Skip to main content


Showing posts from 2009

is it possible to manually install the opsmgr (scom) agent with patches?

the answer is yes and no.  the bottom line is, you can’t do it from a single command line execution as you can generally with other MSI installations. for example, if you wanted to run the momagent.msi and use the patch switch as shown in this example, it simply will not work. msiexec /i MOMAgent.msi PATCH=Q954049-x86.msp;Q954903-x86.msp;Q956689-x86.msp USE_SETTINGS_FROM_AD=0 MANAGEMENT_GROUP=mytestgroup SECURE_PORT=5723 ACTIONS_USE_COMPUTER_ACCOUNT=1 /l opsmgr_install.log   instead, you’d have to run the previous installation without specifying the PATCH= switch.  once completed, then you can roll in the additional patches by running msiexec in update mode.  it would look something like this: msiexec /update Q954049-x86.msp;Q954903-x86.msp;Q956689-x86.msp REINSTALL=ALL REINSTALLMODE=omus /L*v opsmgr_install.log /qn   thanks clive !

forcing a task sequence to rerun … from powershell

well, kind of.  steve rachui wrote this genius little gem about how to manage the instances of the configmgr agent scheduler to manipulate a task sequence to rerun .  as you’ll note in the post, he didn’t indicate a method to automate it.  this is actually rather easy to accomplish from powershell. first of all, our example … we’ll use steve’s screenshots as reference.  here’s the id that we want to get rid of: CEN20018-CEN00027-DBBBC9D6 . to be quite veracious and unerring, we should use the exact task sequence id in question.  we can set that to a variable just for kicks. $tsid = “CEN20018”   alright, now that we have that, let’s examine the command we’re going to use.  to get information out of wmi, we have to use the get-wmiobject cmdlet.  ordinarily, you could just provide the class name you want to look at, but as steve noted in his post, you need to connect to a different namespace: root\ccm\scheduler.  let’s retrieve all the classes of this namespace using –list.   get-w

Active Directory Cookbook 3rd Edition

just wrote a short review about active directory cookbook, 3rd edition. this is one of the most useful books in my library. Originally submitted at O'Reilly When you need practical hands-on support for Active Directory, the updated edition of this Cookbook provides quick solutions to more than 300 problems you might encounter when deploying, administering, and automating Microsoft's network directory service. You'll find recipes for the Lightwe... Active Directory Cookbook Fan of the Series 5out of 5 Pros: Easy to understand, Well-written, Helpful examples, Accurate, Concise Best Uses: Intermediate, Expert Describe Yourself: Sys Admin I became a fan of the series when Robbie Allen released the very first one. Since then, I've been hooked. It's amazing how the book has developed over time to become the monstrosity that it is today. It's enormous, weighing in at over 1000 pages. Though the true value is in all

social software in the workplace - magic quadrant 2009

right up there with ibm and jive software.  hope they’re not talking about lotus notes!  ;) full details for this and other magic quadrant reports are located here: .

xian wings 2010 announcement eminent

i just got this little piece of information from my favorite sales girl at jalasoft.  it looks like they’re extending your view of the network to your mobile device.  now you can know when your datacenter is on fire while you’re enjoying your stouffer’s frozen dinner and watching an episode of flashforward.  here’s the blurb: “Jalasoft informed today to a close network of contacts that they are going to announce the release of Xian Wings 2010. Wings 2010 will be part of the Xian suite and will make it possible for network and server administrators to gain better control of their environments thanks to a special client application that works on their mobile device.” fabulous!

