SCAPaoT

After trying to install the System Center Orchestrator 2012 Beta on an Hyper-V testsystem,
I stumbled over an error in the Wizard.

While the sql server was up and running I inserted it into the field.
After selecting “Next” the wizard said: “Database connection failed”

The next steps where:

• Checking the sql server firewall
• Checking all sql services are up and running
• Ping and connection are successfull
• Access with the domain accounts where successfull

After checking all possibilities, I remebered, that the active directory computer account was recycled.

There where an Installation of the Orchestrator beta with the same computername in that active directory before.
So I decided to rejoin the computer. 

Now the wizard did the installation.

Conclusion:

If you have a “Database connection failed”-error on installation, check the active directory computer object also.
Perhaps clearing the service principal name attribute will also help you out.

At a customer we decided to remove the need of backing up files in the branches, so theres no need for the employees to switch tapes or usb drives.
To get all data backed up nevertheless, we implemented DFSR between the branches and the head quarter. In the head quarter the data are backed up.

A quick look in the DFSR reportings showed up, that there are files, that where not backed up.

With a little search in a famous serach engine, we stumbled throughwards that blog:
http://blogs.technet.com/b/askds/archive/2008/11/11/dfsr-does-not-replicate-temporary-files.aspx

At the customer, there are some scanning devices responsible to convert all paper mail into digital files. Those devices are generating its output directly on the file server.
All files generated that way do not loose the temporary file attribute after saving the file.

So we buidled a powershell script that run’s as scheduler to remove these flags on a daily base.

If you are interested in this on,

here you are:

<#

.SYNOPSIS
This script is for determing files with  "Temporary File" attribute set.

.DESCRIPTION
The script shows files where the "Temporary File"-attribute is set. Those files are not synchronised by Microsoft DFSR.
Also the script can remove the attribute, based on the file extension.
The common extensions are a set as default, but can be overridden by command.

.PARAMETER startpath
    Specifies the file path to start the search for files with "Temp File"-attribute set.

    Required?                    true
    Default value
    Accept pipeline input?       false

.PARAMETER RemoveTemp
    If this switch is used, the "Temp File"-attribute is removed from the file.

    Required?                    false
    Default value
    Accept pipeline input?       false
.PARAMETER extensions
    Specifies the file extensions that should be inspected.

    Required?                    false
    Default value   (".pdf",".xls",".doc",".docx",".xlsx",".ppt",".pptx",".bmp",".jpg")
    Accept pipeline input?       false

.PARAMETER countOlny
    If given, only the count of the affected file is shown.

    Required?                    false
    Default value  
    Accept pipeline input?       false

.EXAMPLE
.\tempfiles.ps1 -startpath D:\

This Example lists the files where the "Temp File"-attribute is set located on the hole D:\ - Drive

.EXAMPLE
.\tempfiles.ps1 -startpath D:\ -removeTemp

This Example lists the files where the "Temp File"-attribute is set and removes the "Temp File"-attribute.

.EXAMPLE
.\tempfiles.ps1 -startpath D:\ -removeTemp -extensions ".exe",".jpg"

This Example lists the files where the "Temp File"-attribute is set if the file extension is exe or jpg only.
.NOTES
See Link for further description.

.LINK

<a href="http://blogs.technet.com/b/askds/archive/2008/11/11/dfsr-does-not-replicate-temporary-files.aspx">http://blogs.technet.com/b/askds/archive/2008/11/11/dfsr-does-not-replicate-temporary-files.aspx</a>

#>

param([string]$startpath=(read-host "Start Pfad"),[switch]$removeTemp,[string[]]$extensions=(".pdf",".xls",".doc",".docx",".xlsx",".ppt",".pptx",".bmp",".jpg"),[switch]$countOnly)

if(!($startpath -eq ""))
{
if(test-path -path "$startpath" -ErrorAction SilentlyContinue)
{
if(!($countonly))
{
Get-childitem $startpath -recurse | `
ForEach-Object {
 if (($_.attributes -band 0x100) -eq 0x100)
 {
  
  foreach($ext in $extensions)
  {
  if($_.extension.tolower() -eq $ext.tolower())
   {
    $_.fullname
  
    if($removetemp)
    {
     $_.attributes = ($_.attributes -band 0xFEFF)
    }
   break
   }
  }
 }
}
}
else
{
$count = @(Get-childitem $startpath -recurse | where-object { $_.attributes -band 0x100 }).count
"There are $count files affected in $startpath with seleted extensions: `"$extensions`""
}
}
else
{
"Path $startpath not found!"
}
}
else
{
 get-help .\tempfiles
}

Actually there is a bug within an update, that replaces the conhost.exe on Server 2008 R2 systems that do not have SP1 installed.
At these serversystems the eventlog for application is flooded with “EventID 33,  SideBySide” pointing towards conhost.exe and a missing assembly.

