Management Server Maintenance Mode in SCOM 2012

Posted on September 9, 2011 by alexvgemst

Another nice enhancement in SCOM 2012 !

In SCOM 2007 (R2) you had a problem when you put your RMS into Maintenance Mode,

because this meant the workflow ‘Stop Maintenance Mode’ which ran on the RMS,

was actually unloaded 🙂

So this meant your RMS actually would never come out of Maintenance Mode ;-(

You had to manually get it out of Maintenance Mode, normally using the “End Maintenance Mode” Console Task.

In SCOM 2012, because of its more distributed architecure, the “Stop Maintenance Mode” workflow will actually be moved to another Management Server, when the MS that currently runs this, is put into Maintenance Mode.

The only thing you need to do, is make sure you never put more then 50% of your Management Servers into Maintenance Mode, because this makes your Resource Pool unusable.

Here’s a slide from the CEP Presentation I attended:

So yet another nice new feature to expect!

Add Permissions on Files and Folders using PowerShell

Posted on August 22, 2011 by alexvgemst

Seems very simple, but I had to puzzle a little to get it working,

here’s a small function I came up with, maybe it will save you some time,

it will Add permissions, not replace the ACL.

Function GrantFullControl ($File)

{

$acl = $file.GetAccessControl()

$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule (“Administrators”,”FullControl”,”Allow”)

$acl.AddAccessRule($accessrule)

$file.SetAccessControl($acl)

}

So you can call it like this:

$MyFile = Get-ChildItem “Myfile.txt”

GrantFullControl $MyFile

Operations Manager 2012 Command Shell revamped

Posted on July 28, 2011 by alexvgemst

I took a first peak at the SCOM 2012 Beta, and was interested in the announced new PowerShell CmdLets for Operations Manager 2012 of course !

Here’s some stuff I noticed after playing around a bit:

All CMDLets have the ‘SCOM’ identifier in it, according to the documentation it should be ‘SC’, possibly this will change in the future, I’m not sure which one it’s gonna be.

Also the CmdLets are implemented in a Powershell 2.0 compliant ‘Module‘, not in a PoSh 1.0 ‘Snap-In’.

The module is automatically loaded if you start the ‘Operations Manager Shell’ using the default shortcut in the Start Menu.

You can load it yourself in PowerShell using the command: ‘Import-Module OperationsManager’

There are various totally new CmdLets, like ‘Get-SCOMGroup’ for example

Get-SCOMGroup –DisplayName *Agent*, *Windows*

displays all SCOM Groups with the specified Displaynames:

You can create temporary and permanent connections to a Management Group.

Temporary connections mean you can specify a computername.

By the wayhis can be any Management Server now, because they all run the Data

Acess service,the RMS role is basically gone,

And you can specify credentialswith the CmdLets:

example:

Get-Agent -ComputerName MyMgmtServer –Credential (Get-Credential)

Permanent connections is more like the connections we’re used to make in Ops Mgr 2007.

The ‘Get-SCOMAlert’ CmdLet seems to be revamped, it’s got a lot of default parameters, in OpsMgr 2007 we had to use the ‘-Criteria’ switch a lot, which could be a bit clumsy in my experience:

The Install-SCOMAgent CmdLet seems to have improved.

There is no need to first perform a discovery like in Ops Mgr 2007 (R2).

Also you can specify an ActionAccount (which performs the deployment so needs Administrative permissions on the to-be Agent)

And also an ‘AgentActionAccount ‘, this is the account the Agent will use by default, if not specified Local System is used:
(Just specifying this because it’s slightly confusing)

Anyway these are my very first findings of the new Ops Mgr 2012 PowerShell Module.

O yeah, it still seems possible to load the ‘Old’ OpsMgr 2007 R2 PowerShell Snap-In, so your old scripts won’t break I suppose, and you can migrate them to the New style at your own pace!