moving configmgr package shares to an alternate location

ever since sms got into the business of managing security updates, it’s been a struggle trying to make sure that distribution points are sized right for the amount of content they’re going to be hosting.  we’re all clowns in a circus and should be quite adept at juggling by now.  :) once you’re beyond that small hurdle, you may find yourself in the same pickle when you start venturing into OSD.  even in a san world where drive space can magically show up on your server, it’s still often easier to get additional drive space than it is to increase existing drive space. i had to do a bit of reshuffling recently and found this blog post from the manageability team blog immensely helpful: . there is one caveat though that my coworker enlightened me about.  if you’re using bits-enabled distribution points (and i imagine the majority of us are), you’ll want to make one additional ch

how to keep your sysinternals tools in sync …

here is quite possibly the easiest way i’ve found to sync them up.  sometime last year, sysinternals made all of their tools accessible directly from the web.  this means no more having to go download the tools.  you could launch them or pull them down via to go one step further on this bit of information,\tools is directly accessible via explorer, cmd shell, powershell, etc.  this is demonstrated as such:   well, now that opens up a variety of different options to sync your copy.  explorer would be easiest for drag and drop.  if you’re familiar with any of the copy utilities, this should be old hat to you.  for me, i favor robocopy in this scenario:   to sync them in the future, you’d run the same command again.  just in case you missed it, here it is: robocopy \\\tools . *.exe

authoring resource kit released for opsmgr 2007 r2

microsoft just released the authoring resource kit last night.  it looks quite helpful!  i’m about to fire it up and see what it’s all about.  here’s the posted feature summary: Authoring Console - Develop MPs within a GUI environment. Management Pack Best Practice Analyzer (MPBPA) MPBPA scans management packs for best practice compliance and provides automated resolution for numerous issues. This tool integrates with the Authoring Console. Management Pack Spell Checker (MP Spell Checker) MP Spell Checker checks spelling in management packs to eliminate errors in display strings. Management Pack Visio Generator (MP Visio Generator) MP Visio Generator allows you to generate a class inheritance and class relationship diagram using Microsoft Office Visio. Management Pack Diff (MP Diff) MP Diff shows the differences between two management packs.

health service handle count threshold for exchange mp

another admin pointed out something very odd with this particular monitor.  apparently, the monitor has some overrides that change the threshold in certain scenarios.  to start, the monitor description: This monitor ensures that the "Process\Handle Count" counter for the HealthService.exe process does not exceed a set threshold over a series of consecutive samples.  If the conditions are met this monitor will change to a critical state, which will then roll up to the "Health Service State" monitor.  The "Health Service State" monitor is configured to run a recovery when its state is critical, which will automatically attempt to restart the Health Service. basically once you breach this number, the health service restarts.  this is typically a good thing since you’re keeping it maintained.  now, flip to the overrides. notice that there’s an exchange 2007 computer group override where the value is 5000.  try to edit this override.  you should

logsmith 1.2 released – includes event parameters!

stefan koell of does it again with an update to logsmith.  this time, you can see the parameters of the events you’re collecting.  very cool gem for opsmgr!  get more detail HERE at this is a screenshot of log smith in action from system center central .

clearing opsmgr agent cache from the console …

i just ran across this.  could be deeply embedded or something or not well advertised.  anyway, here’s the navigation path if you want to flush the health service state and cache from an agent via the console. first of all, navigate to the agent health state view.  [monitoring / operations manager / agent / agent health state ] you’ll see two panes at this point: agent state from health service watcher and agent state.  we only care about the agent state pane.  click on the agent that you’re going to send the missile.  in your actions pane, you will see “flush health service state and cache”.

adjusting “failed to send notification using server/device”

the actual rule name is “Failed to send through device alerting rule” that we’ll be working with.  i’m not going to go into length explanations since this is fairly straightforward.  just a few things that i wanted to point out (mainly links to good info).  basically, this alert has no overrides that are useful.  it kept sending out messages that looked like this: Notification subsystem failed to send notification using device/server ‘' over 'sip' protocol to ''. Microsoft.Collaboration.SignalingException: The requested operation failed.: Sip response: Temporarily Unavailable (0x1e0). Rule id: Subscriptione94d0bc3_ff32_48dc_8e96_3fdda0ba1663 this tends to come up often if the user is not online when the alert is sent through.  i suppose you could try to limit the number of times you’d run into this scenario by adjusting the hours that IM is used for alert notification (or not using it at all).  i opted to create an iden

list domain controllers with powershell

for my own edification and later reference.   to start, let's grab the current domain. $myDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()   just for fun, we’ll look at the forest. $myDomain.Forest   now, let’s list the domains of the forest. $myDomain.Forest.Domains   this will count every domain controller in every domain. $myDomain.Forest.Domains | % { $_.DomainControllers.Count }   for a final count, we’ll add all the numbers together into $myCount. $myDomain.Forest.Domains | % { $myCount = $_.DomainControllers.Count + $myCount}   to list all of the domain controllers, we can run this command. $myDomain.Forest.Domains | % { $_.DomainControllers } | Select-Object name   finally, another way to count all of the domain controllers in the forest. ($myDomain.Forest.Domains | % { $_.DomainControlle

most valuable professional award!

