SCAPaoT

System Center, Automation, Powershell and other Thoughts


Single point of failure removed, mostly – SCOM 2012

In the upcoming version of System Center Operations Manager, SCOM 2012 Beta, the single point of failure is removed.

There is no more Root Management Server. All management servers are equal to each other.

Really? Almost.
There is still an RMS, called RMS – Emulator.

If you remember the old days of NT4 and the concept of PDC and BDC: SCOM worked the same way until 2012.
Now it is more like Active Directory, where the PDC is still available for older systems and some special tasks, as the PDC-Emulator.

So the SCOM team did it the same way. They decided to bring the RMS back as an emulated version to keep backward compatibility.
Management packs that rely on the RMS role, for example the Exchange 2010 one, can be used without any restrictions.

There are also some new PowerShell cmdlets to manage this old/new role:
Get-RMSEmulator and Set-RMSEmulator.
The Windows Computer view also shows which server holds the RMS-E role at the moment.

Orchestrator 2012 Beta Integration Pack for SCOM not working on SCOM 2012 Beta

The Integration Pack for System Center Operations Manager, released for Opalis 6.3 but also available for System Center Orchestrator 2012 Beta, does not work with System Center Operations Manager 2012 Beta.

It’s caused by a change inside the SDK.

You can see the error here:

So, I have to create my own activities / PowerShell scripts for creating alerts or setting maintenance mode in SCOM 2012 Beta.

Set Resolution State directly in SCOM 2012 Beta

Ok, most of you might not care about those little things that changed inside of SCOM 2012 beta, but there are really nice changes.
The first thing I recognized was that the Default MP is not set as default.

Second, little but nice, extra:

You can set the resolution state of an alert directly without opening the properties of an alert.

At many of our customers, there are custom resolution states established. So alerts are set to “In Progress” for example. So everybody knows the alert isn’t new and a supporter has started to resolve it.

Before SCOM 2010 Beta, the user had to open the alert to set this value.

Monitoring conhost.exe with SCOM 2007 R2 – KB977648

Currently there is a bug in an update that replaces conhost.exe on Server 2008 R2 systems that do not have SP1 installed.
On these server systems the Application event log is flooded with “EventID 33, SideBySide” entries pointing towards conhost.exe and a missing assembly.

For further details on that error see the following KB article:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;977648

The corresponding hotfix can be found here:

http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=977648&kbln=de

One customer has many servers with 2008 R2 installed.
So we decided to build a monitor in SCOM that flags every system that has neither the hotfix nor SP1 installed.

The monitor runs the following script, which checks the file version of conhost.exe.


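' Property bag used to hand the result back to the SCOM monitor
Dim oAPI, oBag, objFSO, conhostVersion
Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()

' Read the file version of conhost.exe
Set objFSO = CreateObject("Scripting.FileSystemObject")
conhostVersion = objFSO.GetFileVersion("c:\windows\system32\conhost.exe")

' A version string containing ".16823" marks the system as BAD
If InStr(1, conhostVersion, ".16823", 1) > 0 Then
 Call oBag.AddValue("Status","BAD")
Else
 Call oBag.AddValue("Status","OK")
End If

Call oAPI.Return(oBag)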

So after enabling the monitor, we have 138 servers left to patch.

Kind regards and happy patching.

Scheduled reports are not generated: Error: Thread was being aborted

A customer had the problem that scheduled reports were not sent out from SCOM 2007 R2.
In that case, the status of these schedules was: Error: Thread was being aborted.

There were no further errors in the event log or any other location that pointed to a cause.
Also, if the reports were opened from the OpsMgr console, they were shown fine.

One thing we figured out was that the time range for the reports was really big.
For example: Get CPU-Usage Performance for 5 Servers for the last year.

So we had a look at the server usage at the time when the scheduled report should have run and found that the server was under heavy load at that moment.
We recommended moving the reporting services to another machine that runs the reporting services only, and spreading the reports out over the days.

Now also big reports are generated as requested.

Reports do not show graphs when scheduled

After having that issue at a customer, I found a blog post (http://gefufna.wordpress.com/2010/12/27/no-graphs-charts-are-included-in-scheduled-scom-reports/) and a corresponding KB article at Microsoft that describes that behavior.

http://support.microsoft.com/kb/972821/en-us

Not mentioned in the KB article is that the code has to be placed inside the <runtime> </runtime> section of the reportingservices.exe.xml file.
Also make sure that the code is placed next to the existing <dependentAssembly></dependentAssembly> sections if there are any.
Finally, the reporting services have to be restarted.

If the reporting services do not start up right after your modification, you have broken the XML structure.
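One way to catch both mistakes before restarting the service, as an added PowerShell example that is not part of the original post or the KB article: it checks that the edited file is still well-formed XML and that every dependentAssembly section sits inside the runtime section. The function name and the sample configuration are constructed for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Added example; function name and sample XML are constructed.
function Test-DependentAssemblyPlacement {
    param([Parameter(Mandatory = $true)][string]$ConfigText)

    $doc = New-Object System.Xml.XmlDocument
    try {
        $doc.LoadXml($ConfigText)      # throws if the XML structure is broken
    } catch {
        return [pscustomobject]@{ WellFormed = $false; Misplaced = 0; Detail = $_.Exception.Message }
    }

    # local-name() sidesteps the default namespace carried by <assemblyBinding>
    $all = $doc.SelectNodes("//*[local-name()='dependentAssembly']")
    $misplaced = @($all | Where-Object {
        -not $_.SelectSingleNode("ancestor::*[local-name()='runtime']")
    })

    [pscustomobject]@{
        WellFormed = $true
        Misplaced  = $misplaced.Count
        Detail     = "$($all.Count) dependentAssembly section(s) found"
    }
}

# Constructed sample: the second section was pasted after </runtime> by mistake
$sample = @'
<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly><assemblyIdentity name="Example.Existing" /></dependentAssembly>
    </assemblyBinding>
  </runtime>
  <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
    <dependentAssembly><assemblyIdentity name="Example.Pasted" /></dependentAssembly>
  </assemblyBinding>
</configuration>
'@

Test-DependentAssemblyPlacement -ConfigText $sample
```

For the real file, pass its content with Get-Content and the -Raw switch, and restart the service only when WellFormed is true and Misplaced is 0.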

When everything works fine, the report shows the graph like it does in the interactive view.

System Center Operations Manager 2007 R2 Cumulative Update 4 released

Yesterday, Microsoft released cumulative update pack number 4.

http://support.microsoft.com/kb/2449679

Before you install it, read the corresponding documentation twice.
Also make sure you follow the steps written in the KB article.

I would recommend installing it in a test environment first (if you have one).
For production environments, wait about 2 weeks so that most issues have been found by the community.

But after that time, don’t forget to install CU4.

Kind regards,
Benedikt

SEP 11: Pattern File Age Monitor

A customer asked me to monitor the age of the pattern files of the Symantec Endpoint Protection 11 Client (SEP11) on its server systems.

As I didn’t find a Symantec SEP Management Pack, I decided to create it on my own.

Since someone else might be able to make use of it too, I decided to show it step by step.

Let’s start

In the Authoring view select Monitor and “Create a Monitor” on the right side.

1. Select the Monitor type to create: “Timed Script Three State Monitor”
2. Change the Management Pack, for example, create a new one called “_SEP”

3. Name the Monitor and add a description
4. Select the target for the monitor: (in our case, all computers) Windows Computer
5. Make sure that “Monitor is enabled” is checked

6. Set how often the monitor will run and check the pattern file age
(normally once a day should be enough, but that way it would also take one day to close the alerts automatically once the patterns are updated)

7. Add a script name (make sure that the name of the script is unique to avoid conflicts with other Management Packs)
8. Add the script that collects the pattern age from the registry of the computer system


Dim oAPI, oBag
Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()
Const HKEY_LOCAL_MACHINE = &H80000002

' Thresholds in days
badState = 10
warningState = 5

' Read the binary PatternFileDate value; try the Wow6432Node path first
Set objRegistry = GetObject("winmgmts:root\default:StdRegProv")
strKeyPath = "SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV"
strValueName = "PatternFileDate"

objRegistry.GetBinaryValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue
If IsNull(strValue) Then
 ' Fall back to the native registry path
 strKeyPath = "SOFTWARE\Symantec\Symantec Endpoint Protection\AV"
 objRegistry.GetBinaryValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue
End If

If Not IsNull(strValue) Then
 ' Byte 0 = years since 1970, byte 1 = zero-based month, byte 2 = day
 y = 1970 + strValue(0)
 m = 1 + strValue(1)
 d = strValue(2)

 ' DateSerial avoids locale-dependent date string parsing
 date1 = DateSerial(y, m, d)
 date2 = Now
 diffdays = DateDiff("d", date1, date2)
Else
 ' Value not found: -1 is below both thresholds, so the state ends up GOOD
 diffdays = -1
End If

' Map the age in days to the monitor state
If diffdays >= badState Then
 Call oBag.AddValue("state","BAD")
 state = "BAD"
ElseIf diffdays >= warningState Then
 Call oBag.AddValue("state","WARNING")
 state = "WARNING"
Else
 Call oBag.AddValue("state","GOOD")
 state = "GOOD"
End If

Call oAPI.LogScriptEvent("SEPPAtternFileState.vbs", 101, 2, "Patternstatescript delivered state " & state & ". Pattern File age is " & diffdays & " days.")
Call oBag.AddValue("PatternDateTimeToNowDiff",diffdays)

Call oAPI.Return(oBag)

9. Add the BAD state. (If the script returns a BAD)

10. Add the WARNING state. (If the script returns WARNING)

11. Add the GOOD state. (If the script returns GOOD)

12. Set the monitor state corresponding to the script result.

13. Enable the check box for alert generation
14. Change the dropdown “Generate an alert when: The monitor is in a critical or warning health state”
15. Add an alert name (this is what you’ll see when the error is thrown)
16. Change the severity to: “Match monitor’s health”
17. Add an alert text. Mine can be found here (it includes the computer name and the age of the pattern files and a few common resolution possibilities)

SEP Pattern files on $Target/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$ are $Data/Context/Property[@Name='PatternDateTimeToNowDiff']$ days old!

Resolution:

1. Please check if enough space on systemdrive left.

(app. 400MB)

2. Check if Live Update Server is reachable

3. Check if SEP Service is running

4. Reinstall SEP Client

Conclusion

Using these steps you can easily add the SEP pattern file age monitor to your SCOM.
Things you can do if you want to make it more professional:

  • build a management pack including discovery for computers where SEP is installed
  • add parameters for overrides, so warning and error threshold can be overridden without changing the script
    (currently it will warn if patterns are 5 or more days old and error when patterns are 10 or more days old)
  • this script can also be used to build a rule for performance collection

But this way, it is done in about 5 minutes.
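The override idea from the list above, as an added PowerShell example that is not part of the original post: the thresholds become parameters, and a missing or undecodable registry value is reported as UNKNOWN instead of falling through to GOOD as it does in the VBScript. The function name, the parameter names and the UNKNOWN state are assumptions, PowerShell 3.0 or later is assumed, and wiring the result into a SCOM property bag is not shown.

```powershell
# Added example; function and parameter names are hypothetical.
function Get-SepPatternState {
    param(
        [byte[]]$PatternFileDate,        # raw registry value, $null if not found
        [int]$WarningDays = 5,           # defaults match the VBScript above
        [int]$BadDays     = 10,
        [datetime]$Now    = (Get-Date)
    )
    $unknown = [pscustomobject]@{ State = 'UNKNOWN'; AgeDays = $null }
    if ($null -eq $PatternFileDate -or $PatternFileDate.Length -lt 3) { return $unknown }

    try {
        # Same decoding as the VBScript: byte 0 = years since 1970,
        # byte 1 = zero-based month, byte 2 = day of month
        $y = 1970 + $PatternFileDate[0]
        $m = 1 + $PatternFileDate[1]
        $d = [int]$PatternFileDate[2]
        $patternDate = New-Object datetime -ArgumentList $y, $m, $d
    } catch {
        return $unknown                  # bytes do not form a valid date
    }

    $age = ($Now.Date - $patternDate).Days
    if ($age -lt 0) { return $unknown }  # pattern date lies in the future
    $state = if ($age -ge $BadDays) { 'BAD' }
             elseif ($age -ge $WarningDays) { 'WARNING' }
             else { 'GOOD' }
    [pscustomobject]@{ State = $state; AgeDays = $age }
}

# Registry paths from the VBScript above, tried in the same order
$paths = 'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV',
         'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV'
$raw = $null
foreach ($p in $paths) {
    $item = Get-ItemProperty -Path $p -Name PatternFileDate -ErrorAction SilentlyContinue
    if ($item) { $raw = $item.PatternFileDate; break }
}
Get-SepPatternState -PatternFileDate $raw

# Constructed sample bytes (41, 4, 3 decodes to 2011-05-03), checked against a fixed date
$fixedNow = New-Object datetime -ArgumentList 2011, 5, 10
Get-SepPatternState -PatternFileDate ([byte[]](41, 4, 3)) -Now $fixedNow
```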

Kind regards,
Benedikt

Failed Accessing Windows Event Log: Microsoft-Windows-BranchCache/Operational

I stumbled upon the following warning at a customer:

The warning was thrown for several servers and claimed that the special event log for the “BranchCache” feature could not be read.
Inspecting the systems did not show the BranchCache feature as installed.
Also, netsh branchcache show status brought up the message: “This command can only be executed when BranchCache is installed.”

The problem was that BranchCache had been installed on the systems that brought up the warning, but was not needed anymore.
While it was installed and configured, SCOM discovered the systems.
So I installed the BranchCache feature again, set BranchCache to disabled using netsh and uninstalled the BranchCache feature.

After that I disabled the discovery rules shown in the screenshot below.

Next step was to remove the disabled discoveries from the database using the powershell.

remove-disabledmonitoringobject

After that, I removed the disable overrides.

So the warnings didn’t appear again.

SCOM R2 Agent push failed with error 80070102 and 8000FFFF

We had several new servers with Server 2008 R2 that were installed identically.
On none of these systems were we able to push out the SCOM agent.

A look at the push log file on the management server (gateways in our case) showed the error message 8000FFFF and something about: registering a firewall rule failed.

Strange, the firewall was disabled on all systems. So, we had a look at the rules on one of the servers and saw a rule called “MOM Agent Installer Service”.
After deleting this rule, the push worked like a charm.

Digging into the closed monitors in SCOM, we saw that the first push had failed with the message:
“A system update is in progress”.

So, because of the Windows Update reboot while the first push was being tried, the agent wasn’t installed, but the firewall rule was not deleted successfully.

Conclusion:

If the push fails with error 80070102 and 8000FFFF in the log, have a look at the firewall rules on the system, even if the firewall is disabled.