Handy Operations Manager 2012 Control Panel applet

Posted on July 27, 2011 by alexvgemst

I’ve started to evaluate the recently released SCOM 2012 Beta.

I took a look at a new Agent side feature, a Operations Manager Agent Control Panel applet, to be found under the ‘System and Security ‘ node:

When the applet is opened you see a list of all configured Management Groups for the Agent:

Here you can Add/Edit/Remove Management Groups.

In the ‘Edit…’ Mode you can change the Action Account easily.

You can also enable/disable the ‘Automatically update management group assignments from AD DS.

When disabling this the applet will ask you for confirmation to remove the AD Assigned Management groups:

When manually adding a Management Group, you can easily configure settings in one windows as following:

In short: A handy new Agent feature, that enables you to quickly and clearly configure Management Group assignments on an Ops Mgr Agent.

Just Another Maintenance Mode Script for SCOM 2007

Posted on January 25, 2011 by alexvgemst

This is based on Timoty Mc Fadden’s Remote Maintenance Mode scheduler:

http://www.scom2k7.com/scom-remote-maintenance-mode-scheduler-20/

for which many thanks!

I fiddled a little with the script, so it can be used to set a SCOM Group in Maintenance Mode, containing different kinds (types) of Objects.

I needed to do this for a customer, who performed regular maintenance on related

servers, but it wasn’t always necessary to put the entire computer in Maintenance Mode. It should be easy to add other classes as needed.

Here’s the code:

Param($rootMS,$groupName,$minutes,$comment,$reason,$startMM)

# Load Ops Mgr Snap-In
Add-PsSnapin “Microsoft.EnterpriseManagement.OperationsManager.Client”
# Go to Monitoring Drive
Set-Location “OperationsManagerMonitoring::”

# Connect to Management Group
$MGConn = New-ManagementGroupConnection -connectionString:$rootMS

If (!($MGConn))
{
Write-Host “Failed to connect to RMS”
Exit
}

# Go to RMS location on Monitoring Drive
Set-Location $rootMS;

# Instantiate objects for necessary classes
$GroupClass = Get-MonitoringClass -Name:System.Group
$windowsComputerClass = Get-MonitoringClass -Name:Microsoft.Windows.Computer
$IISServerRoleClass = Get-MonitoringClass -Name:Microsoft.Windows.InternetInformationServices.ServerRole
$WindowsClusterClass = Get-MonitoringClass -Name:Microsoft.Windows.Cluster

# Instantiate Group that was given as parameter
$GroupInstance = (Get-ManagementGroupConnection).ManagementGroup.GetPartialMonitoringObjects($GroupClass) | where {$_.DisplayName -eq $groupName}

if (!($GroupInstance))
{
Write-Host “Specified Group not found”
Exit
}
# Function that activates the Maintenance Mode
Function PutInMaintMode ($Objects) {

ForEach($Object in $Objects)
{
Write-Host “Object Fullname: ” + $Object.FullName
$startTime = [DateTime]::Now
$endTime = $startTime.AddMinutes($minutes)

if($startMM -eq $true -and $Object.InMaintenanceMode -eq $false)
{
New-MaintenanceWindow -startTime:$startTime -endTime:$endTime -comment:$comment -Reason:$reason -monitoringObject:$Object
}
}
}

# Retrieve all objects contained in the group.
# You can add classes here if necessary
$Computers = $groupInstance.GetRelatedMonitoringObjects($windowsComputerClass,[Microsoft.EnterpriseManagement.Common.TraversalDepth]::OneLevel)
$IISServers = $groupInstance.GetRelatedMonitoringObjects($IISServerRoleClass,[Microsoft.EnterpriseManagement.Common.TraversalDepth]::OneLevel)
$WindowsClusters = $groupInstance.GetRelatedMonitoringObjects($WindowsClusterClass,[Microsoft.EnterpriseManagement.Common.TraversalDepth]::OneLevel)

# Call the Maintenance Mode Function per Class
PutInMaintMode $Computers
PutInMaintMode $IISServers
PutInMaintMode $WindowsClusters

Hello WordPress

Posted on January 21, 2011 by alexvgemst

I migrated my Blog from beloved Microsoft to WordPress,

I’ve been pretty busy, but will attempt to post some interesting new items soon!

