology right?). instead, they're bridgehead servers. in this manner, if the mail store is down, the messages can queue on the bridgehead servers. even this won't guarantee every message will make it, but it raises our chances of success.

Feb 16, 2006

pete's management blog....: new mom books

this is cool. pete made a reference to some books coming out for MOM. thanks man. :)

sms and corrupted metabase

you've probably seen this error come through before:

Product: SMS Management Point -- Error 25006. Setup was unable to create the Internet virtual directory CCM_System - The error code is 80020009.

one of my cohorts, andrew cohen, came up with this fix from microsoft:

1. Make a copy of metabase.xml from %windir%\system32\inetsrv.
2. Enable manual metabase edit by right-clicking on Server in IIS Manager.
3. Open metabase.xml with Notepad.
4. Search for ccmisapi.dll and delete the entire line. Save the file with the same name.
5. Change the metabase back to automatic edit by right-clicking on the server name in IIS.
6. Restart IIS.
7. In the SMS Admin Console, under SMS Site Systems, open the properties of the target MP and uncheck the Management Point selection.
8. Check MPSETUP.LOG to make sure the MP has uninstalled successfully.
9. Recheck the MP check box and wait for the installation to complete.

Feb 14, 2006

systems management server 2003 account review tool

this is an interesting tool. i didn't realize it was out. it basically does an assessment of the defined accounts in use with your sms installation. here's a small blurb about it. check the link to get more info...

The new Microsoft Systems Management Server (SMS) 2003 Account Review Tool is designed to assess the use of SMS accounts in a central site or child sites and alert you to account configurations that might increase security risk in your environment.

Supported Operating Systems: Windows Server 2003; Windows Server 2003 R2 Datacenter Edition (32-Bit x86)

You must run the tool on a primary site server. Before the Account Review Tool assesses the account usage in your SMS hierarchy, it performs an environment check. If any of the following conditions are not true, the Account Review Tool will fail the environment check and will not run the account assessment.
• The site server where you run the Account Review Tool must be a member of a Microsoft Windows NT 4.0 domain or an Active Directory domain.
• The tool skips any primary sites in the hierarchy that are not running SMS 2003.
• The site server where you run the tool must be running Microsoft Windows Server 2000 SP4a or a later version.
• The SMS site database server must be running Microsoft SQL Server 2000 SP3 or a later version.
• The site running the tool must be running in SMS 2003 advanced security mode. The Account Review Tool checks any child sites that are also in advanced security. If the Account Review Tool encounters a child site that is running in standard security, the tool skips that child site and generates a warning message.
• The account running the tool must have membership in the SMS Admins group and administrative rights to all SMS objects.
• The account running the tool must have at least db_datareader privilege to the SMS site database and group membership in the SMS Admins security group.

Feb 13, 2006

might want to stop rolling itmu...

tim minter posted recently that sms 2003 sp2 is now available for download. since itmu is included, should this deter you from continuing your rollout? hmmm. i suppose if you've been testing sp2 in the lab, it'd certainly be easier to go right ahead with sp2 and get all the benefits.