SCAPaoT

System Center, Automation, Powershell and other Thoughts

Archive for the ‘System Center’ Category

Default Management Pack – not Default in SCOM 2012 Beta

For a few years now, every SCOM consultant has been telling customers: “Do not save anything into the Default Management Pack”

There were tips like renaming the Default Management Pack to something like: “Do Not Use This On”
And the best practice in every MP's documentation is to use a new MP instead of the Default MP.
There is also a community MP that monitors changes to the Default MP to give an early hint that things were saved to it.
And there are a lot of guides on how to manually clean up the Default MP.

SCOM 2012 Beta does something nice that helps keep the Default MP clean.
If you disabled a rule or a monitor in SCOM 2007, the change was saved into the Default MP.
In 2012 Beta, it is not. But see for yourself:


As you can see:
Disabling a rule leads to the same dialog as overriding a rule does.
In here “Enabled” is checked and set to “false” 

And the best thing in here is: You have to select a Management Pack!
The Default MP isn’t selected by default. 

Thanks a lot Microsoft!

Monitoring conhost.exe with SCOM 2007 R2 – KB977648

Currently there is a bug in an update that replaces conhost.exe on Server 2008 R2 systems that do not have SP1 installed.
On these servers the Application event log is flooded with “EventID 33, SideBySide” events pointing towards conhost.exe and a missing assembly.

For further details on that error see the following KB article:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;977648

 The corresponding hotfix can be found here:

http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=977648&kbln=de

One customer has many servers with 2008 R2 installed.
So we decided to build a monitor in SCOM that displays information for every system that has neither the hotfix nor SP1 installed.

The monitor runs the following script, which checks the file version of conhost.exe.


Dim oAPI, oBag, objFSO, conhostVersion
Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()

' Read the file version of conhost.exe
Set objFSO = CreateObject("Scripting.FileSystemObject")
conhostVersion = objFSO.GetFileVersion("c:\windows\system32\conhost.exe")

' Versions containing ".16823" are flagged as BAD; everything else is OK
If InStr(1, conhostVersion, ".16823", 1) > 0 Then
    Call oBag.AddValue("Status", "BAD")
Else
    Call oBag.AddValue("Status", "OK")
End If

' Hand the property bag back to the monitor
Call oAPI.Return(oBag)

So after enabling the monitor, we have 138 servers left to patch.

Kind regards and happy patching.

System Center Operations Manager 2007 R2 Cumulative Update 4 released

Yesterday, Microsoft released cumulative update pack number 4.

http://support.microsoft.com/kb/2449679

Before you install it, read the corresponding documentation twice.
Also make sure you follow the steps written in the KB article.

I would recommend installing it in a test environment first (if you have one).
For production environments, wait about 2 weeks so that the community can find most of the issues.

But after that time, don’t forget to install CU4.

Kind regards,
Benedikt

SEP 11: Pattern File Age Monitor

A customer asked me to monitor the age of the pattern files of the Symantec Endpoint Protection 11 client (SEP11) on its server systems.

As I didn’t find a Symantec SEP Management Pack, I decided to create one on my own.

As someone else might be able to make use of it too, I decided to show it step by step.

Let’s start

In the Authoring view, select Monitor and “Create a Monitor” on the right side.

1. Select the Monitor type to create: “Timed Script Three State Monitor”
2. Change the Management Pack, for example, create a new one called “_SEP”

3. Name the Monitor and add a description
4. Select the target for the monitor: (in our case, all computers) Windows Computer
5. Make sure that “Monitor is enabled” is checked

6. Set how often the monitor will run and check the pattern file age
(normally once a day should be enough, but then it would also take one day to close the alerts automatically once the patterns are updated)

7. Add a script name (make sure that the name of the script is unique to avoid conflicts with other Management Packs)
8. Add the script that collects the pattern age from the registry of the computer system


Dim oAPI, oBag
Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()
Const HKEY_LOCAL_MACHINE = &H80000002

' Thresholds in days
badState = 10
warningState = 5

Set objRegistry = GetObject("winmgmts:root\default:StdRegProv")
strValueName = "PatternFileDate"

' First try the Wow6432Node path
strKeyPath = "SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV"
objRegistry.GetBinaryValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue

If IsNull(strValue) Then
    ' Nothing found there: fall back to the path without Wow6432Node
    strKeyPath = "SOFTWARE\Symantec\Symantec Endpoint Protection\AV"
    objRegistry.GetBinaryValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue
End If

If Not IsNull(strValue) Then
    ' Byte 0 = years since 1970, byte 1 = zero-based month, byte 2 = day
    y = 1970 + strValue(0)
    m = 1 + strValue(1)
    d = strValue(2)

    date1 = CDate(y & "/" & m & "/" & d)
    date2 = Now
    diffdays = DateDiff("d", date1, date2)
Else
    ' No PatternFileDate value found: age -1, which ends up as GOOD below
    diffdays = -1
End If

' Map the age in days to the monitor state
If diffdays >= badState Then
    state = "BAD"
ElseIf diffdays >= warningState Then
    state = "WARNING"
Else
    state = "GOOD"
End If
Call oBag.AddValue("state", state)

Call oAPI.LogScriptEvent("SEPPAtternFileState.vbs", 101, 2, "Patternstatescript delivered state " & state & ". Pattern File age is " & diffdays & " days.")
Call oBag.AddValue("PatternDateTimeToNowDiff", diffdays)

Call oAPI.Return(oBag)

9. Add the BAD state. (If the script returns a BAD)

10. Add the WARNING state. (If the script returns WARNING)

11. Add the GOOD state. (If the script returns GOOD)

12. Set the monitor state corresponding to the script result.

13. Enable the check box for alert generation
14. Change the dropdown “Generate an alert when: The monitor is in a critical or warning health state”
15. Add an alert name (this is what you’ll see when the error is thrown)
16. Change the severity to: “Match monitor’s health”
17. Add an alert text. Mine can be found here (it includes the computer name and the age of the pattern files and a few common resolution possibilities)

SEP Pattern files on $Target/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$ are $Data/Context/Property[@Name='PatternDateTimeToNowDiff']$ days old!

Resolution:

1. Please check if enough space on systemdrive left.

(app. 400MB)

2. Check if Live Update Server is reachable

3. Check if SEP Service is running

4. Reinstall SEP Client

Conclusion

Using these steps you can easily add the SEP pattern file age monitor to your SCOM.
Things you can do if you want to make it more professional:

  • build a management pack including a discovery for computers where SEP is installed
  • add parameters for overrides, so the warning and error thresholds can be overridden without changing the script
    (currently it warns if the patterns are 5 or more days old and raises an error when they are 10 or more days old)
  • this script can also be used to build a rule for performance collection

But this way, it is done in about 5 minutes.

Kind regards,
Benedikt
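
The override idea from the conclusion above, sketched in PowerShell as an added example (not the author's script and not part of any management pack): the thresholds and the state reported when no PatternFileDate value exists become script parameters. The parameter and function names are assumptions, and how they are bound to monitor overrides is not shown; the registry paths, date decoding, property names and MOM.ScriptAPI calls are the ones used on this page.

```powershell
# Added example. Parameter and function names are hypothetical.
param(
    [int]$WarningDays = 5,            # same defaults as the VBScript
    [int]$BadDays = 10,
    [string]$MissingState = 'GOOD'    # the VBScript reports GOOD with age -1
)

function ConvertFrom-SepPatternDate($Bytes) {
    # Layout as decoded by the VBScript: years since 1970, zero-based month, day.
    if ($null -eq $Bytes -or $Bytes.Length -lt 3) { return $null }
    try {
        New-Object DateTime -ArgumentList (1970 + $Bytes[0]), (1 + $Bytes[1]), ([int]$Bytes[2]) -ErrorAction Stop
    } catch { $null }                 # month or day out of range
}

function Get-SepPatternState($PatternDate, [datetime]$Now) {
    if ($null -eq $PatternDate) { return @{ State = $MissingState; AgeDays = -1 } }
    $age = ($Now.Date - $PatternDate.Date).Days
    if     ($age -ge $BadDays)     { $state = 'BAD' }
    elseif ($age -ge $WarningDays) { $state = 'WARNING' }
    else                           { $state = 'GOOD' }
    @{ State = $state; AgeDays = $age }
}

# Same two registry locations the VBScript checks, in the same order.
$paths = 'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV',
         'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV'
$bytes = $null
foreach ($p in $paths) {
    $item = Get-ItemProperty -Path $p -Name PatternFileDate -ErrorAction SilentlyContinue
    if ($item) { $bytes = $item.PatternFileDate; break }
}

$result = Get-SepPatternState (ConvertFrom-SepPatternDate $bytes) (Get-Date)
try {
    $api = New-Object -ComObject 'MOM.ScriptAPI' -ErrorAction Stop
    $bag = $api.CreatePropertyBag()
    $bag.AddValue('state', $result.State)
    $bag.AddValue('PatternDateTimeToNowDiff', $result.AgeDays)
    $api.Return($bag)
} catch {
    $result    # no SCOM agent on this machine: show the computed values instead
}
```

Setting MissingState to WARNING makes servers without any pattern date visible instead of reporting them as healthy, which matters when the monitor targets all Windows computers.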

KMS MP: Idle Minutes Monitor Alert

A customer of mine had several “Idle Minutes Monitor Alert” alerts raised by the Key Management Server MP.

The event log for KMS on the KMS server showed that there was a KMS request about every 30 seconds.
So the error was definitely a false positive.

The threshold for the monitor was the default (480 minutes).

I inspected the monitor and saw in the configuration that the last activity in KMS is stored in Operations Manager.
These values are inserted through a scheduled discovery that runs every 15 minutes.

I exported the management pack and had a look at that discovery. There I found a VBS script that does a lot of WMI queries.

As the KMS server is a Server 2008 R2, and there is a WMI memory leak on excessive usage of WMI, I installed the corresponding hotfix and the error was gone.
This hotfix is: KB981314 (http://support.microsoft.com/kb/981314)

Kind regards,

Benedikt

SCOM R2 Agent push failed with error 80070102 and 8000FFFF

We had several new servers with Server 2008 R2 that were installed identically.
On none of these systems were we able to push out the SCOM agent.

A look at the push log file on the management server (gateways in our case) showed the error message 8000FFFF and something about: registering a firewall rule failed.

Strange, the firewall was disabled on all systems. So, we had a look at the rules on one of the servers and saw a rule called “MOM Agent Installer Service”.
After deleting this rule, the push worked like a charm.

Digging into the closed monitors on the SCOM, we saw that the first push failed with the message:
“A system update is in progress”.

So, because of the Windows Update reboot while the first push was being tried, the agent wasn’t installed, but the firewall rule was not deleted successfully.

Conclusion:

If a push fails with error 80070102 and 8000FFFF in the log, have a look at the firewall rules on the system, even if the firewall is disabled.

‘MOM.scriptAPI’ does not return property bag in Powershell ISE

When implementing a new management pack for SCOM 2007 R2, most of the time I try to use PowerShell instead of VBScript.
For development I normally use Notepad++, but since this wasn’t installed at the customer’s site, I tried using the ISE.

After an hour of troubleshooting, I switched to the PowerShell console host, and the script was working as expected.
The code that confused me is only a few lines:


$api = new-object -comObject 'MOM.ScriptAPI'
$bag = $api.CreatePropertyBag()

$bag.AddValue("test","123")

$api.return($bag)

Running the code in the ISE returns: NOTHING

Running it in the normal console host returns the XML structure of the SCOM property bag as expected.

So, using Notepad++ and the console host for deployment of management pack scripts is my recommended way at the moment…

SCOM Console – Remove Entry from “Registered Servers”

A customer accidentally removed his old SCOM 2007 RMS and installed a completely new 2007 R2 with a new name for the management group.
After removing the AD integration from Active Directory, the server was still showing up in the SCOM logon console under “Registered Servers”.

So we removed it that way:

1. Open up ADSI in the default naming context.
2. Navigate to the server that is shown but not wanted anymore.
3. Remove the “CN=SDKServiceSCP” under the server object.

Reporting Services hidden on feature list of SQL 2005

We had to install the SQL 2005 Reporting Services (included with the SCCM license of our customer) to enable the reporting point on the SCCM site server. The operating system is Server 2008 x64.
But when we started the SQL Server installer, none of the installation features were shown except for the client tools and documentation.
All requirements were checked successfully, but the option to install Reporting Services wasn’t shown.

So we tried a lot of things: enabled 32-bit apps in IIS, restarted several times, added IIS features and so on.
But nothing we did made the Reporting Services feature selection show up.

So we started looking at the other software that was installed on that server and found the “Reporting Services 2008 Viewer Redistributable SP1” installed.
And what can I say: that one is the culprit.
It was installed with the WSUS feature.
Removing it brings up the complete feature list in the SQL Server installer.
But WSUS started to throw error messages until we installed the viewer again.

SCCM v.Next Beta 1 released

Microsoft announced beta 1 of SCCM v.Next yesterday.

With SCCM v.Next, Microsoft is building the next version of its systems management and software distribution platform, formerly known as SMS.

To get more information, read the original post here: http://blogs.technet.com/b/systemcenter/archive/2010/05/24/the-next-generation-of-client-management.aspx