Plain Text Prose

here's a query inspired by a post from garth jones for something sherry kissinger whipped up. this sql query basically gives you an output of all of your machines, with the type of chassis. select sys.name0 as 'Name' , sys.manufacturer0 as 'Manufacturer' , sys.model0 as 'Model' , case enc.chassistypes0 when 1 then 'Other' when 2 then 'Unknown' when 3 then 'Desktop' when 4 then 'Low Profile Desktop' when 5 then 'Pizza Box' when 6 then 'Mini Tower' when 7 then 'Tower' when 8 then 'Portable' when 9 then 'Laptop' when 10 then 'Notebook' when 11 then 'Hand Held' when 12 then 'Docking Station' when 13 then 'All in One' when 14 then &#

follow along with me on how disjointed this whole thing is. we've been on mom 2005 for quite awhile. after seeing some more than the usual amount of scripting errors and lock ups, i started looking into possible causes. i ran across the hotfix outlined in kb934441 . that's not uncommon, really. now the reason i went with this hotfix versus some others is because of the file version. this one updates to the latest of 5.0.2911.41 (in case you were wondering.) all that background aside, look at these instructions: To apply this hotfix, follow these steps: Copy the MOM2005-SP1-KB934441-X86-IA64-ENU.msi file to a local folder or to a shared folder on the network. If you use a shared folder, make sure that the computers that require this hotfix can access the folder. Log on to one of the computers that require this hotfix by using an account that has administrative credentials. Run the MOM2005-SP1-KB934441-X86-IA64-ENU.MSI file. (You can run the file

otherwise known as "i've been waiting for async query to complete! " i'm not entirely sure at this point whether or not i love or hate it when you hear the words "thank god you're here!" while you're walking to your desk in the morning. this is before you set your things down, while your lids are still half-shut... and certainly before your first good cup of coffee. i'm just glad most of the time it's someone cracking a joke. too bad it wasn't this morning. it's not that i'm saying it was a necessarily terrible thing. it's always great to have something new to discover, get frustrated with, and eventually conquer ... or most likely ... concede. today's problem du jour was a sms issue. (i'm sure you caught on to that by the title.) collection evaluator was taking a tremendously long time trying to refresh certain collections. the collection evaluator log indicated a problem like this: Preparing to refresh colle

this has been a total source of irritation since i've been a windows mobile user. i thought it was just a 5.0 thing and apparently never annoyed enough to check. when i found it happening on my 6.0, that's when i realized it was something worth looking into... if you have the same problem, the fix is in this blog post .

i forgot all about this thing.  it started cropping up in my environment but couldn't figure out why.  after awhile, it finally dawned on me.  the agent was reinstalled, but the computer table was never adjusted.  yeah, i wish i was making this up.  this happens when you monitor DCs in an untrusted forest or domain.  here's the article .  i particularly love the way it says this: WORKAROUND To work around this issue, install a separate MOM management group in each untrusted forest. Note This issue has been known to be partially resolved by the following method. First, apply MOM 2005 SP1. Then, use the Active Directory Topology Discovery script to enable the server fully qualified domain names (FQDNs) to be added to the Computer table. However, when you use this method, most of the scripts will continue to log errors. of course, it doesn't tell you how to resolve this.  in the onepoint database, there's a table called "computer".  there's

awhile back, greg ramsey and warren byle wrote this magnificent book called sms 2003 recipes: a problem-solution approach . it's the equivalent of the active directory cookbook for sms. it has all kinds of scripts that can help automate your environment. now, the best part is, the scripts are all free and available for download. it's a little cumbersome trying to find it... so for your reference, here's the link .

