O R G A N I C / F E R T I L I Z E R: 05.07

May 30, 2007

sms: customizing advanced client local policies

nearly missed this gem. here's a great technet article that should get you started on customizing local client policies. there are myriad situations where stuff like this could be vitally important. think boilerplate. once you have something, you could modify your script to accept different command-line parameters and issue those over sms as a part of some overall customizer package. http://www.microsoft.com/technet/technetmag/issues/2006/09/CustomizeSMS/

May 29, 2007

mom: trimming noise...

here are three queries that i usually use to help isolate noise. generally, i run these about once a week to see what's going on. anyway, it's pretty cool to see what kind of events/performance data is coming in, what the highest offenders are, etc. two of these will look very familiar (since they come with your mom installation).
alerts:
SELECT  TOP 10 [Name],count(TimeRaised) AS 'AlertCount' 
FROM  SDKAlertView
GROUP BY [Name]
ORDER BY 'AlertCount' DESC

SELECT  TOP 10 [Name],sum(RepeatCount) AS 'AlertCount-Suppressed'
FROM  SDKAlertView
GROUP BY [Name]
ORDER BY 'AlertCount-Suppressed' DESC
events:
SELECT  CONVERT(char(10), TimeGenerated, 101) AS 'Events Date (by Day)',
  COUNT(*) AS 'Number of Events', Message
FROM  SDKEventView 
GROUP BY CONVERT(char(10), TimeGenerated, 101), Message
ORDER BY 'Events Date (by Day)' DESC 

SELECT  NTEventID, COUNT(*) AS 'Number of Events', Message
FROM  SDKEventView 
GROUP BY NTEventID, Message
ORDER BY 'Number of Events' DESC
performance:
SELECT  Top 100 PerformanceCounterName, COUNT(*) 
FROM  SDKPerformanceView 
GROUP BY PerformanceCounterName
ORDER BY count(*) desc

May 22, 2007

sms: sms collection evaluator message id 620

if you find these populating your collection evaluator status messages, it's probably because of a mismatch in your query somewhere. here's a sample status message:
Microsoft SQL Server reported SQL message 245, severity 16: [22018][245][Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value 'myMachineName' to data type int.
doesn't really give you much to go on. to get more details, open up colleval.log. the easiest way to pinpoint the problem is to search by the date/time in the status message. look for that... or something close to that in your logs. in the log file, the error message shows up. it looks like this:
*** [22018][245][Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value 'myMachineName' to data type int.
following pretty closely, you'll see another line that might look something like this:
Could not refresh collection XYZ00012. Will retry later.
now we're getting somewhere. now we have a collection id that we can go interrogate to see what it is in the query that's quite possibly not right. in my case, extremely possible. :) just as an fyi, looking into the collection, it was discovered that in a subselect query, resource id was being checked against a list of values where system name was being used. since resource id and system name are different data types (int and varchar, respectively), the comparisons would fail.
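
the log walk described above, as an added example (not code from the original post): it pairs each "Could not refresh collection" line with the closest preceding `***` error and pulls the conversion details out of it. it assumes each log line starts with the message text shown above; the filler lines, the second collection id and the `max_gap` parameter are made up for the illustration.

```python
import re

ERROR_RE = re.compile(r"^\*\*\*\s+(?P<msg>.+)$")
FAILED_RE = re.compile(r"Could not refresh collection (?P<id>\w+)\.")
CONVERT_RE = re.compile(
    r"converting the (?P<src>\w+) value '(?P<value>[^']*)' to data type (?P<dst>\w+)")

# constructed sample: the two messages quoted in the post, plus made-up filler
# lines and a made-up second collection id (XYZ00099) with no error before it
SAMPLE_LOG = """\
(filler) evaluator cycle starting
*** [22018][245][Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value 'myMachineName' to data type int.
(filler) unrelated activity
Could not refresh collection XYZ00012. Will retry later.
(filler) unrelated activity
Could not refresh collection XYZ00099. Will retry later.
"""

def failed_collections(lines, max_gap=5):
    """Pair each failed refresh with the closest preceding '***' error,
    if one occurred within max_gap lines."""
    results, pending, age = [], None, 0
    for raw in lines:
        line = raw.strip()
        err = ERROR_RE.match(line)
        if err:
            pending, age = err.group("msg"), 0
            continue
        age += 1
        hit = FAILED_RE.search(line)
        if not hit:
            continue
        error = pending if pending is not None and age <= max_gap else None
        conv = CONVERT_RE.search(error) if error else None
        results.append({
            "collection": hit.group("id"),
            "error": error,
            # varchar -> int means a name is being compared to a numeric column
            "conversion": conv.groupdict() if conv else None,
        })
        pending = None  # one error explains at most one failed refresh
    return results

if __name__ == "__main__":
    for row in failed_collections(SAMPLE_LOG.splitlines()):
        print(row["collection"], row["conversion"] or "no error line nearby")
```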

misc: atlanta smug 6/13/07

southeast management user group (atlanta)! it's coming up again. mark your calendars and get registered. sign up link below... look forward to seeing you there.
   8:30-9:00am  Light Breakfast
 
  9:00-10:00am  Introduction to System Center Configuration Manager 2007
 
 10:00-11:00am  Using System Center Data Protection Manager 2007 to protect
                and recover Exchange Server, Microsoft SQL Server, SharePoint
                Portal Server, as well as Windows file services
 
 11:15-11:30am  Break
 
 11:30-12:30pm  (Working Lunch) - Using System Center Operations Manager 2007
                to meet Regulatory Compliancy Needs
 
  12:30-1:45pm Deploying Vista Today with SMS 2003 and Deploying Vista and
                Windows Server 2003 in the future with System Center
                Configuration Manager 2007
 
   1:45-2:00pm Break
 
   2:00-3:30pm How to monitor your Core Infrastructure and Distributed
                Applications with System Center Operations Manager 2007
Registration Links

Event Title : Charlotte Southeast Management User Group Meeting June 6
Event ID    : 1032340757
Event URL   : http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032340757&Culture=en-US

Event Title : Atlanta Southeast Management User Group Meeting June 13
Event ID    : 1032340758
Event URL   : http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032340758&Culture=en-US

Event Title : Raleigh Southeast Management User Group Meeting June 26
Event ID    : 1032340759
Event URL   : http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032340759&Culture=en-US

May 21, 2007

sms: advanced client policies takes a long time to apply

after you tell an advanced client to retrieve policies, you may notice there's a little bit of a delay from retrieval to application. microsoft is instilling the value of patience by forcing a two-minute delay between these steps. here's jeff's response on the myitforum mailing list thread:
Don't forget that there is a built in two minute delay between when a client downloads a new policy and evaluates/applies it. This delay is by design in case there are a lot of policies that need to be downloaded before the client starts compiling them. ~Jeff

as an update, phil wilcock wrote up this blog entry noting how to remove the two minute delay. basically, you want to compile a mof which changes the wmi settings on the client. here are the contents:

#pragma namespace("\\\\.\\root\\ccm\\policy\\machine\\Requestedconfig")
instance of CCM_PolicyAgent_Configuration
{
    PolicySource = "Local";
    PolicyDownloadMethod = "BITS";
    PolicyEnableUserGroupSupport = true;
    PolicyRequestAssignmentTimeout = 65;
    PolicyTimeUntilAck = 43200;
    PolicyTimeUntilExpire = 86400;
    AuthorityName = "SMS:XXX";
    PolicyTimeUntilUpdateActualConfig = 0;   
};

May 2, 2007

ds: account policy settings

i've been asked this question more times than i can recall by auditing agencies, security, compliance regulation, etc. at first, i'd goof around the domain policy settings looking for this stuff. someone happened to ask me how to change a local admin password on a server. i suggested net and stumbled on this:
net accounts
Force user logoff how long after time expires?:       7
Minimum password age (days):                          7
Maximum password age (days):                          7
Minimum password length:                              7
Length of password history maintained:                7
Lockout threshold:                                    7
Lockout duration (minutes):                           7
Lockout observation window (minutes):                 7
Computer role:                                        WORKSTATION
if you want to see what it is for your domain, run net accounts /domain.
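
since the question usually comes from auditors, here is an added example (not from the original post) that parses `net accounts` output and checks it against a baseline. the thresholds in `BASELINE` are hypothetical, chosen only for illustration; the sample text is the output shown above.

```python
import re

LINE_RE = re.compile(r"^(?P<key>.+?):\s+(?P<val>\S.*)$")

# hypothetical baseline for illustration only: (setting, rule, limit)
BASELINE = [
    ("Minimum password length", "min", 8),
    ("Length of password history maintained", "min", 5),
    ("Maximum password age (days)", "max", 90),
    ("Lockout threshold", "max", 10),
]

# output as shown in the post
SAMPLE = """\
Force user logoff how long after time expires?:       7
Minimum password age (days):                          7
Maximum password age (days):                          7
Minimum password length:                              7
Length of password history maintained:                7
Lockout threshold:                                    7
Lockout duration (minutes):                           7
Lockout observation window (minutes):                 7
Computer role:                                        WORKSTATION
"""

def parse_net_accounts(text):
    settings = {}
    for line in text.splitlines():
        # lines without a "label:   value" shape (status text etc.) are skipped
        m = LINE_RE.match(line.strip())
        if m:
            settings[m.group("key")] = m.group("val").strip()
    return settings

def audit(settings, baseline=BASELINE):
    """Return (setting, reported value, reason) for every baseline miss."""
    findings = []
    for key, rule, limit in baseline:
        raw = settings.get(key)
        if raw is None or not raw.isdigit():
            # words such as Never, None or Unlimited mean the control is off
            findings.append((key, raw, "not set to a number"))
        elif rule == "min" and int(raw) < limit:
            findings.append((key, raw, "below minimum %d" % limit))
        elif rule == "max" and int(raw) > limit:
            findings.append((key, raw, "above maximum %d" % limit))
    return findings

if __name__ == "__main__":
    print(audit(parse_net_accounts(SAMPLE)))
```

on a live machine, feed it the captured text of `net accounts` (or `net accounts /domain`) instead of `SAMPLE`.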