Tuesday, 11 November 2014

PowerShell: Parse netstat for Remote Connections and more...

I needed a way to find out who was connected to my Operations Manager Management Servers.

Of course you can use the GetConnectedUserNames method of the Management Group object in PowerShell like this:
Import-Module OperationsManager
Get-SCOMManagementGroup|%{$_.GetConnectedUserNames()}

But this will only give you the names and not the remote computer name. To do this I wrote a PowerShell function that parses netstat output and also uses Invoke-Expression to get the user of a specific process. To use it to list computers/users connected to a specific Operations Manager Management Server, I execute this on the Management Server:
. .\RemoteConnections.ps1
Get-RemoteConnection -Port 5724 -ProcessName 'Microsoft.EnterpriseManagement.Monitoring.Console'

You can also list computers/users connected to a specific Service Manager Management Server, like this:
. .\RemoteConnections.ps1
Get-RemoteConnection -Port 5724 -ProcessName 'Microsoft.EnterpriseManagement.ServiceManager.UI.Console'

Or list computers/users connected to a specific Virtual Machine Manager Management Server, like this:
. .\RemoteConnections.ps1
Get-RemoteConnection -Port 8100 -ProcessName 'VmmAdminUI'

This is what the content of RemoteConnections.ps1 looks like:
function Get-ConnectionData{
  param ( 
    [Parameter(Mandatory=$true)]
    $RemoteAddress
  )

  process {
    try {
      $IPv4Address = ''
      $IPv6Address = ''
      $ComputerName = ''
      $UserName = ''
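      # Anchor the pattern so only a plain dotted-quad is treated as IPv4
      if($remoteAddress -match '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'){
        $IPv4Address = $remoteAddress
        $ComputerName = [System.Net.DNS]::GetHostByAddress($remoteAddress).hostname
      }else{
        $IPv6Address = $remoteAddress
        # nslookup prints the resolved name on its fourth line ("Name:    host")
        $tmp = nslookup $remoteAddress 2>$null
        if($tmp[3]){$ComputerName = $tmp[3].split(' ')[4]}
      }

      # $ProcessName is not a parameter of this function; it is read from the
      # scope of the calling Get-RemoteConnection (PowerShell dynamic scoping).
      # $ComputerName comes from reverse DNS, so the remoting session below is
      # opened to whatever host the PTR record names.
      if($ComputerName -and $ProcessName){
        $UserName = (Invoke-Command -ComputerName $ComputerName -ArgumentList $ProcessName -ScriptBlock {
          param($ProcessName)
          # Map each process handle (the PID as a string) to its owning user via WMI
          $owners = @{}
          gwmi win32_process -Filter ("Name LIKE '"+$ProcessName+"%'") |
            % {$owners[$_.handle] = $_.getowner().user}
          Get-Process -ProcessName $ProcessName -ErrorAction SilentlyContinue |
            select Id,@{l='Owner';e={$owners[$_.id.tostring()]}}
        }).Owner
      }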
    }
    catch [System.Exception] {
      Write-Error $_.Exception.Message
    }
    New-Object PSObject -Property @{  
      IPv4Address = $IPv4Address
      IPv6Address = $IPv6Address
      ComputerName = $ComputerName
      Username = $UserName
    }
  }
}

function Get-RemoteConnection{
  <#
  .SYNOPSIS
  Use this function to list Remote Connections
  .DESCRIPTION
  This function will list remote connections
  .EXAMPLE
  Get-RemoteConnection -Port 5724 -ProcessName 'Microsoft.EnterpriseManagement.Monitoring.Console'
  .EXAMPLE
  Get-RemoteConnection -Port 5724 -ProcessName 'Microsoft.EnterpriseManagement.ServiceManager.UI.Console'
  .EXAMPLE
  Get-RemoteConnection -Port 8100 -ProcessName 'VmmAdminUI'
  .PARAMETER Port
  The Port to list connections for
  .PARAMETER Protocol
  The Protocol for the connection. May be any of TCP, TCPv6, UDP or UDPv6.
  If unspecified all protocols are listed
  .PARAMETER ProcessName
  The process name of remote application responsible for the connection.
  If this is specified, we try to get the username that started the process.
  #>
  param (
    [Parameter(Mandatory=$True,
    ValueFromPipeline=$True,
    ValueFromPipelineByPropertyName=$True,
      HelpMessage='What port would you like to list connections for?')]
    [string]$Port,
    [Parameter(Mandatory=$False,
      HelpMessage='What protocol would you like to list connections for?')]
    [string]$Protocol='',
    [Parameter(Mandatory=$False,
      HelpMessage='What remote process on the connected computer do you want owner name for?')]
    [string]$ProcessName=''
    
  )
  if($Protocol -eq ''){
    $lines = netstat -ano
  }else{
    $lines = netstat -ano -p $Protocol
  }
  foreach($line in $lines){
    $cols = $line.Split(' ',[System.StringSplitOptions]::RemoveEmptyEntries)
    # Only TCP/UDP rows; skip rows whose local address starts with [:: (IPv6 any/loopback)
    if($cols[1] -notmatch '^\[::' -and ($cols[0] -eq 'TCP' -or $cols[0] -eq 'UDP')){
      # The local port follows the last colon, for 10.0.0.1:5724 and [2001:db8::1]:5724 alike
      $localPort = $cols[1].Substring($cols[1].LastIndexOf(':') + 1)
      if(($ra = $cols[2] -as [ipaddress]).AddressFamily -eq 'InterNetworkV6'){
        $remoteAddress = $ra.IPAddressToString
      }else{
        $remoteAddress = $cols[2].split(':')[0]
      }
      # Skip unconnected rows (0.0.0.0, and * on UDP rows), loopback and link-local peers
      if($localPort -like $Port -and $remoteAddress -ne '' -and $remoteAddress -ne '*' -and $remoteAddress -ne '0.0.0.0' -and $remoteAddress -ne '127.0.0.1' -and $remoteAddress -notlike 'fe80*'){
        Get-ConnectionData -RemoteAddress $remoteAddress
      }
    }
  }
}
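
An added example, not part of the original RemoteConnections.ps1: netstat -ano also reports the connection state and the owning PID, which the function above does not look at, so a TIME_WAIT row is listed like a live session. The code below parses each row into an object so the result can be filtered on state. The function names and the sample rows are constructed for illustration.

```powershell
# Split "address:port" on the last colon; handles 10.0.0.1:80, [2001:db8::1]:80 and *:*
function Split-NetstatEndpoint {
  param([Parameter(Mandatory=$true)][string]$Endpoint)
  $i = $Endpoint.LastIndexOf(':')
  [pscustomobject]@{
    Address = $Endpoint.Substring(0, $i).Trim([char[]]'[]')
    Port    = $Endpoint.Substring($i + 1)
  }
}

# Convert one row of `netstat -ano` output into an object; header and blank rows give no output
function ConvertFrom-NetstatLine {
  param(
    [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
    [AllowEmptyString()]
    [string]$Line
  )
  process {
    $cols = $Line.Split(' ', [System.StringSplitOptions]::RemoveEmptyEntries)
    if ($cols.Count -lt 4 -or $cols[0] -notin 'TCP','UDP') { return }

    $local  = Split-NetstatEndpoint -Endpoint $cols[1]
    $remote = Split-NetstatEndpoint -Endpoint $cols[2]

    # UDP rows have no State column, so the PID is taken from the last column
    [pscustomobject]@{
      Protocol      = $cols[0]
      LocalAddress  = $local.Address
      LocalPort     = $local.Port
      RemoteAddress = $remote.Address
      RemotePort    = $remote.Port
      State         = if ($cols[0] -eq 'TCP') { $cols[3] } else { '' }
      ProcessId     = [int]$cols[-1]
    }
  }
}

# Constructed sample of `netstat -ano` output (not captured from a real host)
$sample = @'

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:5724           0.0.0.0:0              LISTENING       2840
  TCP    192.168.0.20:5724      192.168.0.51:49712     ESTABLISHED     2840
  TCP    192.168.0.20:5724      192.168.0.77:50233     TIME_WAIT       0
  TCP    [2001:db8::20]:5724    [2001:db8::51]:49800   ESTABLISHED     2840
  UDP    0.0.0.0:5355           *:*                                    1120
'@ -split "`r?`n"

# Keep only live sessions on the SDK port used in the post
$sample | ConvertFrom-NetstatLine |
  Where-Object { $_.LocalPort -eq '5724' -and $_.State -eq 'ESTABLISHED' } |
  Select-Object Protocol, RemoteAddress, RemotePort, ProcessId
```

On a live server, replace `$sample` with `netstat -ano` to feed real rows through the same pipeline.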

Tuesday, 2 September 2014

Tuesday, 19 August 2014

OpsMgr: Properties with brackets in PowerShell

Have you tried to select or filter on properties using brackets in PowerShell? Did you figure out how to do it? If not, read on...

For example, I execute this command in Operations Manager Shell:
Get-SCOMClass -DisplayName 'Windows Computer'|Get-SCOMClassInstance|select -First 1 *

And the result:
[Microsoft.Windows.Server.Computer].IsVirtualNode            : (null)
[Microsoft.Windows.Computer].PrincipalName                   : dc1.contoso.com
[Microsoft.Windows.Computer].DNSName                         : dc1.contoso.com
[Microsoft.Windows.Computer].NetbiosComputerName             : dc1
[Microsoft.Windows.Computer].NetbiosDomainName               : CONTOSO
[Microsoft.Windows.Computer].IPAddress                       : 10.0.0.10
[Microsoft.Windows.Computer].NetworkName                     : dc1.contoso.com
[Microsoft.Windows.Computer].ActiveDirectoryObjectSid        : S-0-0-00-000000000-0000000000-000000000-0000
[Microsoft.Windows.Computer].IsVirtualMachine                : True
[Microsoft.Windows.Computer].DomainDnsName                   : contoso.com
[Microsoft.Windows.Computer].OrganizationalUnit              : OU=Computers,DC=contoso,DC=com
[Microsoft.Windows.Computer].ForestDnsName                   : contoso.com
[Microsoft.Windows.Computer].ActiveDirectorySite             : contoso
[Microsoft.Windows.Computer].LogicalProcessors               : 1
[Microsoft.Windows.Computer].PhysicalProcessors              : 1
[Microsoft.Windows.Computer].HostServerName                  : (null)
[Microsoft.Windows.Computer].VirtualMachineName              : (null)
[Microsoft.Windows.Computer].OffsetInMinuteFromGreenwichTime : (null)
[Microsoft.Windows.Computer].LastInventoryDate               : (null)
[Microsoft.SystemCenter.ManagedComputer].InstallDirectory    : C:\Program Files\Microsoft Monitoring Agent\Agent\
[Microsoft.Windows.Server.2008.Computer].InstallType         : Full
[System.ConfigItem].ObjectStatus                             : System.ConfigItem.ObjectStatusEnum.Active
[System.ConfigItem].AssetStatus                              : (null)
[System.ConfigItem].Notes                                    : (null)
[System.Entity].DisplayName                                  : dc1.contoso.com
IsManaged                                                    : True
HealthState                                                  : Success
StateLastModified                                            : 8/19/2014 10:00:00 AM
IsAvailable                                                  : True
AvailabilityLastModified                                     : 8/19/2014 10:00:00 AM
InMaintenanceMode                                            : False
MaintenanceModeLastModified                                  :
MonitoringClassIds                                           : {e817d034-02e8-294c-3509-01ca25481689, ea99500d-8d52-fc52-b5a5-10dcd1ba-33f801db7d37...}
LeastDerivedNonAbstractMonitoringClassId                     : ea99500d-8d52-fc52-b5a5-10dcd1e9d2bd
ManagementGroup                                              : SCOMMG
Name                                                         : dc1.contoso.com
Path                                                         :
DisplayName                                                  : dc1.contoso.com
FullName                                                     : Microsoft.Windows.Computer:dc1.contoso.com
ManagementPackClassIds                                       : {e817d034-02e8-294c-3509-01ca25481689, ea99500d-8d52-fc52-b5a5-10dcd1ba-33f801db7d37...}
LeastDerivedNonAbstractManagementPackClassId                 : ea99500d-8d52-fc52-b5a5-10dcd1e9d2bd
TimeAdded                                                    : 8/19/2014 10:00:00 AM
LastModifiedBy                                               :
Values                                                       : {(null), dc1.contoso.com, dc1.contoso.com, dc1...}
LastModified                                                 : 8/19/2014 10:00:00 AM
IsNew                                                        : False
HasChanges                                                   : False
Id                                                           : 83f8d115-ccc8-5d88-2345-00d0148ecbd3
ManagementGroupId                                            : c6f7583b-f37e-101a-30fa-e53639ee0d80

Now you may wonder, how do I use Select-Object to view only Name and IPAddress? Well, square brackets require double-escaping in PowerShell (see this Microsoft Connect Feedback), so this is how:
Get-SCOMClass -DisplayName 'Windows Computer'|Get-SCOMClassInstance|select -First 1 Name,``[Microsoft.Windows.Computer`].IPAddress

Great, but what if I would like to use Where-Object to filter on IPAddress? Well, in this case we do not need to backtick-escape these brackets, instead we need to put single quotes around the entire property name, like this:
Get-SCOMClass -DisplayName 'Windows Computer'|Get-SCOMClassInstance|where{$_.'[Microsoft.Windows.Computer].IPAddress' -match '10.0.0.10'}|select Name,``[Microsoft.Windows.Computer`].IPAddress

Wednesday, 13 August 2014

SQL Server: Unable to modify a Maintenance Plan

Are you unable to modify an existing Maintenance Plan in SQL Server Management Studio?

If you have installed the Microsoft SQL Server Management Studio tools in a Basic edition, try to install the Complete tools.

You can use "Installed SQL Server features discovery report" in the Tools section of SQL Server Installation Center to see what features you have installed.

You may find that you also need to install Microsoft SQL Server Shared Management Objects. This is part of the Microsoft SQL Server Feature Pack. You can find it at the Microsoft Download Center. Be sure to select the version that corresponds to the SQL Server you have installed.

Monday, 28 July 2014

Outlook Reply / Forward prefixes

Email clients can’t cope as well with a mix of prefixes from across the globe. It’s best to stick with RE and FW as a courtesy to other people. Outlook lets non-English language users do that with two settings buried in the options.
  • Use English for message flag labels
  • Use English for message headers on replies and forwards [and for forward notifications]

OUTLOOK 2013 AND OUTLOOK 2010
Go to File | Options | Advanced | International Options


OUTLOOK 2007 AND BEFORE
Go to Tools | Options | Mail Format | International Options

Sunday, 27 July 2014

Windows: Time Synchronization

Hyper-V Integration Services synchronizes the time of virtual machines with the physical host because virtual machines tend to experience time drift over time. Never disable Hyper-V Time Synchronization; it is important when the virtual machine boots and resumes from saved states.

Benjamin Armstrong talks about this topic in more detail in his Virtualization Blog. Here are some of the PowerShell commands I use to configure Time Synchronization in a domain.

# If the computer is a virtual machine running in Hyper-V, disable aspects of time synchronization from Hyper-V with:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider' -Name 'Enabled' -Value 0

# For the Domain Controller holding the PDC emulator role (check with netdom /query fsmo), configure a remote time source:
& C:\Windows\System32\w32tm.exe /config /manualpeerlist:"0.no.pool.ntp.org,0x1 1.no.pool.ntp.org,0x1 3.no.pool.ntp.org,0x1 4.no.pool.ntp.org,0x1" /syncfromflags:manual /reliable:YES /update
Restart-Service w32time
& C:\Windows\System32\w32tm.exe /resync /rediscover

# For member servers, configure synchronization with the domain:
& C:\Windows\System32\w32tm.exe /config /syncfromflags:DOMHIER /update
Restart-Service w32time
& C:\Windows\System32\w32tm.exe /resync /rediscover /force

Saturday, 26 July 2014

DPM: Configure a Backup Network

Let's say I have a production network, contoso.com with subnet 192.168.0.0/24. I already have two domain controllers (dc1 and dc2), a backup server (dpm1) and other member servers. The domain controllers and DPM servers are running Windows Server 2012 R2. I want to add a backup network. This is how I would do it:

First I add a network interface to each server. This will be used by the backup network. I name the interface BackupNet on each server.

The backup network will use subnet 192.168.10.0/24.

I create a DNS Zone, backup.contoso.com, using PowerShell:
Add-DnsServerPrimaryZone -Name backup.contoso.com -ReplicationScope 'Domain' -PassThru -DynamicUpdate Secure -ComputerName dc1

On each DNS Server I open DNS Properties > Interfaces and verify that the backup interface is selected.

I configure the backup interface on all servers using PowerShell:
Invoke-Command -ComputerName dc1 -ScriptBlock {Set-DnsClientServerAddress -InterfaceAlias 'BackupNet' -ServerAddresses ('192.168.10.5','127.0.0.1')}
Invoke-Command -ComputerName dc2 -ScriptBlock {Set-DnsClientServerAddress -InterfaceAlias 'BackupNet' -ServerAddresses ('192.168.10.6','127.0.0.1')}
Invoke-Command -ComputerName dpm1 -ScriptBlock {Set-DnsClientServerAddress -InterfaceAlias 'BackupNet' -ServerAddresses ('192.168.10.5','192.168.10.6')}
Invoke-Command -ComputerName dc1,dc2,dpm1 -ScriptBlock {Set-DnsClient -InterfaceAlias 'BackupNet' -ConnectionSpecificSuffix 'backup.contoso.com' -RegisterThisConnectionsAddress $true -UseSuffixWhenRegistering $true}
Invoke-Command -ComputerName dc1,dc2,dpm1 -ScriptBlock {ipconfig /registerdns}

Then I add Backup and Production Networks to DPM:
Add-DPMBackupNetworkAddress -DPMServerName dpm1.contoso.com -Address 192.168.10.0/24 -SequenceNumber 1
Add-DPMBackupNetworkAddress -DPMServerName dpm1.contoso.com -Address 192.168.0.0/24 -SequenceNumber 2
Restart-Service DPM

Monday, 12 May 2014

DPM: Troubleshooting

When debugging problems with DPM you should look at the logs.

For the agent you will find the logs in:
%windir%\temp\MSDPM*.log
C:\Program Files\Microsoft Data Protection Manager\DPM\Temp

For the server you will find the logs where you installed DPM, for example:
C:\Program Files\Microsoft System Center 2012 R2\DPM\DPMLogs
C:\Program Files\Microsoft System Center 2012 R2\DPM\DPM\Temp

If the problem is connectivity, try to run:
"C:\Program Files\Microsoft Data Protection Manager\DPM\bin\SetDPMServer.exe" -dpmServerName <yourdpmserver>

Configure Windows Firewall Correctly:
The following initial command should enable the agent to be installed:
netsh advfirewall firewall add rule name="dpmac" dir=in program="C:\Program Files\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\<DPMVersion>\dpmac.exe" action=allow

Note: The DPM version information has to reflect your current DPM installation version. A sample path is used above. Replace <DPMVersion> (and the path if required) with the correct DPM version number in the form x.x.xxxx.x.
DPM 2010: version 3.0.7696.0
DPM 2012: version 4.0.1908.0
DPM 2012 SP1: version 4.1.3313.0
DPM 2012 R2: version 4.2.1205.0

If this command does not enable the agent installation to succeed, add the following additional rules:
netsh advfirewall firewall add rule name="Microsoft System Center 2012 R2 Data Protection Manager Replication Agent" dir=in program="C:\Program files\Microsoft Data Protection Manager\DPM\bin\dpmra.exe" profile=Any action=allow

netsh advfirewall firewall add rule name="Microsoft System Center 2012 R2 Data Protection Manager DCOM setting" dir=in action=allow protocol=TCP localport=135 profile=Any

netsh advfirewall firewall set rule group="@FirewallAPI.dll,-28502" new enable=yes

netsh advfirewall firewall add rule name="DPMAM_WCF_SERVICE" dir=in program="C:\Microsoft Data Protection Manager\DPM\bin\AMSvcHost.exe" profile=Any action=allow

netsh advfirewall firewall add rule name="DPMAM_WCF_PORT" dir=in action=allow protocol=TCP localport=6075 profile=Any
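
The netsh rules above accept connections from any remote address. The following added example (not from the original post) creates the same program and port rules limited to the DPM server's address, and lists existing DPM rules that are still open to any peer. It assumes Windows Server 2012 or later (the NetSecurity module); `$DpmServerIp` is a constructed placeholder, the rule display names are made up here, and the function names are hypothetical.

```powershell
$DpmServerIp = '192.0.2.10'      # constructed placeholder: replace with your DPM server's address
$DpmVersion  = '4.2.1205.0'      # DPM 2012 R2, taken from the version list above
$DpmRoot     = 'C:\Program Files\Microsoft Data Protection Manager\DPM'

# Create one inbound allow rule that only matches traffic from $RemoteAddress
function New-ScopedDpmRule {
  [CmdletBinding(SupportsShouldProcess=$true)]
  param(
    [Parameter(Mandatory=$true)][string]$DisplayName,
    [Parameter(Mandatory=$true)][string]$RemoteAddress,
    [string]$Program,
    [int]$LocalPort
  )
  $rule = @{
    DisplayName   = $DisplayName
    Direction     = 'Inbound'
    Action        = 'Allow'
    Profile       = 'Any'
    RemoteAddress = $RemoteAddress   # the difference from the netsh rules: restrict the peer
  }
  if ($Program)   { $rule.Program = $Program }
  if ($LocalPort) { $rule.Protocol = 'TCP'; $rule.LocalPort = $LocalPort }
  if ($PSCmdlet.ShouldProcess($DisplayName, 'Create inbound allow rule')) {
    New-NetFirewallRule @rule
  }
}

# Remove -WhatIf to actually create the rules
New-ScopedDpmRule -DisplayName 'dpmac (DPM server only)' -RemoteAddress $DpmServerIp `
  -Program "$DpmRoot\ProtectionAgents\AC\$DpmVersion\dpmac.exe" -WhatIf
New-ScopedDpmRule -DisplayName 'DPM Replication Agent (DPM server only)' -RemoteAddress $DpmServerIp `
  -Program "$DpmRoot\bin\dpmra.exe" -WhatIf
New-ScopedDpmRule -DisplayName 'DPM DCOM setting (DPM server only)' -RemoteAddress $DpmServerIp `
  -LocalPort 135 -WhatIf
New-ScopedDpmRule -DisplayName 'DPMAM_WCF_PORT (DPM server only)' -RemoteAddress $DpmServerIp `
  -LocalPort 6075 -WhatIf

# Audit: enabled inbound allow rules for DPM binaries or port 6075 that accept any remote address
function Get-UnscopedDpmRule {
  Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $app  = $_ | Get-NetFirewallApplicationFilter
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    $isDpm = ($app.Program -like '*\DPM\*') -or ($port.LocalPort -contains '6075')
    if ($isDpm -and $addr.RemoteAddress -contains 'Any') {
      [pscustomobject]@{
        Rule      = $_.DisplayName
        Program   = $app.Program
        LocalPort = $port.LocalPort -join ','
      }
    }
  }
}

Get-UnscopedDpmRule | Format-Table -AutoSize
```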

Also verify:
  1. Configure Windows Firewall on client. You have several options:
    • Configure rules to allow specific ports required (see above)
    • Create a rule that will allow all inbound traffic from DPM Server.
    • Turn the firewall off (not recommended but can be used to test if the firewall is the problem).
  2. Ping client from DPM server: ping <yourdpmclient>
  3. Ping DPM server from client: ping <yourdpmserver>
  4. Ping to test MTU size: ping <yourdpmserver> -l 1472 -f
    (If you get Packet needs to be fragmented but DF set, you need to lower 1472 until you get reply. A low value could indicate that you do not get the required throughput).
  5. Use tracert from client to verify routing: tracert <yourdpmserver>
  6. Use tracert from DPM server to verify routing: tracert <yourdpmclient>
  7. Use net view to verify shares on the client: net view \\<yourdpmclient>
  8. Use net view to verify shares on the DPM Server: net view \\<yourdpmserver>
  9. Use sc to verify RPC connectivity to client: sc \\<yourdpmclient> query
  10. Use sc to verify RPC connectivity to DPM Server: sc \\<yourdpmserver> query
  11. Use WBEMTEST to verify DCOM connectivity to client:
    Click Connect > Type in Namespace: \\<yourdpmclient>\root\default > Connect > Enum Classes > Recursive > OK (If you fail at any point you have problems with DCOM).
  12. Use WMIC to verify WMI connectivity to client: wmic /node:<yourdpmclient> OS list brief
  13. Use NETSTAT to verify that client can connect to DPM server from port 5718: netstat -ano
  14. Use TASKLIST to verify that it is DPMRA.exe that uses port 5718 (note the PID from NETSTAT and compare it to the same PID in this list): tasklist /svc
  15. If it is suspected that TCP Chimney Offload is not operating as expected:
    • Try updating network card drivers
    • Check current status: netsh int tcp show global
    • Turn off: netsh int tcp set global chimney=disabled
  16. If it is suspected that RSS is not operating as expected:
    • Try updating network card drivers
    • Check current status: netsh int tcp show global
    • Turn off: netsh int tcp set global rss=disabled
  17. Verify SPN records with SETSPN: setspn -L <yourdpmclient>
    Look at HOST records and verify that they match the hostname and are valid. To register SPN records you can use (you must be domain admin for this): setspn -S HOST/<yourdpmclient> <yourdpmclient>. You can also check for duplicate SPN records with setspn -X.

A mini troubleshooting test when deploying the agent could be to do the following from the DPM server:
ping <yourdpmclient>
net view \\<yourdpmclient>
sc \\<yourdpmclient> query
wmic /node:"<yourdpmclient>" OS list brief
wbemtest

If ping fails, then use tracert to see where the traffic dies. Also check the integrated firewall on the target server. If ping fails by using the name, then test by pinging the IP address of the target server. If that works then check the DNS registration.

If net view fails with error 53, make sure the computer name is correct AND that file and printer sharing are enabled. If net view fails with "System error 5 has occurred. Access is denied." verify that you are logged on using an account with permission to view shares on the remote computer. If net view fails by using the name then test with the IP address. If that works then check the DNS registration and if it checks out use ipconfig /flushdns and ipconfig /registerdns on both the DPM server and on the client. If this resolves the issue, verify that ADMIN$ is listed.

If sc fails, check the client integrated firewall to see if RPC traffic is locked down and being denied. Turn off the firewall and/or rely on the firewall logging as discussed earlier. If there are any firewalls in between the DPM server and the client make sure RPC ports are allowed.

Sunday, 2 March 2014

Windows: How to extend evaluation period or convert to retail

When you download and install an evaluation version of Windows, you are given 10 days before you have to activate Windows (product key not required). After that you are given 180 days to evaluate it. You can extend the evaluation period three times. This gives you a total of 720 + 40 days for evaluation.

To display license information including remaining evaluation time:
slmgr.vbs /dli

To display detailed license information including rearm count:
slmgr.vbs /dlv

To display expiration date:
slmgr.vbs /xpr

To rearm Windows (after evaluation has expired):
slmgr.vbs /rearm

To activate Windows (after rearm you need to activate Windows within 10 days):
slmgr.vbs /ato

TIP! If you like, you could schedule the rearm using Scheduled Tasks.

After the evaluation period has ended you can convert the evaluation to a retail version (unless it is a Domain Controller).

To get the current edition of Windows:
dism /Online /Get-CurrentEdition

To convert from evaluation versions of Windows to retail versions:
dism /Online /Set-Edition:<TargetEdition> /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula

You can also use this to upgrade Windows to a higher edition. To get a list of editions you can upgrade to:
dism /Online /Get-TargetEditions

Thursday, 27 February 2014

OpsMgr 2012: Report Models

Reports in Operations Manager are based on SQL Server Reporting Services. When building reports with Reporting Services you need to know the underlying database, the data relationships and what queries to use. For this purpose we can use Report Models. Although these are now deprecated in SQL Server 2012, we can still use existing models with SQL Server 2012.

Operations Manager ships with such models to help you build reports using data from the Operations Manager Data Warehouse database. You have to import the models into the Reporting Services. This is how you do it:

  1. Open the Reports page in your web browser. If you do not know the URL to your reporting server, look in Operations Manager Console > Administration > Settings > Reporting. You will typically see something like this:

    http://reportserver/ReportServer

    Open this URL in your browser, then replace ReportServer with:
    Reports/Pages/Folder.aspx?ViewMode=Detail

     It would then look like this:
    http://reportserver/Reports/Pages/Folder.aspx?ViewMode=Detail

  2. Click the Upload File button:

     
  3. Click Browse and locate the file Event.smdl in folder ReportModels\Other on the Operations Manager installation media, and click Open and then OK.

  4. Locate the Event file that you just uploaded and point the mouse to the name. You will see a select box; click the down arrow of the select box and choose Manage.

  5. Click Data Sources then Browse and select Data Warehouse Main and OK. Click Apply to save the change and then click Home in the top left corner.

  6. Do the same with the file Performance.smdl.

To use the Report Model, you need to open up Report Builder. I did this with the SQL Server 2012 version; older SQL Servers will have older versions and the features will be different:


Then you need to select New Dataset and click Browse other data sources..., select the Event file that you uploaded and click Open and Create:


For now I will not go into details about the creation process, but in short: you add fields to your dataset by selecting the entity, e.g. Class, Event, Event Parameter, Event Rule, Management Pack, Object or Rule. Then drag and drop fields to the designer. You can also define filters and set options for the dataset. When you are done you can Run the dataset to see the result before you save it.

With the dataset in place you can create a report and use the dataset you have created to extract data from the data warehouse database.

OpsMgr 2012: NiCE Log File Management Pack

I had the chance to take a look at a new management pack from NiCE. It will be available for FREE next week and it is a most welcome addition to the existing functionality that Operations Manager already provides for monitoring log files. Another great blogger, Stefan Roth, already blogged about it here so I will not go into a lot of details here.

To get started you download a Quick Start guide in PDF format and the MSI installer file from www.nice.de.

The installer, like most Management Pack installers, will extract the management pack to a specified folder. Then you have to import it to your Management Group using the Operations Manager Console. You can uninstall it from Windows Programs and Features after that. However, I would recommend keeping the management pack in a file repository, by version, so you can easily revert to older versions if a new version has problems or changed functionality that you do not like.

The Quick Start guide will tell you, with NiCE Step-By-Step guides, how to get started. Quite helpful.

After playing around with it for a bit I have to say that this is awesome, you should give it a try. Highly recommended.

UPDATE 28 February 2014: I have found two problems with the current version (1.0.26.0):

1) Self Monitoring Rules targets Windows Computers
The purpose of the Self Monitoring Rules is to monitor the Operations Manager event log for warnings and errors related to this Management Pack. The problem arises if you have Windows Clusters: the rules will then also target the cluster address (the virtual node). This may result in event 26004 being logged on the active node. The event would look something like this:

Log Name: Operations Manager
Source: Health Service Modules
Date: 27.02.2014 14:41:49
Event ID: 26004
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: host.lab.internal
Description:
The Windows Event Log Provider is still unable to open the Operations Manager event log on computer 'cluster.lab.internal'. The Provider has been unable to open the Operations Manager event log for 720 seconds.

Most recent error details: The RPC server is unavailable.

This will be picked up by the monitor "Failed Accessing Windows Event Log" targeting the "Health Service" and make the agent go into a warning state.

The workaround is to disable the following Rules for Class Windows Computers:
Self Monitoring: NiCE Log File Provider (Errors)
Self Monitoring: NiCE Log File Provider (Warnings)

2) Missing Console Task
This problem may be related to my environment, however it is of greater impact. In my console I noticed that the console tasks were missing. For example in the Windows Computers view, I would normally see the following sections in the Tasks pane: State Actions, Tasks, Navigation, Windows Computer Tasks and Report Tasks. After importing the NiCE Log File Management Pack, only State Actions remained. Closing the console did not help. Starting the console with the /clearcache switch did not help.

Only after removing the NiCE Log File Management Pack and restarting the console did the Tasks reappear. I tried to import the management pack once more and after restarting the console, the tasks were missing again. In the event log I found two events that occurred at the time I imported the Management Pack, so they are likely to be related:

Log Name:      Operations Manager
Source:        DataAccessLayer
Date:          28.02.2014 16:43:55
Event ID:      33333
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      scom.lab.internal
Description:
Data Access Layer rejected retry on SqlError:
Request: ResourceByCriteria -- (LanguageCode1=ENU), (LanguageCode2=), (Category0=ad3be2e1-d1e2-bbf7-0c05-67ae8781a16a)
Class: 16
Number: 10316
Message: The app domain with specified version id (25189) was unloaded due to memory pressure and could not be found.

The other event was:

Log Name:      Operations Manager
Source:        OpsMgr SDK Service
Date:          28.02.2014 16:43:55
Event ID:      26319
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      scom.lab.internal
Description:
An exception was thrown while processing GetResourcesByCriteria for session ID uuid:89adfa9b-ddca-4143-a1e0-cf91c49e0703;id=35.
Exception message: The creator of this fault did not specify a Reason.
Full Exception: System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UnknownDatabaseException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to The app domain with specified version id (25189) was unloaded due to memory pressure and could not be found.).

UPDATE 6 March 2014: A new release, 1.0.27.0, has arrived in which the second problem (Missing Console Tasks) outlined above has been resolved. To get this great management pack you need to register at the www.nice.de site and then you will be able to download it for free.

Tuesday, 25 February 2014

OpsMgr 2012: Event 26001 is logged regularly on Windows Server 2012 R2 host computers

Microsoft published a KB about this issue recently. You can find it here:
http://support.microsoft.com/kb/2924512/en

After disabling the two rules I noticed that this event still happened on the Windows Server 2012 R2 host computer. So I did some research.

First I wanted to see where this event came from and executed this PowerShell command against the host:
Invoke-Command -ComputerName host1 -ScriptBlock {get-eventlog Application | where {$_.EventID -eq 26001}|select -First 1}|select Source

Source: Microsoft.SystemCenter.VirtualMachineManager.2012.Report.VPortUsageCollection

Then I wanted to find the Rule, so using Tao Yang's OpsMgr 2012 Self Maintenance Management Pack I was able to back up the sealed management packs to a folder where I got hold of the XML source file for the Virtual Machine Manager Management Packs. I assumed it was related to Reports, so I opened this: Microsoft.SystemCenter.VirtualMachineManager.2012.Reports.xml

I searched the XML and was able to see that the Source was defined in a DataSource called Microsoft.SystemCenter.VirtualMachineManager.2012.Report.TimedPowerShell.VPortUsagePerformanceProvider which in turn, when I searched for that, was used by the rules Microsoft.SystemCenter.VirtualMachineManager.Network.2012.Vport.BytesReceivedPerSec and Microsoft.SystemCenter.VirtualMachineManager.Network.2012.Vport.BytesSentPerSec

By using PowerShell on the management server I could find the DisplayName and Target for this rule:
Get-SCOMRule -Name Microsoft.SystemCenter.VirtualMachineManager.Network.2012.Vport.*

DisplayName: Virtual port received bytes per second
DisplayName: Virtual port sent Bytes per second
Target: Virtual Port

So, I then disabled the rules in Authoring > Rules > Scope to Virtual Port. After that the event logs stopped.

Tuesday, 4 February 2014

Windows: Read Event Log with PowerShell

Here are some examples of listing events from the last 30 days.

Total Errors per day
Get-EventLog -LogName 'Application' -EntryType Error -After ((Get-Date).Date.AddDays(-30))| ForEach-Object{$_|Add-Member -MemberType NoteProperty -Name LogDay -Value $_.TimeGenerated.ToString("yyyyMMdd") -PassThru} | Group-Object LogDay | Select-Object @{N='LogDay';E={[int]$_.Name}},Count | Sort-Object LogDay | Format-Table -Auto

Errors by Event ID
Get-EventLog -LogName 'Application' -EntryType Error -After ((Get-Date).Date.AddDays(-30))| Group-Object EventID | Sort-Object Count -Descending

Warnings by Event ID
Get-EventLog -LogName 'Application' -EntryType Warning -After ((Get-Date).Date.AddDays(-30))| Group-Object EventID | Sort-Object Count -Descending

Monday, 6 January 2014

Windows Server: Microsoft Hotfix Collection

Windows Server 2012 R2
Hyper-V: Update List for Windows Server 2012 R2
List of Cluster Hotfixes for Windows Server 2012 R2
List of File Services Hotfixes for Windows Server 2012 and 2012 R2

Windows Server 2012
Hyper-V: Update List for Windows Server 2012
List of Cluster Hotfixes for Windows Server 2012

Windows Server 2008 R2
Hyper-V: Update List for Windows Server 2008 R2
List of Cluster Hotfixes for Windows Server 2008 R2
List of Failover Cluster Packages Updated After the Release of Windows Server 2008 R2 Service Pack 1

System Center - Operations Manager
KB2843219 - System Center 2012 Operations Manager: Recommended agent operating system fixes and updates
KB2616936 - Agent Health tips and fixes for System Center Operations Manager 2007
Kevin Holman's System Center Blog - Which hotfixes should I apply?

System Center - Virtual Machine Manager
Recommended hotfixes for Microsoft System Center 2012 Virtual Machine Manager
Recommended hotfixes for System Center Virtual Machine Manager 2008 R2
How to determine the version of Virtual Machine Manager

Windows Client
Windows 7 VDI image hot fixes

Tools
PowerShell script to help verify Windows Server 2012 Hyper-V and Failover Cluster Hotfixes

Windows Server: Rebuild all Performance Counters

You may need to rebuild a computer's Performance Counters.

Before you do, check if any Counters are disabled. Use PowerShell to search the registry for all values with name 'Disable Performance Counters' under the Services key, like this:
$val='Disable Performance Counters'; gci HKLM:SYSTEM\CurrentControlSet\Services -rec -ea SilentlyContinue | % {if((gp -Path $_.PsPath) -match $val) {gp -Path $_.PsPath -Name $val}} | select PSPath,$val

To search for values with name 'Disable Performance Counters' under the Services key and return those with data greater than 0:
$val='Disable Performance Counters'; gci HKLM:SYSTEM\CurrentControlSet\Services -rec -ea SilentlyContinue | % {if((gp -Path $_.PsPath) -match $val) {if((gp -Path $_.PsPath -Name $val).$val -gt 0){$_}}}

You could turn on all disabled Counters like this (to actually do it you must remove the -WhatIf parameter):
$val='Disable Performance Counters'; gci HKLM:SYSTEM\CurrentControlSet\Services -rec -ea SilentlyContinue | % {if((gp -Path $_.PsPath) -match $val) {if((gp -Path $_.PsPath -Name $val).$val -gt 0){sp -Path $_.PsPath -Name $val -Value 0 -WhatIf}}}

To rebuild the Counters, open Command Prompt with Run as administrator and type:
cd c:\Windows\System32
lodctr /R
cd c:\Windows\SysWOW64
lodctr /R
WINMGMT.EXE /RESYNCPERF

You must stop and start the Performance Logs and Alerts service. Open Command Prompt with Run as administrator and type:
net stop pla && net start pla

Do the same for the Windows Management Instrumentation service. Open Command Prompt with Run as administrator and type:
net stop Winmgmt && net start Winmgmt