maybe this is old news. maybe i'm just getting around to hearing about it... or maybe we finally did something right? now we're seeing the problem. here's the deal... recently, we decided to move from our current tier administrative approach to a three-tier approach which truly separates user, server, and domain functions so that we can minimize accidental screw ups to some degree. in doing this, our server admin accounts were added to the sms servers. our user accounts were removed. keep some of the base functionality, we left our user accounts in our sms reporting groups. apparently after applying windows server 2003 sp1, there are some changes that need to occur for launching sms web reporting if your account is a member of the sms reporting users group but not the local administrators group. trying to launch results in an error like this: Server object error 'ASP 0178 : 80070005' Server.CreateObject Access Error /SMSReporting_093/ReportsNav.asp, line 1

i sent this out to the subscribed members of the atlanta smug. thought anyone else that's in the atlanta area might be interested in going. here are the details! obviously it's a british thing... look how tea is presented before coffee. anyway, drop me a line or leave a comment if you're going. would love to meet up! register here... 1E Road Show: Enterprise Solutions Atlanta Road Show, US: Thursday, 29 November 2007 Emory Conference Center Hotel 1615 Clifton Road Atlanta GA 30329 Tel: 404 712 6000 Website : www.emoryconferencecenter.com Location/Map : http://www.emoryconferencecente r.com/maps.html Note : Detailed event information will be provided on confirmation of registration. Morning – Technical Session 08:30 am – 09:00 am Registration and reception with tea & coffee 09:00 am – 09:30 am Guest introduction and their IT challenges - Courtney Austin, Marketing Manager and Bruce Walter, Business Manager, 1E 09:30 am – 10:45 am Microsoft Sys

as a part of trying to familiarize myself with powershell, i figured converting some of my favorite dsquery commands to it would be as good of a measure as any. the problem was, i had a hell of a time figuring it out! thankfully, hal was nice enough to help out... in order to get displayname and streetaddress from dsquery, you'd use a command like this: dsquery user -samid myUser | dsget user -display oh wait a second... there is no switch for streetaddress. all you'll get is something like this: display My User (Test) let's try that again... dsquery * -filter "(&(objectcategory=person)(samaccountname=myUser))" -attr displayname streetaddress in my case, i have multiple lines in my streetaddress attribute, which throws off the entire format. this is something i wanted to avoid so i seeked powershell as the answer (instead of writing a vbscript to handle it.) displayname streetaddress My User (Test) 2000 My Test A

in case you're asked for it, like i am, all the time, as in ... yesterday, today, tomorrow... Do not contain all or part of the user's account name. Contain characters from three of the following four categories: English uppercase characters (A through Z). English lowercase characters (a through z). Base-10 digits (0 through 9). Non-alphanumeric (for example, !, $, #, %). extended ASCII, symbolic, or linguistic characters. i believe in cases where it refers to "part of the user's account name" it specifically means 3 or more characters in a row. for example, since my name is "marcus" i can't have the letters "arc" or "rcu" or "mar" in my password. it's not referenced in the following article but is referenced in a sql 2005 article. anyway, here's more detail from the article ...

heard of this tool? just saw it come through activedir. check it out here: http://www.fcsovelto.fi/adae . here's a small blurb of what it does: ADAE (Active Directory Attribute Editor) enables you to add your own property pages (tabs) to the Active Directory Users and Computers. This way you can view and/or modify predefined attributes, such as user's EmployeeID, or any new attributes you or your applications have added to AD. look carefully on the page. read/write version costs money . read version is free.

i was on a field visit recently and came across an interesting dilemma.  the administrators i worked with indicated that the turnaround time on a newly imaged machine would be somewhere in the neighborhood of 48 hours.  this was something that i couldn't get my mind to engage.  if the image process itself took an hour or so, throw in a few minutes to unpack it, set it up, connect it, pop the disc in and run it, etc... why was it taking 48 hours or longer? well, it seemed that our antiquated imaging process caused delays of up to 48 hours before a newly imaged machine would receive all the required security updates. rather than using something like going to windows update, the administrators chose to let the process work through on its own.  looking into this, our problems were created by a couple of things that could easily be addressed. sms client installation script is only available as a machine startup gpo. this requires the machine to be rebooted twice. it had to receive t

