
PowerShell: Prevent Users from Viewing and Changing Input or Config Files That Are Used by a Script

Posted by Tao Yang on 16/05/2012 in PowerShell |

Often, I use .xml or .ini files to store settings that a PowerShell script uses. When I distribute my scripts to end users, sometimes, I want to make sure users cannot manually view or change the content of these config files.

Below is what I did to achieve the goal:

  1. Create a password-protected zip file that contains the config file (.xml or .ini).
  2. Rename the zip file from xxxxxx.zip to xxxxxx.bin.
  3. In the PowerShell script, use ICSharpCode.SharpZipLib.dll to unzip the renamed zip file.
  4. Compile the PowerShell script to an exe so users cannot view the script to figure out the zip file password.
  5. Read the content of the extracted config file.
  6. Delete the extracted config file.

To compile the powershell script, I can use one of these tools:

Below is a sample PowerShell script (Zip-Test.PS1) I have written to read an XML file inside a renamed zip file:

param ([string]$FilePath)
# Load SharpZipLib from the directory passed in as a parameter
$ziplib = Join-Path $FilePath "ICSharpCode.SharpZipLib.dll"
[System.Reflection.Assembly]::LoadFrom("$ziplib") | Out-Null
$ZipName = "Health-Check.bin"
$XmlName = "Health-Check.xml"
$xmlPath = Join-Path $FilePath $XmlName
$ZipPath = Join-Path $FilePath $ZipName
# Extract only the XML file from the password-protected (renamed) zip file
$objZip = New-Object ICSharpCode.SharpZipLib.Zip.FastZip
$objZip.Password = "password"
$objZip.ExtractZip($ZipPath, $FilePath, $XmlName)
if ((Test-Path $xmlPath))
{
    # Cast to [xml] so the elements of the document can be read as properties
    [xml]$xml = Get-Content $xmlPath
    Remove-Item $xmlPath -Force
}
$xml.configuration

The script extracts and reads the Health-Check.xml file and deletes it straightaway. It happens so fast that it won’t be possible for end users to access the file. Below is the output from the above sample code (content of my XML file):

image
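A variant of the sample script that reads the zip entry straight into memory, so the decrypted XML is never written to the script directory and there is nothing to delete afterwards. This is an added example, not code from the original post; the function name Read-ProtectedConfig is hypothetical, the file names and password are the ones from the sample above, and the password is still stored in the script exactly as in the original.

```powershell
param ([string]$FilePath)

# Added example (not from the original post).
# $FilePath is assumed to be an absolute path, as .NET resolves relative
# paths against the process directory rather than the PowerShell location.
$ziplib = Join-Path $FilePath "ICSharpCode.SharpZipLib.dll"
[System.Reflection.Assembly]::LoadFrom($ziplib) | Out-Null

function Read-ProtectedConfig
{
    param ([string]$ZipPath, [string]$EntryName, [string]$Password)

    # ZipFile gives access to individual entries as streams, unlike FastZip,
    # which always extracts to a target directory on disk.
    $zip = New-Object ICSharpCode.SharpZipLib.Zip.ZipFile -ArgumentList $ZipPath
    try
    {
        $zip.Password = $Password
        $entry = $zip.GetEntry($EntryName)
        if ($entry -eq $null)
        {
            throw "Entry '$EntryName' was not found in '$ZipPath'."
        }

        # Decrypt and decompress the entry into a string held in memory only.
        $stream = $zip.GetInputStream($entry)
        $reader = New-Object System.IO.StreamReader -ArgumentList $stream
        try
        {
            $text = $reader.ReadToEnd()
        }
        finally
        {
            $reader.Close()
        }
    }
    finally
    {
        # Release the handle on the .bin file even if the password is wrong
        # or the entry is missing.
        $zip.Close()
    }

    # Return the content as an XML document.
    [xml]$text
}

$ZipPath = Join-Path $FilePath "Health-Check.bin"
$xml = Read-ProtectedConfig -ZipPath $ZipPath -EntryName "Health-Check.xml" -Password "password"
$xml.configuration
```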

One thing to keep in mind: in most of my scripts, I use

$thisScript = Split-Path $myInvocation.MyCommand.Path -Leaf
$scriptRoot = Split-Path (Resolve-Path $myInvocation.MyCommand.Path)

to determine the script name and location. $MyInvocation does not work anymore after I converted the PowerShell script to EXE. Therefore, in my above example, I’m actually passing the directory location into the script as a parameter.


Using SCOM PowerShell Snap-in and SDK client with a PowerShell Remote Session

Posted by Tao Yang on 09/05/2012 in PowerShell, SCOM |

Recently, I’ve been working on a utility based on PowerShell scripts using a WinForms GUI to perform some SCOM tasks (i.e. create maintenance windows, approve manually installed agents, add network devices, etc.). Since this script is going to be widely used in the organisation when it’s completed, I’ve always kept in mind that when users run this utility, it should only connect to the SCOM SDK service when required and disconnect as soon as the task is done. In other words, I don’t want this utility to remain connected to the SDK service, because Microsoft recommends that concurrent connections should not exceed 50 per management group.

So I did some testing to make sure my script disconnects from the RMS SDK service. I opened perfmon on the RMS, watching the “Client Connections” counter under OpsMgr SDK Service:

image

image

I wanted to make sure the performance counter drops when the script is supposed to disconnect from the SCOM management group. In my script, I use both the SCOM PowerShell Snap-in and the SCOM SDK. Below is what the code looks like:

SCOM PowerShell Snap-in:

Connect to management group:

$RMS = "<RMS Server Name>"

Add-PSSnapin Microsoft.EnterpriseManagement.OperationsManager.Client
New-PSDrive -Name:Monitoring -PSProvider:OperationsManagerMonitoring -Root:\
Set-Location "OperationsManagerMonitoring::"
new-managementGroupConnection -ConnectionString:$RMS | Out-Null
Set-Location $RMS

Disconnect from management group:

$CurrentMG = get-managementGroupConnection
if ($CurrentMG -ne $null)
{
$CurrentMG | Remove-ManagementGroupConnection | Out-Null
}

SCOM SDK:

Firstly, Load Assembly:

[System.Reflection.Assembly]::LoadFrom("$sdkDir\Microsoft.EnterpriseManagement.OperationsManager.Common.dll") | Out-Null
[System.Reflection.Assembly]::LoadFrom("$sdkDir\Microsoft.EnterpriseManagement.OperationsManager.dll") | Out-Null

Connect to management group:

$RootMS = "<RMS Server Name>"
$UserName = "<user name>"
$UserDomain = "<user domain>"
$password = "<password>"
# The SDK connection settings expect the password as a SecureString
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force

$MGConnSetting = New-Object Microsoft.EnterpriseManagement.ManagementGroupConnectionSettings($RootMS)
$MGConnSetting.UserName = $UserName
$MGConnSetting.Domain = $UserDomain
$MGConnSetting.Password = $securePassword
$ManagementGroup = New-Object Microsoft.EnterpriseManagement.ManagementGroup($MGConnSetting)

Disconnect from management group:

I couldn’t find a “disconnect” method for the Microsoft.EnterpriseManagement.ManagementGroup object. So I tried to simply remove the variable:

Remove-Variable ManagementGroup

I couldn’t unload the SDK DLLs, as I read it’s a limitation in .NET; the only way to unload a loaded DLL is to close the app.

Test Results:

Regardless of which way I use to connect to SCOM (PowerShell Snap-in or SDK), the perf counter does not drop when I try to disconnect using the methods above. In fact, I could only get the counter to drop when I closed the PowerShell console (or exited my GUI app, which is just a pure PowerShell script).

image

As shown above, notice that as soon as I exit PowerShell, the counter has dropped by 1.

Therefore, I thought I had 2 options to work around this issue.

1. Getting the script to launch another powershell.exe instance when trying to connect to SCOM every time but by doing so, I can’t really pass data / variable back to my script.

2. Use PowerShell Remoting to create a PS Session on local computer, run whatever needs to run against SCOM and remove the PS Session when it’s done. By doing so, I can still pass variables back to my script.

So I’ve decided to go with PowerShell Remoting. I’ve used the “Enable-PSRemoting -Force” cmdlet to enable PS Remoting with all default settings.

I’ll use a simple Get-Agent cmdlet via PS Remoting as an example. I’ve written something like this:

$RMS = "<RMS Server Name>"
$AgentName = "<Agent Computer Name>"
$NewSession = new-pssession
$agent = invoke-command  -session $NewSession -ScriptBlock {
param($RMS,$AgentName)

Add-PSSnapin Microsoft.EnterpriseManagement.OperationsManager.Client
New-PSDrive -Name:Monitoring -PSProvider:OperationsManagerMonitoring -Root:\
Set-Location "OperationsManagerMonitoring::"
new-managementGroupConnection -ConnectionString:$RMS | Out-Null
Set-Location $RMS
$Agent = Get-Agent | Where-Object {$_.PrincipalName -imatch $AgentName}
$Agent
} -ArgumentList $RMS, $AgentName
Remove-PSSession $NewSession

I ran the above code using an account that is a domain admin in my test environment and is also a SCOM administrator in my management group. But somehow I got this error:

The user does not have sufficient permission to perform the operation.

image

After some research, I realised that I have to use the CredSSP (Credential Security Support Provider) authentication to pass my credential from the local Powershell session to the PS Remoting session (in this case, also on my local machine). So I modified my script to use Credssp when creating the new PS Session:

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

$NewSession = new-pssession -ComputerName $env:COMPUTERNAME -Authentication Credssp -Credential (Get-Credential $me)

It turned out, after the modification, the code still would not work:

image

I then found that I also have to configure the remote session to pass my credential to the remote server again – in this case, the SDK service on the SCOM RMS (second hop). So my credential will be passed from the local PowerShell session -> PS remote session on the local computer -> SCOM RMS SDK service.

In addition to “Enable-PSRemoting -Force”, I had to perform the following to make it work:

1. Enable WinRM CredSSP to allow the second hop:

Via PowerShell:
  • Set-Item WSMAN:\localhost\client\auth\credssp -value $true
  • Set-Item WSMAN:\localhost\service\auth\credssp -value $true
Or via Group Policy:
  • Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Allow CredSSP authentication – Set to “Enabled”
  • Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow CredSSP authentication – Set to “Enabled”

2. Configure Credentials Delegation

In Group Policy (either domain GPO or local policy), under

Computer Configuration\Administrative Templates\System\Credential Delegation\Allow Delegating Fresh Credentials
- Set to Enabled

- Add “WSMAN/<local computer name>” to the server list

image

Now, after I updated the group policy (gpupdate /force), the code should just work. As shown below, I have retrieved the agent information using SCOM Powershell Snap-in via a PS remote session.

image

And now if I take a look at the OpsMgr SDK Service “Client Connections” perf counter:

image

My script connected to the SDK service for a few seconds, then disconnected!

Conclusion:

My code ended up like this:

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

$RMS =  "<RMS Server Name>"
$AgentName = "<Agent Computer Name>"
$NewSession = new-pssession -ComputerName $env:COMPUTERNAME -Authentication Credssp -Credential (Get-Credential $me)
$agent = invoke-command  -session $NewSession -ScriptBlock {
param($RMS,$AgentName)

Add-PSSnapin Microsoft.EnterpriseManagement.OperationsManager.Client
New-PSDrive -Name:Monitoring -PSProvider:OperationsManagerMonitoring -Root:\
Set-Location "OperationsManagerMonitoring::"
new-managementGroupConnection -ConnectionString:$RMS | Out-Null
Set-Location $RMS
$Agent = Get-Agent | Where-Object {$_.PrincipalName -imatch $AgentName}
$Agent
} -ArgumentList $RMS, $AgentName
Remove-PSSession $NewSession

I could not use “localhost” as the computer name when creating the new PS session (and adding “WSMAN/localhost” in the “Allow Delegating Fresh Credentials” policy). It doesn’t work.
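Two checks a practitioner would add around the final script, shown as an added example that is not part of the original post: a wrapper that removes the PS session in a finally block, so the SDK connection is released even when the remote script block fails, and a read-only report of the CredSSP settings and the “Allow Delegating Fresh Credentials” server list, to confirm delegation is limited to the local computer entry configured above. The function names are hypothetical; the registry path is the standard location where the Credential Delegation policy stores its server list, and the report needs an elevated session with WinRM running.

```powershell
# Added example, not from the original post. Function names are hypothetical.

function Get-FreshCredentialDelegationTarget
{
    # Server list written by the "Allow Delegating Fresh Credentials" policy
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials"
    if (Test-Path $key)
    {
        $item = Get-Item $key
        $item.GetValueNames() | ForEach-Object { $item.GetValue($_) }
    }
}

function Test-CredSspScope
{
    param ([string]$ComputerName = $env:COMPUTERNAME)

    $expected = "WSMAN/$ComputerName"
    $targets = @(Get-FreshCredentialDelegationTarget)
    New-Object PSObject -Property @{
        ClientEnabled  = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
        ServiceEnabled = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
        Targets        = $targets
        # True when the entry described in the post is present
        HasExpected    = ($targets -contains $expected)
        # Entries containing a wildcard delegate to more than one host
        BroadTargets   = @($targets | Where-Object { $_.Contains('*') })
    }
}

function Invoke-InTemporarySession
{
    param (
        [scriptblock]$ScriptBlock,
        [object[]]$ArgumentList,
        [System.Management.Automation.PSCredential]$Credential
    )

    $session = New-PSSession -ComputerName $env:COMPUTERNAME -Authentication Credssp `
        -Credential $Credential -ErrorAction Stop
    try
    {
        Invoke-Command -Session $session -ScriptBlock $ScriptBlock -ArgumentList $ArgumentList
    }
    finally
    {
        # Runs even when the script block throws, so the process holding the
        # SDK connection always exits and the connection count drops.
        Remove-PSSession $session
    }
}

$scope = Test-CredSspScope
if (-not $scope.HasExpected)
{
    Write-Warning "WSMAN/$env:COMPUTERNAME is not in the delegation server list."
}
if ($scope.BroadTargets.Count -gt 0)
{
    Write-Warning ("Wildcard delegation entries found: " + ($scope.BroadTargets -join ", "))
}

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$RMS = "<RMS Server Name>"
$AgentName = "<Agent Computer Name>"
$agent = Invoke-InTemporarySession -Credential (Get-Credential $me) -ArgumentList $RMS, $AgentName -ScriptBlock {
    param($RMS, $AgentName)
    Add-PSSnapin Microsoft.EnterpriseManagement.OperationsManager.Client
    New-PSDrive -Name:Monitoring -PSProvider:OperationsManagerMonitoring -Root:\ | Out-Null
    Set-Location "OperationsManagerMonitoring::"
    New-ManagementGroupConnection -ConnectionString:$RMS | Out-Null
    Set-Location $RMS
    Get-Agent | Where-Object { $_.PrincipalName -imatch $AgentName }
}
$agent
```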

More Reading:

On OpsMgr SDK service client connections counter:

http://blogs.technet.com/b/kevinholman/archive/2008/10/27/how-many-consoles-are-connected-to-my-rms.aspx

http://thoughtsonopsmgr.blogspot.com.au/2010/12/how-to-get-alert-when-too-many-scom.html

On CredSSP , PS Remoting and SCOM PowerShell Cmdlets:

http://blogs.msdn.com/b/powershell/archive/2008/06/05/credssp-for-second-hop-remoting-part-i-domain-account.aspx

http://blogs.technet.com/b/stefan_stranger/archive/2010/11/02/using-powershell-remoting-to-connect-to-opsmgr-root-management-server-and-use-the-opsmgr-cmdlets.aspx

Additionally, I ran into this free ebook about a week ago. Even though I’m still reading it, it’s a pretty good book: Secrets of PowerShell Remoting.


My Observation on SCCM Clients BITS Settings

Posted by Tao Yang on 05/05/2012 in SCCM, Windows |

Yesterday, while we (my team) were reviewing the SCCM (2007 R3) client BITS settings at work, we had some interesting findings.

We found that when the BITS bandwidth throttling settings are configured for a SCCM primary site, SCCM clients get the policy and write the settings into Windows local policy:

SCCM Computer Client Agent BITS Settings:

image

BITS Settings from SCCM Client’s Windows local policy (Local Policy –>Computer Configuration –>Administrative Templates –>Network –>Background Intelligent Transfer Service (BITS) –>Limit the maximum network bandwidth for BITS background transfers):

image

As you can see, the SCCM site setting is identical to SCCM client’s local policy. SCCM 2007 Unleashed has explained the client BITS settings. You can read about it on Google Books HERE.

The book did not state or explain that the SCCM client actually WRITES the SCCM site’s BITS policy into the SCCM client’s Windows local group policy object (GPO). So I ran the tests below IN ORDER in my home SCCM 2007 R3 AND SCCM 2012 RTM test environments to work out the behaviour of the SCCM client and compare the SCCM client’s BITS setting against the above-mentioned setting in local policy:

1. SCCM Client BITS setting left as default in SCCM (Not configured).

  • SCCM 2007 Client Computers: BITS policy in local GPO is set to DISABLED!
  • SCCM 2012 Client Computers: Same as SCCM 2007 client computers

2. Enable BITS in SCCM Computer Client Agent setting (In 2007, apply to both clients and BDPs, in 2012, just enable it since there is no BDPs in 2012 anymore.), and define some throttling settings. Then trigger machine policy retrieval on SCCM client computers.

  • SCCM 2007 Client Computers: BITS policy in local GPO is ENABLED and the throttling settings are set to the same as the SCCM policy.
  • SCCM 2012 Client Computers: Same as SCCM 2007 client computers

3. Change BITS throttling settings in SCCM. Then trigger machine policy retrieval on SCCM client computers

    • SCCM 2007 Client Computers: BITS policy in local GPO updated accordingly.
    • SCCM 2012 Client Computers: Same as SCCM 2007 client computers

4. Change BITS throttling settings in SCCM client’s Windows local policy. Then trigger machine policy retrieval on SCCM client computers.

    • SCCM 2007 Client Computers: local policy remained the same after machine policy retrieval.
    • SCCM 2012 Client Computers: Same as SCCM 2007 client computers

5. Change BITS throttling settings in SCCM again. Then trigger machine policy retrieval on SCCM client computers.

  • SCCM 2007 Client Computers: local policy was updated again according to SCCM client’s BITS policy.
  • SCCM 2012 Client Computers: Same as SCCM 2007 client computers

Conclusions:

Based on the tests I have performed, I have come to the conclusions below:

  1. When the SCCM client’s BITS policy is not configured, the BITS throttling setting in the OS local policy is set to DISABLED, so effectively no BITS throttling is allowed for ALL the apps that use BITS on the SCCM client computer (i.e. in our case, the VMM agent).
  2. Upon SCCM policy change, SCCM client changes local policy with updated settings once it has retrieved the updated policy via SCCM client’s machine policy retrieval (by default runs every 60 minutes).
  3. The SCCM client’s BITS settings are NOT enforced in local policy. i.e. when local policy is manually updated to be different than SCCM client’s policy, SCCM client does not enforce and update local policy. SCCM clients ONLY write to local policy when the SCCM BITS policy is CHANGED on the primary site.
  4. SCCM 2007 clients and SCCM 2012 clients exhibit same behaviour.

So, please look out if you have other apps that use BITS and the bandwidth is throttled. The SCCM client would update the local policy without you knowing it.

Alternatively, using a domain GPO to set BITS throttling settings seems like a good idea. By doing so, you can target different SCCM clients more granularly (targeting different OUs, using WMI filters and AD groups to set GPO scopes) whereas in SCCM 2007, this setting is unique across all clients in the primary site. Additionally, domain GPO will override local policy so local policy can be ignored.


Using SCOM To Count Logs and Produce Reports

Posted by Tao Yang on 27/04/2012 in SCOM |

Recently, I’ve been asked twice to produce daily reports that involve counting some kind of logs:

Scenario 1:

The support team needs to count the number of Application event log entries with a specific event ID. A daily report is required to list the number for each computer.

Scenario 2:

An application produces a log file each day. The support team needs to count the number of times a specific phrase appeared in the previous day’s log file. A daily report is required to list the count for each computer.

The solutions I produced for both scenarios are very similar, so I thought I’d blog this one.

Solution from High level View:

  1. Create a rule in the SCOM management pack to run once a day.
  2. Write a script within the rule in the SCOM management pack to count the log entries.
  3. Map the count to performance data and save it in the SCOM operational and data warehouse DBs.
  4. Design a report for raw performance data in SQL SSRS Report Builder.
  5. Save the report into the management pack.
  6. Schedule the report to run and to be emailed out once a day, AFTER the rule has run for the day.

In this blog post, I’m not going to go through the steps of creating the custom data source module and the performance collection rule. They are pretty straightforward and the sample management pack can be downloaded HERE.

I will however go through the steps to create the custom report for the data collected by this rule. I’m creating the report rather than using the built-in performance reports from the “Microsoft Generic Report Library” because none of the built-in performance reports support a table format. I don’t want any fancy charts with the report. All I want is a simple list of the raw perf counter values.

Now, let’s briefly go through the data source module and the performance collection rule.

Data Source Module: contains 2 members: System.Scheduler and Microsoft.Windows.PowerShellPropertyBagTriggerOnlyProbe:

image

The Microsoft.Windows.PowerShellPropertyBagTriggerOnlyProbe contains a PowerShell script that counts event log entries and passes the count into a PropertyBag:

#===========================================================================================
# AUTHOR:  Tao Yang
# DATE:    30/01/2012
# Version: 1.0
# COMMENT: Count for a particular event in event log and pass the count to property bag
#===========================================================================================
Param ([int]$TimeFrameInHours, [string]$LogName, [int]$EventID, [string]$EventSource)

$StartTime = (Get-Date).AddHours(-$TimeFrameInHours)
$iEventCount = 0
Try {
    $Events = Get-EventLog -LogName $LogName -After $StartTime -Source $EventSource | Where-Object {$_.EventID -eq $EventID}
    Foreach ($Event in $Events)
    {
        If ($Event -ne $null) {$iEventCount++}
    }
} Catch {
    $iEventCount = 0
}
$ComputerName = (Get-WmiObject Win32_ComputerSystem).Caption
$oAPI = New-Object -ComObject "MOM.ScriptAPI"
$OAPI.LogScriptEvent("Event-Count.PS1",9999,0,"Start EventID $EventID Perf Collection Rule. Collecting $EventID events since $starttime...")
$oBag = $oAPI.CreatePropertyBag()
$oBag.AddValue('ComputerName', $ComputerName)
$oBag.AddValue('EventCount', $iEventCount)
$oBag.AddValue('TimeFrameInHours', $TimeFrameInHours)
$oBag.AddValue('LogName', $LogName)
$oBag.AddValue('EventID', $EventID)
$oBag.AddValue('EventSource', $EventSource)
$oBag

Performance Collection Rule: This rule contains:

Data Source: the data source module created previously

Condition Detection: map the event log count in PropertyBag to performance counter

Actions: Write performance data to Operational and DW databases.

image

Report:

Pre-requisites:

  • Install the Performance Report Model in SCOM reporting SSRS. Here’s a detailed instruction (even though it was written for SCOM 2007 SP1, it also applies to SCOM 2007 R2): http://www.systemcentercentral.com/BlogDetails/tabid/143/IndexID/20269/Default.aspx
  • Please note that the above article uses the Event model as an example. The report I’m going to create uses the Performance model, so please make sure Performance.smdl is uploaded into SCOM Reporting SSRS and configured to use the “Data Warehouse Main” data source.
  • Import the half-finished management pack (with the data source module and the perf collection rule) into a SCOM management group (preferably your development environment).
  • Create an override or simply change the schedule of the rule to run ASAP so the perf data is collected. This is very useful when testing the report later on.

Steps of creating the report:

01. Browse to the SCOM Reporting SSRS reports http://<servername>/reports URL

02. Launch Report Builder and click “Run” if security warning pops up

image

03. In Report Builder, choose the following options in “Getting Started” pane to create a new report:

image

04. Enter the report title:

image

05. Drag “Performance Data Raw” into the report

image

06. Under Performance Data Raw / Object, drag the “Name” field to the report

image

07. Rename the title of each row in the report table:

image

08. Right click the number under “Event Count”, select “Format…”, and change “Decimal places” to 0

image

09. Click the Filter button to create filters:

image

10. Under Performance Data Raw \ Performance Rule Instance \ Performance Rule, drag the “Rule System Name” Field to the right and choose the rule I created in the management pack from the list. (Note: the rule name appears on the list because the management pack is already imported into SCOM and this rule has already collected some performance data.)

image

11. Click on Performance Data Raw and drag “Date Time” field to the right

image

12. Click on “equals” next to “Date Time” and change it to “After”:

image

13. Choose “(n) days ago”

image

14. Change “(n)” to “2”

image

15. Click OK to exit the Filter Data window

16. Now, it’s time to test run the report. To do so, use the Run Report button on the top. Here’s the result from my test environment (Note: the date time is in UTC, NOT local time):

image

17. If you want to make the report prettier (i.e. changing the font colour to pink), adjust the column width, or add a company logo, you can click on the “Design Report” button and modify the report.

18. Once you are happy with the report, save it to a RDL (report definition) file:

image

19. Open up the half finished management pack (unsealed) in Authoring Console, go to Reporting workspace and create a new report:

image

20. Give the report an ID:

image

21. In the “General” tab, give the report a name and target it to “Microsoft.Windows.Computer” class

image

22. Go to “Definition” tab, click “Load content from file” and select the RDL file you’ve just created.

image

23. Once the RDL file is loaded, remove the first line, which is the XML header <?xml version="1.0" encoding="utf-8"?>

image

24. Once the first line is removed, go to “Options” tab

25. Make sure “Visible” is set to “true” and “Accessibility” is set to “public”

image

26. Click Apply and OK to exit the window

27. Now that the report is successfully created and tested, if you have changed the schedule of the perf collection rule (either edited the rule directly or created an override), it’s time to change the schedule back.

28. Now, if you want to keep the management pack unsealed, just export the updated management pack with the report into SCOM management group from authoring console. If you want to seal it, do so, and delete the previous unsealed version from the management group first, then import the sealed version into the management group.

I always increase the version number so I can lookup Event ID 1201 in SCOM agent’s Operations Manager log and make sure the updated version of the MP is received:

image

29. After a couple of minutes, if everything goes well, you should be able to see the report in both the Operations Console Reporting workspace and the SCOM Reporting SSRS site:

image

image

Note: In SSRS, you should also see a .mp file in the same folder. I’ve experienced issues where the report does not get updated with the updated MP, which was caused by incorrect .mp file in SSRS directory. Please refer to my previous post for details.

30. Schedule the report in SCOM reporting (so it can be emailed out according to a schedule) if you want to. Make sure the report schedule is AFTER the rule schedule time (i.e. if the rule runs daily at 0:00am, the report schedule should be something like daily at 0:30am), otherwise newly collected data is not included in the report.

That concludes the steps to create the report. A few other things I’d also like to mention:

  1. In my case, for the second scenario I mentioned in the beginning (reading log files), the whole process and idea is the same. The only thing different is the script in the Data Source module.
  2. I could have moved the condition detection module (System.Performance.DataGenericMapper) from the rule to the data source module. I didn’t do it because then I can use the same data source module for other purposes later. For example, if later on the support team comes to me and asks me to generate alerts once the count reaches a threshold, I can simply create a separate rule (or a custom monitor type and a monitor) using the same data source. If the input parameters of the data source are the same as the existing performance collection rule, the data source should only run once for multiple workflows because of the Cookdown feature.
  3. If the SCOM agent computer is in maintenance mode when the perf collection rule is scheduled to run, no perf data will be collected and the computer will be missing from the report.
  4. In my example, I’m using a PowerShell script, so PowerShell and its execution policy need to be installed / enabled on the SCOM agent computers. If this doesn’t meet your requirement, just modify the module to use a VBScript instead. I’ve blogged previously on how to create trigger only probe action modules for VBScript.
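For the second scenario mentioned in point 1 above, the data source script could look like the following. This is an added example, not the script from the sample management pack; the parameter names and the log file naming convention (<LogFilePrefix>yyyyMMdd.log) are assumptions, and a LogFileFound value is added to the property bag so a missing log file can be told apart from a real count of zero.

```powershell
# Added example, not the script from the sample management pack.
# Assumed (hypothetical) parameters and log naming: <LogFilePrefix>yyyyMMdd.log
Param ([string]$LogDirectory, [string]$LogFilePrefix, [string]$Phrase)

function Get-PhraseCount
{
    param ([string]$Path, [string]$Phrase)

    $count = 0
    # Escape the phrase so it is matched literally. -AllMatches counts every
    # occurrence on a line, not only the first. Matching is case-insensitive.
    $pattern = [regex]::Escape($Phrase)
    foreach ($hit in @(Select-String -Path $Path -Pattern $pattern -AllMatches))
    {
        $count += $hit.Matches.Count
    }
    $count
}

# Build the path of the previous day's log file
$Yesterday = (Get-Date).AddDays(-1).ToString("yyyyMMdd")
$LogPath = Join-Path $LogDirectory ("{0}{1}.log" -f $LogFilePrefix, $Yesterday)
$LogFound = Test-Path $LogPath

$iPhraseCount = 0
if ($LogFound)
{
    Try {
        $iPhraseCount = Get-PhraseCount -Path $LogPath -Phrase $Phrase
    } Catch {
        # Same behaviour as the event log script: report 0 on error
        $iPhraseCount = 0
    }
}

$ComputerName = (Get-WmiObject Win32_ComputerSystem).Caption
$oAPI = New-Object -ComObject "MOM.ScriptAPI"
$oBag = $oAPI.CreatePropertyBag()
$oBag.AddValue('ComputerName', $ComputerName)
$oBag.AddValue('PhraseCount', $iPhraseCount)
$oBag.AddValue('LogFileFound', "$LogFound")
$oBag.AddValue('LogPath', $LogPath)
$oBag.AddValue('Phrase', $Phrase)
$oBag
```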

Again, the sample MP and the Report Definition RDL file can be downloaded HERE.


Changing Display Language on Windows 7 Home and Professional Editions

Posted by Tao Yang on 27/04/2012 in Windows |

I bought a laptop for other family members yesterday, it comes with Windows 7 Home Premium. I needed to change the display language from English to Chinese because the main user of this laptop does not speak English.

I thought it was a no-brainer as I’ve done it before; all I had to do was load another language pack in “Regional and Language” in Control Panel. However, I was wrong. Apparently this function is available in Windows 7 Ultimate and Enterprise editions.

I didn’t really want to use Windows Anytime Upgrade to upgrade it to Ultimate just so I can change the language. Luckily, I found this post: http://mark.ossdl.de/2009/08/change-mui-language-pack-in-windows-7-home-and-professional/

So below is what I’ve done:

  1. Download Windows 7 Service Pack 1 language pack (Because the laptop comes with Windows 7 SP1, I had RTM version of the language pack but it didn’t work.) – I downloaded the entire ISO from my TechNet subscription, but there are many blog posts around with the direct link to Windows Update for each individual language (such as this one: http://www.technize.net/windows-7-sp1-language-packs-direct-download-links-kb2483139/)
  2. Extracted the downloaded ISO (from TechNet subscription) to C:\Apps\langpacks
  3. In Command Prompt:
    1. dism /online /add-package /packagepath:C:\Apps\langpacks\zh-cn\lp.cab
    2. bcdedit /set {current} locale zh-cn
    3. bcdboot %WinDir% /l zh-cn
  4. Backed up and deleted HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\UILanguages\en-US
  5. Reboot

Note: If there were any Windows updates pending installation, the install may fail after the language is changed. I had to run wuauclt /detectnow so the Windows Update agent detects the updates for the different language.


SCCM 2012 Log Parser: cmtrace.exe

Posted by Tao Yang on 17/04/2012 in SCCM |

In my opinion, THE most used utility (other than SCCM console) for any SCCM administrators / engineers would have to be trace32.exe. Back in SMS and SCCM 2007 days, trace32.exe comes with the SCCM Toolkit, which contains a bunch of other tools.

Speaking of my own experience, out of all the tools provided by the toolkit, trace32.exe is the one I used the most.

Now with SCCM 2012, trace32.exe has been replaced by a new tool called cmtrace.exe.

Unlike trace32.exe, cmtrace.exe is actually built into SCCM, so there is no need to download a separate toolkit for it. cmtrace.exe can be found on the SCCM site server, under the “<SCCM Install Dir>\tools\” folder. Same as its predecessor trace32.exe, cmtrace.exe can be copied / redistributed to other locations / computers on its own and used as a log parser.

I have also found that trace32.exe actually does not correctly parse SCCM 2012 logs. For example, I’m using both trace32.exe and cmtrace.exe to open execmgr.log from a SCCM 2012 client:

trace32.exe:

image

cmtrace.exe:

image

So, if you are working with SCCM 2012, make sure you use cmtrace.exe rather than the good old trace32.exe. And maybe, like me, copy cmtrace.exe to your local machine and use it from there rather than using it on the server.


Installing SCCM 2012 RTM Secondary Site using A Pre-Installed SQL Express 2008 R2 Instance

Posted by Tao Yang on 09/04/2012 in SCCM, Uncategorized |

Since System Center 2012 was RTM’d a few days ago, I have started updating / migrating my home environment. After I migrated my 2 Hyper-V servers from VMM 2008 R2 to VMM 2012, I started building a brand new SCCM 2012 environment so I can migrate SCCM 2007 to it. My plan is to install a Central Admin site, a child primary site and a secondary site so I have a simple 3-tier hierarchy like my existing 2007 and 2012 Beta 2 environments.

The Central Admin site and the child primary site installation all went pretty smoothly. But I had some issues when installing the secondary site.

When installing a secondary site from its parent primary, there are two options available for the database:

  1. Install and Configure a local copy of SQL Server Express on the secondary site computer
  2. Use an existing SQL Server instance.

I wanted to install SQL Express myself so I can control where it’s installed and the locations for data, log and backup files. This is pretty common, and most SQL DBAs would configure SQL to install on a volume other than C:\ and place data / logs / backups on dedicated and separate disks. By using SCCM to install SQL Express for you, you don’t get to choose any of this, which can be pretty annoying.

According to Supported Configurations for Configuration Manager, secondary sites support SQL Server Express 2008 R2 with SP1 and Cumulative Update 4. So I downloaded SQL Server 2008 R2 Express With SP1 with Tools (SQLEXPRWT_x64_ENU.exe) and SQL 2008 R2 Service Pack 1 Cumulative Update 4 and installed them in order on my secondary site site server.

Below is what I have customised during the SQL express install:

  • I configured the location for SQL, SQL instance, data files, log files and backup files the way I wanted it.
  • I selected the SQL instance to use the collation “SQL_Latin1_General_CP1_CI_AS” because it is the only collation that SCCM supports.
  • I kept the default secondary site SQL instance name “CONFIGMGRSEC” (this name is what’s used if you choose SCCM to install SQL Express for you).
  • I have given a pre-configured AD group called “ConfigMgr2012 Servers” which contains all SCCM 2012 site servers sysadmin rights in SQL Express.

After the install, I applied CU4 and all went pretty smoothly.

Now, I tried to push the secondary site install from the primary site. Under the SQL Server setting step, I selected the “Use an existing SQL Server instance” option and entered the secondary site server’s FQDN under “SQL server fully qualified domain name” and “CONFIGMGRSEC” under “SQL server instance name, if applicable”. After finishing the wizard, the secondary site install failed during prerequisite checks. I got a few errors regarding the SQL collation not being set to SQL_Latin1_General_CP1_CI_AS:

image

This is very strange because all my SQL instances in this hierarchy are set to this collation, and because of this, the setup did not even get kicked off.

Additionally, I also found the following:

  • On the primary site server, in the ConfigMgrSetup.log under System root, I get the following errors:
    • CSql Error: Cannot find type data, cannot get a connection.
    • *** [08001][17][Microsoft][ODBC SQL Server Driver][DBNETLIB]SQL Server does not exist or access denied.
  • I could use the SQL management studio from Secondary site server to connect to the SQL express instance, but I couldn’t use the SQL management studio from a remote machine to connect to it.

After spending some time troubleshooting, I got it going. Below is what I have done on the SQL Express instance:

1. I’ve assigned the “ConfigMgr2012 Servers” group (which I created myself and which contains the primary site server’s computer account) the “dbcreator” role on top of the sysadmin role it already had.

2. I realised that by default, after I installed SQL express, the TCP/IP protocol is disabled. So I went to SQL Server Configuration Manager and, under SQL Server Network Connection —> Protocols for CONFIGMGRSEC —> TCP/IP, enabled it. I also had to configure the ports for this connection:

I removed 0 from “TCP Dynamic Ports” for each IP and added static port 1433 under “TCP Port”.

After you enable TCP/IP and change the port, you will be prompted that you have to restart the SQL Server service for the change to take effect, so I restarted the SQL service.

After these steps, the prerequisite checks were passed and the Secondary site installation finished successfully.

In summary below are the steps I took to pre-configure a SQL Express instance for SCCM 2012 secondary site:

  1. Install SQL Express 2008 R2 with SP1 with Tools.
  2. Configure the SQL express install directory as per my standard (not on C:\ drive).
  3. Configure the SQL Express instance name as “CONFIGMGRSEC”, as it is the default for SCCM secondary sites and there’s no reason to change it.
  4. Select “SQL_Latin1_General_CP1_CI_AS” as the SQL server collation.
  5. Configure the data/logs/backups directories.
  6. Add the primary site server’s computer account (or a group containing the primary site server’s computer account) as administrator during install.
  7. Apply SQL Server 2008 R2 Service Pack 1 Cumulative Update 4 after the SQL Express install.
  8. Set a limit for the amount of memory SQL express can use.
  9. Reboot the secondary site server (just to be safe).
  10. Give the parent primary site server’s computer account dbcreator access in the SQL Express instance.
  11. Enable TCP/IP for the SQL express instance.
  12. Configure the TCP/IP connection port settings.
  13. Restart the SQL service.
  14. Initiate the Secondary Site install from the Primary site (via SCCM console). Unlike SCCM 2007, the secondary site install can no longer be performed by running SCCM setup from secondary site servers.
  15. During the setup wizard, choose “Use an existing SQL Server instance”, then enter the secondary site server’s FQDN and SQL instance name (“CONFIGMGRSEC”). Leave the site database name and SQL broker port as default.
  16. Monitor the install status using the SCCM console.

You can also check:

  • C:\ConfigMgrSetup.log on Primary Site server (contains details for Secondary Site install’s prerequisite checks).
  • C:\ConfigMgrSetup.log on Secondary Site server (contains details for the actual setup).
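The prerequisite failures described in this post (the collation errors and “SQL Server does not exist or access denied”) can be caught before launching the wizard by testing steps 4 and 10 to 13 from the primary site server. The script below is an added example, not part of the original post; the FQDN `sec01.contoso.local` and the `CONTOSO` domain are placeholders, and it assumes the account running it has a login on the instance.

```powershell
# Added example (not from the original post): pre-flight check, run from the primary
# site server, for a manually installed secondary site SQL Express instance.
param(
    [string]$SqlServerFqdn     = 'sec01.contoso.local',          # placeholder FQDN (assumption)
    [int]   $Port              = 1433,                            # static TCP port set in the post
    [string]$SiteServerLogin   = 'CONTOSO\ConfigMgr2012 Servers', # group from the post; domain is a placeholder
    [string]$ExpectedCollation = 'SQL_Latin1_General_CP1_CI_AS'
)

$results = New-Object System.Collections.ArrayList
function Add-Result([string]$Check, [bool]$Passed, [string]$Detail) {
    [void]$results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
}

# Forcing tcp: and an explicit port fails fast if TCP/IP is disabled or the port is still dynamic.
$connString = "Server=tcp:$SqlServerFqdn,$Port;Database=master;Integrated Security=SSPI;Connect Timeout=10"
$conn = New-Object System.Data.SqlClient.SqlConnection($connString)
$stage = 'Remote TCP connection'
try {
    $conn.Open()
    Add-Result $stage $true "Connected to $SqlServerFqdn on port $Port"

    $stage = 'Prerequisite query'
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @'
SELECT CONVERT(nvarchar(128), SERVERPROPERTY('Collation')) AS Collation,
       IS_SRVROLEMEMBER('sysadmin',  @login) AS IsSysadmin,
       IS_SRVROLEMEMBER('dbcreator', @login) AS IsDbCreator
'@
    [void]$cmd.Parameters.AddWithValue('@login', $SiteServerLogin)
    $reader = $cmd.ExecuteReader()
    [void]$reader.Read()

    Add-Result 'Server collation' ($reader['Collation'] -eq $ExpectedCollation) "Found $($reader['Collation'])"

    # IS_SRVROLEMEMBER returns 1 (member), 0 (not a member) or NULL (unknown login or role).
    foreach ($col in 'IsSysadmin', 'IsDbCreator') {
        $value  = $reader[$col]
        $detail = if ($value -is [DBNull]) { "login '$SiteServerLogin' not found" } else { "returned $value" }
        Add-Result "$col for site server login" ($value -eq 1) $detail
    }
    $reader.Close()
}
catch   { Add-Result $stage $false $_.Exception.Message }
finally { $conn.Dispose() }

$results | Format-Table Check, Passed, Detail -AutoSize -Wrap
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

A failed “Remote TCP connection” row here corresponds to the state in which the post’s remote SQL management studio connection also failed: TCP/IP disabled or no static port configured on the instance.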

Now, instead of having SQL Express installed and configured by SCCM, I have more control of it so I can align the configuration with my organisation’s standard (if it’s in a real production environment).

In this case, I have my SQL data file located under F:\SQL_Data\Microsoft SQL Server\MSSQL10_50.CONFIGMGRSEC\MSSQL\DATA.

And log files under G:\SQL_Logs\Microsoft SQL Server\MSSQL10_50.CONFIGMGRSEC\MSSQL\Data.


Reports not updated in SCOM SQL Reporting Service When the Management Pack was Updated

Posted by Tao Yang on 28/03/2012 in SCOM |

I ran into an issue today. I have updated a report in a management pack. After I updated the version number, sealed it and imported the updated management pack into SCOM, the report that I have modified did not get updated in SQL Reporting Service (SRS).

Generally, once a new MP is imported into a management group, within a few minutes, the reports within the MP should be deployed to SRS. This was the case when I updated the very same MP in the Development environment, but in Production, I waited a few hours and nothing happened.

After a few hours, I finally fixed the issue.

For any reports that have been deployed as part of a MP, there should be a .mp file in the SRS folder.

In the production environment, the .mp file name from my management pack folder in SRS is different than the one in development environment. I checked other management packs in both Prod and Dev and they all have the same .mp file name.

To fix the issue: I deleted the .mp file from SRS and restarted the SRS service. Within one minute, the updated report got deployed to SCOM SQL Reporting Service and the .mp file got recreated as well.

This Blog Has Been Hacked! But Should Be OK Now…

Posted by Tao Yang on 26/03/2012 in Others |

 

Over the last few days, it seems my blog has been hacked. Some suspicious malware code has been injected into the WordPress PHP pages.

I have just reinstalled WordPress, changed all the passwords and ran another scan. It came out clean. I have manually checked the infected pages, and the suspicious code has been removed.

If you are using Google Chrome and saw the warning page when trying to access my blog, I have requested Google to review my site again. Hopefully I’ll get my site removed from the blacklist within a few days.

System Center Configuration Manager (SCCM) 2007 Client Management Pack for SCOM

Posted by Tao Yang on 04/03/2012 in SCCM, SCOM |

Background

Over time, I have seen some issues and challenges for SCCM administrators in effectively and proactively managing SCCM clients. I have personally seen and experienced some challenging issues. For example:

  • Silent clients due to the SMS agent host service not running.
  • SCCM Clients are reporting to the incorrect site due to the combination of overlapping boundaries and auto site assignment.
  • SCCM Clients missing new functionalities due to missing SCCM hotfixes (i.e. Power Management in SCCM 2007 R3)
  • Advertisement execution failures
  • SCCM clients unable to connect to Management Points
  • BDP configurations inconsistent (an SCCM client is listed as a BDP on the site server but it is not actually configured as a BDP)
  • Newly installed software is not promptly updated in the SCCM site database as the hardware inventory only runs weekly by default.

During last year’s Christmas period, some of my employer’s production servers were assigned to an incorrect SCCM site and as a result, some applications were pushed out to these servers during a change freeze period. We only found out after the fact and realised some of these servers were reporting to the wrong SCCM sites for months!

This has triggered me to implement a solution so we can proactively monitor the configurations and activities of SCCM 2007 clients so we are alerted before anything bad happens!

I started writing a SCOM management pack for SCCM 2007 clients. It took me a few weeks to cover all the issues that my team is facing. Over the last couple of weekends, I have spent a lot of time re-writing / re-branding it and documenting it so I can actually post this management pack in my blog.

This management pack provides some proactive monitoring and automations for all of the above mentioned issues / challenges. Does this sound interesting to you? If so, please continue reading. The documentation and the management pack download link are at the bottom of this article.

So here are some details of the management pack.

Introduction

System Center Configuration Manager (SCCM) 2007 Client Management Packs 2.0.0.0 provides basic monitoring of SCCM 2007 clients.

This set of management packs is intended to fill the gap of the official Microsoft System Center Configuration Manager 2007 management pack and focuses on monitoring the SCCM clients in SCCM infrastructures. These management packs also provide the ability to implement customised monitors to monitor the configurations and baselines of SCCM clients in your organisation’s SCCM infrastructures according to your organisation’s standard, i.e.:

  • Monitor SCCM site assignment to make sure SCCM clients are assigned to the correct primary site in a multi-site environment.
  • Monitor SCCM client versions to make sure all required SCCM client hotfixes are applied.
  • Monitor and make sure any SCCM clients that should be configured as Branch Distribution Points (BDP) are actually configured as BDP.
  • Make sure the SCCM Client cache size is configured according to your company’s standard.

There are 2 separate sealed management packs (.MP) in this set:

  • TYANG System Center Configuration Manager 2007 Library
    • Custom Data Source, Probe Action and Write Action modules
    • Custom monitor types
    • SCOM console actions for SCCM clients
    • SCCM client object discovery
  • TYANG System Center Configuration Manager 2007 Monitoring
    • Pre-Configured monitors and rules
    • Folders and Views

Management Pack Overview

The System Center Configuration Manager 2007 Client Management Packs not only provide various out-of-box preconfigured monitors / rules, but also provide some custom modules / workflows which allow you to build your own monitors to suit your System Center Configuration Manager 2007 environments. These management packs extend what Microsoft System Center Monitoring Pack For Configuration Manager 2007 SP2 v6.0.6000.3 has to offer for SCCM client monitoring. This includes:

Pre-Configured Monitors and Rules:

  • Recreated the SMS Agent Host service monitor and included a diagnostic and recovery task to automatically restart the service when it has stopped.
  • Checks the availability of the Management Point that the SCCM client connects to, via HTTP response. The SCCM Management Point HTTP Response Monitor runs hourly to check the HTTP response of the active MP for the SCCM client and generates alerts if HTTP error responses are received over 2 consecutive times.
  • Checks the version of SCCM clients and generates an alert if the version number is lower than 4.00.6487.2157 (KB977384, prerequisite for SCCM 2007 R3).
  • Checks the SCCM Client’s Advertisement Execution history every 30 minutes. If any advertisements have been executed over the last 30 minutes, Hardware Inventory is triggered so any newly installed applications will be inventoried and stored in the SCCM site database. Additionally, if any failed advertisement executions are found, a Critical alert is generated.

Custom Modules and Monitor Types:

1. SCCM Client Property Value Check 2-State Monitor Type. This monitor type can be used to build monitors to monitor SCCM client properties (i.e. monitor any SCCM clients that are not assigned to the correct site or whose Cache Size is not configured according to your organisation’s standard, etc.).

This monitor type supports the following Properties:

  • SiteCode (SCCM Client Site Code)
  • Version (SCCM Client version)
  • GUID (SCCM client GUID)
  • ManagementPoint (MP that SCCM client is connected to)
  • ProxyMP (Proxy MP that SCCM client is connected to)
  • InternetMP (Internet MP that SCCM client is connected to)
  • LogsLocation (path to SCCM client log files)
  • CacheLocation (path to SCCM client cache)
  • CacheSize (The maximum size of SCCM client cache folder in MB)
  • HTTPPort (The HTTP Port for SCCM Client)
  • EnableAutoAssignment (if auto site assignment is enabled (true or false))
  • AllowLocalAdminOverride (if the SCCM client allows local admin override (true or false))
  • IsBDP (If the client is a branch distribution point (true or false))

This monitor type supports the following Comparison Operators:

  • eq (Equal to)
  • ne (Not equal to)
  • gt (Greater-than)
  • lt (Less-than)
  • ge (Greater-than or equal to)
  • le (Less-than or equal to)
  • IsNull (Is Null value)
  • NotNull (Not Null value)

2. Write Action module to initiate SCCM client actions

3. Write Action module to repair SCCM client

4. Other Probe Action modules and Data Source modules that were used by pre-configured monitors and rules.

More Comprehensive Object Discoveries

The SCCM client object discovery in this management pack discovers pretty much every SCCM client property that is visible in the well-known utility SCCM Client Center.

Below is a comparison of the properties that SCCM Client Center can check vs. the SCCM client properties discovered by this management pack vs. what is discovered by Microsoft’s official management pack:

  • [Image: SCCM Client Center 2.0.4.0]
  • [Image: System Center Configuration Manager 2007 Client Management Pack v2.0.0.0]
  • [Image: Microsoft Official Configuration Manager 2007 SP2 Management Pack v6.0.6000.3]

SCOM Agent Actions for SCCM Clients

A number of SCCM Client actions have been built into this management pack. The following SCCM client actions can be initiated via the SCOM Operations Console and Web Console:

  • Discovery Data Collection
  • File Collection
  • Hardware Inventory
  • Machine Policy Retrieval Evaluation
  • Software Inventory
  • Software Metering Usage Report
  • Software Updates Agent Assignment Evaluation Cycle
  • Software Updates Scan
  • SCCM Client Repair

More information

The detailed guide for this MP can be downloaded HERE.

Management Pack Downloads:

From below link, you can download a zip file which contains:

  1. Sealed version of TYANG System Center Configuration Manager 2007 Library management pack (.mp)
  2. Sealed version of TYANG System Center Configuration Manager 2007 Monitoring management pack (.mp)
  3. Unsealed version of TYANG System Center Configuration Manager 2007 Monitoring management pack (.xml)

The reason I’m offering the unsealed version of the TYANG System Center Configuration Manager 2007 Monitoring management pack is that if you wish to create additional monitors / rules using the workflows in the library MP, you can just build them into the unsealed MP without creating a separate MP (and it saves you the time to unseal it).

Management Pack Download HERE.

As always, if you have any issues / questions / concerns or suggestions, email me! I’ll try to get back to you as soon as I can (even though recently I’ve been pretty busy at work and in my personal life. And that’s why it took me so long to write a blog article for this management pack!)


Copyright © 2010-2012 Tao Yang's System Management Blog All rights reserved.