looks like i’m in for another year in the system center operations manager discipline.  congratulations to all of the rest of you who are either new or renewed this month. “Congratulations! We are pleased to present you with the 2009 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in System Center Operations Manager technical communities during the past year.”

list active directory subnets with powershell

sometimes it’s fun to do things the long way (not) and then do the equivalent in a shortcut fashion. these are the steps i used to retrieve subnets from active directory.   first of all, let’s grab the forest. $myForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()   now, we can get the list of sites names. $myForest.Sites | Select-Object name   if we see a site name that we like, we can retrieve just that site name and the subnets associated with it. $myForest.Sites | Where-Object { $_.Name -eq 'myCity' } | Select-Object Subnets     well, that’s probably not what you wanted unless you have such few subnets you can see the whole thing.  let’s pass that through the ExpandProperty feature of select-object. $myForest.Sites | Where-Object { $_.Name -eq 'myCity' } | Select-Object -ExpandProperty Subnets   that’s better!

using powershell select-string creatively…

this came up yesterday.  i thought it was cool enough to blog.  i’m sure this is pretty elementary for most of you. background i was trying to find a way to search a list of files for content and pull back some attributes along with the search.  the problem is once you pass objects from get-childitems through select-string, the type changes.   looking at the object type let’s look at the type before we send it through select-string: PS C:\data\temp> ls | gm -MemberType property TypeName: System.IO.FileInfo Name MemberType Definition ---- ---------- ---------- Attributes Property System.IO.FileAttributes Attributes {get;set;} CreationTime Property System.DateTime CreationTime {get;set;} CreationTimeUtc Property System.DateTime CreationTimeUtc {get;set;} Directory Property System.IO.DirectoryInfo Directory {get;} DirectoryName Property System.String DirectoryName {get;} Exists Property

how to identify the smsexec thread when processor utilization is high

there’s no secret formula to this.  you’ll just have to roll up your sleeves and do it.  apparently, this used to be in some old article Q234508 which has been removed for whatever reason since this works with sms 2.0, sms 2003, and configmgr (sccm) 2007.   identifying the instance on your troubled server, use these steps to get perfmon to show you where the problem is occurring: fire up perfmon (obviously). add thread object with the following counters: % processor time id thread for instances, choose all the instances that begin with smsexec . could be quite a bit.  i had close to 90. if you think it’ll help, you can try the report view (ctrl+r) to isolate the thread causing the problems.  otherwise, you can enable highlighting (ctrl+h) and with zen like patience, move through all of the smsexec threads until you see the thread that’s eating up % processor time.  sometimes it’s easier watching it in histogram view, then double-clicking the li

looking for a new IM client? try digsby and never go back! (and switch to alpha mode, if you dare)

alright, i admit i might be a little slow.  i wasn’t catching the hidden message behind the trend initially.  lately, people i communicate with pretty frequently had either mentioned switching to digsby or asking my opinion of it.  i guess it has to do with a few well-placed statements about trying out new features in digsby like global status updates and here most recently, the tighter facebook integration.   switch to digsby the trend i didn’t realize was that people are in search of a new messenger client – and usually one that handles all of their social requirements.  i’ve been a long time fan of messengers that are capable of interacting with a variety of services.  gAIM was where i started (which has since evolved to pidgin).  (for my macbook pro, i use adium).  about a year ago, i switched over to digsby.  i haven’t gone back since.  it connects me to all my email services, facebook, linkedin, twitter, etc. anyway, i’m posting this because friends i’ve recommended

