PowerShell Script: SCCM Health Check

4 minute read

30/01/2012: This script has been updated to version 3.5. Details can be found HERE. The download link on this article has also been updated to version 3.5.

26/05/2011: Version 3.3 has been posted here. The download link to the script on this post is also updated to the new version 3.3.

21/04/2011: Please be advised that I have posted a newer version of the script here. The existing script download link on this page has also been updated to point to the newer version. For the chanages in newer version, please refer to my updated post.

Over the last few months, I have been working on a PowerShell script to perform some health check activities for a customer’s entire SCCM environment. This is to provide a snapshot of health state of some elements of SCCM environment at a point of time since there is no SCOM in that environment to monitor SCCM at this stage.

Download the script here

The script checks the following:

  1. Ping check all servers in the SCCM infrastructure
    • If first ping fails, wait for number of seconds (defined in XML file) then attempts to ping few more times (Number of retries defined in XML file).
    • if returns any successful pings, ping test is classified as success.
  2. DNS name resolution check for all servers in SCCM infrastructure
    1. forward lookup check
    2. reverse lookup check
    3. compare DNS A record with the FQDN that's set on the server
  3. All site systems in warning or critical state
  4. All site components in warning or critical state
  5. All package distribution with issues
  6. Checks all Non-PXE boot image packages in PXE DP share
  7. Checks any inboxes that contain number of files that's over the threshold (threshold is set in the XML file)
  8. Checks availability of Inbox folders on all primary site servers
  9. Checks SCCM site backups on all primary sites within the "DaysToCheck" that's set in XML file.
  10. Checks any errors in SQL server and SQL agent logs
  11. Checks Application logs on SQL servers for any SQL related errors.

What’s included in this script:

image

  1. SCCM-HealthCheck.ps1: the actual PowerShell script
  2. Health-Check.xml: contains all configuration settings for the script. this file needs to be modified to suit your environment before running the script.
  3. DIRUSE.exe: This is from Windows 2000 Resource Kit (http://support.microsoft.com/kb/927229). it is used to retrieve SCCM inboxes information. I have chosen to use this rather than the native PowerShell cmdlet Get-ChildItem because DIRUSE.EXE retrieves the information much faster against remote servers than Get-ChildItem.

Configuring the script:

The health check script reads all the settings from Health-Check.xml which is located in the same folder as the script.

You’ll need to Configure the XML according to the following:image

Note: If you are having trouble reading the text on above image, this image can be download here

Output:

  1. The script has the option to email out the health check report (can be switched on and off in XML file)
  2. The email body is in HTML format that contains the overall status of each check.
  3. The detailed report is in TXT format and it is attached to the email. it is also located in the same folder as the script with the timestamp. if emailing is turned off, the detailed report can be located there.

Below is a sample HTML email body generated from my test environment:

email report

Security Requirement:

  1. The PowerShell execution policy on the computer that's running the script needs to be set to at RemoteSigned or Unrestricted.
  2. The account used to run this script needs to have:
    1. local admin rights on Central site server, Central site provider server (if not the site server itself)
    2. In the SQL servers, sysadmin rights or at least access to the master DB on all SQL servers to be able to read SQL server and agent logs.
    3. SMS admin access on all primary sites
    4. NTFS read permission to "inboxes" folders on all primary site servers.
  3. Scheduling the script in Windows Task Scheduler:
    1. "Allow log on as batch job" rights is required for the user account to run scheduled jobs.
    2. if scheduling in Windows 2008 or later, please make sure "Run with highest privileges" is ticked to bypass UAC (User Account Control)

Other Requirements:

  1. The operating system for SQL servers has to be Windows 2008 or later. This is because Get-WinEvent is used to read event log rather than using Get-EventLog because Get-EventLog does not support server side filtering. Therefore Get-WinEvent is used to improve performance when reading remote event logs. However, Get-WinEvent only works on Vista and later version of Windows.
  2. PowerShell Version 2 is required to run the script.

What’s Next?

I’m planning to re-write some part of the script to give us an option to utilise PowerShell Remoting wherever is suitable. This will greatly improve the performance of the script (especially when gathering inboxes information across the WAN link). When this is done, Get-ChildItem can be used and executed locally on each site servers and eliminate the needs for DIRUSE.EXE.

I’ll get this done in the next few weeks and post it here once it’s done.

Leave a comment