O R G A N I C / F E R T I L I Z E R: 02.08

Feb 29, 2008

february 29, 2008

kind of cool.  thought i'd post just to have one out there for leap year.

Feb 22, 2008

misc: disk encryption rendered useless?

a friend of mine pointed me to this wired blog article.  if you use disk encryption and thought your company information was safe... think again!  pretty disturbing...

Feb 21, 2008

misc: an additional method for resolving wmi failures...

it's an understatement to say that wmi issues are nebulous problems.  i've blogged about them a couple of times in the past, each time with a potentially different solution, and there are even some pretty in-depth posts on how to correct wmi problems.  here are some links for starters:

http://marcusoh.blogspot.com/2006/03/sms-addressing-wmi-corruption.html
http://marcusoh.blogspot.com/2008/01/mom-correcting-most-troublesome-mom.html
http://www.microsoft.com/technet/scriptcenter/topics/help/wmi.mspx

they cover some of the more common ways of troubleshooting wmi problems.  there's going to come a time when none of it works, and you'll be tempted to rebuild the entire repository just to beat down the recalcitrant system.  before doing so, try the method one of my coworkers used to correct a problem that surfaced when issuing this query:

select * from win32_networkadapter

this would kick back error 0x80041013 - "provider load failure" (you may be more familiar with it as wbem_e_provider_load_failure).  since the failing query targets the win32_networkadapter class, the problem was tracked back to that class's requirements.  the files believed to be the offending .dll and .mof (cimwin32.dll and cimwin32.mof) were copied from another working system and compiled/registered.  well... that didn't fix it.  yeah, surprise.

wmidiag.vbs was executed against the system to see what it could find.  these are the results of notable interest:

92567 15:12:33 (1) !! ERROR: WMI EXECQUERY operation errors reported: ..................................................................... 1 ERROR(S)!
92568 15:12:33 (0) ** - Root/CIMv2, Select * From Win32_NetworkAdapter WHERE AdapterType IS NOT NULL AND AdapterType != "Wide Area Network (WAN)" AND Description != "Packet Scheduler Miniport", 0x80041013 - (WBEM_E_PROVIDER_LOAD_FAILURE) COM cannot locate a provider referenced in the schema.
92159 15:12:33 (0) ** 1 error(s) 0x80041013 - (WBEM_E_PROVIDER_LOAD_FAILURE) COM cannot locate a provider referenced in the schema
92160 15:12:33 (0) ** => This error is typically due to the following major reasons:
92161 15:12:33 (0) **    - The application queried by the WMI provider is not installed, not available or not running
92162 15:12:33 (0) **      at the time of the request was made. This error can also be generated because 
92163 15:12:33 (0) **      the application supporting the providers has been uninstalled.
92164 15:12:33 (0) **    - Some WMI providers (i.e. RSOP Planning Mode, Exchange 2003) are implemented as a WMI service.
92165 15:12:33 (0) **      Make sure the required services are successfully started.
92166 15:12:33 (0) **    - The WMI provider binary files are not accessible (i.e. access denied ACL).
92167 15:12:33 (0) **    - A WMI provider registration problem at the CIM level (MOFCOMP.EXE) or at the COM level (REGSVR32.EXE).
92168 15:12:33 (0) **      You must re-register the WMI provider by recompiling its associated MOF file with MOFCOMP.EXE
92169 15:12:33 (0) **    Note: - If the WMI provider DLL CIM and COM registrations are correct, this error can
92170 15:12:33 (0) **            be returned because the provider has a dependency on another DLL that cannot be
92171 15:12:33 (0) **            loaded (missing or bad DLL)
92172 15:12:33 (0) **          - Dependencies can be found with the DEPENDS.EXE tool coming with the
92173 15:12:33 (0) **            Windows XP and Windows 2003 Support Tools. The command line is as follows:
92174 15:12:33 (0) **            i.e. DEPENDS.EXE <PATH><Provider.DLL>
92175 15:12:33 (0) ** => When a WMI provider fails to load, it is possible to trace the provider load process by
92176 15:12:33 (0) **    submitting, via WBEMTEST and asynchronously, the following WMI event query:
92177 15:12:33 (0) **    'Select * From MSFT_WmiSelfEvent'
92178 15:12:33 (0) **    Then you can trace the following WMI events:
92179 15:12:33 (0) **    - Msft_WmiProvider_ComServerLoadOperationEvent
92180 15:12:33 (0) **    - Msft_WmiProvider_InitializationOperationEvent
92181 15:12:33 (0) **    - Msft_WmiProvider_LoadOperationEvent
92182 15:12:33 (0) **    and depending on the WMI operation executed, you can trace the following WMI events:
92183 15:12:33 (0) **    i.e. for an enumeration:
92184 15:12:33 (0) **    - Msft_WmiProvider_CreateInstanceEnumAsyncEvent_Pre and Msft_WmiProvider_CreateInstanceEnumAsyncEvent_Post
92185 15:12:33 (0) **    i.e. for a put operation:
92186 15:12:33 (0) **    - Msft_WmiProvider_PutInstanceAsyncEvent_Pre and Msft_WmiProvider_PutInstanceAsyncEvent_Post

when i looked at the logs originally, i glossed over it and tried to execute the query in the wrong context.  my coworker had a bit more diligence about it and did it right.

the real stuff to look at is the note near the end about tracing the provider load process with msft_wmiselfevent.  to use this, execute "select * from msft_wmiselfevent" in the namespace where the problem exists (the namespace for win32_networkadapter is root\cimv2, for example).  it must be executed as an asynchronous notification query.


wbemtest: these are the data elements to choose for asynchronous notification queries

once you execute the query, leave the window open and perform the following:

  1. switch the method invocation options to "semisynchronous".
  2. use the "query" button and execute the problem query statement.
  3. switch back to the window running the msft_wmiselfevent query.

hopefully you'll see where the problem occurs.  in our case, the problem traced back to the "brcmgroup provider", which turns out to be a broadcom cim provider.  once this was removed, the problem went away.  good job, chris.  here's a link to his post about this topic.
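the same trace can be driven from powershell instead of two wbemtest windows.  this is an added example, not code from the post or from chris: it subscribes to msft_wmiselfevent asynchronously (Register-WmiEvent, powershell 2.0 or later), fires the failing query, then lists the provider load and initialization events that were raised.  the namespace and the failing query are the ones from the post; swap in your own.  event property names beyond __CLASS, Namespace and Provider vary by event class, so only those three are selected.

```powershell
# Added example, not from the original post: drive the msft_wmiselfevent trace from
# PowerShell (2.0 or later, for Register-WmiEvent) instead of two wbemtest windows.
# The namespace and the failing query match the post; change them for your own case.
$namespace = 'root\cimv2'
$badQuery  = 'select * from win32_networkadapter'
$sourceId  = 'WmiSelfTrace'

# 1. subscribe asynchronously to WMI's own self-events in the affected namespace.
#    this is the equivalent of the "asynchronous notification query" in wbemtest.
Register-WmiEvent -Namespace $namespace -Query 'Select * From MSFT_WmiSelfEvent' `
                  -SourceIdentifier $sourceId

try {
    # 2. run the problem query while the subscription is live
    try {
        $null = Get-WmiObject -Namespace $namespace -Query $badQuery -ErrorAction Stop
        Write-Host 'query succeeded, nothing to trace'
    }
    catch {
        # for a provider load failure this reports the 0x80041013 error from the post
        Write-Host "query failed: $($_.Exception.Message)"
    }

    Start-Sleep -Seconds 2   # let the watcher deliver the events raised by the load attempt

    # 3. pull the delivered self-events and keep the provider load / initialization chain,
    #    which names the provider WMI was trying to load when the query failed
    Get-Event -SourceIdentifier $sourceId |
        ForEach-Object { $_.SourceEventArgs.NewEvent } |
        Where-Object { $_.__CLASS -like 'Msft_WmiProvider_*LoadOperationEvent*' -or
                       $_.__CLASS -like 'Msft_WmiProvider_InitializationOperationEvent*' } |
        Select-Object __CLASS, Namespace, Provider |
        Format-Table -AutoSize
}
finally {
    # 4. always tear the subscription down, even if the query hung or threw
    Unregister-Event -SourceIdentifier $sourceId
    Get-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue | Remove-Event
}
```

expect some noise: the self-event subscription and the query's own enumeration generate events too, so look for the last provider named before the query errored out.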

Feb 8, 2008

misc: dsquery vs powershell (2)

this time, i'm going to show you how to retrieve the group membership of a user.  to begin with, in a cmd shell with dsquery:

dsquery user -samid username | dsget user -memberof

and in powershell:

(Get-QADUser -samaccountname username).memberof

look at that: the powershell command line is, in fact, just a tiny bit shorter.  if you run them both, though, dsquery does outperform powershell by a large margin in this demonstration.  still, you have to learn this stuff sooner or later.  :)

now, if you run it as two separate commands, powershell performs just as fast as dsquery (to the human eye, at least).  like this:

$user = get-qaduser -samaccountname username
$user.memberof
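if you don't have the quest snap-in installed, the same lookup works with the built-in [adsisearcher] type accelerator (System.DirectoryServices.DirectorySearcher).  this is an added example, not code from the post, and it goes one step past the memberof attribute: memberof only lists direct memberships and omits the primary group (normally domain users), so the function also resolves the primary group from primarygroupid.  'username' is a placeholder, as in the post.

```powershell
# Added example, not from the original post: group membership via the built-in
# [adsisearcher] (System.DirectoryServices.DirectorySearcher), no Quest snap-in needed.
# 'username' below is a placeholder, as in the post.
function Get-UserGroups {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    # escape the filter value (RFC 4515) so an odd or hostile account name cannot rewrite the filter
    $safe = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                            -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'

    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'memberOf', 'primaryGroupID', 'objectSid'))
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "no user with sAMAccountName '$SamAccountName'" }

    # memberOf holds direct memberships only: it omits the primary group (normally Domain Users)
    # and does not expand nested groups, so it is the same list dsget user -memberof prints
    $groups = @($result.Properties['memberof'] | ForEach-Object { [string]$_ })

    # the primary group is stored as a RID; rebuild its SID from the user's domain SID and look it up
    $sidBytes  = [byte[]]$result.Properties['objectsid'][0]
    $userSid   = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    $domainSid = $userSid.AccountDomainSid.Value
    $rid       = [int]$result.Properties['primarygroupid'][0]
    $primary   = ([adsisearcher]"(objectSid=$domainSid-$rid)").FindOne()
    if ($primary -ne $null) {
        $groups += "$($primary.Properties['distinguishedname'][0])  (primary group)"
    }
    return $groups
}

Get-UserGroups -SamAccountName 'username'
```

nested membership is still not expanded here; for the effective list you would read the user's tokengroups attribute instead, which is a separate exercise.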

Feb 6, 2008

mom: empty values from performance threshold rules...

after an upgrade of our mom servers and agents, we noticed that all of our performance threshold rules were bringing back empty values in the "description:" field.  as you'll notice from the snippet below, the information does exist: for example, source contains "smtp server" and "remote queue length", both of which should be filled in for the description.

Description: : : value =   
Name: SMTP: Remote Queue > 250
Severity: Error
Source: SMTP Server: Remote Queue Length: _Total

if you're running into this problem, it most likely stems from a deployment of hotfix kb934441, which upgrades the momengine.dll component to 5.0.2911.41, the version with the issue.  there's an unpublished hotfix for this known issue; you'll know you're running it if your momengine.dll version is 5.0.2911.42.  you'll need to call microsoft to get it.  here's the .msi name to reference: MOM2005-SP1-KB942736-X86-IA64-ENU.msi.

Feb 1, 2008

sms: maybe you should date your clients? :^)

i don't think it's too much of a stretch or really a broad assumption that any given collection at probably any given site has some amount of stale information.  machines go offline, people go on vacation, machines "mysteriously" drop off the domain...

this tends to come up often, so i thought i'd put it out there, even though it's all over the place already.  do a search for "sms datediff", "sms getdate", or "sms dateadd".  my guess is the first one will be the most beneficial, since it's the one most people use.  if you find that you have too many old machines showing up in your collections, try something like this:

select    SMS_R_System.ResourceID 
from      SMS_R_System inner join SMS_G_System_WORKSTATION_STATUS on
          SMS_G_System_WORKSTATION_STATUS.ResourceID = SMS_R_System.ResourceId
where DATEDIFF(dd,SMS_G_System_WORKSTATION_STATUS.LastHardwareScan,GetDate()) < 14


datediff takes three parts: what to measure, the starting date, and the ending date.  in our evaluation we're measuring in days, using the lasthardwarescan value as the start and the current date as the end.  we take that value and check whether it's less than 14.  if it is, cool, show it.  if not, drop it.

you can do this in sql, too.  no doubt you want your reports not to show old crap either.  here's an example of what the sql statement would look like:

select distinct
            sys.ad_site_name0 as [Site],
            cs.name0 as [CI Name],
            cs.manufacturer0 as [Manufacturer],
            cs.model0 as [Model],
            se.serialnumber0 as [Serial #]
from  v_GS_COMPUTER_SYSTEM cs
            inner join v_GS_SYSTEM_ENCLOSURE se on cs.resourceid=se.resourceid
            inner join v_R_SYSTEM sys on cs.resourceid=sys.resourceid
            inner join v_GS_WORKSTATION_STATUS ws on cs.resourceid=ws.resourceid
where DATEDIFF(day, ws.lasthwscan, getdate()) < 14
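the inverse report, the stale machines themselves, is just as useful, and it exposes a catch in the queries above.  datediff(day, null, getdate()) is null, and null < 14 is not true, so a client that has never reported hardware inventory drops out of the "fresh" collection and would drop out of a naive ">= 14" query too, vanishing from both lists.  the added example below (not code from the post) runs the stale-client query against the site database from powershell, with an explicit is null test so never-scanned clients are listed, a left join so clients with no workstation status row still appear, and the day threshold passed as a sql parameter.  the server name, database name and threshold are assumptions; adjust them for your site.

```powershell
# Added example, not from the original post: stale (or never-scanned) clients straight from the
# SMS site database. Server name, database name and the 14-day threshold are assumptions.
function Get-StaleClients {
    param(
        [string]$SqlServer = 'SMSSQL01',   # assumed SQL Server hosting the site database
        [string]$Database  = 'SMS_ABC',    # assumed site database name (SMS_<sitecode>)
        [int]$Days         = 14
    )

    # DATEDIFF(day, NULL, getdate()) is NULL and NULL < 14 is not true, so the "fresh" queries in
    # the post silently lose clients that have never scanned. Test for NULL explicitly and use a
    # left join so a client with no workstation status row at all still shows up here.
    $sql = @'
select   sys.name0         as [CI Name],
         sys.ad_site_name0 as [Site],
         ws.lasthwscan     as [Last HW Scan],
         case when ws.lasthwscan is null then 'never scanned'
              else cast(datediff(day, ws.lasthwscan, getdate()) as varchar(10)) + ' days'
         end               as [Age]
from     v_R_System sys
         left join v_GS_WORKSTATION_STATUS ws on sys.resourceid = ws.resourceid
where    ws.lasthwscan is null
   or    datediff(day, ws.lasthwscan, getdate()) >= @days
order by ws.lasthwscan
'@

    $connStr = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection($connStr)
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $sql

    # pass the threshold as a typed parameter rather than splicing it into the query text
    $null = $cmd.Parameters.Add('@days', [System.Data.SqlDbType]::Int)
    $cmd.Parameters['@days'].Value = $Days

    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter($cmd)
        $null = $adapter.Fill($table)
    }
    finally {
        $conn.Close()
    }
    return $table
}

Get-StaleClients | Format-Table -AutoSize
```

the account running this needs read access to the site database views; the smsdbrole_* roles or a plain db_datareader grant on the v_* views is enough.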