I am currently working on my Masters degree at the University of Michigan, School of Information.  As part of this program I am taking a class at the Buisness school called "Becoming a transformative leader".  I have decided to share some of my thought and writings I do for this class.  This first post is what I wrote for my Weekly Best Practice paper today.  This supposed to be a one paragraph account of something I did to live in the fundamental state of leadership over the past week.  For more information about the fundamental state of leadership check out the book: The Deep Change Field Guide.

Weekly Best Practice Paper for 2/1/2012

I have been trying to think of ways to insert the principles of being in a fundamental state of leadership into my routine so that it becomes habit.  I have also been thinking of, yet again, trying to be more organized so that I can get more accomplished during my week.  This week I started something new to my routine.  Based on the "Getting Things Done" method I am starting to do a Weekly Review.  This is time I set assign each week to review my accomplishments for the week, my project and ideas that I want to work on, and what I am going to do next week.  As part of this process I have added a few items in my checklist of things to do to help me be a better leader.  I have an item to specifically think about what results I want to create next week.  I may even write this down on my office whiteboard so that I can read it when I get back to work on Monday.  I also have an item to consider assumptions after I have reviewed my projects lists and to-do items.  This will hopefully remind me to continuously think about what assumptions I have and force me to question them.  I have an item to improve my networking and to thank someone who deserves it so that I can remain other-focused and improve my relationships.  Finally I will be listing my week's accomplishments.  This is being done for two purposes.  First so that I can keep track of all the little things I have accomplished over time but also so that I can consider if what I am doing am internally directed.  My hope is that by doing this each week these practices will become routine and second nature over time.  

My current weekly review checklist is based on a few things.  First a GTD based weekly review list.  Second, some lists of things to do weekly to lead a better life.  Finally, things I am learning from class.  I am sure this checklist will change over time but its a starting point.

Occasionally I need to add a site to the Trusted Sites or Local Intranet Zones on computers.  Group policy is the obvious way to do this but if you put it to Computer Configuration > Administrative Tools > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List, the zone becomes controlled by the administrator and the end user can't add sites later.  

In the past I have had to use the IE Customization tool to create a custom package.  Today.. I found a much better way to add sites to zones that can be updated on the fly.  Thank goodness for the registery and GPP.

Basically I am using GPP to drop a registry key down that adds the site to zone.  I have found that the user needs to logoff and back on for it to take effect.  

The key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains contains the zone mappings under the enhanced security configuration. Each registry key that is below this key in the registry hierarchy is a Web site domain. Each of these keys has values which indicate the allowed protocol and the zone to which that protocol belongs for the domain. A value of 0x001 indicates the Intranet zone and a value of 0x002 indicates the Trusted sites zone.

http://msdn.microsoft.com/en-us/library/ms537181(v=vs.85).aspx

Works great so far!!

Today I went to look at and download the latest version of Dan Cunningham's Workstation Migration Assistant.  Unfortunatly I couldn't get to it at all.

http://dcunningham.net/sysadmin-tools/migration-assistant/

Heck.. I can't get to http://dcunningham.net either.

I get nothing.  Pinging dcunningham.net doesn't give me a DNS name.  Maybe its my location, I am at a Microsoft Tech Center at the moment, but I am guessing not.  Anyone know what happened here?  I hope everything is OK.  Did Mr. Cunningham fail to renew his domain name? 

Matt

Recently I have been handed the backup responsibilities for our servers.  To do this I have been implementing DPM 2010.  I ran into a small problem today and wanted to write it up so that I don't forget it, and to share what I found.

The Problem:

I added a servers system state to a recovery group.  When ever it tries to create the initial replica it would fail.  DPM said:

Description: DPM cannot create a backup because Windows Server Backup (WSB) on the protected computer encountered an error (WSB Event ID: 546, WSB Error Code:  0x8079005F). (ID 30229 Details: Internal error code: 0x809909FB) 

The only thing I could find on the protectyed server was the Event ID 546 which said:

The backup operation attempted at '‎2011‎-‎08‎-‎05T16:56:14.705364900Z' has failed to start, error code '2155413599'. Please review the event details for a solution, and then rerun the backup operation once the issue is resolved.