dell server management pack suite v4.0 released

Image via Wikipedia if somehow you haven’t heard yet, dell released their newest management pack – finally.  it looks as if it’s been rewritten because quite frankly, if you had the misfortune of loading the previous one, then you know what a piece of crap it was. the early word is that you cannot upgrade to 4.0.  it’ll be a wipe and reload.  anyway, here’s the link and a few light details. Feature highlights of this Dell Server Management Pack Suite v4.0 (A00) - Improvements in scalability and performance over the previous releases by including: Server Scalable MP (for managing large enterprise environments) Server Detailed MP (addon MP that provides detailed instance level monitoring) Performance and Power monitoring and OpenManage 6.1 support for Dell Server MPs DRAC and CMC MPs to monitor Dell Remote Acc

using powershell to list active directory trusts

this is an easy concept to do for the current domain: $myLocalDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() $myLocalDomain.GetAllTrustRelationships()   it’s a little different if you want to do it for another domain, such as the root domain, for example: $myRootDirContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext( 'domain' , "" ) $myRootDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain([System.DirectoryServices.ActiveDirectory.DirectoryContext]$myRootDirContext) $myRootDomain.GetAllTrustRelationships()

useful tasks for the extended ad mp

if you’ve decided to start using the extended ad mp over on , you’ve probably noticed in the user guide (cough) that in order to pick up expensive/ineffecient ldap queries, you need to change some registry values. first of all, what’s the fire engine have to do with this post?  actually nothing.  i just saw it and thought “red”.  yeah. anyway, if you’re going to set it manually, it shows you how right here in guide: Open the Registry Editor Locate the following Registry key – HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering and change its value to 4 or 5. Open the Operations Console, and click the Authoring button. Expand Management Pack Objects , and then click Rules . In the Rules pane, type LDAP into the Look for box, and then click Find Now. Locate the LDAP Summary Report of Expensive or Inefficient Queries and/or the An

configuration manager compliance summary reports by site

Image by cell105 via Flickr if you’ll recall from my last post , i had a bit of trouble trying to figure out a way to generate reports by authorization list.  well, i got by that hurdle.  the problem is the tables i was using to generate the report weren’t really designed for running on a massive scale.  in fact, i started timing it and realized that it was taking on average about 3-4 seconds per machine.  so for an average enterprise of 10,000 machines, it would take -- ( ( 10,000 * 3 ) / 60 ) / 60 = 8.33 hours no one really found this acceptable for obvious reasons.  well, with a bit more digging, i found i could do the same kind of thing without having to aggregate the report details to generate a compliance number.  instead of using v_updatecompliancestatus , i started using v_updateliststatus_live .  is it just me or do they seem to be named inappropriately? anyway, i created a new set of reports, taking a bit from the old and a bit from existing reports such as

generating a compliance summary report based on an authorization list

i hope someone doesn’t respond to this post and say… hey it was already done – right here!  i searched for awhile and couldn’t find any canned reports someone had done to display security update compliance by machine based on an authorization list.  i’m no sql expert, and my skillz at writing sql queries are not m@dd by any stretch of the imagination .  however, i was able to finagle what appears to be decent output. here’s a screen capture of the query output we’ll be working with:   this report contains links that will generate another report of the specific updates used in the calculation of the summary:   background the reason why we find this report immensely useful is because it limits the data set based on your authorization list.  when you execute the report, you will have to provide two things: a collection id – which set of machines do you want to look at? an authorization list id – which authorization list do you want to check against? this wa

bug with synthetic transactions (exchange 2007 native mp)

