O R G A N I C / F E R T I L I Z E R: 07.07

Jul 19, 2007

sms: forcing child sites to show up in the parent hierarchy...

this was recently posted on the myitforum mailing list. it's worth archiving for later reference. :) question:
I have a secondary site that shows its parent site as the primary, which is good. In my SMS console, I have registered my central site database and my primary site database. When I drill down to the secondary site in question from the central site, I can see it, BUT if I drill down to the secondary site from the primary it is not there?? Anyone ever see this?
answer:
Copy the site control file from the secondary site and rename it to *.CT2. Copy the renamed file into the HMAN.BOX on the parent primary and it will show up after it gets processed. This resolves the immediate problem of not seeing the secondary from the primary. You may need to take a look at the SENDER.LOG to determine why it isn't communicating. Thanks, Mark A. Mears, Sr.

os: tcpip offloading and windows server 2003...

recently, we had problems with the tcp/ip offload engine (toe) features on a nic that caused all kinds of bizarre and strange problems. apparently if you have a nic that supports the scalable networking pack, included in windows server 2003 sp2, these features kick in. the guys over at msexchangeteam.com posted this very nice write up on their blog.

if you're planning on upgrading ... this is a must read.

here are a few articles related to this as well:
http://support.microsoft.com/kb/942861
http://support.microsoft.com/default.aspx/kb/912222

Jul 11, 2007

ds: another tool to add to your sysinternals toolbelt...

this was released recently, and everyone is blogging or posting about it. i might as well join in. :) anyway, it's called adexplorer, brought to you by the same guys who bring you all those nice sysinternals tools. this isn't the only free ldap browser out there though. there is the softerra ldap browser which is also pretty nice.

Jul 6, 2007

mom: subnet missing from ad site configuration

if you've upgraded your domain controllers to windows 2003 (and i hope by now you have), you won't be able to pick up these events anymore:

Event Type: Information
Event Source: NETLOGON
Event Category: None
Event ID: 5778
Date:
Time:
User: N/A
Computer: 'Computer Name'
Description: 'Computer Name' tried to determine its site by looking up its IP address ('Computer IP Address') in the Configuration\Sites\Subnets container in the DS. No subnet matched the IP address. Consider adding a subnet object for this IP address.

instead, you get this type of event message that really doesn't help at all:
Event Type: Information
Event Source: NETLOGON
Event Category: None
Event ID: 5807
Date:
Time:
User: N/A
Computer: 'Computer Name'
Description: During the past 4.22 hours there have been 26 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites. The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes. The current maximum size is 20000000 bytes. To set a different maximum size, create the above registry value and set the desired maximum size in bytes.
if you're still interested in these messages, you can create a new type of rule, pulling from a different location instead. the first thing you'll need to do is create a new provider. in my case, i named it something silly like... netlogon log. here are the parameters:
  • provider name: netlogon log
  • provider log type: generic single-line log file
  • directory: c:\windows\debug
  • format: generic
  • file pattern: netlogon.log
now create a new rule with the netlogon log provider that we created above. i set the criteria to:
description contains substring ': NO_CLIENT_SITE:'
now you can set it to alert or just collect the event data. it'll read the netlogon.log file and send up an event every time a line matching the description above shows up. the event data will look like this:
Description:
DIR:C:\Windows\debug, Log Directory
FIL:Netlogon.log, Log File
FMT: Generic Single-Line Log File Format, File Format
ENT: 01/01 12:01:01 DOMAIN: NO_CLIENT_SITE: COMPUTERNAME 10.1.1.89
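if you'd rather crunch the log yourself than wait for mom events, here's an added example (mine, not from the post) that pulls the NO_CLIENT_SITE lines the 5807 event points you at and groups the clients by the subnet object you'd need to create. the log lines are constructed in the layout shown above, and the /24 prefix length is an assumption; use the real mask of each network.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of netlogon.log lines in the layout the post shows
# (the first word after 'NO_CLIENT_SITE:' is the client, the second its IP).
SAMPLE_NETLOGON_LOG = """\
01/01 12:01:01 DOMAIN: NO_CLIENT_SITE: WS001 10.1.1.89
01/01 12:01:05 DOMAIN: NO_CLIENT_SITE: WS002 10.1.1.90
01/01 12:01:09 DOMAIN: unrelated debug output (constructed filler line)
01/01 12:02:14 DOMAIN: NO_CLIENT_SITE: LT042 10.7.3.15
01/01 12:02:20 DOMAIN: NO_CLIENT_SITE: WS001 10.1.1.89
"""

NO_SITE_RE = re.compile(r"NO_CLIENT_SITE:\s+(\S+)\s+(\S+)")


def parse_no_client_site(text):
    """Return (client_name, ip) for every NO_CLIENT_SITE line, in file order."""
    hits = []
    for line in text.splitlines():
        match = NO_SITE_RE.search(line)
        if not match:
            continue
        name, ip = match.group(1), match.group(2)
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # second word is not an address; skip the malformed line
        hits.append((name, ip))
    return hits


def missing_subnets(hits, prefixlen=24):
    """Group unmatched clients by the subnet object that would cover them.

    prefixlen is an assumption (/24 here); use the real mask of each network
    when you create the subnet object in sites and services.
    """
    groups = defaultdict(set)
    for name, ip in hits:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].add(name)
    return {net: sorted(names) for net, names in sorted(groups.items())}


if __name__ == "__main__":
    summary = missing_subnets(parse_no_client_site(SAMPLE_NETLOGON_LOG))
    for net, names in summary.items():
        print(f"{net}: {', '.join(names)}")
```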

ds: enumerating dns ptr records with dnscmd...

wow, what a fun topic. :/ it was a little confusing so i figured i'd post it as a gentle reminder for later when i completely forget. let's assume you have a reverse lookup zone of 10.x.x.x. if you want to pull the records for 10.1.1 for example, you could run the command like this:
dnscmd /enumrecords 10.in-addr.arpa. 1.1
it doesn't actually show you semantically how all this gets put together, unless you fork it up like i did. here's the output of an incorrect command format:
c:\>dnscmd /enumrecords 10.in-addr.arpa. 10.1.1

DNS Server failed to enumerate records for node 10.1.1.10.in-addr.arpa.
    Status = 9714 (0x000025f2)

Command failed:  DNS_ERROR_NAME_DOES_NOT_EXIST     9714  (000025f2)

if you notice, it appends the requested node name 10.1.1 to the zone name 10.in-addr.arpa, giving 10.1.1.10.in-addr.arpa. since that node doesn't exist, it fails. moving on... i think in older versions, you had to include the "." following the zone, like "10.in-addr.arpa." instead of "10.in-addr.arpa". in either case, it works. you can see though, in the failed command context, it shows two dots trailing 10.1.1.10.in-addr.arpa. coffee time.
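to make the "node gets appended to the zone" rule stick, here's an added example (mine, not from the post or from dnscmd) that works out the node name dnscmd wants for a given zone and address prefix, and shows the name it actually looks up when you hand it the wrong thing.

```python
def node_for_prefix(zone, prefix):
    """Node name to pass to dnscmd /enumrecords for an IPv4 prefix.

    zone   -- reverse zone, with or without trailing dot, e.g. '10.in-addr.arpa.'
    prefix -- leading octets of the range you want, e.g. '10.1.1'
    Octets already named by the zone are stripped; the rest are reversed,
    because in-addr.arpa names run least-significant octet first.
    """
    labels = zone.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError("not an in-addr.arpa zone: " + zone)
    zone_octets = list(reversed(labels[:-2]))      # '10.in-addr.arpa' -> ['10']
    octets = prefix.split(".")
    if octets[:len(zone_octets)] != zone_octets:
        raise ValueError(f"{prefix} is not inside zone {zone}")
    remainder = octets[len(zone_octets):]
    if not remainder:
        return "@"        # dnscmd's name for the zone root itself
    return ".".join(reversed(remainder))


def fqdn_node(zone, node):
    """The name dnscmd actually looks up: the node label appended to the zone."""
    return f"{node}.{zone.rstrip('.')}."


# node_for_prefix("10.in-addr.arpa.", "10.1.1")  -> "1.1"   (the working command above)
# node_for_prefix("10.in-addr.arpa", "10.1.2")   -> "2.1"   (order matters once octets differ)
# fqdn_node("10.in-addr.arpa.", "10.1.1") -> "10.1.1.10.in-addr.arpa."  (the failing one)
if __name__ == "__main__":
    for prefix in ("10.1.1", "10.1.2"):
        node = node_for_prefix("10.in-addr.arpa.", prefix)
        print(f"dnscmd /enumrecords 10.in-addr.arpa. {node}  ->  {fqdn_node('10.in-addr.arpa.', node)}")
```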

Jul 3, 2007

sms: advertising packages based on status message

i have no idea what to call this particular post. i mean, it's the day before the 4th of july... so i could call it something like... making fireworks with sms? i don't know.

the whole thing started off when i was down visiting with a site system. they pointed out that some of their clients were failing to patch. further examination revealed that these clients looked healthy. wiping vpcache, reinstalling the client, etc... just wasn't doing it.

examining this scan process showed that smswushandler.log was where the real problems were stemming from. anyway, i found that some of their failures had a common execution status of 11412. the unfortunate part of this error message is that it can mean different types of scan failures, including down-level or broken windows update agents. in my case, i wanted to break it up into two distinct things so that i could correct both client problems. the reason for doing this is that 11412 isn't distinct enough to handle with one method of remediation.

i used the idea of health collections to build this scenario. i had some leftover collection structure from an original one that i got from chris sugdinis. building the passing collections for windows update agent made it easy to pick out the broken windows update agents. for any that passed the version criteria, i used collection limits to bring those into the new collection, where i used the sms_clientadvertisementstatus class to pull back the 11412 error messages. (this method of creating queries is noted by eric holtz and greg ramsey.) here's the criteria i used:


select sys.ResourceID, sys.ResourceType, sys.Name, sys.SMSUniqueIdentifier,
       sys.ResourceDomainORWorkgroup, sys.Client
from sms_r_system as sys
inner join SMS_ClientAdvertisementStatus as cas on sys.ResourceID = cas.ResourceID
where cas.AdvertisementID in ('xyz00001','xyz00002','xyz00003')
  and cas.lastexecutionresult = 11412
  and cas.laststate = 11


the values in the parentheses are the advertisement ids in my environment. now what to do with this new collection? target them for repair. here's a batch command you can use to do just this.

Jul 2, 2007

os: capturing packet traces in such a clever way...

microsoft pss referred me to this great article on how to capture netmon traces (and stop them when a certain criteria is met). there were a few differences on our end from what's in the article. basically, we were required to look for an event on a particular machine and stop the trace on an entirely different machine. here's the command line i used:

nmcap /network * /capture /file c:\temp\myCapture.cap:200M /stopwhen /frame "ipv4.SourceAddress==192.168.0.20 and ipv4.DestinationAddress==192.168.0.10" /DisableConversations
here's what the switches mean:
  • nmcap - this file is usually located under c:\program files\microsoft network monitor 3.0
  • /network * - selects all network adapters, wildcard capable
  • /capture - capture packets
  • /file - capture to the file c:\temp\myCapture.cap
  • :200M - sets myCapture.cap to a circular 200MB
  • /stopwhen - specifies to look for a condition on when to stop (in this case what's defined in /frame)
  • /frame - filter used to specify when source addr of a packet is 192.168.0.20 and the destination addr is 192.168.0.10
  • /disableconversations - this is discussed in the linked article, basically helps save memory consumption
putting it all together, the machine that triggers the event has a script running on it that detects an event id. when the event id is found, the script pings the other machine. once the packet comes across on the other machine, with the source/destination matching up to what's in "/frame", it stops the capture.

mom: reporting on security event data

another mom blogger, bryce kinnamon, wrote up this nifty blog. i'm blogging about it in case you missed it. typically the problem with reporting security event data is that the data itself is all clogged up in the description field. using patindex, bryce shows a clever way to break this up into distinct columns. very nice.

misc: new mom mvp!

i just heard that anders bengtsson was finally awarded a mvp yesterday. this guy has been doing some great work. i've been watching to see just when he'd get his nom. looks like it finally came through! congratulations to you, anders. keep up the great work supporting the community. (looks like i'll have to pay attention to what he says now... :/ ...)