this has actually been released for a little while. i don't know why i'm just getting around to posting it when i've known about it awhile. i generally post the things that i want to locate later... and i guess this hadn't bubbled to the top of that list yet. anyway, i was looking for it... so here it is for your information too. basically it'll show you before and after state changes. you run it before you make a change (like an installation) and then after. http://microsoft.mrmpslc.com/InnovateOnWindowsServer/resources.aspx

i was wondering if i got renewed this year because the renewals seemed to go out late. i found out on the evening of my renewal date that i am renewed. :)

ran into a problem today where an administrator told me that their "top 100 mailboxes by size" report stopped working. now, to define the boundaries of "stopped working", let's evaluate these few things: report works for other servers report worked a month ago i generally follow these basic rules to troubleshoot a report issue: check if the report contains data check if data exists in the console check if data exists in the reporting tables so going on the boundaries of "stopped working", we start with step 1. i open up the report to verify what the person telling me is the same thing i'm seeing. in this case, it actually was. :o i tried switching the report to a different server and data came up. i tried switching it to the problem server and no data existed. perplexing! i went to step 2. to make this easier, i created some custom performance views to look at the object "mcexchdg" breaking it down into "mailbox mb" a

if you've got the antigen management pack deployed, you might be seeing a lot of irritating noise that looks similar to this message: WARNING: are engine was not found on [servername]. Update number could not be retrieved. a little bit of investigation in the script, prompts this joyful discovery. as it turns out, the script has no provision for logging/not logging errors that may occur. the only parameter that changes logging effect is one to log to text. apparently these events aren't very important since there are no corresponding alerts. :| hmmm. since it's generating quite a bit of event noise, i decided to shut off this behavior. this was easy enough. in the code block below, you'll see where i simply commented the line that writes the mom event. it's on line 81. ... 'If Update number is null, the engine was not found in the registry If IsNull(UpdateNumber) or UpdateNumber = "" Then WriteLog "WARNING: " & EngineName &am

i guess i'm hooked because here i am again writing about this stuff. anyway, this was just too cool to pass up. using one line, you can compare two text files: compare-object $(get-content file1.txt) $(get-content file2.txt) didn't say the stuff was complicated. :)

i've been goofing off a little bit with powershell. it wasn't all the hype or fanfare from snover or the ps team or any of the other talented powershell people out there. it was a friend of a friend who kept talking about it until i was sick of hearing it. so, i spent a little time getting acquainted. turns out, it's pretty damn cool. it's more than hype... anyway, i took this post from ying li about manipulating datetime stamps on files. i thought i'd switch it into a one-liner... just for fun. here it is: gci | foreach {$_.lastwritetime = $(get-date).addminutes(5)}

well, during my travel, i find myself at a site whose collection management was a little sparse. to help move them along, i wrote up a script to move a collection to a new parent collection, through a command line. it was a little bit of a challenge because there weren't very many samples floating around. many thanks to dave lippa and the rest of the group at myitforum for their help! i shamelessly stole stuff out of greg ramsey's script. the script is located here . there's not that much to it, actually. you simply tell it the old parent, the new parent, and the id of the collection you're moving. i suppose it's more concept than anything else. it'd be easy to make this thing much more useful... but you know... necessity. less words. :| just keep in mind when doing something like this that in order to remove the current collection link, you have to add a new one. otherwise, it will go through as if it works but never remove it. order it correctly and t

if you were interested in a way of retrieving objects into a collection that don't exist in another collection, it's actually not very difficult. for example, you have a collection of clients with antivirus.  now you want to create a collection of clients that do not have antivirus.  instead of creating a new one, you run subselect to bring back all the clients that are not in the original antivirus collection. the only thing you have to know is the collection id of the collection that you want to check. for the samples below, note that [collid] is a generic tag for your collection ids. if you examine the root\sms\site_ of your sms server, you'll see a list of sms collections labeled with: sms_cm_res_coll_[collid] this is what you need to build your subselect query. if you query this in wbemtest, with something like select * from sms_cm_res_coll_[collid] you should get back a list of resource ids which look something like this: ... sms_cm_res_coll_[coll

most of you are probably familiar with the icmpping script available from huntland services . one of the admins i work with wanted something that would do the same type of functionality but work for a list of servers. i took it a tiny step further and had it read from an ou instead of a text file. you'll want to modify this part to reflect your environment: oCommand.CommandText = " ;" & _ "(&(objectClass=Computer)(objectCategory=Computer));name" sSiteName is the variable that you can specify in your parameters location. you could even put the path directly into the script and bypass all that. anyway, here's the script ! i tried to put it in this post... but you know how those translations go. :) have fun!