For further details on that error see the following KB article:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;977648

 The corresponding hotfix can be found here:

http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=977648&kbln=de

At a customer, there are many servers with 2008 R2 installed.
So we decided to build a monitor in SCOM that displays an information for every system that hasn’t been updated with the hotfix or an sp1 installed.

The monitor fires the following script, checking the fileversion of conhost.exe.

Dim oAPI, oBag
Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()

Set objFSO = CreateObject("Scripting.FileSystemObject")
conhostVersion =  objFSO.GetFileVersion("c:\windows\system32\conhost.exe")

If InStr (1,conhostVersion, ".16823", 1) > 0 Then
 Call oBag.AddValue("Status","BAD")
else
 Call oBag.AddValue("Status","OK")
End If

Call oAPI.Return(oBag)

So after enabling the monitor, we have 138 servers left to patch.

Kind regards and happy patching.

A customer installed a new instance of Operations Manager 2007 R2 CU 4 and added some management packs for monitoring server, sql, active directory and exchange.

Also the agent was deployed to 10 servers in the infrastucture to tune the managment packs.

After round about one week, the OperationsManager database size was 4GB.

Five days later, it was at nearly 8GB big.

So the customer asked, if that growing is as expected and was surprised, that we told him, it should be quite below 1GB with this amount of management packs and agents.

To get a handle on the fast growing of the database site, I stumbled over a create blog from Kevin Holeman about “Useful Operations Manager 2007 SQL queries”.

Yes, it is an old article, but it is the best for finding spammers that fill up the database by running some queries against it.

In conclusion:

The unexpected database growing was caused by the event collection rule from the exchange management pack and a leftover form exchange troubleshooting that traced verbose into the eventlog on a mailbox server.

Thanks Kevin for an other very usefull blog post.

Did you ever saw a error 19 in a tasksequence for rolling out office 2010 or other apps with SCCM 2007 R3?

The error 19 is pointing towards “drive is read only” and the smsts.log looks that way:

In our case, the issue was pointing towards the office 2010 installation files, because it is installed using an cusomtized msp created with /admin argument.
And in there where several things in the msp pointing towards this direction like custom template stores and so on.

But Office wasn’t the culprit. All was caused by bitlocker.
Yes, bitlocker.

If you ask why bitlocker, here is the answer:
The files for the installation of office 2010 where cached for local deployment and support of roaming users.
The bitlocker GPO in the active directory domain was set to:
Deny write access to fixed drives not protected by BitLocker

As the tasksquence tries to store the data on the drive with the highest avaiable free space, the second partition was used.
But as the partition wasn’t encrypted yet, the creation of the _SMSTaskSequence folder failed with “drive is read only” error 19.

We have decided to submit a but report on this error as we couldn’t understand why the cache tries to place the files on a read only drive.

So, if anyone else stumbles on that, check you GPOs and as a best practise, apply the GPO after installation hast finished…

A customer had the error that scheduled reports where not sent out from the SCOM 2007 R2.
In that case, the status of these schedules where: Error: Thread was being aborted.

There was no more error in the eventlog or any other location that pointed out to an error.
Also if the reports where opened from the opsmgr console, they where shown fine.

So one thing we figured out was, that the time slot for the reports was really big.
For example: Get CPU-Usage Performance for 5 Servers for the last year.

So we had a look at the server usage at the time when the scheduled report should have run and found that the server was under big pressure at that moment.
We recommended to move the reportingservices to an other machine for running the reporting services only and to spread the reports all over the days.

Now also big reports are generated as requested.

After having that issue at a customer,
I found a blog (http://gefufna.wordpress.com/2010/12/27/no-graphs-charts-are-included-in-scheduled-scom-reports/)  
and a corresponding kb article at Microsoft that describes that behavior.

http://support.microsoft.com/kb/972821/en-us

Not mentioned in the kb article is, that the written code has to be place between the <runtime> </runtime> section of the reportingservices.exe.xml file.
Also you have to be sure that the code is placed next to existing <dependentAssembly></dependentAssembly> sections if they already exist.
And, at least, the reporting services have to be restarted.

If the reporting services do not start up right after your modification, you wrecked up the xml structure.

When everything works fine, the report shows the graph like it does in the interactive view.

Yesterday, Microsoft released the cummulativ update pack number 4.

http://support.microsoft.com/kb/2449679

Before you are going to install it, read the corresponding documentation twice.
Also make sure, you follow the steps written in the KB article.

I would recommend to install it at a test environment at first (if you have).
For production environments, wait round about 2 weeks to get the most issues found by the community.

But after that time don’t miss to install the CU4.

