ORGANIC/FERTILIZER: 2007

Dec 31, 2007

sms: sql query to display chassis type

here's a query inspired by a post from garth jones for something sherry kissinger whipped up. this sql query lists all of your machines along with the chassis type, decoded from the numeric chassistypes0 value in v_gs_system_enclosure.

-- chassistypes0 is the numeric smbios chassis type that win32_systemenclosure reports;
-- the case expression turns it into a readable label
select  sys.name0 as 'Name', sys.manufacturer0 as 'Manufacturer', sys.model0 as 'Model',
        case enc.chassistypes0
            when 1 then 'Other'
            when 2 then 'Unknown'
            when 3 then 'Desktop'
            when 4 then 'Low Profile Desktop'
            when 5 then 'Pizza Box'
            when 6 then 'Mini Tower'
            when 7 then 'Tower'
            when 8 then 'Portable'
            when 9 then 'Laptop'
            when 10 then 'Notebook'
            when 11 then 'Hand Held'
            when 12 then 'Docking Station'
            when 13 then 'All in One'
            when 14 then 'Sub Notebook'
            when 15 then 'Space-Saving'
            when 16 then 'Lunch Box'
            when 17 then 'Main System Chassis'
            when 18 then 'Expansion Chassis'
            when 19 then 'SubChassis'
            when 20 then 'Bus Expansion Chassis'
            when 21 then 'Peripheral Chassis'
            when 22 then 'Storage Chassis'
            when 23 then 'Rack Mount Chassis'
            when 24 then 'Sealed-Case PC'
            else 'Unknown'
        end as 'Chassis'
from    v_gs_computer_system sys join
        v_gs_system_enclosure enc on sys.resourceid = enc.resourceid
order by 'Chassis'

Dec 20, 2007

mom: pending action does not show "requires patching"...

follow along with me on how disjointed this whole thing is. we've been on mom 2005 for quite awhile. after seeing more than the usual number of scripting errors and lockups, i started looking into possible causes. i ran across the hotfix outlined in kb934441. that's not uncommon, really. the reason i went with this hotfix over some others is the file version: this one updates to the latest, 5.0.2911.41 (in case you were wondering.)

all that background aside, look at these instructions:

To apply this hotfix, follow these steps:

  1. Copy the MOM2005-SP1-KB934441-X86-IA64-ENU.msi file to a local folder or to a shared folder on the network. If you use a shared folder, make sure that the computers that require this hotfix can access the folder.
  2. Log on to one of the computers that require this hotfix by using an account that has administrative credentials.
  3. Run the MOM2005-SP1-KB934441-X86-IA64-ENU.MSI file. (You can run the file at a command prompt, or you can run the file by using Windows Explorer.)
  4. Repeat steps 2 and 3 on each computer that requires this hotfix.

looks ordinary enough... and you would probably assume this worked. WRONG! all this does is expand the contents of the .msi to a folder. inside that folder are .msps and an updatemom.exe. let's say you did the logical thing... and double-clicked the .msp. you go on to install the patch and then review the rest of the kb article, which states the following:

Manually apply the hotfix. Or, follow these steps to use the MOM 2005 server to apply the hotfix:

  1. Use the Pending Actions folder in the MOM 2005 Administrator console to make sure that the manual installation of the MOM 2005 agents is approved.
  2. Click the "Agent-managed Computers" folder in the MOM 2005 Administrator console, right-click the MOM 2005 agent in the details pane, and then click Update Agent Settings.

um, no. you might think to yourself, "self, i should kick off a discovery cycle". you do that. walk off, grab coffee, run into a coworker and talk about last minute gift ideas or holiday parties... head back to your desk, refresh pending actions... and a whole lot of nothing. like a lump of coal in your stocking.

this got me interested in updatemom.exe. certainly it wasn't put there for no reason. i'm no google or live expert... but putting in a search like "updatemom.exe" should give back something, right? hmmm. not quite so. luckily, (despite the inconsistencies in different hotfixes and total lack of documentation) it wasn't too hard to figure out. if you run updatemom.exe as a command, you'll get the following pop-up box.


very friendly, i know. true to its word, you have to type in the command exactly as it states! it would look something like this:

Z:\>updatemom.exe /x86msp:q934441-x86.msp /agent /ia64msp:q934441-ia64.msp
when this is executed correctly, the following directories will be updated with the .msp file:
  • <ProgramFiles>\Microsoft Operations Manager 2005\x86\Patches
  • <ProgramFiles>\Microsoft Operations Manager 2005\ia64\Patches

kick off discovery... and check your pending actions. now you should see the "requires patching" actionable machines.

Dec 12, 2007

sms: you couldn't f5 your way out of a paper bag!

otherwise known as "i've been waiting for async query to complete!" i'm not entirely sure at this point whether i love or hate it when you hear the words "thank god you're here!" while you're walking to your desk in the morning. this is before you set your things down, while your lids are still half-shut... and certainly before your first good cup of coffee.

i'm just glad most of the time it's someone cracking a joke. too bad it wasn't this morning. it's not that i'm saying it was a necessarily terrible thing. it's always great to have something new to discover, get frustrated with, and eventually conquer ... or most likely ... concede.

today's problem du jour was an sms issue. (i'm sure you caught on to that by the title.) collection evaluator was taking a tremendously long time trying to refresh certain collections. the collection evaluator log indicated a problem like this:

Preparing to refresh collection XYZ01234    12/11/2007 2:34:06 PM    26116 (0x6604)
Refreshing results for collection XYZ01234    12/11/2007 2:34:06 PM    26116 (0x6604)
Waiting for async query to complete, have waited 325 seconds already.    12/11/2007 2:37:06 PM
Waiting for async query to complete, have waited 645 seconds already.    12/11/2007 2:42:26 PM
Waiting for async query to complete, have waited 975 seconds already.    12/11/2007 2:47:56 PM
Results refreshed for collection XYZ01234, 961 entries changed.    12/11/2007 2:53:38 PM

looking closely at the collection query, there were a few odd things about it but definitely nothing out of the ordinary. just strange oddities like using a subselect to make sure the machine had the sms client in add/remove programs. hmmmmmmm... since i'm using sms inventory for the collection criteria in the first place, doesn't that imply it had the sms client in arp at some point? :) anyway, the snippet below is the modified version, without the subselect.

select SMS_R_System.ResourceID, SMS_R_System.ResourceType, SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client 
from SMS_R_System inner join SMS_G_System_SoftwareFile as Project on Project.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId 
where (Project.FileName = "Winproj.exe" and Project.FileVersion < "11.0.2003" or SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "Microsoft Project% 2002")

i tried all manner of grouping the stuff together to make it run right, cycling collection evaluator over and over again because each failure meant run times that extended into torment! after a lot of slight query changes, nothing helped. i figured i'd dissect it to see where the problem was exactly.

this is what produced some very interesting results. after tearing the collection criteria apart, what i found was that each individual query would produce a very quick query execution. instead of the wql query above, i created these two separate ones.

Add/Remove Programs:

select SMS_R_System.ResourceID, SMS_R_System.ResourceType, SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client 
from SMS_R_System inner join SMS_G_System_SoftwareFile as Project on Project.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId 
where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "Microsoft Project% 2002"

Software Files:

select SMS_R_System.ResourceID, SMS_R_System.ResourceType, SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client 
from SMS_R_System inner join SMS_G_System_SoftwareFile as Project on Project.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId 
where Project.FileName = "Winproj.exe" and Project.FileVersion < "11.0.2003"

as i said earlier, this had a dramatic effect on run time. it went from minutes to seconds. the answer was so simple: instead of using a single collection membership query, we'd add both queries as separate rules. after running the new collection, i made sure the collection evaluator showed me the same improved performance. the query finished its execution in 4 seconds. that's better!

so here you go. something like this produces much better results in this case. i'm still trying to figure out why.

for a fun exercise, i took some screenshots... but then realized, i can't use most of them since they don't really tell a story. ah well. i guess i have more to learn about this blogging stuff still. unfortunately for you, the story isn't over yet!

here i am again blogging about sms 2003 and mom 2005. yes, yes, i know... there are new technologies out which i unfortunately am not using yet. so for all of those less fortunate, yours truly included, there is still a great deal of value in what you've got running. the sms 2003 management pack for mom 2005 does not have any rules that look for long-running queries! even if you think you're a genius, you're bound to screw up sooner or later. if you have other people working with you in the same environment, more opportunities abound... (and i don't mean people to blame).

well, that's a quick fix! all you need is a fairly easy regular expression and a new application log provider.


as you can see in the screenshot above, i've created a new provider and named it "sms 2003 collection evaluator log." the provider log type is "generic single-line log file". all you have to do next is point this to your sms log directory and specify the colleval.log file... and yes, just for you, i've got that screenshot too!


once you have this provider done, you'll need to create a new event rule and tie it to your sms computer group. in your event rule, your data provider should be the one you created above. just switch the provider name like this:


under the criteria section, switch to the advanced view, since the simple view gives you no way to specify regex matching. once in it, you'll need to populate it with this regular expression:

.*have[ ]waited[ ]([3-9][0-9][0-9]+|[1-9][0-9][0-9][0-9]+)[ ]seconds.*

it should look like this when you're done:


mom 2005 is a finicky little beast when it comes to regex statements. if you remember, the original statement in the log looks like the following:

Waiting for async query to complete, have waited 325 seconds already. 12/11/2007 2:37:06 PM

by finicky, i mean, mom will not handle spaces in a regex statement. if you put it in, you'll get a syntax error. obviously we need to put spaces in the text to look for... otherwise we'd be relying solely on the number of seconds. probably not a good idea since it's just a number value. to get around that just put a space inside of empty brackets like this -- [ ]. as far as the other brackets, this regex statement will pick up any value above 300 seconds. 300 seconds = 5 minutes which seems like a reasonable thing to look for. you can slide this out as necessary... but this isn't a tutorial on regex (nor am i qualified to give one, nor would you want to receive one from me). :)

you're set. now at least you'll know if sms is getting its face punched by badly written queries or some other oddity. at some point i'll look into why the original query took so long. it seems like this problem didn't crop up until after sp3... so maybe? i don't know. it's a stretch. if anyone knows, please leave a comment!
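to see what the expression actually catches, here is an added python check (my code, not part of the original post and not mom's own matching engine) that runs the post's regex unchanged over a handful of constructed colleval.log lines, and also walks the log to attribute each long wait to the collection being refreshed, which the rule itself can't do because the "have waited" line never names the collection. note the boundary: the bracketed digit classes match 300 seconds exactly, not only waits above it. the collection ids and timestamps in SAMPLE_LOG are made up.

```python
import re

# The post's MOM 2005 expression, reproduced exactly: MOM rejects literal spaces,
# so each one is written as the character class [ ]; Python's re accepts that too.
MOM_LONG_WAIT_RE = r".*have[ ]waited[ ]([3-9][0-9][0-9]+|[1-9][0-9][0-9][0-9]+)[ ]seconds.*"
long_wait = re.compile(MOM_LONG_WAIT_RE)

# Looser patterns used to walk the log in code: any wait at all, and the line
# that names the collection a refresh belongs to.
any_wait = re.compile(r"have waited (\d+) seconds")
refresh = re.compile(r"Refreshing results for collection (\S+)")

# Constructed sample of colleval.log entries (collection ids and times are made up).
SAMPLE_LOG = """\
Preparing to refresh collection ABC00001    12/11/2007 2:34:06 PM    26116 (0x6604)
Refreshing results for collection ABC00001    12/11/2007 2:34:06 PM    26116 (0x6604)
Waiting for async query to complete, have waited 299 seconds already.    12/11/2007 2:39:05 PM
Waiting for async query to complete, have waited 300 seconds already.    12/11/2007 2:39:06 PM
Waiting for async query to complete, have waited 645 seconds already.    12/11/2007 2:44:51 PM
Results refreshed for collection ABC00001, 12 entries changed.    12/11/2007 2:53:38 PM
Refreshing results for collection ABC00002    12/11/2007 2:55:00 PM    26116 (0x6604)
Waiting for async query to complete, have waited 15 seconds already.    12/11/2007 2:55:15 PM
Results refreshed for collection ABC00002, 0 entries changed.    12/11/2007 2:55:20 PM
Refreshing results for collection ABC00003    12/11/2007 2:56:00 PM    26116 (0x6604)
Waiting for async query to complete, have waited 1200 seconds already.    12/11/2007 3:16:00 PM
"""


def mom_rule_matches(line):
    """True when the post's MOM regex fires on this log line (300 seconds and up)."""
    return long_wait.match(line) is not None


def find_long_waits(log_text, threshold=300):
    """Walk the log, remember which collection is being refreshed, and return
    sorted (collection, seconds) pairs for every refresh whose wait reached the
    threshold.  Only the longest wait per collection is kept, so a slow
    collection yields one finding instead of one per progress line."""
    findings = {}
    current = None
    for line in log_text.splitlines():
        m = refresh.search(line)
        if m:
            current = m.group(1)
            continue
        m = any_wait.search(line)
        if m and current is not None:
            secs = int(m.group(1))
            if secs >= threshold and secs > findings.get(current, 0):
                findings[current] = secs
    return sorted(findings.items())


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        if mom_rule_matches(line):
            print("MOM rule would fire:", line)
    print(find_long_waits(SAMPLE_LOG))
```

the threshold in find_long_waits is a plain number, so sliding the alert point out to, say, 600 seconds is a one-argument change rather than a rewrite of the digit classes.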

Nov 28, 2007

misc: windows mobile reply to all leaves your email address...

this has been a total source of irritation since i've been a windows mobile user. i thought it was just a 5.0 thing and apparently was never annoyed enough to check. when i found it happening on my 6.0, that's when i realized it was something worth looking into... if you have the same problem, the fix is in this blog post.

Nov 20, 2007

mom: ad remote topology discovery failed to execute...

i forgot all about this thing. it started cropping up in my environment but i couldn't figure out why. after awhile, it finally dawned on me. the agent was reinstalled, but the computer table was never adjusted. yeah, i wish i was making this up. this happens when you monitor DCs in an untrusted forest or domain. here's the article. i particularly love the way it says this:


To work around this issue, install a separate MOM management group in each untrusted forest.

Note This issue has been known to be partially resolved by the following method. First, apply MOM 2005 SP1. Then, use the Active Directory Topology Discovery script to enable the server fully qualified domain names (FQDNs) to be added to the Computer table. However, when you use this method, most of the scripts will continue to log errors.

of course, it doesn't tell you how to resolve this.  in the onepoint database, there's a table called "computer".  there's a column in there called "fqdn".  you have to specify the fqdn of the machine in question.

Nov 19, 2007

sms: sms 2003 recipes...

awhile back, greg ramsey and warren byle wrote this magnificent book called sms 2003 recipes: a problem-solution approach. it's the equivalent of the active directory cookbook for sms. it has all kinds of scripts that can help automate your environment. now, the best part is, the scripts are all free and available for download. it's a little cumbersome trying to find it... so for your reference, here's the link.

Nov 9, 2007

sms: reporting access denied after applying sp1...

maybe this is old news. maybe i'm just getting around to hearing about it... or maybe we finally did something right? now we're seeing the problem. here's the deal... recently, we decided to move from our current tiered administrative approach to a three-tier approach which truly separates user, server, and domain functions so that we can minimize accidental screw-ups to some degree. in doing this, our server admin accounts were added to the sms servers and our user accounts were removed. to keep some of the base functionality, we left our user accounts in our sms reporting groups. apparently after applying windows server 2003 sp1, there are some changes that need to occur for launching sms web reporting if your account is a member of the sms reporting users group but not the local administrators group. trying to launch results in an error like this:

Server object error 'ASP 0178 : 80070005'
Server.CreateObject Access Error
/SMSReporting_093/ReportsNav.asp, line 1055
The call to Server.CreateObject failed while checking permissions. Access is denied to this object.

no point in expressing the changes required in dcomcnfg. they're all covered in this article. :)

Nov 8, 2007

misc: 1e roadshow: enterprise solutions

i sent this out to the subscribed members of the atlanta smug. thought anyone else that's in the atlanta area might be interested in going. here are the details! obviously it's a british thing... look how tea is presented before coffee. anyway, drop me a line or leave a comment if you're going. would love to meet up! register here...

1E Road Show: Enterprise Solutions

Atlanta Road Show, US: Thursday, 29 November 2007

Emory Conference Center Hotel 1615 Clifton Road Atlanta GA 30329 Tel: 404 712 6000 Website: www.emoryconferencecenter.com Location/Map: http://www.emoryconferencecenter.com/maps.html

Note : Detailed event information will be provided on confirmation of registration.

Morning – Technical Session

08:30 am – 09:00 am Registration and reception with tea & coffee

09:00 am – 09:30 am Guest introduction and their IT challenges - Courtney Austin, Marketing Manager and Bruce Walter, Business Manager, 1E

09:30 am – 10:45 am Microsoft System Center overview - Lauren DiNatale, Management and Security Solution Specialist, Microsoft

10:45 am – 11:00 am - Tea & coffee break

11.00 am – 12.15 pm 1E solutions - Derek Hartung, 1E, Lead Consultant

12.15 pm – 12.30 pm 1E Solution Demo - Brian Tucker, 1E Solutions Engineer

12.30 pm – 12.45pm myITForum Overview, Rod Trent, President, myITForum

12.45 pm – 1.00 pm Session Summary - Sumir Karayi, 1E Chief Executive Officer

Lunch – With guests split into tables with specifically grouped discussion points hosted by a 1E/Guest speaker attendee

Afternoon – 'Go-Green' Business Session

02:15 pm – 02:45 pm Guest Go Green challenges - Courtney Austin, Marketing Manager and Bruce Walter, Business Manager

02:45 pm – 03:30 pm Go Green with 1E solutions and industry research - Sumir Karayi, 1E Chief Executive Officer

03.30 pm – 03.45 pm 1E Go-Green Solution Demo - Brian Tucker, 1E Solutions Engineer

03:45 pm – 04:15 pm - Tea & coffee break

04.15 pm – 04:45 pm Customer 'Go-Green' insight with ROI – Brian Mufley, Manager, Framework Engineering, LendLease

04.45 pm – 05:00 pm Event wrap-up, next steps - Sumir Karayi, 1E Chief E

misc: dsquery vs powershell...

as a part of trying to familiarize myself with powershell, i figured converting some of my favorite dsquery commands to it would be as good of a measure as any. the problem was, i had a hell of a time figuring it out! thankfully, hal was nice enough to help out... in order to get displayname and streetaddress from dsquery, you'd use a command like this:
dsquery user -samid myUser | dsget user -display
oh wait a second... there is no switch for streetaddress. all you'll get is something like this:
  My User (Test)
let's try that again...
dsquery * -filter "(&(objectcategory=person)(samaccountname=myUser))" -attr displayname streetaddress

  displayname                 streetaddress
  My User (Test)              2000 My Test Avenue
Suite 200

in my case, i have multiple lines in my streetaddress attribute, which throws off the entire format. this is something i wanted to avoid, so i sought out powershell as the answer (instead of writing a vbscript to handle it.)

here's how you'd pull the information from powershell (provided you use the quest add-ons)...

get-qaduser testdomain\myUser | format-table displayname,streetaddress

DisplayName                                  StreetAddress
-----------                                  -------------
My User (Test)                               2000 My Test Avenue...
already much better. however, the street address is truncated. so let's try again.

get-qaduser testdomain\myUser | format-table -wrap displayname,streetaddress

DisplayName                                  StreetAddress
-----------                                  -------------
My User (Test)                               2000 My Test Avenue
                                             Suite 200

now we get the full street address, but as you can see, the cr/lf is carried over. to get rid of it, we'll insert a replace statement.

get-qaduser testdomain\myUser | format-table -wrap displayname,@{label = "StreetAddress";expression = {$_.streetaddress -replace "`n",", "}}

resulting in this much nicer formatted version...

DisplayName                                  StreetAddress
-----------                                  -------------
My User (Test)                               2000 My Test Avenue, Suite 200

Nov 5, 2007

ds: password complexity rules...

in case you're asked for it, like i am, all the time, as in ... yesterday, today, tomorrow...
  • Do not contain all or part of the user's account name.
  • Contain characters from three of the following four categories:
    • English uppercase characters (A through Z).
    • English lowercase characters (a through z).
    • Base-10 digits (0 through 9).
    • Non-alphanumeric characters (for example, !, $, #, %), extended ASCII, symbolic, or linguistic characters.
i believe in cases where it refers to "part of the user's account name" it specifically means 3 or more characters in a row. for example, since my name is "marcus" i can't have the letters "arc" or "rcu" or "mar" in my password. it's not referenced in the following article but is referenced in a sql 2005 article. anyway, here's more detail from the article...
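as an added illustration (my code, not microsoft's password filter), here is a small python checker that applies the rules the way this post reads them: characters from three of the four categories, and no run of three or more consecutive characters from the account name. the fourth category test treats anything that is not an ascii letter or digit as non-alphanumeric, which covers the symbol, extended ascii and linguistic characters in the list above. the account names and passwords used below are constructed.

```python
import string

# The four character categories from the list above.  Anything that is not an
# ASCII letter or digit (symbols, extended ASCII, accented letters) counts as the
# fourth category.
CATEGORIES = {
    "uppercase": lambda c: c in string.ascii_uppercase,
    "lowercase": lambda c: c in string.ascii_lowercase,
    "digit": lambda c: c in string.digits,
    "non-alphanumeric": lambda c: c not in string.ascii_letters + string.digits,
}


def categories_present(password):
    """Names of the categories that have at least one character in the password."""
    return {name for name, test in CATEGORIES.items() if any(test(c) for c in password)}


def account_name_fragments(account_name, length=3):
    """Every run of `length` consecutive characters of the account name, lower-cased.
    An account name shorter than `length` yields no fragments, so it is never matched."""
    name = account_name.lower()
    return {name[i:i + length] for i in range(len(name) - length + 1)}


def check_complexity(password, account_name, minimum_categories=3, fragment_length=3):
    """Apply the rules as the post reads them and return the list of violations;
    an empty list means the password passes.  Comparison against the account
    name is case-insensitive, since the account name itself is."""
    problems = []
    lowered = password.lower()
    hits = sorted(f for f in account_name_fragments(account_name, fragment_length) if f in lowered)
    if hits:
        problems.append("contains part of the account name: " + ", ".join(hits))
    present = categories_present(password)
    if len(present) < minimum_categories:
        missing = ", ".join(sorted(set(CATEGORIES) - present))
        problems.append(
            "only %d of %d character categories used (missing: %s)"
            % (len(present), len(CATEGORIES), missing)
        )
    return problems


if __name__ == "__main__":
    for pw in ("Tr0ub4dor!", "Marcus2007!", "password", "Password1"):
        print(repr(pw), check_complexity(pw, "marcus") or "ok")
```

with the account name "marcus" from the post, "Marcus2007!" fails only on the account-name rule (it hits all four fragments: arc, cus, mar, rcu) while "password" fails only on the category rule, which is the kind of specific reason a help desk wants to hand back instead of "does not meet complexity requirements".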

Nov 1, 2007

ds: ad attribute editor (adae)...

heard of this tool? just saw it come through activedir. check it out here: http://www.fcsovelto.fi/adae. here's a small blurb of what it does:
ADAE (Active Directory Attribute Editor) enables you to add your own property pages (tabs) to the Active Directory Users and Computers. This way you can view and/or modify predefined attributes, such as user's EmployeeID, or any new attributes you or your applications have added to AD.
look carefully on the page. read/write version costs money. read version is free.

Oct 16, 2007

sms: installing itmu updates out-of-band

i was on a field visit recently and came across an interesting dilemma. the administrators i worked with indicated that the turnaround time on a newly imaged machine was somewhere in the neighborhood of 48 hours. this was something i couldn't get my mind to engage with. if the image process itself took an hour or so, throw in a few minutes to unpack it, set it up, connect it, pop the disc in and run it, etc... why was it taking 48 hours or longer?

well, it seemed that our antiquated imaging process caused delays of up to 48 hours before a newly imaged machine would receive all the required security updates. rather than doing something like going to windows update, the administrators chose to let the process work through on its own. looking into this, our problems were created by a couple of things that could easily be addressed.

  1. sms client installation script is only available as a machine startup gpo. this requires the machine to be rebooted twice. it had to receive the policy (naturally) and then execute it.
  2. sms collections refresh once a day. this means that client may not fall into the right collection on the same day, same hour, etc.
there are no real issues with bullet #1. it's the way things work. the client has to receive the policy first. in order to apply it though, it has to reboot. :/ that kind of sucks and slows things way down. ad discovery (and subsequent installation) happens nightly, which means, if a machine is imaged that morning, it won't get the client until that evening if it just sits there.  in this particular case, logon scripts aren't used so that's ruled out.  as i mentioned before, the admins just let it sit there... so clearly it was the overnight discovery and installation that catches the machine.

bullet #2 is interesting. if you increase your schedule cycle for the particular collection, that'll definitely speed things up. still, there's a balance you have to meet to make sure you're not running sql statements over and over just to make sure new machines coming up get things immediately. the really unfortunate part about this is that you have to wait for bullet #1 to occur first. :)  so let's say the machine was imaged at 8am, it receives the client at 1am, the collection refreshes at 6pm, and the client is done... somewhere around 7pm.  so, the theory of 48 hours seems about accurate.

there's lots of ways to get around this problem. you could speed up collection schedules and put the client into the image. you could create local policies that mirror advertisements and compile them on the client locally. for fun, i wanted to see how this was being done by other folks. i received some great input from the myitforum mailing list and ended up going with this idea from greg smith called "installing itmu updates on demand". this is great work. basically, greg created a script to run through a patch installation cycle, without calling patchinstall.exe.

there were some things in the script that just didn't work for my environment so i created another script to run prior to it. it handles the following things:
  • from a list of package ids, it extracts the actual smspkgx$ locations.
  • installs windows update agent, if required.
  • installs sms client, if required.
  • runs scanwrapper.
  • installs any required patches.
the sms client installation does a bit of goofiness with how it downloads the .msi and runs everything in the background. in order to make sure the script didn't launch anything prior to the installation being complete, i put a loop in to check for the smssoftwaredistribution component. that did the trick...

all of the heavy lifting was in the installdsuwupdates.vbs script that i mentioned before (by greg smith). this is just my little wrapper that makes things work a little better for me. :) if you want to use my method, you'll need to update the following values in sms_update.vbs:
  • sSMSServer - your server name
  • sWUA = package id for windows update agent
  • sITMU = package id for ITMU patches
  • sSCAN = package id for ITMU scanner (scanwrapper)
after that, you should be good to go. one thing to note, in the installdsuwupdates.vbs file, there is a line that looks like this: szXML = szBase & "PatchAuthorize.xml". you can change the .xml filename to whatever you use in your organization. for instance, we have a cumulative update with a different name to install everything. great one to use for patching up one-off like this.

have fun! you can get the files here. it contains my script and an updated installdsuwupdates.vbs script (to handle a few things i'm sending to it).

Oct 5, 2007

os: windows system state analyzer

this has actually been released for a little while. i don't know why i'm just getting around to posting it when i've known about it awhile. i generally post the things that i want to locate later... and i guess this hadn't bubbled to the top of that list yet. anyway, i was looking for it... so here it is for your information too.

basically it'll show you before and after state changes. you run it before you make a change (like an installation) and then after.


Oct 4, 2007

misc: mvp renewed...

i was wondering if i got renewed this year because the renewals seemed to go out late. i found out on the evening of my renewal date that i am renewed. :)

Sep 19, 2007

mom: missing data in top 100 mailboxes by size...

ran into a problem today where an administrator told me that their "top 100 mailboxes by size" report stopped working. now, to define the boundaries of "stopped working", let's evaluate these few things:
  1. report works for other servers
  2. report worked a month ago
i generally follow these basic rules to troubleshoot a report issue:
  1. check if the report contains data
  2. check if data exists in the console
  3. check if data exists in the reporting tables
so going on the boundaries of "stopped working", we start with step 1. i open up the report to verify that what the person is telling me is the same thing i'm seeing. in this case, it actually was. :o i tried switching the report to a different server and data came up. i tried switching it to the problem server and no data existed. perplexing! i went to step 2. to make this easier, i created some custom performance views to look at the object "mcexchdg", breaking it down into "mailbox mb" and "mailbox message count". both views work but again, same problem: no data is posted for the problem server. at this point, we know the rules must be working because some servers are posting data. this is definitely an agent-side problem then... right? since the person reported that this report worked on the same server in the past, we go to step 3. i ran a little query that looked like this just to see what was there:
select top 10 * from sdkperformanceview where computername = [problemserver] and performanceobjectname='mcexchdg'
i get back counters for mcexchdg but not for the expected "mailbox mb" counter! hmmm. so apparently the data never did exist for this server. so at least we know the thing never worked for this server, instead of thinking something changed along the way. to figure out what was happening, instead of being a good administrator and googling it, potentially finding results that could save me hours, i decided to use the script "exchange 2003 - collect mailbox statistics" to troubleshoot. in order to do this, i went through the following:
  • replace all createevent entries with wscript.echo
  • comment out on error resume next
  • use local reference of computer name instead of scriptcontext.targetnetbioscomputer
now i figured when i ran it, i'd get errors. i did! i had to use an interactive cmd shell to make this work since the script demands to run as "localsystem". after that, i had to run through it for a few iterations to find where it failed, comment it, and move on. so what was the end result? you have to have the servernameMOM accounts. in this case, it turned out we did... however, someone inadvertently renamed the servernameMOM account!

mom: antigen retrieve update number script noise...

if you've got the antigen management pack deployed, you might be seeing a lot of irritating noise that looks similar to this message:
WARNING: are engine was not found on [servername]. Update number could not be retrieved.
a little bit of investigation in the script, prompts this joyful discovery. as it turns out, the script has no provision for logging/not logging errors that may occur. the only parameter that changes logging effect is one to log to text. apparently these events aren't very important since there are no corresponding alerts. :| hmmm. since it's generating quite a bit of event noise, i decided to shut off this behavior. this was easy enough. in the code block below, you'll see where i simply commented the line that writes the mom event. it's on line 81.
...
'If Update number is null, the engine was not found in the registry
If IsNull(UpdateNumber) or UpdateNumber = "" Then
    WriteLog "WARNING: " & EngineName & " engine was not found on " & ScriptContext.TargetComputer
    ' WriteMOMEvent "WARNING: " & EngineName & " engine was not found on " & ScriptContext.TargetComputer & ". Update number could not be retrieved.", 2, Null
    ScriptContext.Quit
End If
...
watch that word wrap... hope that helps!

Sep 18, 2007

misc: powershell compare-object to compare text files...

i guess i'm hooked because here i am again writing about this stuff. anyway, this was just too cool to pass up. using one line, you can compare two text files:

compare-object $(get-content file1.txt) $(get-content file2.txt)

i didn't say the stuff was complicated. :)

misc: changing datetime stamps with powershell

i've been goofing off a little bit with powershell. it wasn't all the hype or fanfare from snover or the ps team or any of the other talented powershell people out there. it was a friend of a friend who kept talking about it until i was sick of hearing it. so, i spent a little time getting acquainted. turns out, it's pretty damn cool. it's more than hype... anyway, i took this post from ying li about manipulating datetime stamps on files. i thought i'd switch it into a one-liner... just for fun. here it is:

gci | foreach {$_.lastwritetime = $(get-date).addminutes(5)}

Aug 27, 2007

sms: moving collections through a command line...

well, during my travel, i find myself at a site whose collection management was a little sparse. to help move them along, i wrote up a script to move a collection to a new parent collection, through a command line. it was a little bit of a challenge because there weren't very many samples floating around.

many thanks to dave lippa and the rest of the group at myitforum for their help! i shamelessly stole stuff out of greg ramsey's script. the script is located here.

there's not that much to it, actually. you simply tell it the old parent, the new parent, and the id of the collection you're moving. i suppose it's more concept than anything else. it'd be easy to make this thing much more useful... but you know... necessity. less words. :| just keep in mind when doing something like this that in order to remove the current collection link, you have to add a new one. otherwise, it will go through as if it works but never remove it.

order it correctly and things are great. 1. add. 2. delete.

[usage] sms_collmove.vbs
[example] sms_collmove.vbs collroot abc0019a abc0014a


strSMSServer = "<SMS Server Name>"

Set objArguments = WScript.Arguments
If objArguments.Count <> 3 Then
    ListHelp
    WScript.Quit 1
End If

strOldParentColl = UCase(objArguments(0)) 'old parent collection ID (COLLROOT if there isn't one)
strNewParentColl = UCase(objArguments(1)) 'new parent collection ID
strSubColl =       UCase(objArguments(2)) 'collection ID to link

' Connect to the provider for the local site
Set objLoc =  CreateObject("WbemScripting.SWbemLocator")
Set objSMS = objLoc.ConnectServer(strSMSServer, "root\sms")
Set Results = objSMS.ExecQuery("SELECT * From SMS_ProviderLocation WHERE ProviderForLocalSite = true")
For Each Loc in Results
    If Loc.ProviderForLocalSite = True Then
        Set objSMS = objLoc.ConnectServer(Loc.Machine, "root\sms\site_" & Loc.SiteCode)
    End If
Next

' Verify the new link would not create a loop in the collection tree
Set ColSvcs = objSMS.Get("SMS_Collection")
ColSvcs.VerifyNoLoops "SMS_Collection.CollectionID=""" & _
    strNewParentColl & """", "SMS_Collection.CollectionID=""" & _
    strSubColl & """", Result

If Result = 0 Then
    WScript.Echo "Link would cause looping condition, exiting"
    WScript.Quit 1
End If

' 1. Add the new collection link (this has to happen before the delete)
Set objCol = objSMS.Get("SMS_CollectToSubCollect").SpawnInstance_()
objCol.parentCollectionID = strNewParentColl
objCol.subCollectionID = strSubColl
objCol.Put_
WScript.Echo "Added collection link: " & strSubColl & " to " & strNewParentColl & " ..."

' 2. Delete the old collection link
Set Coll = objSMS.ExecQuery("select * from sms_collecttosubcollect where parentcollectionid= '" & _
    strOldParentColl & "' and subcollectionid = '" & strSubColl & "'")

For Each colitem In Coll
    WScript.Echo "Deleting subcollection link: " & colitem.subcollectionid & " from " & strOldParentColl & " ..."
    colitem.Delete_
Next

Function ListHelp
    WScript.Echo VbCrLf & "SMS Change Parent Collection" & VbCrLf & VbCrLf & _
        "[Usage  ]   sms_collmove.vbs <old parent> <new parent> <subcollection>" & VbCrLf & VbCrLf &_
        "[Example]   sms_collmove.vbs collroot abc0019a abc0014a" & VbCrLf & _
        "              - Transfers subcollection ABC0014A to new parent" & VbCrLf &_
        "              - ABC0019A from old parent COLLROOT" & VbCrLf & VbCrLf &_
        "[Misc   ]   Use COLLROOT as the old parent if the" & VbCrLf &_
           "        subcollection does not have a parent."
End Function

Aug 17, 2007

sms: selecting objects not in a collection

if you were interested in a way of retrieving objects into a collection that don't exist in another collection, it's actually not very difficult. for example, you have a collection of clients with antivirus.  now you want to create a collection of clients that do not have antivirus.  instead of creating a new one, you run subselect to bring back all the clients that are not in the original antivirus collection.

the only thing you have to know is the collection id of the collection that you want to check. for the samples below, note that [collid] is a generic tag for your collection ids. if you examine the root\sms\site_<sitecode> namespace of your sms server, you'll see a list of classes, one per collection, named sms_cm_res_coll_[collid].

this is what you need to build your subselect query. if you query one of those classes in wbemtest, with something like select * from sms_cm_res_coll_[collid], you should get back one instance per member, each carrying that member's resourceid.

i was showing that part just to demonstrate that querying the collection id from wmi in this manner does indeed produce the members of the collection. now to put it all together, this is how you'd build your subselect query (the subselect has to be wrapped in parentheses):

select sms_r_system.resourceid, sms_r_system.name
from sms_r_system
where resourceid not in (
    select sys.resourceid
    from sms_cm_res_coll_[collid] as coll, sms_r_system as sys
    where sys.resourceid = coll.resourceid)

in effect, this would be the same as building a collection that's limited to another collection. the only difference is that when you're using limiting collections, you can't specify to retrieve where a machine doesn't exist in a certain collection.

(btw, you can execute that wql query in wbemtest. works quite nicely. output has a lot to be desired though...)

as a follow on note, kim oppalfens wrote this little post recently on figuring out the collectionid for linked collections.

Aug 3, 2007

mom: icmp pings for servers...

most of you are probably familiar with the icmpping script available from huntland services. one of the admins i work with wanted something that would do the same type of functionality but work for a list of servers. i took it a tiny step further and had it read from an ou instead of a text file. you'll want to modify this part to reflect your environment:
oCommand.CommandText = "<LDAP://" & sSiteName & ">;" & _
    "(&(objectClass=Computer)(objectCategory=Computer));name"
sSiteName is the variable that you can specify in your parameters location. you could even put the path directly into the script and bypass all that. anyway, here's the script! i tried to put it in this post... but you know how those translations go. :) have fun!
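an added example of mine, not the mom script from this post: the same ldap filter read with a directorysearcher, then one ping per computer and a list of the ones that didn't answer. the ou path is an assumption, and powershell 2.0 or later is assumed for Test-Connection -Quiet.

```powershell
# added example, not from the post: enumerate computer objects under an ou and ping each one.
function Get-OuComputer {
    param([string]$OuPath)   # e.g. 'OU=Servers,DC=contoso,DC=com' (assumption)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OuPath")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(&(objectClass=computer)(objectCategory=computer))'
    $searcher.PageSize = 500    # paged results, so an ou with more than 1000 computers isn't silently truncated
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')
    [void]$searcher.PropertiesToLoad.Add('name')
    foreach ($r in $searcher.FindAll()) {
        # prefer the fqdn; fall back to the short name for objects that never registered one
        if ($r.Properties['dnshostname'].Count -gt 0) { $r.Properties['dnshostname'][0] }
        else { $r.Properties['name'][0] }
    }
}

function Test-OuComputer {
    param([string]$OuPath, [int]$Count = 2)
    foreach ($name in Get-OuComputer -OuPath $OuPath) {
        $up = Test-Connection -ComputerName $name -Count $Count -Quiet -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{ Computer = $name; Up = [bool]$up }
    }
}

# usage: everything in the ou that did not answer
Test-OuComputer -OuPath 'OU=Servers,DC=contoso,DC=com' | Where-Object { -not $_.Up }
```

keep in mind what "down" means here: a box that drops icmp at its firewall, or a stale computer object nobody cleaned up, lands in the same list as a server that is actually off.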

Jul 19, 2007

sms: forcing child sites to show up in the parent hierarchy...

this was recently posted on the myitforum mailing list. it's worth archiving for later reference. :) question:
I have a secondary site that shows its parent site as the primary, which is good. In my SMS console, I have registered my central site database and my primary site database. When I drill down to the secondary site in question from the central site, I can see it, BUT if I drill down to the secondary site from the primary it is not there?? Any one ever see this?
Copy the site control file from the secondary site and rename it to *.CT2. Copy the renamed file into the HMAN.BOX on the parent primary and it will show up after it gets processed. This resolves the immediate problem of not seeing the secondary from the primary. You may need to take a look at the SENDER.LOG to determine why it isn't communicating. Thanks, Mark A. Mears, Sr.

os: tcpip offloading and windows server 2003...

recently, we had problems with the [t]cpip [o]ffload [e]ngine features on a nic that caused all kinds of bizarre problems. apparently if you have a nic that supports the scalable networking pack features included in windows server 2003 sp2, these features kick in once the service pack is on. the guys over at msexchangeteam.com posted this very nice write up on their blog.

if you're planning on upgrading ... this is a must read.
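an added example of mine, not from the post or the linked write up: report the three snp switches (tcp chimney, rss, tcpa) on a 2003 sp2 box from the Tcpip\Parameters registry values microsoft documents for them, and optionally set all three to 0. whether a given nic actually offloads is a driver matter; this only covers the os-side switches.

```powershell
# added example, not from the post: audit and disable the snp features via their documented registry values.
$SnpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$SnpValues = 'EnableTCPChimney', 'EnableRSS', 'EnableTCPA'

function Get-SnpState {
    $props = Get-ItemProperty -Path $SnpKey
    foreach ($name in $SnpValues) {
        $val = $props.$name
        New-Object PSObject -Property @{
            Feature = $name
            Value   = $(if ($val -eq $null) { '(not set)' } else { $val })
            Off     = ($val -ne $null -and [int]$val -eq 0)   # only an explicit 0 counts as disabled
        }
    }
}

function Disable-Snp {
    # writes 0 for all three; needs local admin, and restart afterwards to be sure it took
    foreach ($name in $SnpValues) {
        Set-ItemProperty -Path $SnpKey -Name $name -Value 0 -Type DWord
    }
    Get-SnpState
}

Get-SnpState | Format-Table Feature, Value, Off -AutoSize
# Disable-Snp
```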

here's a few articles related to this as well:

Jul 11, 2007

ds: another tool to add to your sysinternals toolbelt...

this was released recently, and everyone is blogging or posting about it. i might as well join in. :) anyway, it's called adexplorer, brought to you from the same guys that bring you all those nice sysinternals tools. this isn't the only free ldap browser out there though. there is the softerra ldap browser which is also pretty nice.

Jul 6, 2007

mom: subnet missing from ad site configuration

if you've upgraded your domain controllers to windows 2003 (and i hope by now you have), you won't be able to pick up these events anymore:

Event Type: Information
Event Source: NETLOGON
Event Category: None
Event ID: 5778
User: N/A
Computer: 'Computer Name'
Description: 'Computer Name' tried to determine its site by looking up its IP address ('Computer IP Address') in the Configuration\Sites\Subnets container in the DS. No subnet matched the IP address. Consider adding a subnet object for this IP address.

instead, you get this type of event message that really doesn't help at all:
Event Type: Information
Event Source: NETLOGON
Event Category: None
Event ID: 5807
User: N/A
Computer: 'Computer Name'
Description: During the past 4.22 hours there have been 26 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites. The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes. The current maximum size is 20000000 bytes. To set a different maximum size, create the above registry value and set the desired maximum size in bytes.
if you're still interested in these messages, you can create a new type of rule, pulling from a different location instead. the first thing you'll need to do is create a new provider. in my case, i named it something silly like... netlogon log. here are the parameters:
  • provider name: netlogon log
  • provider log type: generic single-line log file
  • directory: c:\windows\debug
  • format: generic
  • file pattern: netlogon.log
now create a new rule with the netlogon log provider that we created above. i set the criteria to:
description contains substring ': NO_CLIENT_SITE:'
now you can set it to alert or just collect the event data. it'll read the netlogon.log file and send up an event every time a line matching the description above shows up. the event data will look like this:
DIR:C:\Windows\debug, Log Directory
FIL:Netlogon.log, Log File
FMT: Generic Single-Line Log File Format, File Format
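an added example of mine, not from the post: the same NO_CLIENT_SITE lines pulled straight out of netlogon.log (the 5807 text above says the first word after the marker is the client name and the second is its ip) and rolled up per /24, which is usually the subnet object you end up creating. the sample lines are constructed, not a real log; powershell 2.0 or later is assumed.

```powershell
# added example, not from the post: summarize clients with no matching ad subnet from netlogon.log.
function Get-NoClientSiteEntry {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match 'NO_CLIENT_SITE:\s+(?<name>\S+)\s+(?<ip>\d{1,3}(\.\d{1,3}){3})') {
            New-Object PSObject -Property @{
                Client = $matches.name
                IP     = $matches.ip
                Prefix = ($matches.ip -replace '\.\d{1,3}$', '.0/24')   # /24 is a guess at the missing subnet
            }
        }
    }
}

function Get-MissingSubnetSummary {
    param([string[]]$Lines)
    Get-NoClientSiteEntry -Lines $Lines |
        Group-Object Prefix |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Prefix';  e = { $_.Name } },
                      @{ n = 'Hits';    e = { $_.Count } },
                      @{ n = 'Clients'; e = { ($_.Group | ForEach-Object { $_.Client } | Sort-Object -Unique) -join ', ' } }
}

# constructed sample lines in the netlogon.log style, not a real log
$sample = @(
    '07/06 09:12:01 [MISC] CONTOSO: NO_CLIENT_SITE: WKS0123 10.44.7.15',
    '07/06 09:12:09 [MISC] CONTOSO: NO_CLIENT_SITE: WKS0124 10.44.7.16',
    '07/06 09:13:40 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKS0123 Entered',
    '07/06 09:14:02 [MISC] CONTOSO: NO_CLIENT_SITE: LAP0077 192.168.250.3',
    '07/06 09:15:17 [MISC] CONTOSO: NO_CLIENT_SITE: WKS0123 10.44.7.15'
)
Get-MissingSubnetSummary -Lines $sample | Format-Table -AutoSize
# on a dc: Get-MissingSubnetSummary -Lines (Get-Content "$env:SystemRoot\debug\netlogon.log")
```

with the sample above you get 10.44.7.0/24 with 3 hits from WKS0123 and WKS0124, and 192.168.250.0/24 with 1 hit from LAP0077. the /24 grouping is only a hint; a dhcp scope that is really a /22 will show up as four rows.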

ds: enumerating dns ptr records with dnscmd...

wow, what a fun topic. :/ it was a little confusing so i figured i'd post it as a gentle reminder for later when i completely forget. let's assume you have a reverse lookup zone of 10.x.x.x. if you want to pull the records for 10.1.1 for example, you could run the command like this:
dnscmd /enumrecords 10.in-addr.arpa. 1.1
it doesn't actually show you semantically how all this gets put together, unless you fork it up like i did. here's the output of an incorrect command format:
c:\>dnscmd /enumrecords 10.in-addr.arpa. 10.1.1

DNS Server failed to enumerate records for node
    Status = 9714 (0x000025f2)

Command failed:  DNS_ERROR_NAME_DOES_NOT_EXIST     9714  (000025f2)

if you notice, it appends the requested node name 10.1.1 to the 10.in-addr.arpa zone name, so it's looking for 10.1.1.10.in-addr.arpa. since that doesn't exist, it fails. one more thing to keep straight: the node is written in reverse octet order relative to the zone, so 10.1.2 is node 2.1 (10.1.1 just happens to read the same both ways). moving on... i think in older versions, you had to include the "." following the zone, like "10.in-addr.arpa." instead of "10.in-addr.arpa". in either case, it works. you can see though, in the failed command context, it shows two dots trailing. coffee time.

Jul 3, 2007

sms: advertising packages based on status message

i have no idea what to call this particular post. i mean, it's the day before the 4th of july... so i could call it something like... making fireworks with sms? i don't know.

the whole thing started off when i was down visiting with a site system. they pointed out that some of their clients were failing to patch. further examination revealed that these clients looked healthy. wiping vpcache, reinstalling the client, etc... just wasn't doing it.

examining the scan process showed that smswushandler.log was where the real problems were stemming from. anyway, i found that some of their failures had a common execution status of 11412. the unfortunate part of this error code is that it can mean different types of scan failures, including down-level or broken windows update agents. in my case, i wanted to break it up into two distinct things so that i could correct both client problems, because 11412 isn't distinct enough to handle with one method of remediation.

i used the idea of health collections to build this scenario. i had some leftover collection structure from an original one that i got from chris sugdinis. building the passing collections for windows update agent made it easy to pick out the broken windows update agents. for any that passed the version criteria, i used collection limits to bring those into the new collection, where i used the sms_clientadvertisementstatus class to pull back the 11412 results. (this method of creating queries is noted by eric holtz and greg ramsey.) here's the criteria i used:


select sys.ResourceID, sys.ResourceType, sys.Name, sys.SMSUniqueIdentifier,
       sys.ResourceDomainORWorkgroup, sys.Client
from sms_r_system as sys
inner join SMS_ClientAdvertisementStatus as cas on sys.ResourceID = cas.ResourceID
where cas.AdvertisementID in ('xyz00001','xyz00002','xyz00003')
  and cas.lastexecutionresult = 11412
  and cas.laststate = 11


the values in the parentheses are the advertisement ids in my environment. now what to do with this new collection? target them for repair. here's a batch command you can use to do just this.
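an added example of mine, not from this post or the aug 17 one on subselects: both wql patterns used on this page (the "not in collection" subselect and the join to SMS_ClientAdvertisementStatus) run from powershell against the sms provider, with the provider-location lookup the vbscript on this page does. the site server name and every id below are assumptions; powershell 2.0 or later is assumed.

```powershell
# added example, not from the blog: the two collection-style wql queries from this page, from powershell.
function Get-SmsSiteNamespace {
    param([string]$SiteServer)
    $loc = Get-WmiObject -ComputerName $SiteServer -Namespace 'root\sms' `
        -Query 'SELECT Machine, SiteCode FROM SMS_ProviderLocation WHERE ProviderForLocalSite = true' |
        Select-Object -First 1
    if (-not $loc) { throw "no local sms provider found via $SiteServer" }
    New-Object PSObject -Property @{ Machine = $loc.Machine; Namespace = "root\sms\site_$($loc.SiteCode)" }
}

function New-NotInCollectionQuery {
    # the id is spliced into a class name and the query text, so only accept the 8-character sms id form
    param([ValidatePattern('^[A-Za-z0-9]{8}$')][string]$CollectionId)
    @"
select sms_r_system.ResourceID, sms_r_system.Name
from sms_r_system
where ResourceID not in (
    select sys.ResourceID
    from sms_cm_res_coll_$CollectionId as coll, sms_r_system as sys
    where sys.ResourceID = coll.ResourceID)
"@
}

function New-FailedAdvertQuery {
    param(
        [ValidatePattern('^[A-Za-z0-9]{8}$')][string[]]$AdvertisementIds,
        [int]$LastExecutionResult = 11412,
        [int]$LastState = 11
    )
    $idList = [string]::Join(',', @($AdvertisementIds | ForEach-Object { "'$_'" }))
    @"
select sys.ResourceID, sys.Name, cas.AdvertisementID, cas.LastExecutionResult
from sms_r_system as sys
inner join SMS_ClientAdvertisementStatus as cas on sys.ResourceID = cas.ResourceID
where cas.AdvertisementID in ($idList)
  and cas.LastExecutionResult = $LastExecutionResult
  and cas.LastState = $LastState
"@
}

function Invoke-SmsQuery {
    param($Site, [string]$Query)
    Get-WmiObject -ComputerName $Site.Machine -Namespace $Site.Namespace -Query $Query
}

# usage (server and ids are assumptions)
$site = Get-SmsSiteNamespace -SiteServer 'smsserver01'
Invoke-SmsQuery $site (New-NotInCollectionQuery -CollectionId 'XYZ00012') |
    Select-Object ResourceID, Name
# join results come back with the two aliased classes embedded as sys and cas
Invoke-SmsQuery $site (New-FailedAdvertQuery -AdvertisementIds 'XYZ00001','XYZ00002','XYZ00003') |
    ForEach-Object { New-Object PSObject -Property @{
        Name = $_.sys.Name; Advert = $_.cas.AdvertisementID; Result = $_.cas.LastExecutionResult } }
```

the ValidatePattern checks are there because anything else you put in those parameters ends up verbatim in the query; the ids are the only thing that should ever get there.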

Jul 2, 2007

os: capturing packet traces in such a clever way...

microsoft pss referred me to this great article on how to capture netmon traces (and stop them when a certain criterion is met). there were a few differences between our situation and what's in the article: we needed to look for an event on one machine and stop the trace on an entirely different machine. here's the command line i used:

nmcap /network * /capture /file c:\temp\myCapture.cap:200M /stopwhen /frame "ipv4.SourceAddress== and ipv4.DestinationAddress==" /DisableConversations
here's what the switches mean:
  • nmcap - this file is usually located under c:\program files\microsoft network monitor 3.0
  • /network * - selects all network adapters, wildcard capable
  • /capture - capture packets
  • /file - capture to the file c:\temp\myCapture.cap
  • :200M - sets myCapture.cap to a circular 200MB
  • /stopwhen - specifies to look for a condition on when to stop (in this case what's defined in /frame)
  • /frame - filter that matches a packet by its ipv4 source and destination addresses (the two values you supply; in our case the triggering machine and the capture machine)
  • /disableconversations - this is discussed in the linked article, basically helps save memory consumption
putting it all together, the machine that triggers the event has a script running on it that detects an event id. when the event id is found, the script pings the other machine. once the packet comes across on the other machine, with the source/destination matching up to what's in "/frame", it stops the capture.
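an added example of mine, not from the post or the linked article: the "trigger" side of the setup described above. it polls an event log for a given event id and, the first time one shows up, sends a single icmp echo to the capture box, which is what the /stopwhen /frame filter over there is waiting for. log name, event id and host name are assumptions; powershell 2.0 or later is assumed.

```powershell
# added example, not from the post: watch for an event id, then ping the capture box to stop nmcap.
function Wait-EventThenPing {
    param(
        [string]$LogName = 'Application',
        [int]$EventId,
        [string]$CaptureHost,
        [int]$PollSeconds = 5,
        [int]$Window = 500      # recent entries scanned per poll; raise it on a busy log
    )
    $since = Get-Date
    while ($true) {
        $hit = Get-EventLog -LogName $LogName -Newest $Window |
               Where-Object { $_.EventID -eq $EventId -and $_.TimeGenerated -ge $since } |
               Select-Object -First 1
        if ($hit) {
            Write-Host ("event {0} logged at {1}; pinging {2} to stop the capture" -f $EventId, $hit.TimeGenerated, $CaptureHost)
            # one echo request from this host to the capture host is the stop condition
            [void](Test-Connection -ComputerName $CaptureHost -Count 1 -Quiet -ErrorAction SilentlyContinue)
            return $hit
        }
        Start-Sleep -Seconds $PollSeconds
    }
}

# capture box (the command from the post, with the two addresses taken from your environment):
#   nmcap /network * /capture /file c:\temp\myCapture.cap:200M /stopwhen /frame "ipv4.SourceAddress==<trigger host ip> and ipv4.DestinationAddress==<capture box ip>" /DisableConversations
# trigger box (event id and host are assumptions):
Wait-EventThenPing -LogName 'System' -EventId 1074 -CaptureHost 'capturebox01'
```

the script only looks at the newest $Window entries each poll, so on a log that writes more than that between polls, either raise the window or shorten the interval.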

mom: reporting on security event data

another mom blogger, bryce kinnamon, wrote up this nifty blog. i'm blogging about it in case you missed it. typically the problem with reporting security event data is that the data itself is all clogged up in the description field. using patindex, bryce shows a clever way to break this up into distinct columns. very nice.

misc: new mom mvp!

i just heard that anders bengtsson was finally awarded a mvp yesterday. this guy has been doing some great work. i've been watching to see just when he'd get his nom. looks like it finally came through! congratulations to you, anders. keep up the great work supporting the community. (looks like i'll have to pay attention to what he says now... :/ ...)

Jun 4, 2007

misc: technet simulcast from teched 2007 (minasi)

in case you're interested, there's a simulcast of one of minasi's sessions on command-line server management. here's the link: Command Microsoft Windows from C: ... and Get Ready for Server Core! (Level 300)

misc: reference guides for scripting...

this stuff is pretty cool! granted, you probably have most of these in a boilerplate already... but if you don't, this is great reference material. there's one for vbscript and powershell. vbscript reference powershell reference

May 30, 2007

sms: customizing advanced client local policies

nearly missed this gem. here's a great technet article that should get you started on customizing local client policies. there are myriad opportunities that stuff like this could be vitally important. think boiler plate. once you have something, you could modify your script to accept different command-line parameters and issue those over sms as a part of some overall customizer package. http://www.microsoft.com/technet/technetmag/issues/2006/09/CustomizeSMS/

May 29, 2007

mom: trimming noise...

here are the queries i usually use to help isolate noise: two for alerts, two for events and one for performance data. generally, i run these about once a week to see what's going on. anyway, it's pretty cool to see what kind of events/performance data is coming in, what the highest offenders are, etc. two of these will look very familiar (since they come with your mom installation). alerts:
SELECT  TOP 10 [Name], COUNT(TimeRaised) AS [AlertCount]
FROM  SDKAlertView
GROUP BY [Name]
ORDER BY [AlertCount] DESC

SELECT  TOP 10 [Name], SUM(RepeatCount) AS [AlertCount-Suppressed]
FROM  SDKAlertView
GROUP BY [Name]
ORDER BY [AlertCount-Suppressed] DESC
events:
SELECT  CONVERT(char(10), TimeGenerated, 101) AS [Events Date (by Day)],
  COUNT(*) AS [Number of Events], Message
FROM  SDKEventView
GROUP BY CONVERT(char(10), TimeGenerated, 101), Message
ORDER BY [Events Date (by Day)] DESC

SELECT  NTEventID, COUNT(*) AS [Number of Events], Message
FROM  SDKEventView
GROUP BY NTEventID, Message
ORDER BY [Number of Events] DESC
performance data:
SELECT  TOP 100 PerformanceCounterName, COUNT(*) AS [Samples]
FROM  SDKPerformanceView
GROUP BY PerformanceCounterName
ORDER BY COUNT(*) DESC

May 22, 2007

sms: sms collection evaluator message id 620

if you find these populating your collection evaluator status messages, it's probably because of a data type mismatch in your query somewhere. here's a sample status message:
Microsoft SQL Server reported SQL message 245, severity 16: [22018][245][Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value 'myMachineName' to data type int.
doesn't really give you much to go on. to get more details, open up colleval.log. the easiest way to pinpoint the problem is to look for the date/time from the status message (or something close to it) in the log. in the log file, the error message shows up. it looks like this:
*** [22018][245][Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value 'myMachineName' to data type int.
following pretty closely, you'll see another line that might look something like this:
Could not refresh collection XYZ00012. Will retry later.
now we're getting somewhere. we have a collection id that we can go interrogate to see what in the query is quite possibly not right. in my case, extremely possible. :) just as a fyi, looking into the collection, it was discovered that a subselect query was comparing resource id against a list of values built from system name. since resource id is an int and system name is a varchar, the comparison fails with exactly this conversion error.
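an added example of mine, not from the post: walk colleval.log, catch the sql error lines and attach the collection id from the "Could not refresh collection" line that follows each one, so you get straight to the collection to interrogate. the sample lines below are constructed around the two messages quoted above, and the log path is an assumption; powershell 2.0 or later is assumed.

```powershell
# added example, not from the post: pair each sql error in colleval.log with the collection it broke.
function Find-CollEvalFailure {
    param([string[]]$Lines)
    $pending = $null
    foreach ($line in $Lines) {
        if ($line -match '\*\*\*\s+(?<err>\[\w+\]\[\d+\].*)$') {
            $pending = $matches.err          # hold the error until we learn which collection it belongs to
            continue
        }
        if ($pending -ne $null -and $line -match 'Could not refresh collection (?<id>[A-Za-z0-9]{8})') {
            New-Object PSObject -Property @{ CollectionId = $matches.id; Error = $pending }
            $pending = $null
        }
    }
}

# constructed sample in the colleval.log style, not a real log
$sample = @(
    'Refreshing collection XYZ00012 ...',
    '*** [22018][245][Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value ''myMachineName'' to data type int.',
    'Could not refresh collection XYZ00012. Will retry later.',
    'Refreshing collection XYZ00013 ...',
    'Collection XYZ00013 refreshed.'
)
Find-CollEvalFailure -Lines $sample | Format-List
# live (path is an assumption):
# Find-CollEvalFailure -Lines (Get-Content 'C:\SMS\Logs\colleval.log') | Sort-Object CollectionId -Unique
```

with the sample you get one object: CollectionId XYZ00012 with the conversion error attached. the Sort-Object -Unique in the live version matters because colleval retries, so the same failure repeats every cycle.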

misc: atlanta smug 6/13/07

southeast management user group (atlanta)! it's coming up again. mark your calendars and get registered. sign up link below... look forward to seeing you there.
   8:30-9:00am  Light Breakfast
  9:00-10:00am  Introduction to System Center Configuration Manager 2007
 10:00-11:00am  Using System Center Data Protection Manager 2007 to protect
                and recover Exchange Server, Microsoft SQL Server, SharePoint
                Portal Server, as well as Windows file services
 11:15-11:30am  Break
 11:30-12:30pm  (Working Lunch) - Using System Center Operations Manager 2007
                to meet Regulatory Compliancy Needs
  12:30-1:45pm Deploying Vista Today with SMS 2003 and Deploying Vista and
                Windows Server 2003 in the future with System Center
                Configuration Manager 2007
   1:45-2:00pm Break
   2:00-3:30pm How to monitor your Core Infrastructure and Distributed
                Applications with System Center Operations Manager 2007
Registration Links
  • Charlotte Southeast Management User Group Meeting June 6 (Event ID 1032340757): http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032340757&Culture=en-US
  • Atlanta Southeast Management User Group Meeting June 13 (Event ID 1032340758): http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032340758&Culture=en-US
  • Raleigh Southeast Management User Group Meeting June 26 (Event ID 1032340759): http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032340759&Culture=en-US

May 21, 2007

sms: advanced client policies takes a long time to apply

after you tell an advanced client to retrieve policies, you may notice there's a little bit of a delay from retrieval to application. microsoft is instilling the value of patience by forcing a two-minute delay between these steps. here's jeff's response on the myitforum mailing list thread:
Don't forget that there is a built in two minute delay between when a client downloads a new policy and evaluates/applies it. This delay is by design in case there are a lot of policies that need to be downloaded before the client starts compiling them. ~Jeff

as an update, phil wilcock wrote up this blog entry noting how to remove the two minute delay. basically, you compile a mof which changes the policy agent settings in wmi on the client (replace SMS:XXX with your own site code first). here's the contents:


#pragma namespace("\\\\.\\root\\ccm\\policy\\machine\\Requestedconfig")
instance of CCM_PolicyAgent_Configuration
{
    PolicySource = "Local";
    PolicyDownloadMethod = "BITS";
    PolicyEnableUserGroupSupport = true;
    PolicyRequestAssignmentTimeout = 65;
    PolicyTimeUntilAck = 43200;
    PolicyTimeUntilExpire = 86400;
    AuthorityName = "SMS:XXX";
    PolicyTimeUntilUpdateActualConfig = 0;
};
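an added example of mine, not from the post or phil's entry: generate that requestedconfig mof from the values the client currently reports instead of hand-editing AuthorityName, compile it with mofcomp and read it back. reading the running values from root\ccm\policy\machine\ActualConfig is my assumption; the namespace, class and property names in the mof itself are the ones above. powershell 2.0 or later is assumed.

```powershell
# added example, not from the post: build and compile the local policy agent override mof.
function New-PolicyAgentOverrideMof {
    param([string]$OutFile = (Join-Path $env:TEMP 'policyagent-override.mof'))
    # assumption: the running settings live in ActualConfig under the same class name
    $cur = Get-WmiObject -Namespace 'root\ccm\policy\machine\ActualConfig' -Class CCM_PolicyAgent_Configuration |
           Select-Object -First 1
    if (-not $cur) { throw 'CCM_PolicyAgent_Configuration not found; is the advanced client installed?' }
    $userGroups = $(if ($cur.PolicyEnableUserGroupSupport) { 'true' } else { 'false' })
    $mof = @"
#pragma namespace("\\\\.\\root\\ccm\\policy\\machine\\Requestedconfig")
instance of CCM_PolicyAgent_Configuration
{
    PolicySource = "Local";
    PolicyDownloadMethod = "$($cur.PolicyDownloadMethod)";
    PolicyEnableUserGroupSupport = $userGroups;
    PolicyRequestAssignmentTimeout = $($cur.PolicyRequestAssignmentTimeout);
    PolicyTimeUntilAck = $($cur.PolicyTimeUntilAck);
    PolicyTimeUntilExpire = $($cur.PolicyTimeUntilExpire);
    AuthorityName = "$($cur.AuthorityName)";
    PolicyTimeUntilUpdateActualConfig = 0;
};
"@
    Set-Content -Path $OutFile -Value $mof -Encoding ASCII
    $OutFile
}

function Install-PolicyAgentOverrideMof {
    $file = New-PolicyAgentOverrideMof
    & "$env:SystemRoot\system32\wbem\mofcomp.exe" $file
    if ($LASTEXITCODE -ne 0) { throw "mofcomp failed with exit code $LASTEXITCODE for $file" }
    # read the local override back out of requestedconfig
    Get-WmiObject -Namespace 'root\ccm\policy\machine\Requestedconfig' -Class CCM_PolicyAgent_Configuration |
        Where-Object { $_.PolicySource -eq 'Local' } |
        Select-Object PolicySource, AuthorityName, PolicyTimeUntilUpdateActualConfig
}

Install-PolicyAgentOverrideMof
```

the point of copying AuthorityName from the client is that a local policy instance carrying the wrong site code simply doesn't apply, and nothing tells you why.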

May 2, 2007

ds: account policy settings

i've been asked this question more times than i can recall by auditing agencies, security, compliance regulation, etc. at first, i'd goof around the domain policy settings looking for this stuff. someone happened to ask me how to change a local admin password on a server. i suggested net and stumbled on this:
net accounts
Force user logoff how long after time expires?:       7
Minimum password age (days):                          7
Maximum password age (days):                          7
Minimum password length:                              7
Length of password history maintained:                7
Lockout threshold:                                    7
Lockout duration (minutes):                           7
Lockout observation window (minutes):                 7
Computer role:                                        WORKSTATION
if you want to see what it is for your domain, run net accounts /domain.
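an added example of mine, not from the post: turn the net accounts output into an object and flag the settings an auditor usually asks about. the thresholds are assumptions (adjust them to your policy), the sample output is constructed, and powershell 2.0 or later is assumed.

```powershell
# added example, not from the post: parse 'net accounts' and check it against a baseline.
function ConvertFrom-NetAccounts {
    param([string[]]$Lines)
    $map = @{
        'Minimum password age (days)'           = 'MinPasswordAgeDays'
        'Maximum password age (days)'           = 'MaxPasswordAgeDays'
        'Minimum password length'               = 'MinPasswordLength'
        'Length of password history maintained' = 'PasswordHistory'
        'Lockout threshold'                     = 'LockoutThreshold'
        'Lockout duration (minutes)'            = 'LockoutDurationMinutes'
        'Lockout observation window (minutes)'  = 'LockoutWindowMinutes'
        'Computer role'                         = 'Role'
    }
    $props = @{}
    foreach ($line in $Lines) {
        # "label:   value"; the label may contain '?' or parentheses, so match lazily up to the colon
        if ($line -match '^(?<k>.+?):\s+(?<v>\S.*?)\s*$' -and $map.ContainsKey($matches.k.Trim())) {
            $props[$map[$matches.k.Trim()]] = $matches.v
        }
    }
    New-Object PSObject -Property $props
}

function Test-AccountPolicy {
    param($Policy, [int]$MinLength = 8, [int]$MaxAgeDays = 90, [int]$MinHistory = 12, [int]$MaxLockoutThreshold = 10)
    $findings = @()
    if ($Policy.LockoutThreshold -eq 'Never') {
        $findings += 'no account lockout (threshold = Never): online password guessing is unthrottled'
    } elseif ([int]$Policy.LockoutThreshold -gt $MaxLockoutThreshold) {
        $findings += "lockout threshold $($Policy.LockoutThreshold) is above $MaxLockoutThreshold"
    }
    if ([int]$Policy.MinPasswordLength -lt $MinLength) {
        $findings += "minimum password length $($Policy.MinPasswordLength) is below $MinLength"
    }
    if ($Policy.MaxPasswordAgeDays -eq 'Unlimited') {
        $findings += 'passwords never expire'
    } elseif ([int]$Policy.MaxPasswordAgeDays -gt $MaxAgeDays) {
        $findings += "maximum password age $($Policy.MaxPasswordAgeDays) days is above $MaxAgeDays"
    }
    if ($Policy.PasswordHistory -eq 'None' -or [int]$Policy.PasswordHistory -lt $MinHistory) {
        $findings += "password history '$($Policy.PasswordHistory)' is below $MinHistory"
    }
    if ($findings.Count -eq 0) { 'ok' } else { $findings }
}

# constructed sample of 'net accounts' output from a workstation with the defaults loosened
$sample = @(
    'Force user logoff how long after time expires?:       Never',
    'Minimum password age (days):                          0',
    'Maximum password age (days):                          Unlimited',
    'Minimum password length:                              0',
    'Length of password history maintained:                None',
    'Lockout threshold:                                    Never',
    'Lockout duration (minutes):                           30',
    'Lockout observation window (minutes):                 30',
    'Computer role:                                        WORKSTATION',
    'The command completed successfully.'
)
Test-AccountPolicy (ConvertFrom-NetAccounts $sample)
# live, against the domain policy: Test-AccountPolicy (ConvertFrom-NetAccounts (net accounts /domain))
```

the sample produces four findings (no lockout, length 0, never expires, no history). the labels are whatever net.exe prints in your os language, so the $map keys are the first thing to touch on a non-english box.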

Apr 5, 2007

os: opening up windows server 2003 service pack 1 for practical functionality...

... or functional practicality or whatever. it's interesting that "secure" has made some things especially troublesome! for instance, out of the box, after applying service pack 1, querying wmi remotely with a non-administrator account fails. how do you fix it? you add the account you're using to the local administrators group. now that doesn't sound right since the idea is that we're securing things down. the challenge was to take a user account without elevated permissions and grant it the rights it needs to query wmi without the exposure of adding it to local administrators. it turns out there are three things you have to do to make this work:
  • add the user to "distributed com users" local group
  • grant permission to the wmi namespace for which you wish you allow access (in our case, cimv2)
  • grant permission to service control manager
add the user to "distributed com users" local group:
not much to explain for this. simply add the account to the local group named "distributed com users". i reference an article below. by following this step instead of what's in the article, you can skip anything past #10.
grant permission to the wmi namespace:
when you grant permission, you'll need to grant the following rights:
  • execute methods
  • enable account
  • remote enable
  • read security
you'll also need to grant this permission for "this namespace and all subnamespaces"
grant permission to service control manager:
this step is only necessary if you plan to allow your limited-rights user to query the win32_service class. using sc, you can view the current permissions on scmanager, like this:
  • sc sdshow scmanager
of course that's the easy part. you'll get a big, long sddl in response. assuming your result looks like mine, this is how you want to edit it. by the way, it's all one line in real-life:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;KAFALC;;;[your sid here])S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
remember, that line above is ONE LINE. remove the brackets (duh). put in the sid of the account that you want to grant access. you can use a tool like psgetsid to grab the sid value (or just open adsiedit). one caveat before you apply it: KA is full control, and on scmanager that includes SC_MANAGER_CREATE_SERVICE, which means the account could create a service that runs as localsystem. if all the account needs is to enumerate and query services, CCLCRPRC (the same rights interactive and service users already get in the default descriptor) is enough, so prefer (A;;CCLCRPRC;;;[your sid here]) for the new ace. once you've got it composed, use this command to apply it:
  • sc sdset scmanager [that long sddl above]
now if you want a really cheesy, automated method that you can deploy to your servers, here's a way to do it. btw, you'll need sc.exe (version specific mentioned in the microsoft article below):

sComputer = "."
Set oServices = GetObject("winmgmts:\\" & sComputer & "\root\cimv2")
Set oCIMV2 = oServices.Get("__SystemSecurity=@")
Set oShell = WScript.CreateObject("WScript.Shell")

' apply all three changes
SetWMIPerms
SetSvcsPerms
SetDCOMPerms

' wmi namespace: write the binary security descriptor captured from a correctly configured machine
Function SetWMIPerms
    sBinSDDL = Array([add binary sddl here])
    oCIMV2.SetSD sBinSDDL
End Function

' service control manager: the sddl from sc sdshow, with your ace added
Function SetSvcsPerms
    sCommand = "sc sdset scmanager [add that same long sddl]"
    oShell.Run sCommand,0
End Function

' dcom: local group membership for remote activation
Function SetDCOMPerms
    sCommand = "net localgroup " & Chr(34) & "Distributed COM Users" & Chr(34) &_
               " " & Chr(34) & "Domain\User" & Chr(34) & " /ADD"
    oShell.Run sCommand,0
End Function
maybe you're wondering how you get that binary sddl that's mentioned in the first function. if you modify a computer to have the correct permissions as noted in the second bullet, you can run this script against the machine. it'll echo back the binary sddl (looks like a long string of numbers and commas) that will contain the changes you've made. here's the cheesy code:
targetmachine = "."

Set objServices = GetObject("winmgmts:\\" & targetmachine & "\root\cimv2")
Set CimV2 = objServices.Get("__SystemSecurity=@")

' read the namespace security descriptor as a byte array
On Error Resume Next
ReturnValue = CimV2.GetSD(arrSD)

If Err <> 0 Then
    WScript.Echo "Method returned error " & ReturnValue
    WScript.Quit 1
End If
On Error GoTo 0

SDString = ""

For I = LBound(arrSD) To UBound(arrSD)
    SDString = SDString & arrSD(I) & ","
Next

SDString = Left(SDString, Len(SDString) - 1)
WScript.Echo SDString
once you have the binary sddl, drop it into the first function. don't forget to remove the [ ] brackets. good luck. :) credit: this article was a lot of help microsoft's article on applying sddl change on service control manager
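an added example of mine, not the blog's vbscript: the same three steps, but with the descriptors handled as sddl you can read (no binary blob to carry around) and with a least-privilege ace on scmanager rather than KA. the sid, the account name and the namespace are assumptions; the access-mask constants are the win32 SC_MANAGER_* and WBEM_* values. run it elevated on the target; powershell 2.0 or later is assumed.

```powershell
# added example, not from the post: grant a non-admin account wmi and scm read access with readable sddl.
function Add-AllowAce {
    param(
        [System.Security.AccessControl.RawSecurityDescriptor]$Sd,
        [string]$Sid,
        [int]$AccessMask,
        [System.Security.AccessControl.AceFlags]$Flags = 'None'
    )
    $who = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $ace = New-Object System.Security.AccessControl.CommonAce($Flags, [System.Security.AccessControl.AceQualifier]::AccessAllowed, $AccessMask, $who, $false, $null)
    # keep the dacl canonical: explicit aces go before any inherited ones (wmi namespaces inherit from root)
    $index = $Sd.DiscretionaryAcl.Count
    for ($i = 0; $i -lt $Sd.DiscretionaryAcl.Count; $i++) {
        if (([int]$Sd.DiscretionaryAcl[$i].AceFlags -band 0x10) -ne 0) { $index = $i; break }
    }
    $Sd.DiscretionaryAcl.InsertAce($index, $ace)
    $Sd
}

function New-ScManagerSddl {
    param([string]$CurrentSddl, [string]$Sid)
    # SC_MANAGER_CONNECT 0x1 (CC), ENUMERATE_SERVICE 0x4 (LC), QUERY_LOCK_STATUS 0x10 (RP), READ_CONTROL 0x20000 (RC):
    # what interactive users already hold, enough for win32_service queries, and no CREATE_SERVICE (0x2)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($CurrentSddl)
    (Add-AllowAce $sd $Sid (0x1 -bor 0x4 -bor 0x10 -bor 0x20000)).GetSddlForm('All')
}

function Grant-WmiNamespaceRead {
    param([string]$Namespace = 'root\cimv2', [string]$Sid, [switch]$WhatIf)
    # WBEM_ENABLE 0x1 (enable account), WBEM_METHOD_EXECUTE 0x2 (execute methods),
    # WBEM_REMOTE_ACCESS 0x20 (remote enable), READ_CONTROL 0x20000 (read security);
    # ContainerInherit is "this namespace and subnamespaces"
    $sec = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity
    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor(([byte[]]$sec.GetSD().SD), 0)
    [void](Add-AllowAce $sd $Sid (0x1 -bor 0x2 -bor 0x20 -bor 0x20000) 'ContainerInherit')
    $sddl = $sd.GetSddlForm('All')
    if (-not $WhatIf) {
        $bin = New-Object byte[] $sd.BinaryLength
        $sd.GetBinaryForm($bin, 0)
        $rc = $sec.SetSD($bin).ReturnValue
        if ($rc -ne 0) { throw "SetSD on $Namespace failed with $rc" }
    }
    $sddl
}

# usage (sid and account are assumptions)
$sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
net localgroup "Distributed COM Users" 'CONTOSO\wmireader' /add          # step 1: dcom
Grant-WmiNamespaceRead -Namespace 'root\cimv2' -Sid $sid                # step 2: wmi namespace
$current = (sc.exe sdshow scmanager | Where-Object { $_ -match '^D:' })  # step 3: scm
$new = New-ScManagerSddl -CurrentSddl $current -Sid $sid
sc.exe sdset scmanager $new
```

Grant-WmiNamespaceRead -WhatIf prints the sddl it would write without applying it, which is the version to paste into a change record; and because the scm descriptor is rebuilt from whatever sc sdshow returns on that box, it works on hosts whose default descriptor doesn't match the one in the post.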

Mar 21, 2007

sms: wbem_e_provider_load_failure causing odd sms client issues...

these are just as cryptic as they sound, since you don't really have any idea which provider is failing to load. the actual failure message looks like this: 0x80041013 - WBEM_E_PROVIDER_LOAD_FAILURE. your ccmexec.log may exhibit strange errors like this:
Error loading service settings. Code 0x80041013 Phase 0 initialization failed (0x80041013) Service initialization failed (0x80041013)
if you're seeing these strange error messages, here's something you can try to fix it up:
  1. switch over to %windir%\system32\wbem.
  2. register all of the .dlls in this directory. here's a way that microsoft support stated:
    • for /f %s in ('dir /b *.dll') do regsvr32 /s %s
  3. issue the following two commands:
    • wmiprvse /regserver
    • winmgmt /regserver
if this doesn't resolve it, try the steps again. this time, add in step 2b (below). i'm not sure under what condition this occurs, but we found that we had to register tscfgwmi.dll. you'd perform it doing this:
2b. regsvr32 %windir%\system32\tscfgwmi.dll
please let me know if this works for you. i'm curious how many others have experienced it.

Feb 23, 2007

ds: daylight saving time ... and the impatient user

a talented ad guru brought this to my attention. i thought it was strange and important enough for everyone (the three of you that may actually read my blog) ... you may be aware of this, but dst doesn't affect kerberos at all since kerberos only uses utc. there is still potential for problems, however. if a user moves their clock forward (or backward) by hand instead of letting the dst rules adjust it, they'll run into kerberos failures in the form of KRB_AP_ERR_SKEW: anything beyond the default 5 minute tolerance is rejected, since outside that window the kdc can't tell a stale authenticator from a replayed one. so with that in mind, you think... domain-joined resources will reset their times to the domain time. unfortunately, this only occurs in 8 hour intervals. of course, if the user just changes their time zone, this will not cause the same effect. they'll be fine. the time zone is a local offset which does not affect the utc value, unlike using the date/time applet to move the time forward/backward. hope this helps!

Feb 20, 2007

sms: sql 2005 sp2 is out! don't install it!

... at least not on your sms 2003 environment. sms 2003 sp3 is the only version that will support sql 2005 sp2. of course, you know sms 2003 sp3 is not out yet. hold off on your sql deployments until this new sms 2003 service pack is out.

Feb 15, 2007

os: default arp cache timeout (life)

this was such an obscure find that i thought i'd post it just to refer back to later. in case you were wondering, the 2003 arp cache keeps unused entries for 2 minutes and entries that are still being used for 10 minutes. here's the formal info (full reference is in this appendix): ArpCacheLife
  • Key: Tcpip\Parameters
  • Value Type: REG_DWORD—Number of seconds
  • Valid Range: 0–0xFFFFFFFF
  • Default: In absence of an ArpCacheLife parameter, the defaults for ARP cache time-outs are a two-minute time-out on unused entries and a ten-minute time-out on used entries.
  • Description: See ArpCacheMinReferencedLife

Feb 12, 2007

mom: what does maintenance mode speak to? (packet details)

i'm not sure why i never bothered to look at this before. i guess it piqued my interest because a coworker asked me what it needed to communicate with... the server or the agent? well, i fired up a packet sniffer and found this...

{MSRPC:456, TCP:455, IPv4:454} MSRPC 
MSRPC: c/o Response: unknown 
{MSRPC:456, TCP:455, IPv4:454} MSRPC 
MSRPC: c/o Request: unknown 
{MSRPC:456, TCP:455, IPv4:454} MSRPC 
MSRPC: c/o Response: unknown

there's really nothing relevant in the trace to look at. just the fact that the rpc traffic from where maintenance mode ran only goes to the mom agent. so, i guess it is true that maintenance mode uses the agent to communicate to the mom server.

this is kind of odd, i think... mostly because you can't use the command-line tool to set the machines in maintenance that are already down.  anyway, make sure the agent can communicate to the server and wherever you're running it from can communicate to the agent.

(you -> agent -> mom server)

Feb 1, 2007

misc: xian io demonstrations coming up...

for your considerations w/ scom, if you have network devices you plan to monitor, attend one of these sessions to see how jalasoft does it. they've been around forever doing mom integrations. :)

Presentation

We want to invite you to join this special Live Meeting where we will show the new features of Xian Io. Among the topics that we will cover are: Integration with Ops Mgr 07, the Network Scan Server task, configuring rules, performance data, Distributed Applications and receiving alerts. The live meeting will be conducted by Arnold Hagens – Product Marketing Manager.

Sessions

Four sessions will be held during the month of February on the following days:
  • Thursday, February 1st - 12:00 P.M. EST (Eastern Standard Time)
  • Thursday, February 8th - 12:00 P.M. EST (Eastern Standard Time)
  • Thursday, February 15th - 12:00 P.M. EST (Eastern Standard Time)
  • Thursday, February 22nd - 12:00 P.M. EST (Eastern Standard Time)

Questions and Confirmation

Questions and confirmation of your session can be sent to Claudia Ricaldez at claudia.ricaldez@jalasoft.com.

Jan 28, 2007

mom: monitoring active directory with mom (the article)

a good friend and fellow mvp, john hann, wrote up this nice little article which is definitely worth the read. he also mentioned yours truly in the article. :)

Jan 24, 2007

ds: old run history is cluttering your database...

and maybe you did or didn't know it. when this happens and you accumulate run history, some not so good stuff happens. for one, the database grows to proportions that should be saved for real space hogs like mom reporting servers. :) the second problem is that if you have to get rid of the agent for any reason, it will first want to remove all associated run histories. if you have too many of them, this operation can make trips to grandma's house short by comparison.

to keep that stuff under control, you can go into the identity manager console and delete it (actions | clear runs). imagine if you could clear all your runs like that... no embarrassing moments taking the donkey down the grand canyon. anyway, you have to do this manually to keep stuff under control.

if that isn't your bailiwick, may i suggest... the more graceful approach of using miisclearrunhistory.exe? using this command-line tool, it's just a matter of a few switches to keep your miis database trimmed down. you can find it in your miis resource kit. i had never heard of it until an acquaintance mentioned it to me. anyway, you can get it all setup just by doing something like this:
miisclearrunhistory.exe /pr: <# of days to retain> /y
that's it! of course, there are some other switches like date, time, credentials, logs, etc. not real useful if you're running it as a scheduled job though (except maybe saving the execution history to a specified file name).