The Fix:

I found the answer it this thread: http://www.eggheadcafe.com/software/aspnet/35551740/problem-backing-up-2008r2-system-state-with-dpm-2010.aspx

Check the backup target being used by DPM, by looking at C:\Program Files\Microsoft Data Protection Manager\DPM\Datasources\PSDataSourceConfig.xml on the protected server.  Check for <FilesToProtect> element.  I found that this was pointed to D:\WindowsImageBackup.  The problem was that this server didn't have a D:\.  Now, I don't know why DPM initially set this path, but I do know that if you change that to C:\WindowsImageBackup the problem is fixed.

I have been working on a script for our SCCM OSD task sequences.  For years we have simply had all of our drivers in SCCM and used the Auto Apply Drivers step in the task sequence to get everything to work.  This has been a good approach for our very de-centralized environment where we need to be able to build just about anything.  Recently however we have been trying to move toward a hybrid method.  Basically we want the task sequence to use a specific set of drivers if it is a known model, but fall back to the simple auto apply drivers set if there isn't a driver package / category.

I put together a script that queries SCCM for a list of categories and compares them with the Make & Model of the machine.  My script is largely based on the following: http://blogs.technet.com/b/deploymentguys/archive/2008/04/18/configuration-manager-dynamic-driver-categories.aspx

This was working great under my credentials but I wanted to switch to a least privileged account since this would ultimately be housed in a script.  We have a service account for this type of thing, but when I ran the script using that account I either got an error or an Access Denied message.

After a bit of trial and error and poking around I found that I needed to set the following to get this to work.

DCOM Permissions

• On your site server run DCOMCNFG
• Expand Component Services > Computer > My Computer
• Right click My Computer and select properties
• Select the COM Security tab
• Under Access Permissions click Edit Limits
• Enter your service account and give it Remote Access permissions
• Under Launch and Activation Permissions click Edit Limits
• Enter the service account and give it Remote Launch and Remote Activation permissions

WMI Permissions

• On your site server open Server Manager
• Expand Configuration and select WMI Control
• Right click and select properties
• Select the Security tab
• Select Root and click the Security button
• Add your service account and give it Execute Method, Provider Write, and Enable Account

SCCM Permissions

• Within SCCM you need to give the service account read permissions for All Instances of Device driver

Currently we have a notification to send all critical alerts to my team's group email. We get a lot of noise, but that is what I was asked to do. A number of my team members would rather get email alerts instead of looking at the console. We also set it up simply send us all of the critical alerts because we didn't' want to miss one.

A while back, we had a member of our team break off and take his service with him. He has a lot of separate web applications, among other things, being monitored and he wants to only get those alerts. That seemed simple enough.  I created a group including the objects for his service and created a new notification for this group.  Then members of my team asked to have our notification change so that it sends all critical alerts expect those related to the above group.

Why on earth can I not figure this out?  SCOM seems to not like exceptions.  Sure I can create a group with exceptions, but I can't create a group with everything in it, so that I can have everything except X.  The main problem here is that we want to insure that nothing is missed.  If we just start creating groups for things we do want to be notified about, inevitably we will miss something and not get those alerts.

Anyway, if anyone knows of a way to create a group that includes everything expect for the members of another group please leave a comment.

I just got done watching the VMM2012 CEP meeting video from yesterday which largely covered the new features for bare metal deployment for host hardware.  Here are my notes and take aways from this meeting.

NOTES:

The goal of this feature is:

Discover bare metal machines and bring them to a fully provisioned state with Hyper-V enabled

This feature is based on the following:

• VHD image based deployment to bare metal
• Host Profiles are used for a consistent configuration to a variety of hardware
• Add Resource Wizard for selection and customization at deployment time
• OOB communication and the Windows Deployment Server (WDS) PXE server allow for the bare metal computer to boot into our deployment agent

The basic high level workflow for Bare Metal Deployment in VMM2012.