Image by Hil via Flickr if you’re using the native exchange 2007 mp with clustered mailbox servers, you may have noticed that your synthetic transaction executions are timing out. you should be able to recognize the alerts.  they look something like this: Some of the MAPI connectivity transactions failed. Detailed information: Target: System mailbox for XYZ Error: The transaction did not complete in the alotted time (20 seconds).   here is an explanation from microsoft: “In the core OpsMgr code, there is a “cluster override” that disables all workflows for objects that are contained by a cluster virtual server, unless the workflows are running on the Active Node.  When we create the relationship between the Synthetic Transaction object and the Cluster Virtual Node for the Mailbox Server, the CAS Server is now subject to the "cluster override" even though it isn't a member of the cluster , because now the Synthetic Transaction hosted on th

how to properly target machines with the dfs management pack

Image by GravitysAppleNZ via Flickr if you’re planning to install the microsoft windows dfs 2003 management pack (yes, the converted one), you should be certain to target properly.  if you don’t, you’ll end up with some trash data coming from other dfs sources (e.g. domain controllers) that you may not want in your dfs views. i spent a disproportionate amount of time on this to figure out all the ins and outs of targeting inside of this mp.  i would love to say it was for my edification, but in actuality, it was because the agents apparently didn’t work right until they were restarted.  :| anyway, so the bottom line is, it was much easier than what i describe in this post on system center central .  it may still be confusing to others however so i’m posting it here. the first thing you’ll want to do is create a new group.  there isn’t much to do here except target your members properly.  i used something like this to target a few of my dfs servers.  specifically, i’m us

“mid” like functionality in batch script

for awhile, i used for looping to do a lot of manipulation in batch scripts until i ran across this gem.  a friend of mine asked me how to manipulate a date string awhile back.  this is what i came up with. let’s begin with the date /t command.  running it gives us this output: Fri 07/31/2009   most date formats with respect to dates in filenames generally don’t use “/” or include the short day name “fri”.  my conventional method is to push this through a for loop and break out the thing into tokens.  i’ve done this in below by utilizing “/” and “,” as the delimiters. for /f "tokens=1,2,3,4 delims=/, " %a in ( 'date /t' ) do @echo %b%c%d   now we get this output when we echo %b%c%d. 07312009   the challenge i got was how to get the date to show up as 090731.  if we tried to use “0” as a delimiter, it would clearly fail as 07 and 09 have zeroes in them.  here’s an example: for /f "tokens=1-5 delims=/,0 " %a in (

excellent demo on using custom composite data types

Image via Wikipedia if you happened to miss the last system center virtual user group, catch the recorded livemeeting.  there’s a great presentation on using composite monitors.  i believe the source is what’s on technet currently, but the explanation and step-by-step demonstration will help cement the idea.  check it out on system center central :

sql query to list all manual reset monitors

Image via Wikipedia looking for an easy way to list all of your unit monitors classified as a manual reset?  here’s a sql query that you can execute to list them out. SELECT, mv.enabled, mv.displayname,, FROM monitorview mv inner join monitortypeview mtv on inner join managementpackview mpv on mtv.managementpackid = WHERE mv.IsUnitMonitor = 'True' and like '%manualreset%' you can follow the entire thread here .

bug in notification subscription when using custom fields with opsmgr

back last month, i posted an odd behavior i was seeing in opsmgr.  anytime i used a custom field, the notification subscription would not work.  one of the peeps on the forum called pss to work through the issue and had been informed that it was a bug, completely reproducible. you can read the entire thread here: otherwise, here’s a short summary of how to fix the problem: Export the ‘Notifications Internal Library’ Management Pack. Increase the <Version>. For example: <Version> 6.1.7221.1 </Version> Locate the mistakes for each custom Field, which will look like: < SimpleExpression xmlns:xsi ="" xmlns:xsd ="" > < ValueExpression > < Property > Custom8 </ Property > </ ValueEx

configmgr console crashes with error “input string was not in a correct format”

i recently posted a fix to a console crashing condition with configmgr.  looks like it’s round two.  one of the configmgr admins here ran into this issue and asked me about.  this should be an entertaining post, especially when i highlight the advice from microsoft on how to fix this problem.  let’s start, shall we? to begin with, the console crashes, from any machine, when you try to view the settings of specific active directory discovery methods.  this was occurring on two different servers and not always the same ad discovery method.  the only thing of interest that both servers had in common was that they were migrated to new hardware and had run through the site recovery wizard. i captured the message that fires up whenever a crash condition occurs.  it looks like the likely offense is this message: Input string was not in a correct format. that usually means site control configuration file corruption to me.  note that if you modify your site control file, you probably