Kind regards,
Benedikt

A customer asked me to monitor the age of the pattern files of the Symantec Endpoint Protection 11 Client (SEP11) on its server systems.

As I didn’t found an Symantec SEP Management Pack, I decided to create it on my own.

Perhaps someone could make use of it too, I decided to show it step by step.

Lets start

In the Authoring view select Monitor and “Create a Monitor” on the right site.

1. Select the Monitor type to create: “Timed Script Three State Monitor”
2. Change the Management Pack, for example, create a new one called “_SEP”

3. Name the Monitor and add a description
4. Select the target for the monitor: (in our case, all computers) Windows Computer
5. Make sure that “Monitor is enabled” is checked

6. Set a value how often the monitor will run and check for the pattern file age
(normally once a day should be enough, but that way it would take also one day to close the alerts automatically if the pattern are updated)

7. Add a script name (make sure that the name of the script is unique to avoid conflicts with other Management Packs)
8. Add the script that collects the pattern age from the registry of the computer system

Dim oAPI, oBag
Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()
const HKEY_LOCAL_MACHINE = &H80000002

badState = 10
warningState = 5

Set objRegistry = GetObject("winmgmts:root\default:StdRegProv")
strKeyPath = "SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV"
strValueName = "PatternFileDate"

objRegistry.GetBinaryValue HKEY_LOCAL_MACHINE,strKeyPath, strValueName, strValue
If IsNull(strValue) Then
   
 strKeyPath = "SOFTWARE\Symantec\Symantec Endpoint Protection\AV"
 strValueName = "PatternFileDate"

 objRegistry.GetBinaryValue HKEY_LOCAL_MACHINE,strKeyPath, strValueName, strValue 

End If

If Not IsNull(strValue) Then

y = 1970 + strValue(0)
m = 1 + strValue(1)
d = strValue(2)

date1 = CDate(y & "/" & m & "/" & d)
date2 = now
diffdays = DateDiff("d",date1, date2)

else

diffdays = -1

End If

if diffdays >= badState then

 Call oBag.AddValue("state","BAD")
 state = "BAD"
else

if diffdays >= warningState then

  Call oBag.AddValue("state","WARNING")
 state = "WARNING"
else
 
 Call oBag.AddValue("state","GOOD")
 state = "GOOD"
end If

end if

Call oAPI.LogScriptEvent("SEPPAtternFileState.vbs", 101, 2, "Patternstatescript delivered state " & state & ". Pattern File age is " & diffdays & " days.")
Call oBag.AddValue("PatternDateTimeToNowDiff",diffdays)

Call oAPI.Return(oBag)

9. Add the BAD state. (If the script returns a BAD)

10. Add the WARNING state. (If the script returns WARNING)

11. Add the GOOD state. (If the script returns GOOD)

12. Set the monitor state corresponding to the script result.

13. Enable the check box for alert generation
14. Change the dropdown “Generate an alert when: The monitor is in a critical or warning health state”
15. Add an alert name (this is what you’ll see when the error is thrown)
16. Change the severity to: “Match monitor’s health”
17. Add an alert text. Mine can be found here (it includes the computer name an the age of the pattern files and a few common resoulution possibilities)

SEP Pattern files on $Target/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$ are $Data/Context/Property[@Name='PatternDateTimeToNowDiff']$ days old!

Resolution:

1. Please check if enough space on systemdrive left.

(app. 400MB)

2. Check if Live Update Server is reachable

3. Check if SEP Service is running

4. Reinstall SEP Client

Conclusion

Using these steps you can easily add the SEP pattern file age monitor to your SCOM.
Things you can do if you want to make it more professional:

• build an management pack including discovery for computers where SEP is installed
• add parameters for overrides, so warning and error threshold can be overridden without changing the script
  (actualy it will warn if pattern are 5 or more days old and error when pattern are 10 or more days old)
• this script can also be used to build a rule for performance collection

But this way, it is done in round about 5 minutes.

Kind regards,
Benedikt

A customer of mine had several “Idle Minutes Monitor Alert” raised by the Key Management Server MP.

The eventlog for KMS on the KMS Server stated, that there was an KMS request round about every 30 seconds.
So the error was definitiv a false positive.

The treshold for the monitor was default (480 minutes).

I inspected the monitor and saw in the configuration, that the last activity in KMS is stored in the operations manager.
These values are inserted through a scheduled discovery that runs every 15 minutes.

I exported the management pack and had a look on that discovery. There I found an VBS script that does a lot of WMI queries.

As the KMS Server is a Server 2008 R2, and there is a WMI Memory Leak on excessive usage of WMI, I installed the corresponding hotfix and the error was gone.
This hotfix is: KB981314 (http://support.microsoft.com/kb/981314)

Kind regards,

Benedikt