1. Configure a WDS based PXE server for the enviroment.
2. You put the VHD and drivers for the hosts in a VMM Library.
3. Setup a logical network if your using a static IP
4. You create a Host Profile using a wizard
1. Define OS Image (VHD)
2. Define Partitions
3. Select Drivers
4. Configure OS options including Joining the domian etc.

MY THOUGHTS:

I am kinda suprized that the bare metal provisioning within VMM2012 is based on boot from VHD.  I really don't know how I feel about this.  I one hand I am worried that running my host off a VHD will result in performance degredation.  But then again, I can also see how it might be easier to work with VHD files.  I guess I just need to jump in with both feet and try it out.  I am concerned that this is only available via PXE.  While in the log run I think this is a great capability, I have found WDS to be unreliable and I want to have a physical bootmedia option.  

My other complaint seems to be a common one with Microsoft products.  It is great that the computer can join the domain by itself but why on earth can I not specify which OU to put the computer account in.  In my enviroment I only have control over a specific OU.  If I just join the domain I can't manage the computer afterward.  This means that we have to go through a lot of extra customization work to pre-create the computer account.  I just wish that they would give me the option of defining the OU in all of these products when it automates joining the domain.

*Disclaimer*  These are my notes.  This information could be wrong or misunderstood.  I have tried to get everything correct but I would doublecheck my facts before quoting me.

 So we recently purchased an APC Netbotz  (http://www.netbotz.com/products/appliances.html) to monitor the environment in one of our server rooms.  Unfortunately it only keeps 12 hours of data natively which wasn't exactly what we wanted.  We wanted to be able to look at the temperature trends for at least 48 hours (a weekend lets say).    

To answer this need I set out to use SNMP monitors in SCOM to get the sensor data from the Netbotz device into SCOM.  At first I thought I was going to have to create a custom management pack up with a bunch of SNMP monitors.  Thankfully I found an easier answer. 

I found the xSNMP Extensions for System Center OpsMgr 2007 (http://xsnmp.codeplex.com/) basically did everything for me.  You start by downloading the xSNMP Management Pack Suite (v1.1.1E).  This suite can monitor a number of SNMP based devices including the Netbotz.  I imported the following management packs included in the suite and left the rest out for now.

• xSNMP.mp
• xSNMP.Overrides.xml
• xSNMP.NetBotz.mp

Once these MPs are imported you need to use the Discovery Wizard to discover the Netbotz as a network device.  All you need to know to do this is the IP address and the SNMP community string.  After the device has been added successfully, you wait.  After a while you can add the network adapter for the Netbotz to one of the groups created by the xSNMP Overrides MP.  This is all spelled out in the included PDF.  Once you have done this, you wait some more.  This does take a while to get fully monitored.  I would say wait until the next day.

So far, that is all I have done.  We get alerts from the Netbotz in SCOM.  We can also look at the performance graphs over a period of time.

I would also recommend importing the xSNMP Report Pack.  This will give you pre-configured reports for your use.

My one complaint so far... the performance report for the temperature is in Celsius.  Not a huge deal, but I wish I could change it to Fahrenheit.  Other than that I don't have any complaints.  I turned out to be fairly simple to setup and gives me more information that I had before.

 I applied for the SCVMM 2012 CEP program this morning.  I actually really hope I get in. 

It starts tomorrow so check it out if your interested.

http://blogs.technet.com/b/systemcenter/archive/2011/05/24/system-center-virtual-machine-manager-2012-cep-to-start-may-26th.aspx

 Part 1: http://myitforum.com/cs2/blogs/mclanem/archive/2011/04/25/scom-virtualization-candidates-report-with-hp-servers-part-1.asp

The problem re-explained:

A few months ago, I found that no matter what parameters I used I received no results when trying to run the Virtualization Candidates report in SCOM. After digging deeper into the issue I found that the "Virtual Machine" property on all of my HP servers was NULL. The problem was that the discovery used the Win32_BaseBoard class which doesn't exist on HP servers so when the discovery ran, it returned an instead of returning true or false. I used a custom management pack to change the discovery to that it would look in Win32_ComputerSystem instead, fixing this issue. Unfortunately, I found that correcting the issues with the Virtual Machine property didn't fix the Virtualization Candidates report.