this was recently posted on the myitforum mailing list. it's worth archiving for later reference. :) question: I have a secondary site that shows its parent site as the primary, which is good. In my SMS console, I have registered my central site database and my primary site database. When I drill down to the secondary site in question from the central site, I can see it, BUT if I drill down to the secondary site from the primary it is not there?? Any one ever see this? answer: Copy the site control file from the secondary site and rename it to *.CT2. Copy the renamed file into the HMAN.BOX on the parent primary and it will show up after it gets processed. This resolves the immediate problem of not seeing the secondary from the primary. You may need to take a look at the SENDER.LOG to determine why it isn't communicating. Thanks, Mark A. Mears, Sr.

recently, we had problems with the [t]cpip [o]ffload [e]ngine features on a nic that caused all kinds of bizarre and strange problems. apparently if you have a nic that supports the scalable networking pack, included in windows server 2003 sp2, these features kick in. the guys over at msexchangeteam.com posted this very nice write up on their blog. if you're planning on upgrading ... this is a must read. here's a few articles related to this as well: http://support.microsoft.com/kb/942861 http://support.microsoft.com/default.aspx/kb/912222

this was released recently, and everyone is blogging or posting about it. i might as well join in. :) anyway, it's called adexplorer , brought to you from the same guys that bring you all those nice sysinternals tools. this isn't the only free ldap browser out there though. there is the softerra ldap browser which is also pretty nice.

if you've upgraded your domain controllers to windows 2003 (and i hope by now you have), you won't be able to pick up these events anymore: Event Type: Information Event Source: NETLOGON Event Category: None Event ID: 5778 Date: Time: User: N/A Computer: 'Computer Name' Description: 'Computer Name' tried to determine its site by looking up its IP address ('Computer IP Address') in the Configuration\Sites\Subnets container in the DS. No subnet matched the IP address. Consider adding a subnet object for this IP address. instead, you get this type of event message that really doesn't help at all: Event Type: Information Event Source: NETLOGON Event Category: None Event ID: 5807 Date: Time: User: N/A Computer: 'Computer Name' Description: During the past 4.22 hours there have been 26 connections to this Domain Controller from client machines whose IP addresses

wow, what an fun topic. :/ it was a little confusing so i figured i'd post it as a gentle reminder for later when i completely forget. let's assume you have a reverse lookup zone of 10.x.x.x. if you want to pull the records for 10.1.1 for example, you could run the command like this: dnscmd /enumrecords 10.in-addr.arpa. 1.1 it doesn't actually show you semantically how all this gets put together, unless you fork it up like i did. here's the output of an incorrect command format: c:\>dnscmd /enumrecords 10.in-addr.arpa. 10.1.1 DNS Server failed to enumerate records for node 10.1.1.10.in-addr.arpa.     Status = 9714 (0x000025f2) Command failed:  DNS_ERROR_NAME_DOES_NOT_EXIST     9714  (000025f2) if you notice, it appends the 10.in-addr.arpa zone name to the requested node name of 10.1.1. since 10.1.1.10 doesn't exist, it fails. moving on... i think in older versions, you had to include the "." following the zone, like "10.in-a

i have no idea what to call this particular post. i mean, it's the day before the 4th of july... so i could call it something like... making fireworks with sms? i don't know. the whole thing started off when i was down visiting with a site system. they pointed out that some of their clients were failing to patch. further examination revealed that these clients looked healthy. wiping vpcache, reinstalling the client, etc... just wasn't doing it. examining this scan process showed that smswushandler.log was where the real problems were stemming from. anyway, i found that some of their failures had a common execution status of 11412. the unfortunate part of this error message is that it can mean different types of scan failures including down-level or broken windows update agents. in my case, i wanted to break it up into two distinct things so that i could correct both client problems. the reason for doing is because 11412 isn't distinct enough to handle it with one m

