

Showing posts from August, 2009

using powershell to list active directory trusts

this is an easy concept to do for the current domain:

    $myLocalDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $myLocalDomain.GetAllTrustRelationships()

it’s a little different if you want to do it for another domain, such as the root domain, for example:

    # second argument: dns name of the target domain (left empty here; DirectoryContext rejects an empty name, so supply yours)
    $myRootDirContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('domain', "")
    $myRootDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain([System.DirectoryServices.ActiveDirectory.DirectoryContext]$myRootDirContext)
    $myRootDomain.GetAllTrustRelationships()

useful tasks for the extended ad mp

if you’ve decided to start using the extended ad mp over on , you’ve probably noticed in the user guide (cough) that in order to pick up expensive/inefficient ldap queries, you need to change some registry values.

first of all, what’s the fire engine have to do with this post? actually nothing. i just saw it and thought “red”. yeah.

anyway, if you’re going to set it manually, it shows you how right here in the guide:

1. Open the Registry Editor
2. Locate the following Registry key – HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering and change its value to 4 or 5.
3. Open the Operations Console, and click the Authoring button.
4. Expand Management Pack Objects, and then click Rules.
5. In the Rules pane, type LDAP into the Look for box, and then click Find Now.
6. Locate the LDAP Summary Report of Expensive or Inefficient Queries and/or the An

configuration manager compliance summary reports by site

if you’ll recall from my last post, i had a bit of trouble trying to figure out a way to generate reports by authorization list. well, i got by that hurdle. the problem is the tables i was using to generate the report weren’t really designed for running on a massive scale. in fact, i started timing it and realized that it was taking on average about 3-4 seconds per machine. so for an average enterprise of 10,000 machines, it would take --

    ( ( 10,000 * 3 ) / 60 ) / 60 = 8.33 hours

no one really found this acceptable for obvious reasons. well, with a bit more digging, i found i could do the same kind of thing without having to aggregate the report details to generate a compliance number. instead of using v_updatecompliancestatus, i started using v_updateliststatus_live. is it just me or do they seem to be named inappropriately?

anyway, i created a new set of reports, taking a bit from the old and a bit from existing reports such as

generating a compliance summary report based on an authorization list

i hope someone doesn’t respond to this post and say… hey it was already done – right here! i searched for awhile and couldn’t find any canned reports someone had done to display security update compliance by machine based on an authorization list. i’m no sql expert, and my skillz at writing sql queries are not m@dd by any stretch of the imagination. however, i was able to finagle what appears to be decent output.

here’s a screen capture of the query output we’ll be working with:

this report contains links that will generate another report of the specific updates used in the calculation of the summary:

background

the reason why we find this report immensely useful is because it limits the data set based on your authorization list. when you execute the report, you will have to provide two things:

- a collection id – which set of machines do you want to look at?
- an authorization list id – which authorization list do you want to check against?

this wa

bug with synthetic transactions (exchange 2007 native mp)

if you’re using the native exchange 2007 mp with clustered mailbox servers, you may have noticed that your synthetic transaction executions are timing out. you should be able to recognize the alerts. they look something like this:

    Some of the MAPI connectivity transactions failed. Detailed information:
    Target: System mailbox for XYZ
    Error: The transaction did not complete in the alotted time (20 seconds).

here is an explanation from microsoft:

“In the core OpsMgr code, there is a “cluster override” that disables all workflows for objects that are contained by a cluster virtual server, unless the workflows are running on the Active Node.  When we create the relationship between the Synthetic Transaction object and the Cluster Virtual Node for the Mailbox Server, the CAS Server is now subject to the "cluster override" even though it isn't a member of the cluster , because now the Synthetic Transaction hosted on th

how to properly target machines with the dfs management pack

if you’re planning to install the microsoft windows dfs 2003 management pack (yes, the converted one), you should be certain to target properly. if you don’t, you’ll end up with some trash data coming from other dfs sources (e.g. domain controllers) that you may not want in your dfs views.

i spent a disproportionate amount of time on this to figure out all the ins and outs of targeting inside of this mp. i would love to say it was for my edification, but in actuality, it was because the agents apparently didn’t work right until they were restarted. :|

anyway, so the bottom line is, it was much easier than what i describe in this post on system center central. it may still be confusing to others however so i’m posting it here.

the first thing you’ll want to do is create a new group. there isn’t much to do here except target your members properly. i used something like this to target a few of my dfs servers. specifically, i’m us