O R G A N I C / F E R T I L I Z E R: 11.06

Nov 20, 2006

mom: maintenance mode hta

in other words, a gui. matt broadstock was kind enough to notify us about this utility on the msmom list. it's a 1.0 version so there are plenty of things to improve, but this makes changing maintenance mode en masse a very simple task. check it out. it's labeled mom maintenance mode utility gui. send up your feedback.

ds: dumping all dns records

i've linked an interesting article on dumping out dns records. the one requirement is that zone transfers have to be enabled for the receiving client. in this case, it'd be your workstation... what fun. here are the steps, in short:
  1. nslookup
  2. set type=any
  3. ls -d domain.com > mydnsrecords.txt
  4. exit
read the full article if you want the details... :T or try this method with dnscmd.exe.

Nov 8, 2006

sms: itmu v3 installation failure

run into this error code with itmu v3?
error code: 0x80004005
this is because in order to successfully complete the install, you've got to rdp to the console session. as a reminder, in order to do this, from a run line type the following:
mstsc /v: /console
(by the way, the issue has been corrected in the newest bits. :)

Nov 6, 2006

os: time sync information

UPDATE: added some information regarding syncing to non-windows time sources.

i hate dealing with time synchronization. the tools for windows are so hokey. you know, little nuances like deprecating net time in favor of w32tm just doesn't get enough press. oh well. recently, i had to look through this stuff again. i decided i'd write up a little blog note as a reminder for myself the next time i have to look at this stuff. to start off with, very useful links.

how to turn on debug logging in the windows time service
how to configure an authoritative time server in windows server 2003
windows time server and internet communication
time synchronization may not succeed when you try to synchronize with a non-windows ntp server in windows server 2003

... and now, some very useful commands:

setting a time sync source:

w32tm /config /update /manualpeerlist:"time.nist.gov time.windows.com" /syncfromflags:MANUAL

verifying the settings:

w32tm /dumpreg /subkey:parameters

... following the commands above, if time is syncing successfully and you've turned on debug logging as described in the first link above, a successful sync entry in the log looks like the snippet below...

148232 19:09:40.0266456s - /-- NTP Packet:
148232 19:09:40.0266456s - | LeapIndicator: 0 - no warning; VersionNumber: 3; Mode: 4 - Server; LiVnMode: 0x1C
148232 19:09:40.0266456s - | Stratum: 2 - secondary reference (syncd by (S)NTP)
148232 19:09:40.0266456s - | Poll Interval: 7 - 128s; Precision: -6 - 15.625ms per tick
148232 19:09:40.0266456s - | RootDelay: 0x0000.1BFEs - 0.109344s; RootDispersion: 0x0000.CC68s - 0.798462s
148232 19:09:40.0266456s - | ReferenceClockIdentifier: 0xC02BF412 - source IP: 192.168.1.1
148232 19:09:40.0266456s - | ReferenceTimestamp: 0xC8FA05E75E673B78 - 12807313511368762700ns - 148232 19:05:11.3687627s
148232 19:09:40.0266456s - | OriginateTimestamp: 0xC8FA06F406D23EFC - 12807313780026645600ns - 148232 19:09:40.0266456s
148232 19:09:40.0266456s - | ReceiveTimestamp: 0xC8FA06F406986261 - 12807313780025762700ns - 148232 19:09:40.0257627s
148232 19:09:40.0266456s - | TransmitTimestamp: 0xC8FA06F406986261 - 12807313780025762700ns - 148232 19:09:40.0257627s
148232 19:09:40.0266456s - >-- Non-packet info:
148232 19:09:40.0266456s - | DestinationTimestamp: 0xC8FA06F406D23EFC - 12807313780026645600ns - 148232 19:09:40.0266456s
148232 19:09:40.0266456s - | RoundtripDelay: 000ns (0s)
148232 19:09:40.0266456s - | LocalClockOffset: -882900ns - 0:00.000882900s
148232 19:09:40.0266456s - \--
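
to see what those log fields actually encode, here's an added python example (mine, not part of the original post or of w32tm): it packs the values from the snippet above back into a 48-byte ntp header, decodes LiVnMode, stratum, root delay/dispersion and the reference identifier, and recomputes the offset and round-trip delay w32tm reports from the four timestamps. the packet bytes are constructed from the log rather than captured; note the hex reference id decodes to 192.43.244.18, not the 192.168.1.1 printed beside it.

```python
import struct
from ipaddress import IPv4Address

NTP_HEADER = "!BBbbIIIQQQQ"   # 48-byte NTP header, network byte order (RFC 1305/4330)
FRAC32 = 1 << 32              # 64-bit timestamps are 32.32 fixed-point seconds since 1900
FRAC16 = 1 << 16              # root delay / dispersion are 16.16 fixed-point seconds

def parse_ntp_header(packet):
    """Decode the header fields w32tm prints for a server reply."""
    (li_vn_mode, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, orig_ts, recv_ts, xmit_ts) = struct.unpack(NTP_HEADER, packet[:48])
    fields = {
        "leap": li_vn_mode >> 6,                 # LiVnMode 0x1C -> LI 0, VN 3, Mode 4
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,                # 4 = server reply
        "stratum": stratum,
        "poll_seconds": 2 ** poll,               # poll 7 -> 128s
        "precision_seconds": 2.0 ** precision,   # precision -6 -> 15.625 ms per tick
        "root_delay": root_delay / FRAC16,
        "root_dispersion": root_disp / FRAC16,
        "ref_ts": ref_ts, "orig_ts": orig_ts, "recv_ts": recv_ts, "xmit_ts": xmit_ts,
    }
    # Stratum 2+ servers carry their upstream source's IPv4 address in the reference id.
    fields["ref_id"] = str(IPv4Address(ref_id)) if stratum >= 2 else hex(ref_id)
    return fields

def offset_and_delay(orig_ts, recv_ts, xmit_ts, dest_ts):
    """RFC 4330 client arithmetic: offset = ((T2-T1) + (T3-T4)) / 2,
    delay = (T4-T1) - (T3-T2). Subtract the 64-bit timestamps as integers first so
    sub-microsecond offsets are not lost; only the small differences become floats."""
    offset = ((recv_ts - orig_ts) + (xmit_ts - dest_ts)) / 2 / FRAC32
    delay = ((dest_ts - orig_ts) - (xmit_ts - recv_ts)) / FRAC32
    return offset, delay

# Constructed reply: the values from the w32tm log snippet packed back into wire form.
SAMPLE_REPLY = struct.pack(
    NTP_HEADER, 0x1C, 2, 7, -6, 0x00001BFE, 0x0000CC68, 0xC02BF412,
    0xC8FA05E75E673B78, 0xC8FA06F406D23EFC, 0xC8FA06F406986261, 0xC8FA06F406986261)
SAMPLE_DEST_TS = 0xC8FA06F406D23EFC   # DestinationTimestamp from the "Non-packet info" block

if __name__ == "__main__":
    hdr = parse_ntp_header(SAMPLE_REPLY)
    off, dly = offset_and_delay(hdr["orig_ts"], hdr["recv_ts"], hdr["xmit_ts"], SAMPLE_DEST_TS)
    print(f"NTPv{hdr['version']} mode {hdr['mode']} stratum {hdr['stratum']} ref {hdr['ref_id']}")
    print(f"root delay {hdr['root_delay']:.6f}s, dispersion {hdr['root_dispersion']:.6f}s")
    print(f"offset {off * 1e9:+.0f}ns, round trip {dly * 1e9:.0f}ns")
```

the offset comes out at -882900ns and the delay at 0ns, matching the LocalClockOffset and RoundtripDelay lines in the log.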

syncing to a non-windows time source (the update mentioned above):

w32tm /config /update /manualpeerlist:mynonwindowstimesource.com,0x8 /syncfromflags:MANUAL

Nov 2, 2006

mom/sms: a couple of interesting articles...

i thought i'd point out a couple of interesting articles since the problem seems to surface on some of the listmail subscriptions i'm a part of. the first one is the neverending question... why do the active directory and exchange helper objects get installed on machines that aren't domain controllers or exchange servers? it's simple. the push installation does it automatically. here's the article that goes into detail about the asinine method to avoid this (manual installations or remove through arp).

the second one i included because it was something one of my coworkers (russ slaten, to be exact) discovered with microsoft. he's published a blog entry on it. here's the official article, however. basically it details how to get around (scripted or otherwise) the problem when you try to import a report and it mercilessly taxes your cpu. the import object wizard simply can't handle large sql queries. :)

mom: securevantage directory services management pack

you're probably quite familiar w/ securevantage by now. if you aren't, they produce management packs focused on security. it works right in mom... and is pretty wicked stuff. anyway, they offer a free directory services mp which provides some basic functionality. if you don't have it, check it out... the really cool part is they mention me in the management pack description! nice! here's a snippet:
Management Pack
Purpose
The Directory Services Controls MP (DCMP) provides low-level auditing for all types of objects in Active Directory. Directory Services events not only identify the object that was accessed and by whom but also document exactly which object properties were accessed.
Features
The Secure Vantage DSMP provides detailed OU auditing on user, group, gpContainer, dnsDomain and organizational units. The MP provides base event collection, control alerting, operational views, a forensic analysis report and KB content from Microsoft Security MVP Randy Franklin Smith and MOM MVP Rory McCaw. Additional acknowledgement goes to Marcus Oh, fellow MOM guru.
Configuration
Directory Service Access events work a lot like Object Access events because you must first enable the audit policy at the system level, then activate auditing on the specific objects you want to monitor. To enable auditing on a file, open the file's properties dialog box from within Windows Explorer, select the Security tab, click Advanced and then select the Auditing tab on the Advanced Security Settings dialog box. To enable auditing on an AD object, follow the same path but from within the Active Directory Users and Computers snap-in (rather than Windows Explorer). Then specify the permissions you want to audit when users request access to the object.

Nov 1, 2006

mom: evaluate all criteria

ever wonder how to get an event rule to evaluate all of the criteria that you specify? add this as part of the criteria set:

Message DLL - matches wildcard - *

make sure this goes to the top of the list (or second to the top anyway).