i was referred to by microsoft pss on this great article on how to capture netmon traces (and stop them when a certain criteria is met). there were a few differences from our end than what's in the article. basically, we were required to look for an event on a particular machine and stop the trace on an entirely different machine. here's the command line i used: nmcap /network * /capture /file c:\temp\myCapture.cap:200M /stopwhen /frame "ipv4.SourceAddress==192.168.0.20 and ipv4.DestinationAddress==192.168.0.10" /DisableConversations   here's what the switches mean: nmcap - this file is usually located under c:\program files\microsoft network monitor 3.0 /network * - selects all network adapters, wildcard capable /capture - capture packets /file - capture to the file c:\temp\myCapture.cap :200M - sets myCapture.cap to a circular 200MB /stopwhen - specifies to look for a condition on when to stop (in this case what's defi

another mom blogger, bryce kinnamon , wrote up this nifty blog. i'm blogging about it in case you missed it. typically the problem with reporting security event data is that the data itself is all clogged up in the description field. using patindex, bryce shows a clever way to break this up into distinct columns . very nice.

i just heard that anders bengtsson was finally awarded a mvp yesterday. this guy has been doing some great work. i've been watching to see just when he'd get his nom. looks like it finally came through! congratulations to you, anders. keep up the great work supporting the community. (looks like i'll have to pay attention to what he says now... :/ ...)

in case you're interested, there's a simulcast of one of minasi's sessions on command-line server management. here's the link: Command Microsoft Windows from C: ... and Get Ready for Server Core! (Level 300)

this stuff is pretty cool! granted, you probably have most of these in a boilerplate already... but if you don't, this is great reference material. there's one for vbscript and powershell. vbscript reference powershell reference

nearly missed this gem. here's a great technet article that should get you started on customizing local client policies. there are myriad opportunities that stuff like this could be vitally important. think boiler plate. once you have something, you could modify your script to accept different command-line parameters and issue those over sms as a part of some overall customizer package. http://www.microsoft.com/technet/technetmag/issues/2006/09/CustomizeSMS/

here are three queries that i usually use to help isolate noise. generally, i run these about once a week to see what's going on. anyway, it's pretty cool to see what kind of events/performance data is coming in, what the highest offenders are, etc. two of these will look very familiar (since they come with your mom installation). alerts: SELECT TOP 10 [Name],count(TimeRaised) AS 'AlertCount' FROM SDKAlertView GROUP BY [Name] ORDER BY 'AlertCount' DESC SELECT TOP 10 [Name],sum(RepeatCount) AS 'AlertCount-Suppressed' FROM SDKAlertView GROUP BY [Name] ORDER BY 'AlertCount-Suppressed' DESC events: SELECT CONVERT(char(10), TimeGenerated, 101) AS 'Events Date (by Day)', COUNT(*) AS 'Number of Events', Message FROM SDKEventView GROUP BY CONVERT(char(10), TimeGenerated, 101), Message ORDER BY 'Events Date (by Day)' DESC SELECT NTEventID, COUNT(*) AS 'Number of Events', Message FROM SDKEventView GRO

if you find these populating your collection evaluator status messages, it's probably because of a mismatch in your query somewhere. here's a sample status message: Microsoft SQL Server reported SQL message 245, severity 16: [22018][245][Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value 'myMachineName' to data type int. doesn't really give you much to go on. to get more details, open up colleval.log . the easiest way to spot where to pinpoint the problem is to look by the date/time in the status message. look for that... or something close to that in your logs. in the log file, the error message shows up. it looks like this: *** [22018][245][Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value 'myMachineName' to data type int. following pretty closely, you'll see another line that might look something like this: Could not refresh collection XYZ00012. Will