Using Powershell to Access SCOM 2007 Performance Data

Posted on February 4, 2010 by alexvgemst

I’ve been working in a SCOM 2007 R2 implementation project for a while,

and started playing around with the ‘Operations Manager Shell’,

which is basically PowerShell with the SCOM 2007 R2 PowerShell SnapIn and some extra functions loaded.

This post assumes you have an existing connection to a Management Server, created with

the New-ManagementGroupConnection CmdLet for example.

This time I wanted to see how I could get some Performance Data out of SCOM,

so I could always quickly access any collected performance data without logging on to the Graphical Ops Console.

I started fiddling around and doing some discovery on the commands, and came up with following command,

Get-PerformanceCounter | Select-Object MonitoringObjectPath, ObjectName, CounterName | Out-GridView

that displays all available PerformanceCounter instances (assumes PowerShell v2.0 for Out-Gridview):

You can leave the ‘GridView’ open for ease of the next commands to display Performance values.

I created a basic function that you can use to display Performance Values for any available counter,

starting 7 days ago, and ending 1 day ago (feel free to customize as you like).

Function Get-PerfData ($FQDN,$ObjectName="Processor",$CounterName="% Processor Time")

{

$criteria= "MonitoringObjectPath=’$FQDN’ AND ObjectName=’$ObjectName’ AND CounterName=’$CounterName’"

$perfcounter =Get-PerformanceCounter -criteria $criteria

$time=Get-Date

$starttime=$time.AddDays(-7)
$endtime=$time.AddDays(-1)

$perfcounter | Get-PerformanceCountervalue -StartTime $starttime -EndTime $endtime | Select-Object SampleValue,TimeSampled | Out-GridView -Title $Criteria

}

When you call the Function like this:

Get-PerfData myserver.stresstest.com "Memory" "Available MBytes"

you quickly get a GridView of the requested data, with the requested counter in the title bar.

Enjoy!

Changes in Functionality from Windows Server 2008 to Windows Server 2008 R2

Posted on January 9, 2010 by alexvgemst

A recent Microsoft document came out, describing the changes in functionality

between Server 2008 and 2008 R2, showing there are serious changes.

For those of you not up to speed yet,

this is not like the 2003 to 2003 R2 upgrade, there are many core improvements in Server 2008 R2,

concerning Active Directory, GPO, NAP, Remote Desktop Services (not just a rename!), WDS, Powershell (has 2.0 included !),

just to name a few !

Download here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=2db685c7-bb06-4083-9978-66b57661f6f7

Crashing Spoolers ? Printer Driver Isolation is coming!

Posted on October 16, 2009 by alexvgemst

Another nice 2008 R2 feature, I hadn’t paid attention to yet, is Printer Driver Isolation.

If, like me, you have (non pleasant) experiences with crashing Spoolers,
especially notorious on Terminal/Citrix Servers or high volume Print Servers with loads of diffent (3rd party) printer drivers,

you will probably be delighted by this new feature!

I haven’t seen it used in a production environment yet, but from what it looks like, it’s very promising.

Here’s some history of using Printer Drivers in the Real World:

In the Old Days (Pre W2K), Printer Drivers (called version-2) used to run in Kernel mode and could easily BSOD a printserver.

Beginning with W2K, Version-3 Printer Drivers were introduced, which run in User-Mode and can not BSOD a server,

“only” the Printing Subsystem (=Spooler Service=spoolsv.exe) in which the drivers were loaded.

As you probably know this is still a major concern for Print Servers, on which a spooler crash can have large impact,

if it hosts hundreds or even thousands of Print Queues, or if it happens regularly in Citrix farms where dozens of

users can be working on a server at the same time.