The investigation continues

At this point I took the problem to Microsoft. Working with one of their support engineers we found that the Virtualization report doesn't really rely on this property. The Microsoft System Center Virtual Machine Manager 2008 R2 management pack creates a new object. When I navigate to Discovered Inventory and change the target type to Virtualization Candidate computer I again get no results. The reason for this is the same as the IsVirtualMachine property. The script used to create this object looks in Win32_BaseBoard for the manufacturer property. Since HP servers don't have this class, the script errors out and the object doesn't get created.

Unfortunately this is a sealed MP. I asked the support engineer if we could get the team who originally wrote the MP to change it from Win32_BaseBoard to Win32_ComputerSystem but was told that they didn't see it as broken because it only effects a specific set of servers. I guess they are OK with their MP not working for an entire hardware vendor.

Instead we set out to edit the MP ourselves.

This approach failed.. multiple times. The reason it failed has to do with the way Microsoft made this MP available. It isn't available thought the normal MP catalog. Instead you have to run an installer from the VMM installation media. If you try to import the customized MP SCOM complains that there is already a version installed and it fails to import. I did try uninstalling the MP (which was a pain because there were a number of dependencies) and I was finally able to install the customized MP, but then when I ran the installer on the VMM installation media (to get the dependencies reinstalled) if failed saying it was already installed. At this point I got really frustrated because this was really the only approach the Microsoft support engineer wanted to take. Here is what I did on my own to fix the problem.

Create a Custom MOF

I created a custom MOF which would fill in the Win32_Baseboard field and thus make everything work as it is suppose to.

1. Save this file HP_BaseBoard.txt
2. Rename it HP_BaseBoard.mof
3. Run the following command from an elevated CMD prompt mofcomp.exe [path]\HP_BaseBoard.mof

How simple. Why didn't I think of this before. I guess its because I haven't ever really changed WMI before so it really isn't in my toolbox of tricks. Sure we edited the mof for SCCM, but for some reason that was different.

OK. I actually I went a few steps further to get this deployed in my environment. I wrote a vbscript that will compare the Win32_ComputerSystem Manufacturer key with that of the Win32_BaseBoard key on HP systems. If they are not equal the script will run the mofcomp command and log the results in the Event log otherwise it will exit. This script will then set via group policy on our server OU. This way any future servers will get the required key even if they are not built using our automated solution.

Feel free to have a look the SetBaseBoard.vbs script here: SetBaseBoard.txt You need to also have the HP_BaseBoard.mof file linked above.

To verify that things are working do the following:

• Within the SCOM Console Navigate to the Monitoring Pane
• Select the Discovered Inventory node under Monitoring
• Click Change Target Type under Actions
• Enter Candidate under looking for and select the Virtualization Candidate Computer from the System Center Virtual Machine Manager 2008 R2 MP. (There is probably more then one)
• You should see any computers that may be virtualization candidates listed.

Give it a little time for SCOM to catch up, but the Virtualization Candidates report will now start to have results.

I ran across this blog post today and found it very interesting.  He tells how the 80 column standard punch card had influence over the first email programs.

http://blog.mimecast.com/2011/02/why-is-email-so-complicated-part-221-the-legacy-of-punch-cards/

 Here is an excerpt:

So, we live in a world where my daughter can email me a video of my grandchildren, which still amazes and delights me, but that 6 megabyte video becomes 8 MB for transit because it has to be encoded as 80 column lines that are safe for punch cards, just in case it needs to be printed on them.

Protocols, like animals, evolve to produce solutions that work, not necessarily solutions that are optimal or elegant.  We walk upright with a quadruped’s backbone, and email transmits video with a punch card’s line format.

As long as it ain’t broke, we probably won’t fix it.