southeast management user group (atlanta)! it's coming up again. mark your calendars and get registered. sign up link below... look forward to seeing you there. 8:30-9:00am Light Breakfast 9:00-10:00am Introduction to System Center Configuration Manager 2007 10:00-11:00am Using System Center Data Protection Manager 2007 to protect and recover Exchange Server, Microsoft SQL Server, SharePoint Portal Server, as well as Windows file services 11:15-11:30am Break 11:30-12:30pm (Working Lunch) - Using System Center Operations Manager 2007 to meet Regulatory Compliancy Needs 12:30-1:45pm Deploying Vista Today with SMS 2003 and Deploying Vista and Windows Server 2003 in the future with System Center Configuration Manager 2007 1:45-2:00pm Break 2:00-3:30pm How to monitor your Core Infrastructure and Distributed Applications with System Center Operations Man

after you tell an advanced client to retrieve policies, you may notice there's a little bit of a delay from retrieval to application. microsoft is instilling the value of patience by forcing a two-minute delay between these steps. here's jeff's response on the myitforum mailing list thread: Don't forget that there is a built in two minute delay between when a client downloads a new policy and evaluates/applies it . This delay is by design in case there are a lot of policies that need to be downloaded before the client starts compiling them. ~Jeff as an update, phil wilcock wrote up this blog entry noting how to remove the two minute delay. basically, you want to compile a mof which changes the wmi settings on the client. here's the contents:   #pragma namespace ( "\\\\.\\root\\ccm\\policy\\machine\\Requestedconfig" ) instance of CCM_PolicyAgent_Configuration { PolicySource = "Local" ; PolicyDownloadMethod = "BITS" ;

i've been asked this question more times than i can recall by auditing agencies, security, compliance regulation, etc. at first, i'd goof around the domain policy settings looking for this stuff. someone happened to ask me how to change a local admin password on a server. i suggested net and stumbled on this: net accounts Force user logoff how long after time expires?: 7 Minimum password age (days): 7 Maximum password age (days): 7 Minimum password length: 7 Length of password history maintained: 7 Lockout threshold: 7 Lockout duration (minutes): 7 Lockout observation window (minutes): 7 Computer role: WORKSTATION if you want to see what it is for your domain, run net accounts /domain .

... or functional practicality or whatever. it's interesting that "secure" has made some things especially troublesome! for instance, out of the box, after applying service pack 1, querying wmi will fail. how do you fix it? you add the account you're using to the local administrators group. now that doesn't sound right since the idea is that we're securing things down. the challenge was to take a user account without elevated permissions and grant it the rights it needs to query wmi without the exposure of adding it to local administrators. it turns out there are three things you have to do to make this work: add the user to "distributed com users" local group grant permission to the wmi namespace for which you wish you allow access (in our case, cimv2) grant permission to service control manager add the user to "distributed com users" local group: not much to explain for this. simply add the account to the local group named "

these are just as cryptic as it sounds since you don't really have any idea which provider is failing to load. the actual failure message looks like this: 0x80041013 - WBEM_E_PROVIDER_LOAD_FAILURE . your ccmexec.log may have exhibit strange errors like this: Error loading service settings. Code 0x80041013 Phase 0 initialization failed (0x80041013) Service initialization failed (0x80041013) if you're seeing these strange error messages, here's something you can try to fix it up: switch over to %windir%\system32\wbem. register all of the .dlls in this directory. here's a way that microsoft support stated: for /f %s in ('dir /b *.dll') do regsvr32 /s %s issue the following two commands: wmiprvse /regserver winmgmt /regserver if this doesn't resolve it, try the steps again. this time, add in step 2b (below). i'm not sure under what condi

a talented ad guru brought this up to my attention. i thought it was something strange and important enough for everyone (the three of you that may actually read my blog) ... you may be aware of this but dst doesn't affect kerberos at all since kerberos only uses utc. there is still potential for problems, however. if a user moves their clock forward (or backward) instead of letting the dst rules adjust it, then they'll run into kerberos failures in the form of krb_err_time_skew . anything beyond a 5 minute skew is determined to be a replay attack... and subsequently not honored. so with that in mind, you think... domain-joined resources will reset their times to the domain time. unfortunately, this only occurs in 8 hour intervals. of course, if the user just manages to change their time zone, this will not cause the same effect. they'll be fine. the time zone is a local offset which does not affect the utc value like utilizing the date/time applet to change the t