In Windows Server 2008 R2 (and Windows 7), Printer Driver Isolation (PDI) is introduced,

which means a bad behaving Printer Driver can only affect itself!

The isolation can be configure on a Per Driver basis, in three modes:

"None – in this mode, print driver components are loaded into the spooler process. This is essentially the model found in previous versions of Windows

Shared – multiple drivers that are set for isolation are loaded into a single shared process space that is separate from the spooler process (PrintIsolationHost.exe) . Although this protects the spooler process, the drivers that are in shared mode can affect one another

Isolated – each driver is loaded into its own process space. This protects the spooler from individual driver failures, and also protects drivers from each other "

Basically the idea is this, at least this is probably how I would set it up:

-Run all well behaving drivers as ‘Shared’ (default)
-Run bad drivers as ‘Isolated’ if no suitable replacement is available
-Don’t run drivers in ‘None’, if necessary move those to separate server if you want a stable solution !

One approach for new drivers would be to start them off as ‘Isolated’,

and when proven innocent, ‘upgrade’ them to shared.

(The shared mode saves system resources as fewer isolation processes are needed).

On systems that don’t host a lot of print queues you could consider running them all isolated,

if resources are a non-issue.

Not all drivers will support isolation, I hope all companies that create Windows printer drivers will make them

compatible asap, so we can use it for all printers, to prevent problems, and have more control over our Print Servers.

The global settings can be managed using GPO, where you can disable or enable PDI,

and configure compatibility settings (override behaviour of compatible and incompatible drivers).

The PrintIsolationHost processes are only started when needed.

And there are registry settings that you can use to configure timeouts for the processes,

especially an option for restarting the Isolated processes after a certain amount of time,

so you can even handle drivers that are known to leak memory!

Of course, you shouldn’t use these, that’s why I said in the ‘Real World’ above 😉

There are often political, financial, historical or other non-technical reasons,

that some printers and especially their drivers have to be used, most of you probably know this.

At least know you have a way to handle these!

O yeah, the isolation settings are set per driver, and you can do so using the update PMC (Printer Management Console):

Have fun!

Enumerate the RODC FAS (Filtered Attribute List)

Posted on September 24, 2009 by alexvgemst

The FAS is the Read Only Domain Controller (RODC) Filtered Attribute Set,

it contains the attributes in the AD Schema that are never replicated to RODCs,

because they contain sensitive or confidential data (password related or other secrets).

Technically this is implemented by setting the 10th bit on the SearchFlags attribute of the schema attribute,

and also setting the 7th bit to make it ‘confidential’.

This means members of ‘Authenticated Users’ can’t read the contents,

this is to have additional security, in case your RODC was robbed, it can’t be used to read the info from other RW or RODCs.

In the examples below the bits practically mean that you need to use 512 (0X200) for searching for RODC Filtered Attributes,

128 (0X80) ) for confidential attributes, and 640 (0x280) for the combination, which is the Microsoft recommended approach,

for adding confidential attributes to the FAS.

But if it is set on attribute level in the Schema definition of attribues,

I guess it’s not a list in the sense you can view it as a list (array) of some kind in AD.

But I was wondering, if I want to view quickly which attributes are in the FAS in a certain Forest, how could I do that ?

I found following article on how to search for certain bitwise set values in Active Directory:

http://support.microsoft.com/default.aspx/kb/269181

Exactly what I was looking for!

I started manually using LDP to try to get the FAS Attributes.

Using a standard search in the Schema partition, I got it to work pretty quickly:

The search returned following list on this environment:

***Searching…

ldap_search_s(ld, "CN=Schema,CN=Configuration,DC=lab,DC=net", 1, "(SearchFlags:1.2.840.113556.1.4.803:=512)", attrList, 0, &msg)

Getting 6 entries:

Dn: CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=lab,DC=net

canonicalName: lab.net/Configuration/Schema/ms-FVE-KeyPackage;