 I showed up to work this morning and found this alert in our SCOM server. I can not figure out why the alert is being generated or how I can get it to go away.

ConfigMgr 2007 Perf Threshold: PSP Database Requests Outstanding > 4 over 1 hour

Summary

In a one-hour interval, more than four PXE Service Point database requests were processed.

The PXE Service Point uses several threads to process requests from PXE devices. When a PXE request is processed, a thread makes a database request. For each processor the device has, two threads are allocated.

This performance threshold means that for the last hour, the PXE Service Point service was waiting for the database to reply on at least four threads.

Causes

This condition could occur because:

• The database responds too slowly.
• Too many devices are PXE booting.
• A rogue PXE client is on the network.

Resolutions

• Verify whether too many devices are PXE booting.
• Ensure that no rogue PXE client is on network.
• Determine whether the database is responding to requests too slowly.

I do not see too many devices trying to PXE boot over the past hour. According to the status messages over the past day there are only 3 or 4 PXE boot attempts. I also have verified that I can PXE boot a client as normal. I guess I don't know who to Ensure there isn't a rouge PXE client on the network. I do know that it isn't requesting anything according the the status messages. Also, how do I determine the response time of the PXE server to the database?

I have tried to restart the WDS service on the PXE server and manually reset the alert, but neither of them had an effect, the alert was regenerated.  I tried searching the internet for an answer or guidance, but I got ZERO hits on my searches.  It was like no one had seen this problem before.

So, I moved on to another alert that for our SCCM Site. 

ConfigMgr 2007 Status: Site Component Manager could not access site system

A new monitored SMS status message on machine [OurSite] from component SMS_SITE_COMPONENT_MANAGER with message ID 1037 was found in the site [Site] database.

So, I opened up the status messages for the time the alert was created (2 days ago) and found single status message with ID 1037.  Interestingly enough it basically indicated that the site server couldn't talk with the database server.  This was during a maintenance window when the database server was likely applying updates.  It had since come back online and everything was working fine.  Deleting this single event cleared up both alerts, the Site Component Manager alert and the PXE server alert. 

Why on earth can this MP not be smarter then that?  Why does it rely so much on status messages in our site?  This often requires me to go in and delete the old status message to clear the SCOM alert.  Why can't it be much more real time and auto correcting?  There has to be a better way.  The other thing that really gets to me is that the MP is really not that clear on what the problem is and how to resolve it.  Look at the summary above for the PXE alert.  Those resolution suggestions do not help at all, at least not in my opinion.

My complaints go on... but this is what got me this morning.

I have been struggling with this problem for a while now and I thought I would share the details along with the solution(s) I have come up with.  But first, a little background.

We have a SCOM 2007 R2 server monitoring our servers.  We use HP hardware for all of our servers.  We have been making an effort to virtualize our environment over the past few months, but our big push is planned for this summer.  In an effort to make the preparations, I am trying to use the Virtualization Candidates report provided by the SCVMM 2008 R2 Management Pack.

A few months ago, when I started this whole thing I found that, no matter what parameters I used, I received no results.  This didn't seem right, so I started digging deeper into the issue.  As it turns out the Virtualization Candidates report doesn't work on HP servers.  There are two related parts to this problem.  One I have solved, the other I am still working on.  In this first part I will give you the first part of the problem and the solution I worked out. 

IsVirtualMachine Property

Every computer in SCOM has a property called "Virtual Machine" in its details.  You can see this if you select the computer and look in the detail view.  This should be set to True if computer is a virtual machine and False if it is a physical machine.  When I started looking into this issue I found that for most of our monitored computers, this value was instead NULL so I assumed that if I fixed that issue, my report would have data.  So, why was it NULL.  The answer is that when Microsoft wrote the MP, they wrote it poorly (at least in my opinion). 

The built in discovery that is responsible for this value and located in the System Center Internal Library is called "Discover if Windows Computer is a Virtual Machine".  This simply runs the following WMI query and sets the property as the result.