... at least not on your sms 2003 environment. sms 2003 sp3 is the only version that will support a sql 2005 sp2 infrastructure. of course, you know sms 2003 sp3 is not out yet. hold on your deployments until this new sms 2003 service pack is out.

this is a great article that outlines how to setup service principal names , SPNs (generally pronounced as spins)... posting for my own reference.

this was such an obscure find that i thought i'd post it just to refer back to you later. in case you were wondering, 2003 cache holds entries that are invalid for 2 minutes and uses a value of 10 minutes for valid entries. here's the formal info (full reference is in this appendix ): ArpCacheLife Key: Tcpip\Parameters Value Type: REG_DWORD—Number of seconds Valid Range: 0–0xFFFFFFFF Default: In absence of an ArpCacheLife parameter, the defaults for ARP cache time-outs are a two-minute time-out on unused entries and a ten-minute time-out on used entries. Description: See ArpCacheMinReferencedLife

i'm not sure why i never bothered to look at this before. i guess it piqued my interest because a coworker asked me what it needed to communicate with... the server or the agent? well, i fired up a packet sniffer and found this... {MSRPC:456, TCP:455, IPv4:454} 192.168.1.85 192.168.1.35 MSRPC MSRPC: c/o Response: unknown {MSRPC:456, TCP:455, IPv4:454} 192.168.1.35 192.168.1.85 MSRPC MSRPC: c/o Request: unknown {MSRPC:456, TCP:455, IPv4:454} 192.168.1.85 192.168.1.35 MSRPC MSRPC: c/o Response: unknown there's really nothing relevant in the trace to look at. just the fact that the rpc traffic from where maintenance mode ran only goes to the mom agent. so, i guess it is true that maintenance mode uses the agent to communicate to the mom server. this is kind of odd, i think... mostly because you can't use the command-line tool to set the machines in maintenance that are already down.  anyway, make sure the agent can communicate to the server and wherever yo

for your considerations w/ scom, if you have network devices you plan to monitor, attend one of these sessions to see how jalasoft does it. they've been around forever doing mom integrations. :) Presentation We want to invite you to join this special Live Meeting where we will show the new features of Xian Io. Among the topics that we will cover are: Integration with Ops Mgr 07, the Network Scan Server task, configuring rules, performance data, Distributed Applications and receiving alerts. The live meeting will be conducted by Arnold Hagens – Product Marketing Manager Sessions Four sessions will be held during the month of February on the following days: Thursday, February 1st - 12:00 P.M. EST (Eastern Standard Time) Thursday, February 8th - 12:00 P.M. EST (Eastern Standard Time) Thursday, February 15th - 12:00 P.M. EST (Eastern Standard Time) Thursday, February 22nd- 12:00 P.M. EST (Eastern Standard Time) Questions and Confirmation Questions and confirmation of your ses

a good friend and fellow mvp, john hann , wrote up this nice little article which is definitely worth the read. he also mentioned yours truly in the article. :)

and maybe you did or didn't know it. when this happens and you accumulate run history, some not so good stuff happens. for one, the database grows to proportions that should be saved for real space hogs like mom reporting servers. :) the second problem is that if you have to get rid of the agent for any reason, it will first want to remove all associated run histories. if you have too many of them, this operation can make trips to grandma's house short by comparison. to keep that stuff under control, you can go into the identity manager console and delete it ( actions | clear runs ). imagine if you could clear all your runs like that... no embarrassing moments taking the donkey down the grand canyon. anyway, you have to do this manually to keep stuff under control. if that isn't your bailiwick, may i suggest... the more graceful approach of using miisclearrunhistory.exe? using this command-line tool, it's just a matter of a few switches to keep your miis data