O R G A N I C / F E R T I L I Z E R: 2009

Dec 10, 2009

is it possible to manually install the opsmgr (scom) agent with patches?

the answer is yes and no.  the bottom line is, you can’t do it from a single command line execution as you can generally with other MSI installations.

for example, if you wanted to run the momagent.msi and use the patch switch as shown in this example, it simply will not work.

msiexec /i MOMAgent.msi PATCH=Q954049-x86.msp;Q954903-x86.msp;Q956689-x86.msp USE_SETTINGS_FROM_AD=0 MANAGEMENT_GROUP=mytestgroup MANAGEMENT_SERVER_DNS=mytestserver.mydomain.com SECURE_PORT=5723 ACTIONS_USE_COMPUTER_ACCOUNT=1 /l opsmgr_install.log


instead, you’d have to run the previous installation without specifying the PATCH= switch.  once completed, then you can roll in the additional patches by running msiexec in update mode.  it would look something like this:

msiexec /update Q954049-x86.msp;Q954903-x86.msp;Q956689-x86.msp REINSTALL=ALL REINSTALLMODE=omus /L*v opsmgr_install.log /qn


thanks clive!
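the two-step sequence above as one script (an added example, not part of the original post). file names and property values are the ones from the post; the `Invoke-Msiexec` helper, the `/qn` on the first step and the second log file name are assumptions.

```powershell
# added example: install the agent first, then roll the patches in with /update.
# run from the folder that holds MOMAgent.msi and the .msp files.

function Invoke-Msiexec {
    # hypothetical helper: runs msiexec, waits, and fails loudly on a bad exit code
    param([string]$Arguments)

    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $Arguments -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is required
    if ((0, 3010) -notcontains $p.ExitCode) {
        throw "msiexec $Arguments failed with exit code $($p.ExitCode)"
    }
    return $p.ExitCode
}

$patches = 'Q954049-x86.msp', 'Q954903-x86.msp', 'Q956689-x86.msp'

# stop before touching the machine if any file is missing
$missing = @(($patches + 'MOMAgent.msi') | Where-Object { -not (Test-Path $_) })
if ($missing.Count -gt 0) {
    throw "missing files: $($missing -join ', ')"
}

# step 1: base install, no PATCH= property
$installArgs = '/i MOMAgent.msi USE_SETTINGS_FROM_AD=0 MANAGEMENT_GROUP=mytestgroup ' +
               'MANAGEMENT_SERVER_DNS=mytestserver.mydomain.com SECURE_PORT=5723 ' +
               'ACTIONS_USE_COMPUTER_ACCOUNT=1 /qn /L*v opsmgr_install.log'
$installCode = Invoke-Msiexec -Arguments $installArgs

# step 2: patches in update mode, only reached if step 1 succeeded
$updateArgs = "/update `"$($patches -join ';')`" REINSTALL=ALL REINSTALLMODE=omus " +
              '/qn /L*v opsmgr_patch.log'
$updateCode = Invoke-Msiexec -Arguments $updateArgs

if ($installCode -eq 3010 -or $updateCode -eq 3010) {
    Write-Warning 'agent installed and patched, reboot required'
}
```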

Nov 11, 2009

forcing a task sequence to rerun … from powershell

well, kind of.  steve rachui wrote this genius little gem about how to manage the instances of the configmgr agent scheduler to manipulate a task sequence to rerun.  as you’ll note in the post, he didn’t indicate a method to automate it.  this is actually rather easy to accomplish from powershell.

first of all, our example … we’ll use steve’s screenshots as reference.  here’s the id that we want to get rid of: CEN20018-CEN00027-DBBBC9D6.

to be quite veracious and unerring, we should use the exact task sequence id in question.  we can set that to a variable just for kicks.

$tsid = "CEN20018"

alright, now that we have that, let’s examine the command we’re going to use.  to get information out of wmi, we have to use the get-wmiobject cmdlet.  ordinarily, you could just provide the class name you want to look at, but as steve noted in his post, you need to connect to a different namespace: root\ccm\scheduler.  let’s retrieve all the classes of this namespace using -list.

get-wmiobject -namespace "root\ccm\scheduler" -list

here’s a snippet of the expected output:

__Win32Provider {}
__SystemSecurity {GetSD, GetSecuri..
CCM_Scheduler_History {}
__NotifyStatus {}
__ExtendedStatus {}
__SecurityRelatedClass {}

ah, there we go.  the class we’re looking for is ccm_scheduler_history.  next thing we’ll do is pull the instances of this class.  if we just pull the class, it’ll be quite a nasty output, so let’s concentrate on what’s important for now: the schedule id.

Get-WmiObject -Namespace "root\ccm\scheduler" -Class ccm_scheduler_history | ft scheduleid

now we get a succinct output of just the schedule ids.  there’s the schedule id we’re looking for!


let’s pull it all together and see how it looks.

Get-WmiObject -Namespace "root\ccm\scheduler" -Class ccm_scheduler_history | where { $_.scheduleid -like "$tsid*" }

perfect.  now we got back the right instance of the class.  i’m going to set this to a new variable called $tsinstance because i’m just that creative.

$tsinstance = Get-WmiObject -Namespace "root\ccm\scheduler" -Class ccm_scheduler_history | where { $_.scheduleid -like "*$tsid*" }

now, finally, we’re to the point where we can get rid of the thing.  so … how?  well… as it turns out, there’s a cmdlet for that.  all we need to do is pass the object to remove-wmiobject.  that just rocks.  here’s the finished command.

$tsinstance | Remove-WmiObject

and if you just want one long command, here’s that as well:

Get-WmiObject -Namespace "root\ccm\scheduler" -Class ccm_scheduler_history | where { $_.scheduleid -like '*CEN20018*' } | Remove-WmiObject
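the same removal wrapped so it can be previewed before anything is deleted (an added example, not part of the original post or of steve's). `Remove-TaskSequenceHistory` is a hypothetical name, and the 8-character id check is an assumption based on the post's CEN20018.

```powershell
# added example: anchored match plus -WhatIf/-Confirm support around Remove-WmiObject
function Remove-TaskSequenceHistory {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # assumption: ids are 8 letters/digits like CEN20018. rejecting anything else
        # also keeps wildcard characters out of the -like pattern below.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9]{8}$')]
        [string]$TaskSequenceId,

        [string]$ComputerName = '.'
    )

    # match only schedule ids that START with the id, e.g. CEN20018-CEN00027-DBBBC9D6,
    # instead of any id that merely contains the string
    $history = @(Get-WmiObject -ComputerName $ComputerName -Namespace 'root\ccm\scheduler' `
                     -Class CCM_Scheduler_History |
                 Where-Object { $_.ScheduleID -like "$TaskSequenceId-*" })

    if ($history.Count -eq 0) {
        Write-Warning "no scheduler history found for $TaskSequenceId on $ComputerName"
        return
    }

    foreach ($entry in $history) {
        if ($PSCmdlet.ShouldProcess($entry.ScheduleID, 'remove CCM_Scheduler_History instance')) {
            $entry | Remove-WmiObject
            $entry.ScheduleID   # emit what was removed so the change can be logged
        }
    }
}

# preview what would be removed, then do it for real
Remove-TaskSequenceHistory -TaskSequenceId 'CEN20018' -WhatIf
Remove-TaskSequenceHistory -TaskSequenceId 'CEN20018' -Confirm:$false
```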

Nov 10, 2009

Active Directory Cookbook 3rd Edition

just wrote a short review about active directory cookbook, 3rd edition. this is one of the most useful books in my library.
Originally submitted at O'Reilly

When you need practical hands-on support for Active Directory, the updated edition of this Cookbook provides quick solutions to more than 300 problems you might encounter when deploying, administering, and automating Microsoft's network directory service. You'll find recipes for the Lightwe...

Fan of the Series

5 out of 5
Pros: Easy to understand, Well-written, Helpful examples, Accurate, Concise
Best Uses: Intermediate, Expert
Describe Yourself: Sys Admin
I became a fan of the series when Robbie Allen released the very first one. Since then, I've been hooked. It's amazing how the book has developed over time to become the monstrosity that it is today. It's enormous, weighing in at over 1000 pages. Though the true value is in all the "recipes" in the book, I really enjoy all the background material that each section provides.

Each topic has:
  • Problem - the task you need to perform
  • Solution - how to perform it
  • Discussion - additional information about the topic

It's great to have a reference that succinctly defines the task and the solution without having to read gobs of pages. It's not just limited to scripting as the name may imply. Most solutions are defined for scripting (vbscript, powershell, command shell), however, often times you'll find the gui (graphical user interface) equivalent of how to achieve the task.

Laura Hunter is a great author and well-respected MVP in the Active Directory space. All of the contributing authors from the past editions are tops in their field and sources of information I have relied on in the past and will continue to do so for as long as I support Active Directory.

It's time I give up my 2nd Edition Cookbook and make room for this one on my reference shelf. Valuable book!

Nov 4, 2009

social software in the workplace - magic quadrant 2009

right up there with ibm and jive software.  hope they’re not talking about lotus notes!  ;)


full details for this and other magic quadrant reports are located here: http://www.microsoft.com/presspass/itanalyst/default.mspx.

Nov 3, 2009

xian wings 2010 announcement imminent

i just got this little piece of information from my favorite sales girl at jalasoft.  it looks like they’re extending your view of the network to your mobile device.  now you can know when your datacenter is on fire while you’re enjoying your stouffer’s frozen dinner and watching an episode of flashforward.  here’s the blurb:

“Jalasoft informed today to a close network of contacts that they are going to announce the release of Xian Wings 2010. Wings 2010 will be part of the Xian suite and will make it possible for network and server administrators to gain better control of their environments thanks to a special client application that works on their mobile device.”


moving configmgr package shares to an alternate location

ever since sms got into the business of managing security updates, it’s been a struggle trying to make sure that distribution points are sized right for the amount of content they’re going to be hosting.  we’re all clowns in a circus and should be quite adept at juggling by now.  :)

once you’re beyond that small hurdle, you may find yourself in the same pickle when you start venturing into OSD.  even in a san world where drive space can magically show up on your server, it’s still often easier to get additional drive space than it is to increase existing drive space.

i had to do a bit of reshuffling recently and found this blog post from the manageability team blog immensely helpful:  http://blogs.technet.com/smsandmom/archive/2008/09/04/moving-the-smspkgc-share-to-a-different-drive.aspx.

there is one caveat though that my coworker enlightened me about.  if you’re using bits-enabled distribution points (and i imagine the majority of us are), you’ll want to make one additional change.  any distribution points utilizing bits will have a corresponding virtual directory which will need to be adjusted to the new location.  to do this, fire up your internet information services (iis) manager.

  1. navigate to site server\web sites\default web site\sms_dp_smspkg[x]$.
  2. right-click the virtual directory and choose properties.
  3. in the local path field, change the path to the new location.

[x above is the drive letter.]


here’s a screen shot of what to do.


comments always welcome.  hope you get some good mileage out of this.

Oct 29, 2009

how to keep your sysinternals tools in sync …

here is quite possibly the easiest way i’ve found to sync them up.  sometime last year, sysinternals made all of their tools accessible directly from the web.  this means no more having to go download the tools.  you could launch them or pull them down via live.sysinternals.com.

to go one step further on this bit of information, \\live.sysinternals.com\tools is directly accessible via explorer, cmd shell, powershell, etc.  this is demonstrated as such:



well, now that opens up a variety of different options to sync your copy.  explorer would be easiest for drag and drop.  if you’re familiar with any of the copy utilities, this should be old hat to you.  for me, i favor robocopy in this scenario:



to sync them in the future, you’d run the same command again.  just in case you missed it, here it is:

robocopy \\live.sysinternals.com\tools . *.exe
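since this pulls executables off a network share, it is worth checking their authenticode signatures after each sync. an added example (not part of the original post): the destination folder, the function name and the expected publisher string are assumptions.

```powershell
# added example: sync the tools, then report any exe whose signature does not check out
function Sync-SysinternalsTools {
    param(
        [string]$Destination = 'C:\tools\sysinternals',          # assumed local folder
        [string]$ExpectedPublisher = 'O=Microsoft Corporation'   # assumed signer to accept
    )

    # /R and /W cap the retries so a dead connection does not hang the job
    robocopy \\live.sysinternals.com\tools $Destination *.exe /R:2 /W:5 | Out-Null

    # robocopy exit codes of 8 and above mean at least one copy failed
    if ($LASTEXITCODE -ge 8) {
        throw "robocopy failed with exit code $LASTEXITCODE"
    }

    Get-ChildItem -Path $Destination -Filter *.exe | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        New-Object PSObject -Property @{
            Name    = $_.Name
            Status  = $sig.Status
            Signer  = $signer
            # trusted only if the signature validates AND the signer is the expected one
            Trusted = ($sig.Status -eq 'Valid') -and ($signer -like "*$ExpectedPublisher*")
        }
    }
}

$results = @(Sync-SysinternalsTools)
$suspect = @($results | Where-Object { -not $_.Trusted })

if ($suspect.Count -gt 0) {
    Write-Warning "$($suspect.Count) file(s) failed the signature check, do not run them:"
    $suspect | Format-Table Name, Status, Signer -AutoSize
} else {
    "all $($results.Count) tools carry a valid signature from the expected publisher"
}
```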

Oct 22, 2009

authoring resource kit released for opsmgr 2007 r2

microsoft just released the authoring resource kit last night.  it looks quite helpful!  i’m about to fire it up and see what it’s all about.  here’s the posted feature summary:

  • Authoring Console - Develop MPs within a GUI environment.
  • Management Pack Best Practice Analyzer (MPBPA)
    • MPBPA scans management packs for best practice compliance and provides automated resolution for numerous issues. This tool integrates with the Authoring Console.
  • Management Pack Spell Checker (MP Spell Checker)
    • MP Spell Checker checks spelling in management packs to eliminate errors in display strings.
  • Management Pack Visio Generator (MP Visio Generator)
    • MP Visio Generator allows you to generate a class inheritance and class relationship diagram using Microsoft Office Visio.
  • Management Pack Diff (MP Diff)
    • MP Diff shows the differences between two management packs.
  • Management Pack Cookdown Analyzer (MP Cookdown Analyzer)
    • MP Cookdown Analyzer identifies workflows which may break cookdown. Suggestions are provided for how to fix the performance problems.
  • All References Add-in
    • All References Add-in helps find all management pack elements that reference the specific element chosen. For example, the ability to right click a class and find all rules, monitors, overrides, as well as anything else that targets that class is provided. This tool works on most management pack elements.
  • Workflow Analyzer
    • The Workflow Analyzer provides the ability to statically analyze all types of workflows. It also allows users to trace workflows running on any Health Service.
  • Workflow Simulator
    • The Workflow Simulator provides the ability to test certain types of workflows such as discoveries, rules, and monitors without a Management Server and Management Group. Key functionality includes the ability to test workflows as well as view and validate output prior to signing and importing the MP into a Management Group for additional testing.
  • Management Packs
    • Three management packs which are frequently used as dependencies are provided as part of the tools installation. These MPs are necessary to allow the Authoring Console to open most MPs available online in the System Center Operations Manager MP Catalog. The provided MPs are:
      • Microsoft.SystemCenter.DataWarehouse.Report.Library
      • Microsoft.SystemCenter.InstanceGroup.Library
      • Microsoft.SystemCenter.ServiceDesigner.Library

this is the LINK to download it.

Oct 21, 2009

health service handle count threshold for exchange mp

another admin pointed out something very odd with this particular monitor.  apparently, the monitor has some overrides that change the threshold in certain scenarios.  to start, the monitor description:

This monitor ensures that the "Process\Handle Count" counter for the HealthService.exe process does not exceed a set threshold over a series of consecutive samples.  If the conditions are met this monitor will change to a critical state, which will then roll up to the "Health Service State" monitor.  The "Health Service State" monitor is configured to run a recovery when its state is critical, which will automatically attempt to restart the Health Service.

basically once you breach this number, the health service restarts.  this is typically a good thing since you’re keeping it maintained.  now, flip to the overrides.


notice that there’s an exchange 2007 computer group override where the value is 5000.  try to edit this override.  you should get a similar screen.


notice how the value of 5000 doesn’t show up here.  interesting that it would even be set at 5000 since 6000 would seem a better rounded number for most agents.  so why would the exchange 2007 computer group want a lower threshold?  mysterious…

not really -- if you know the history.  turns out at one point the threshold was set to some whacky low number.  i don’t have a back rev environment to go pull the actual value.  let’s just say it was 200.  with this value in place, the exchange mp couldn’t reliably operate in large-scale environments with health service constantly restarting.  the override value comes from the exchange mp, forcing the threshold count to a much higher, more realistic value.

this makes complete sense except the value is lower than what is shown in the screen shot above, right?  actually … the value of 6000 was introduced in the latest operations manager 2007 core mp which was released after the exchange mp.

oh by the way, you’ll see this same behavior in the health service private bytes threshold monitor.  (thanks guys!)

Oct 14, 2009

logsmith 1.2 released – includes event parameters!

stefan koell of code4ward.net does it again with an update to logsmith.  this time, you can see the parameters of the events you’re collecting.  very cool gem for opsmgr!  get more detail HERE at systemcentercentral.com.

this is a screenshot of log smith in action from system center central.


clearing opsmgr agent cache from the console …

i just ran across this.  could be deeply embedded or something or not well advertised.  anyway, here’s the navigation path if you want to flush the health service state and cache from an agent via the console.

first of all, navigate to the agent health state view. 

[monitoring / operations manager / agent / agent health state ]


you’ll see two panes at this point: agent state from health service watcher and agent state.  we only care about the agent state pane.  click on the agent that you’re going to send the missile.  in your actions pane, you will see “flush health service state and cache”.


Oct 13, 2009

adjusting “failed to send notification using server/device”

the actual rule name that we’ll be working with is “Failed to send through device alerting rule”.  i’m not going to go into lengthy explanations since this is fairly straightforward.  just a few things that i wanted to point out (mainly links to good info).  basically, this alert has no overrides that are useful.  it kept sending out messages that looked like this:

Notification subsystem failed to send notification using device/server ‘sip.myDomain.com' over 'sip' protocol to 'sip:myUser@myDomain.com'. Microsoft.Collaboration.SignalingException: The requested operation failed.: Sip response: Temporarily Unavailable (0x1e0). Rule id: Subscriptione94d0bc3_ff32_48dc_8e96_3fdda0ba1663

this tends to come up often if the user is not online when the alert is sent through.  i suppose you could try to limit the number of times you’d run into this scenario by adjusting the hours that IM is used for alert notification (or not using it at all).  i opted to create an identical rule with the right event criteria.

  • ran logparser and dumped the event so that i could see the exact parameters.  it’s detailed HERE on stranger’s blog.  the output is separated by pipes.  i reformatted it to make it easier to read:
1 myManagementGroup|
2 Subscriptione94d0bc3_ff32_48dc_8e96_3fdda0ba1663|
3 Alert Notification Subscription Server|
4 {E07E3FAB-53BC-BC14-1634-5A6E949F9230}|
5 sip|
6 sip.myDomain.com|
7 sip:myUser@myDomain.com|
8 Microsoft.Collaboration.SignalingException|
9 The requested operation failed.: Sip response: Temporarily Unavailable (0x1e0)

  • created an identical rule with the following properties (reference HERE for kevin’s blog post if you need more information):
    • expression -
      • Event ID equals 31503
      • Event Source equals Health Service Modules
      • Parameter 1 equals $Target/ManagementGroup/Name$
      • Parameter 5 does not equal sip
    • response -
      • Suppression – Parameter 5, 6, 7, 8, 9

now you simply need to disable the original rule and turn this one on (saving it to your own management pack of course).  we simply set the event rule to pick up where parameter 5 does not equal sip.  by doing this we’ve effectively stopped any alerts on notifications where sip is involved.

Oct 6, 2009

list domain controllers with powershell

for my own edification and later reference.

to start, let's grab the current domain.
$myDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

just for fun, we’ll look at the forest.

now, let’s list the domains of the forest.

this will count every domain controller in every domain.
$myDomain.Forest.Domains | % { $_.DomainControllers.Count }

for a final count, we’ll add all the numbers together into $myCount.
$myDomain.Forest.Domains | % { $myCount = $_.DomainControllers.Count + $myCount}

to list all of the domain controllers, we can run this command.
$myDomain.Forest.Domains | % { $_.DomainControllers } | Select-Object name

finally, another way to count all of the domain controllers in the forest.
($myDomain.Forest.Domains | % { $_.DomainControllers } | Select-Object name).count

Oct 2, 2009

atlanta systems management user group (smug) – 10/9/2009!

we’re meeting up again for another day of system center topics.  be there or be square.  if you’re square, show up anyway.  we’re all geeks, and you’ll be in good company.


see you there!

Oct 1, 2009

most valuable professional award!

looks like i’m in for another year in the system center operations manager discipline.  congratulations to all of the rest of you who are either new or renewed this month.

“Congratulations! We are pleased to present you with the 2009 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in System Center Operations Manager technical communities during the past year.”

Sep 24, 2009

list active directory subnets with powershell

sometimes it’s fun to do things the long way (not) and then do the equivalent in a shortcut fashion.

these are the steps i used to retrieve subnets from active directory.


first of all, let’s grab the forest.

$myForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()


now, we can get the list of sites names.

$myForest.Sites | Select-Object name


if we see a site name that we like, we can retrieve just that site name and the subnets associated with it.

$myForest.Sites | Where-Object { $_.Name -eq 'myCity' } | Select-Object Subnets


well, that’s probably not what you wanted unless you have so few subnets you can see the whole thing.  let’s pass that through the ExpandProperty feature of select-object.

$myForest.Sites | Where-Object { $_.Name -eq 'myCity' } | Select-Object -ExpandProperty Subnets


that’s better!

Sep 16, 2009

using powershell select-string creatively…

this came up yesterday.  i thought it was cool enough to blog.  i’m sure this is pretty elementary for most of you.


i was trying to find a way to search a list of files for content and pull back some attributes along with the search.  the problem is once you pass objects from get-childitem through select-string, the type changes.


looking at the object type

let’s look at the type before we send it through select-string:

PS C:\data\temp> ls | gm -MemberType property

   TypeName: System.IO.FileInfo

Name              MemberType Definition
----              ---------- ----------
Attributes        Property   System.IO.FileAttributes Attributes {get;set;}
CreationTime      Property   System.DateTime CreationTime {get;set;}
CreationTimeUtc   Property   System.DateTime CreationTimeUtc {get;set;}
Directory         Property   System.IO.DirectoryInfo Directory {get;}
DirectoryName     Property   System.String DirectoryName {get;}
Exists            Property   System.Boolean Exists {get;}
Extension         Property   System.String Extension {get;}
FullName          Property   System.String FullName {get;}
IsReadOnly        Property   System.Boolean IsReadOnly {get;set;}
LastAccessTime    Property   System.DateTime LastAccessTime {get;set;}
LastAccessTimeUtc Property   System.DateTime LastAccessTimeUtc {get;set;}
LastWriteTime     Property   System.DateTime LastWriteTime {get;set;}
LastWriteTimeUtc  Property   System.DateTime LastWriteTimeUtc {get;set;}
Length            Property   System.Int64 Length {get;}
Name              Property   System.String Name {get;}


now after select-string:

PS C:\data\temp> ls | Select-String marcus | gm -MemberType property

   TypeName: Microsoft.PowerShell.Commands.MatchInfo

Name       MemberType Definition
----       ---------- ----------
Context    Property   Microsoft.PowerShell.Commands.MatchInfoContext Context {get;set;}
Filename   Property   System.String Filename {get;}
IgnoreCase Property   System.Boolean IgnoreCase {get;set;}
Line       Property   System.String Line {get;set;}
LineNumber Property   System.Int32 LineNumber {get;set;}
Matches    Property   System.Text.RegularExpressions.Match[] Matches {get;set;}
Path       Property   System.String Path {get;set;}
Pattern    Property   System.String Pattern {get;set;}


retrieving the original attributes

as you can see, after sending it through select-string, it converts the type from FileInfo to MatchInfo.  as long as i only care about the properties i can use from matchinfo, that’s not really a problem.  as noted here:

PS C:\data\temp> ls | Select-String marcus | ft filename, line -auto

Filename        Line
--------        ----
machinelist.txt MARCUS


that becomes a problem since the original attributes aren’t maintained.  for example, let’s say i want to pull back the creation time of the file.  this illustrates the problem:

PS C:\data\temp> ls | Select-String marcus | ft filename, line, {$_.creationtime} -auto

Filename        Line   $_.creationtime
--------        ----   ---------------
machinelist.txt MARCUS


if we embed a command, we can retrieve the item again and then pull back the property of it.

PS C:\data\temp> ls | Select-String marcus | ft filename, line, {(ls $_.filename).creationtime} -auto

Filename        Line   (ls $_.filename).creationtime
--------        ----   -----------------------------
machinelist.txt MARCUS 4/16/2009 1:45:10 PM


shout out

lots of thanks to shay levy and hal rottenberg for their incredibly rich powershell knowledge.

Sep 10, 2009

how to identify the smsexec thread when processor utilization is high

there’s no secret formula to this.  you’ll just have to roll up your sleeves and do it.  apparently, this used to be in some old article Q234508 which has been removed for whatever reason since this works with sms 2.0, sms 2003, and configmgr (sccm) 2007.


identifying the instance

on your troubled server, use these steps to get perfmon to show you where the problem is occurring:

  1. fire up perfmon (obviously).
  2. add thread object with the following counters:
    • % processor time
    • id thread
  3. for instances, choose all the instances that begin with smsexec.

could be quite a bit.  i had close to 90.

if you think it’ll help, you can try the report view (ctrl+r) to isolate the thread causing the problems.  otherwise, you can enable highlighting (ctrl+h) and with zen like patience, move through all of the smsexec threads until you see the thread that’s eating up % processor time.  sometimes it’s easier watching it in histogram view, then double-clicking the line that’s bouncing around like an ice cream charged 4 year old.

once you find it, write down the instance number.  (i don’t trust you to remember it).  don’t close out perfmon yet.


isolating the thread

once you’ve identified the instance, these steps will locate the thread value.

  1. in perfmon, scroll through your counter list until you’re in the id thread list. 
  2. find the corresponding instance number that you wrote down.
  3. highlight the instance and note the values in last, average, minimum, and maximum.  they should all be identical.  write this down, too.
  4. convert the value to hex using calc.

in my case, the value is 100980 which translates to 18A74.  go to your sms\logs directory and use any assortment of find that you prefer using the hex value of the thread as your search criteria.  why, here’s a good example, right HERE of how to do it. :)

your results should paint a nice picture for you.


additional details

you can get the full article HERE if you need more.

looking for a new IM client? try digsby and never go back! (and switch to alpha mode, if you dare)

alright, i admit i might be a little slow.  i wasn’t catching the hidden message behind the trend initially.  lately, people i communicate with pretty frequently had either mentioned switching to digsby or asking my opinion of it.  i guess it has to do with a few well-placed statements about trying out new features in digsby like global status updates and here most recently, the tighter facebook integration.


switch to digsby

the trend i didn’t realize was that people are in search of a new messenger client – and usually one that handles all of their social requirements.  i’ve been a long time fan of messengers that are capable of interacting with a variety of services.  gAIM was where i started (which has since evolved to pidgin).  (for my macbook pro, i use adium).  about a year ago, i switched over to digsby.  i haven’t gone back since.  it connects me to all my email services, facebook, linkedin, twitter, etc.

anyway, i’m posting this because friends i’ve recommended to use digsby give me responses like “wow, this is cool” or “$#%#^%?  why haven’t you told me about this before?”.  so here it is, i’m telling you about it.


getting digsby

before you run off to go install digsby, consider using the alpha version.  i’m only recommending this because the facebook integration in this version rocks.  the stream lets you make updates in line – such as commenting, liking, posting, etc.  i’d show you a screen shot, but i don’t really think it’s a good idea to project the updates of my friends.  :)

anyway, if you’re looking for the digsby install files, you can get them here:

regular - http://www.digsby.com/download.php?os=win
alpha – http://update.digsby.com/install/digsby_setup_alpha.exe


running digsby alpha

one other thing, you can set digsby to update to alpha code.  if you’re already running digsby, here’s how to do it.  this used to be posted on their site, but i can’t seem to find it anymore:

  • go to the folder c:\program files\digsby
  • create a new file called "tag.yaml"
  • populate the contents of the file with this:

---
tag: alpha


(yes, include the --- in the file).

  • save the file
  • log off digsby
  • log on to digsby, upgrade will start
  • log on again

Sep 3, 2009

dell server management pack suite v4.0 released

if somehow you haven’t heard yet, dell released their newest management pack – finally.  it looks as if it’s been rewritten because quite frankly, if you had the misfortune of loading the previous one, then you know what a piece of crap it was.

the early word is that you cannot upgrade to 4.0.  it’ll be a wipe and reload.  anyway, here’s the link and a few light details.


Feature highlights of this Dell Server Management Pack Suite v4.0 (A00) - Improvements in scalability and performance over the previous releases by including:

  • Server Scalable MP (for managing large enterprise environments)
  • Server Detailed MP (addon MP that provides detailed instance level monitoring)
  • Performance and Power monitoring and OpenManage 6.1 support for Dell Server MPs
  • DRAC and CMC MPs to monitor Dell Remote Access Controllers and Chassis Management Controllers
  • Override utility to enable Informational alerts for managed Dell Servers

Aug 31, 2009

using powershell to list active directory trusts

this is an easy concept to do for the current domain:

$myLocalDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()



it’s a little different if you want to do it for another domain, such as the root domain, for example:

$myRootDirContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('domain',"myDomain.com")

$myRootDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain([System.DirectoryServices.ActiveDirectory.DirectoryContext]$myRootDirContext)
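the snippets above only fetch the domain objects. an added example (not part of the original post) that walks every domain in the current forest and lists its trusts with the .NET `GetAllTrustRelationships()` method; the function name and the output column names are assumptions.

```powershell
# added example: trust inventory for every domain in the current forest
function Get-ForestTrustInventory {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # domain-level trusts: parent/child, tree root, shortcut and external trusts
    foreach ($domain in $forest.Domains) {
        foreach ($trust in $domain.GetAllTrustRelationships()) {
            # sid filtering is only looked up for external trusts; the call can throw
            # (for example on an inbound-only trust), so a failure is recorded as unknown
            $sidFiltering = $null
            if ($trust.TrustType -eq 'External') {
                try   { $sidFiltering = $domain.GetSidFilteringStatus($trust.TargetName) }
                catch { $sidFiltering = 'unknown' }
            }

            New-Object PSObject -Property @{
                Source       = $trust.SourceName
                Target       = $trust.TargetName
                Type         = $trust.TrustType
                Direction    = $trust.TrustDirection
                SidFiltering = $sidFiltering
            }
        }
    }

    # forest-level trusts live on the forest object, not on the domains
    foreach ($trust in $forest.GetAllTrustRelationships()) {
        New-Object PSObject -Property @{
            Source       = $trust.SourceName
            Target       = $trust.TargetName
            Type         = $trust.TrustType
            Direction    = $trust.TrustDirection
            SidFiltering = $null
        }
    }
}

$trusts = @(Get-ForestTrustInventory)

# full list
$trusts | Sort-Object Source, Target |
    Format-Table Source, Target, Type, Direction, SidFiltering -AutoSize

# trusts that leave the forest are the ones worth reviewing first
$trusts | Where-Object { $_.Type -eq 'External' -or $_.Type -eq 'Forest' } |
    Format-Table Source, Target, Type, Direction, SidFiltering -AutoSize
```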


Aug 26, 2009

useful tasks for the extended ad mp

[image: The 3rd District Fire Rescue Task Forces, Toky...]

if you’ve decided to start using the extended ad mp over on opsmanjam.com, you’ve probably noticed in the user guide (cough) that in order to pick up expensive/inefficient ldap queries, you need to change some registry values.

first of all, what’s the fire engine have to do with this post?  actually nothing.  i just saw it and thought “red”.  yeah.

anyway, if you’re going to set it manually, it shows you how right here in the guide:

  1. Open the Registry Editor
  2. Locate the following Registry key – HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering and change its value to 4 or 5.
  3. Open the Operations Console, and click the Authoring button.
  4. Expand Management Pack Objects, and then click Rules.
  5. In the Rules pane, type LDAP into the Look for box, and then click Find Now.
  6. Locate the LDAP Summary Report of Expensive or Inefficient Queries and/or the An expensive or inefficient LDAP query was performed rule.
  7. Right-click the rule, click Overrides, click Override the Rule, and then click “For all objects of type: Active Directory Domain Controller Server 2003 Computer Role.
  8. Enable the Override-controlled parameter labeled Enabled and set its Override Setting to True.
  9. Target the override to a custom Management Pack and not the Default Management Pack. Click OK to save your changes.

if you’d rather create tasks, here’s the basic premise:

  1. flip over to the authoring console node.
  2. create a new task as type: agent tasks/command line.
  3. choose the destination management pack of choice as long as it is NOT the default management pack.
  4. be creative with your task name (yes, that’s sarcasm).  for example, i named mine: enable ntds field engineering diagnostics.
  5. choose the task target.  i set mine to: active directory domain controller server 2003 computer role.  i did this namely so that someone wouldn’t try to point this to a regular computer.
  6. full path to file: %windir%\system32\reg.exe
  7. parameters: ADD HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics /v "15 Field Engineering" /t REG_DWORD /d 0x4 /f

for the love of all things holy, please do not forget the /f.  if you do, the task will never actually complete since the value should already exist on your domain controller and reg.exe will sit there waiting for an overwrite confirmation.

one more thing to add, i created a task to turn this off.  all you need to do is change the parameter line to this: ADD HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics /v "15 Field Engineering" /t REG_DWORD /d 0x0 /f

if everything worked as planned, when you execute this task, it should look just like this:


Aug 21, 2009

configuration manager compliance summary reports by site

if you’ll recall from my last post, i had a bit of trouble trying to figure out a way to generate reports by authorization list.  well, i got by that hurdle.  the problem is the tables i was using to generate the report weren’t really designed for running on a massive scale.  in fact, i started timing it and realized that it was taking on average about 3-4 seconds per machine.  so for an average enterprise of 10,000 machines, it would take --

( ( 10,000 * 3 ) / 60 ) / 60 = 8.33 hours

no one really found this acceptable for obvious reasons.  well, with a bit more digging, i found i could do the same kind of thing without having to aggregate the report details to generate a compliance number.  instead of using v_updatecompliancestatus, i started using v_updateliststatus_live.  is it just me or do they seem to be named inappropriately?

anyway, i created a new set of reports, taking a bit from the old and a bit from existing reports such as the one i created before.  i think it’s more robust.  certainly runs faster than before.  MUCH faster!  (don’t mind the blank spaces.  the interesting thing about web reports is that when you use temporary tables, it displays a blank area).

UPDATE: to eliminate the blank spaces, use -

  • SET NOCOUNT ON at the beginning of your statements for your temporary table
  • SET NOCOUNT OFF at the end of your query after the temporary table is filled.

thanks to sudeesh rajashekharan’s answer on this post.

this is how the report set looks.  it starts with a summary based on each site (blanked out):



clicking the link takes you to the site details report which looks like this:



this report lists out each machine, the last logged on user, and its state.  i found it relevant to add the last known scan time and the last known heartbeat.  this way scans that are old with recent heartbeats would indicate that a machine is having a problem scanning.

now clicking on an individual machine will take you to a detailed report that displays the details of each update.  it would look something like this:



the report mof is available on system center central.  (link provided at the end).  once you import them, you’ll have to link them together to get the drill-downs working.  here’s how you do it.

  • Security Compliance (Summary)
    • link to Security Compliance (Site Details)
    • authlistid - column 6
    • collid – column 7
    • siteid – column 1



  • Security Compliance (Site Details)
    • link to Security Compliance (Machine Details)
    • authlistid – column 6
    • machinename – column 1



and there you have it.  here’s the link for the report: http://www.systemcentercentral.com/Downloads/DownloadsDetails/tabid/144/IndexID/24458/Default.aspx

Aug 13, 2009

generating a compliance summary report based on an authorization list

i hope someone doesn’t respond to this post and say… hey it was already done – right here!  i searched for awhile and couldn’t find any canned reports someone had done to display security update compliance by machine based on an authorization list.  i’m no sql expert, and my skillz at writing sql queries are not m@dd by any stretch of the imagination.  however, i was able to finagle what appears to be decent output.

here’s a screen capture of the query output we’ll be working with:



this report contains links that will generate another report of the specific updates used in the calculation of the summary:




the reason why we find this report immensely useful is because it limits the data set based on your authorization list.  when you execute the report, you will have to provide two things:

  • a collection id – which set of machines do you want to look at?
  • an authorization list id – which authorization list do you want to check against?

this way, when you look at compliance numbers, they are based on the things that you authorized for your environment and not just the massive list of things that could potentially apply to a machine.  this seems to matter in larger environments where updates are governed by their necessity and not as simple as going to windows update and running install everything!


installing the report

if you notice in the first report, the scope id is the 6th column of the list.  the reason it’s in there is because the second report requires it, otherwise, you’d get a return of everything that’s applicable, and not just the ones you authorized.

you can get the two report MOFs required to generate this report from system center central at this LINK.  one issue with reports that utilize drill through models is that the relationship doesn’t come through properly during the mof export.  because of this, i removed the “linked” relationship and exported them.  once you import the report mof, you’ll need to make the following changes:

  1. open the Compliance Summary Report by Collection and Authorization List report.
  2. under the Links tab, change the link type to Link to another report.
  3. select the report named Compliance Summary Report Detail by Computer.
  4. by default, the MachineName prompt will fill in with column 1.  this is valid and does not require changing.
  5. change the column id for AuthListID to 6.



that’s it!  now when you click the arrow for a computer in the main report, you’ll be able to drill through to the detailed report.



before you go off and try this, here are a few things to understand:

  • if the machine is failing to scan or failing to send up state messages related to the update compliance state, these will not show up in the report and will skew your numbers.
  • from technet: “Unlike other software updates state messages that are replicated up the hierarchy to the central site, state messages for deployments are replicated up the hierarchy to the site where the deployment was created. Software update deployment enforcement, evaluation, and compliance information will be missing from reports when they are run from a site higher in the hierarchy than where the deployment was created.”
  • the client version must be >= 4.00.
  • this report is defined to pull microsoft security updates only.



hope you find this helpful.  i can get a list of about 1000 machines in about 30 seconds so the return is not too terrible. :)

Aug 6, 2009

bug with synthetic transactions (exchange 2007 native mp)

if you’re using the native exchange 2007 mp with clustered mailbox servers, you may have noticed that your synthetic transaction executions are timing out.

you should be able to recognize the alerts.  they look something like this:

Some of the MAPI connectivity transactions failed. Detailed information:

Target: System mailbox for XYZ

Error: The transaction did not complete in the alotted time (20 seconds).


here is an explanation from microsoft:

“In the core OpsMgr code, there is a “cluster override” that disables all workflows for objects that are contained by a cluster virtual server, unless the workflows are running on the Active Node.  When we create the relationship between the Synthetic Transaction object and the Cluster Virtual Node for the Mailbox Server, the CAS Server is now subject to the "cluster override" even though it isn't a member of the cluster, because now the Synthetic Transaction hosted on the CAS server is contained by the Cluster virtual server.”


the workaround is to disable the discovery that builds this relationship.  when you do this, be cognizant that the maintenance mode model changes.  the discovery mentioned above that requires disabling is:

name: rms target relationship discovery
target: root management server


this is the net effect of disabling this discovery:

  1. Mailbox Server is put into Maintenance Mode and taken offline
  2. The CAS Synthetic Transactions that target that Mailbox Server will not be put in MM and will continue to run
  3. The transactions will fail and will go into a critical state


oh well!  at least your synthetic transactions will run.  by the way, since this is a bug, it’s being worked on.  :)

Aug 4, 2009

how to properly target machines with the dfs management pack


if you’re planning to install the microsoft windows dfs 2003 management pack (yes, the converted one), you should be certain to target properly.  if you don’t, you’ll end up with some trash data coming from other dfs sources (e.g. domain controllers) that you may not want in your dfs views.

i spent a disproportionate amount of time on this to figure out all the ins and outs of targeting inside of this mp.  i would love to say it was for my edification, but in actuality, it was because the agents apparently didn’t work right until they were restarted.  :|

anyway, so the bottom line is, it was much easier than what i describe in this post on system center central.  it may still be confusing to others however so i’m posting it here.

the first thing you’ll want to do is create a new group.  there isn’t much to do here except target your members properly.  i used something like this to target a few of my dfs servers.  specifically, i’m using the mom 2005 backward compatibility windows server target since this is the target that one of the discovery rules uses later.



once that’s set up, open the object discoveries section.  to make it simpler, change your scope to microsoft windows 2003 servers with distributed file system service installation.

you should find this discovery -


- targeting the mom 2005 backward compatibility windows computer object.



this is the rule that you want to override.

  • right-click the rule
  • go to overrides > override the object discovery > for all objects of class: mom 2005 backward compatibility windows computer
  • once open, choose override on the enabled parameter and change the override value to “false”.
  • be sure to add this to your own, custom management pack.



now we’ve effectively blocked the discovery from executing against the class above (which subsequently includes damn near everything).  before you go anywhere, let’s create another override. 

  • overrides > override the object discovery > for a group…
  • choose the group that you created prior.  the override value probably shows up as “true” already so this may appear counterintuitive.
  • select the override anyway.
  • again, add this to your own custom mp.



if done right, you should only see the dfs servers you targeted in the custom group you created.  here’s how mine looks:



hope this helps!

Jul 31, 2009

“mid” like functionality in batch script

for awhile, i used for looping to do a lot of manipulation in batch scripts until i ran across this gem.  a friend of mine asked me how to manipulate a date string awhile back.  this is what i came up with.

let’s begin with the date /t command.  running it gives us this output:

Fri 07/31/2009


most date formats with respect to dates in filenames generally don’t use “/” or include the short day name “fri”.  my conventional method is to push this through a for loop and break out the thing into tokens.  i’ve done this below by utilizing “/” and “,” as the delimiters.

for /f "tokens=1,2,3,4 delims=/, " %a in ('date /t') do @echo %b%c%d


now we get this output when we echo %b%c%d.



the challenge i got was how to get the date to show up as 090731.  if we tried to use “0” as a delimiter, it would clearly fail as 07 and 09 have zeroes in them.  here’s an example:

for /f "tokens=1-5 delims=/,0 " %a in ('date /t') do @echo 0%e0%b%c


we get the output we want but only by forcing 0s into the echo statement.  this can’t be a good idea because eventually the month will increment where there’s no 0 preceding it… like 10, 11, or 12.  that’s when i found this other cool method.

for /f "tokens=1-2 delims= " %a in ('echo %date%') do @set mydate=%b
set mm=%mydate:~0,2%
set dd=%mydate:~3,2%
set yy=%mydate:~8,2%


now i can echo back the output as echo %yy%%mm%%dd% and achieve the result we expect.



this is what i imagine the syntax to look like:

%[var]:~[1st position],[last position]%

incidentally, it accepts negative numbers as well.  so, you could achieve the same effect using %mydate:~-2%.  this is not the same as %mydate:~0,-2% by the way.

why batch files?  i don’t know.  i guess some people still like them. :)

Jul 30, 2009

excellent demo on using custom composite data types

if you happened to miss the last system center virtual user group, catch the recorded livemeeting.  there’s a great presentation on using composite monitors.  i believe the source is what’s on technet currently, but the explanation and step-by-step demonstration will help cement the idea.  check it out on system center central: http://www.systemcentercentral.com/Details/tabid/147/IndexID/21509/Default.aspx

Jul 24, 2009

sql query to list all manual reset monitors

looking for an easy way to list all of your unit monitors classified as a manual reset?  here’s a sql query that you can execute to list them out.

SELECT mv.name
FROM monitorview mv
inner join monitortypeview mtv on mv.monitortypeid=mtv.id
inner join managementpackview mpv on mtv.managementpackid = mpv.id
WHERE mv.IsUnitMonitor = 'True' and
mtv.name like '%manualreset%'

you can follow the entire thread here.

Jul 23, 2009

bug in notification subscription when using custom fields with opsmgr

back last month, i posted an odd behavior i was seeing in opsmgr.  anytime i used a custom field, the notification subscription would not work.  one of the peeps on the forum called pss to work through the issue and had been informed that it was a bug, completely reproducible.

you can read the entire thread here: http://social.technet.microsoft.com/Forums/en-US/operationsmanagergeneral/thread/260be16a-0f45-4904-8093-7c1caa5ed546

otherwise, here’s a short summary of how to fix the problem:

  • Export the ‘Notifications Internal Library’ Management Pack.
  • Increase the <Version>. For example:
    • <Version>6.1.7221.1</Version>
  • Locate the mistakes for each custom Field, which will look like:
<SimpleExpression xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  • Update this by changing Custom8 to CustomField8. For example:
<SimpleExpression xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  • Save the file & import back into OpsMgr.

thanks goes to graham davies and coentjo!

Jul 22, 2009

configmgr console crashes with error “input string was not in a correct format”

i recently posted a fix to a console crashing condition with configmgr.  looks like it’s round two.  one of the configmgr admins here ran into this issue and asked me about it.  this should be an entertaining post, especially when i highlight the advice from microsoft on how to fix this problem.  let’s start, shall we?

to begin with, the console crashes, from any machine, when you try to view the settings of specific active directory discovery methods.  this was occurring on two different servers and not always the same ad discovery method.  the only thing of interest that both servers had in common was that they were migrated to new hardware and had run through the site recovery wizard.

i captured the message that fires up whenever a crash condition occurs.  it looks like the likely offense is this message: Input string was not in a correct format.


that usually means site control configuration file corruption to me.  note that if you modify your site control file, you probably won’t get any support from microsoft.  make sure you have a good backup.


do not follow these steps

before we go on with how you fix this problem, let’s review how microsoft pss believes you should fix this problem.  here’s the first set of steps.

  1. Logon or RDP to SCCM Server, close mmc and console
  2. Delete the adminconsole cache file from : \document and settings\%username%\application data\microsoft\mmc  ; (NOTE: %username% is the currently logged in user ID)
  3. Start mmc and open sccm console.

hmmm.  apparently the fact that this happens on any console or machine is of no concern.  to say the least, this did not fix the problem.  so we’ll go through the action anyway because you cannot move forward without having done all steps prior and in the end having rebooted your server.  i’m sure that must be coming up…

in all fairness, these are actually good steps in capturing the problem when you’re poking around in the dark, in a very large room, with a very short stick.  after the first steps failed, this is what was sent:

  1. Close sccm console
  2. Install .net framework SP2 - if you don’t have this installed yet : http://www.microsoft.com/downloads/details.aspx?familyid=5B2C0358-915B-4EB5-9B1D-10E506DA9D0F&displaylang=en
  3. Delete adminconsole cache file if it still exists (: \document and settings\%username%\application data\microsoft\mmc )
  4. Enable admin verbose log :
    1. Navigate to <installationpath>\adminui\bin folder
    2. Open adminui.console.dll.config using a text editor or notepad
    3. Change the line <source name="SmsAdminUISnapIn" switchValue="Error" > to <source name="SmsAdminUISnapIn" switchValue="Verbose" >
  5. From registry key : HKEY_CURRENT_USER\CONTROL PANEL\DESKTOP\HUNGAPPTIMEOUT . The default is 5000, change this value to 10000 and reboot the machine
  6. download procmon from : http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
  7. RDP to sccm server, (mstsc/console)
  8. Run procmon and reproduce the issue
  9. Please send me :
    1. Procmon log (.pml)
    2. Event logs from event viewer (*.evt)
    3. Adminui.log, smsprov.log

this is great and all but won’t fix the problem.  in fact, it’ll only help the pss engineer eventually arrive at what the exact problem is.  “Input string was not in correct format”.  seems pretty obvious to me.


consider these steps

i compared a good sitectrl.ct0 against a bad one for the area with issues.  what i noticed to be the problem was pretty simple to fix, actually.  it seemed the console was expecting to read in an integer value when it ran into a string value.

Exception Type: System.FormatException

Exception Message: Input string was not in a correct format.

Server stack trace:
at System.Number.StringToNumber(String str, NumberStyles options, NumberBuffer& number, NumberFormatInfo info, Boolean parseDecimal)

sure enough, in the sitectrl file, it was hitting a string.  here’s how a good file should look:

PROPERTY <Run Count><><><1>
PROPERTY <Startup Schedule><0001170000500008><><0>
<AD Containers>
<Start On Master Site Control File Changes>

and here’s how the broken one looked:

PROPERTY <Run Count><><><1>
PROPERTY <Startup Schedule><0001170000500008><><0>
<AD Containers>
<Start On Master Site Control File Changes>
notice the difference?  yes, the good file has two integers following the ldap location.  you’re asking yourself what these values represent, right?  good.  i wanted to capture it for later reference anyway.  i’m sure you would have figured this out on your own.  turns out they’re search options.  starting with the first one…
  • <0> – Recursive
  • <0> – Include groups
if the value is checked, it’s represented as <0>.  otherwise, unchecked is represented as <1>.  i put it in graphical format… :)