SELECT * FROM Win32_BaseBoard WHERE Manufacturer <> "Microsoft Corporation"

There are two problems with this.

1. This will not mark any VMWare guests as Virtual. 
2. Its looking in Win32_BaseBoard.

It is this second problem that was the problem for me.  As it turns out, HP servers don't have a Win32_BaseBoard in their WMI, it simply doesn't exist.  When the discovery runs it errors out causing a null value.  I solved this problem by looking into the first issue.  Someone thankfully had written a custom MP that changed the discovery to account for VMWare guests (http://systemcentercentral.com/Downloads/DownloadsDetails/tabid/144/IndexID/6167/Default.aspx).  I took this MP and changed it further so that it would also account for the HP hardware.  I took the following steps:

• Downloaded the MP from SystemCenterCentral
• Located SELECT * FROM Win32_BaseBoard WHERE Manufacturer <> "Microsoft Corporation" OR Manufacturer <> "VMware, Inc."
• Change Win32_BaseBoard to Win32_ComputerSystem
• Save and Import your new custom MP.

Doing this gives you a solution where any VMWare guests will have Virtual Machine marked as true, and the HP servers will get marked as false instead of NULL.

Here is a copy of the MP that I used: http://myitforum.com/cs2/blogs/mclanem/Virtual.Machine.Discovery.Custom.xml

Unfortunately, this didn't solve my original problem. While I now have the Virtual Machine property reporting properly on all of my servers, I still don't have any results in my Virtualization Candidates report. I have since worked out why, and I think I am getting close to a solution. I will share my findings and solution once I have it all working (Part 2).

 I recently started playing with Dynamic Memory on our dev hyper-v host.  Today I ran into an interesting problem while trying to PXE boot our task sequence boot media.  I had set the VM to use Dynamic Memory with a minimum of 326 MB or RAM.  When I tried to PXE boot the thing to put an OS on it I got the following error message: 

Clicking OK would cause the VM to restart, and I was unable to open the troubleshooting cmd prompt I normally can.

The Fix: Simple.  I up the minimum dynamic RAM to 512 on the VM and I am once again able to boot into PE.

Just a gotcha I figured out and thought I would share.

One of the first things I did after returning from MMS 2011 was to setup System Center Advisor for a few systems in our environment.  I created a small VM and installed the Gateway service.  I installed the agent on 6 servers including the gateway. Then we waited.

So far, I have been fairly unimpressed.  Here are some reasons why:

• I really wish this information / functionality could be integrated into SCOM. I don't want a separate system to logon to in order to get these alerts.
• I still don't know if I need the separate gateway, or if I could have installed it on my SCOM server. Unfortunately, the documentation doesn't give me a hint either way as far as I could tell.
• The functionality is VERY limited. There is a very limited number of available alerts, and the change history nothing new. I can already get that from other sources like SCOM or SCCM.
• I can see where people might think of this as a poor man's SCOM, but it really isn't, at least not yet.

Now, having said that, I do realize that this is a new product... and it is only the Release Candidate version to boot.  Here are some things I like about it or potential uses I see for it.

• It has a nice clean interface. I like the clear description of the problem and the link to the KB Article. I also appreciate the copy to clipboard functionality.
• I like the concept of the cloud based service. I also don't mind how a single user can be given permission to multiple companies and switch between them.
• I can see where this might be useful in the future. If we had this on our servers, and we call Microsoft about a problem, they could hopefully look at the information and alerts to help jumpstart troubleshooting. I could see where that would be useful.
• I can also see Microsoft creating a whole lot of new alerts to help notify customers of vulnerabilities as they are discovered. This would be much more real time then SCOM since they would add the alerts instead of waiting for us to install a MP.

In Summary: I don't really have a use for SC Advisor, but I can see where other might someday be able to benefit from it.  It just depends on how Microsoft starts using the information that we send to their servers.  I do however, really hope that they integrate at least some of the functionality into SCOM so that I can have a single interface to get all of my alerts.  If you would like to check it out for yourself, here is the link: https://www.systemcenteradvisor.com