Calling all Technical Women – We want your C.V.

•May 16, 2010 • Leave a Comment

World Wide Online Event


Hi Ladies,

We have a worldwide online event happening very soon which gives you an opportunity to meet and talk to Technical Women working in Services at Microsoft and find out what the job is actually like. Plus we are interested in you too. We would love lots of women who are considering job roles at Microsoft to send us your C.V., simply by clicking on the link below to register for the Webinar. So come on Ladies, especially EMEA, we want to hear from you!

Optimising and reducing the noise from SCOM Management Packs

•May 14, 2010 • Leave a Comment

I have been working with my customer on reducing noise and optimising SCOM 2007 R2. The main emphasis of my work has been on the Active Directory Management Pack, but some of the techniques I highlight and the links I have used apply more generally.

http://blogs.technet.com/momteam/archive/2010/02/19/opsmgr-2007-r2-mp-version-6-1-7599-0-is-released.aspx

1. Check whether you have enabled "Agent Proxying" for any Cluster, Active Directory or Exchange agents. The reason this should be set is as follows:

When deploying the AD or Exchange management packs you need to enable proxying on the agents in order for discovery to work properly, because those agents submit discovery data about objects other than themselves (the domain, the forest, other domain controllers, cluster resource groups). This is detailed in the blogs below. There is also a tool that can be used to enable this across multiple Domain Controllers at once; otherwise you have to go to each individual server. Bear in mind that agent proxying is a trust decision: a proxy-enabled agent can submit discovery and health data for objects it does not host, so enable it on the agents that genuinely need it rather than globally.

a. http://blogs.msdn.com/boris_yanushpolsky/archive/2007/08/02/enabling-proxying-for-agents.aspx

b. http://blogs.msdn.com/boris_yanushpolsky/archive/2008/01/24/troubleshooting-event-id-33333-logged-by-the-data-access-layer.aspx

c. http://ops-mgr.spaces.live.com/blog/cns!3D3B8489FCAA9B51!1077.entry?wa=wsignin1.0&sa=673832820

d. http://cameronfuller.spaces.live.com/blog/cns!A231E4EB0417CB76!1152.entry

e. http://ops-mgr.spaces.live.com/blog/cns!3D3B8489FCAA9B51!1077.entry
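The following is an added example, not code from the original post or from the linked blogs. It enables Agent Proxying only on agents that are domain controllers and then lists every other agent that already has proxying on, so you can see where the trust surface is wider than the management packs need. It assumes the OpsMgr 2007 R2 Command Shell (Get-Agent, the ProxyingEnabled setting and ApplyChanges); the RMS name and the Domain Controllers OU path are placeholders.

```powershell
# Added example (not from the original post): enable Agent Proxying only on the
# agents that are domain controllers, and report where else it is already on.
# Assumptions: RMS name and OU path are placeholders; cmdlet and property names
# are those of the OpsMgr 2007 R2 Command Shell (Get-Agent, ProxyingEnabled,
# ApplyChanges).
param(
    [string]$RootManagementServer = 'RMS01.abc.def.local',                                  # placeholder
    [string]$DomainControllersOU  = 'LDAP://OU=Domain Controllers,DC=ABC,DC=DEF,DC=Local',  # placeholder
    [switch]$WhatIf
)

Add-PSSnapin Microsoft.EnterpriseManagement.OperationsManager.Client -ErrorAction Stop
New-ManagementGroupConnection -ConnectionString $RootManagementServer | Out-Null
Set-Location 'OperationsManagerMonitoring::'
Set-Location $RootManagementServer

# Build the set of DC FQDNs from the directory so we never flip proxying on globally.
$dcSet = @{}
foreach ($dc in ([ADSI]$DomainControllersOU).psbase.Children) {
    $fqdn = [string]$dc.dNSHostName
    if ($fqdn) { $dcSet[$fqdn.ToLower()] = $true }
}

$agents  = @(Get-Agent)
$changed = @()
foreach ($agent in $agents) {
    $name = $agent.PrincipalName.ToLower()
    if (-not $dcSet.ContainsKey($name)) { continue }      # not a DC: leave alone
    if ($agent.ProxyingEnabled.Value) { continue }         # already enabled
    if ($WhatIf) { Write-Host "Would enable proxying on $name"; continue }
    $agent.ProxyingEnabled = $true
    $agent.ApplyChanges()
    $changed += $name
}
Write-Host ("Enabled proxying on {0} domain controller agent(s)" -f $changed.Count)

# Audit: proxying on machines that are not DCs. Exchange servers and cluster
# nodes belong here legitimately; anything else widens the trust surface for
# no reason and is worth a look.
$agents | Where-Object { $_.ProxyingEnabled.Value -and -not $dcSet.ContainsKey($_.PrincipalName.ToLower()) } |
    Select-Object PrincipalName, @{n='ProxyingEnabled'; e={$_.ProxyingEnabled.Value}}
```

Run it once with -WhatIf to see which agents would change, then without. The audit list at the end is the one to review with the Exchange and cluster owners; anything not on their lists should have proxying switched back off.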

2. Another good technique to reduce noise is to run the following reports from the ODR Reporting Library.

(screenshot omitted)

3. In addition we can be more specific by focusing on a particular Management Pack, by choosing the following under the Generic Report Library.

(screenshots omitted)

The above reports enable us to identify the noisiest alerts. We can then take this information, go to the specific Monitor or Rule and modify or disable it with an override, as follows (save the override into your own customisation Management Pack, not into the sealed vendor pack):

(screenshots omitted)

4. Also, certain Alerts do not close when the monitored object's health is restored, so they stay in the Alert view and create unnecessary noise. Typically these are alerts raised by Rules rather than Monitors: a rule has no health state to return to, so its alerts never auto-resolve. You can carry out the following to address this.

(screenshot omitted)

5. Also, you may or may not be aware of the following, which can cause noise from Domain Controllers if the agent is deployed manually: OOMADS.

OOMADS.MSI is the Active Directory Management Pack helper object. From TechNet:

"If an agent is manually deployed to a domain controller, and an Active Directory management pack is later deployed, errors might occur during deployment of the management pack. To prevent errors from occurring before deploying the Active Directory management pack, or to recover from errors that might have already occurred, you will need to deploy the Active Directory management pack helper object. This is done by deploying the file oomads.msi on the affected domain controller. The file oomads.msi can be found on the computer hosting the agent at C:\Program Files\System Center Operations Manager 2007\HelperObjects. After an agent has been manually deployed to a domain controller, locate the oomads.msi file and double-click the file to install the Active Directory management pack helper object. You need to manually deploy oomads.msi only to domain controllers that will host an agent and will be monitored via the Active Directory management pack. The Active Directory management pack helper object is automatically installed when the agent is deployed using the Discovery Wizard."

Although the article talks about Domain Controllers, it applies equally to computers you want to use as clients for AD monitoring, as they also use OOMADS.MSI.

Installation Checklist for Active Directory Management Pack

1. Import the Active Directory Server Management Pack.
2. Create a Management Pack in which to store customizations, such as overrides (for details on why, see this post).
3. (Optional) Import the Active Directory Client Management Pack and override the AD Client Monitoring Discovery Rule.
4. Enable the Agent Proxy setting on all Domain Controllers.
5. Configure an account for Replication Monitoring (associated with the Active Directory Management Pack Account Run As Profile).
6. Create a Run As account and associate it with the AD MP Account Profile.

Optional Configuration

1. Configure the maximum time allowed for a change to replicate across a forest.
2. Disable collection of warnings, performance data, and miscellaneous non-critical events to decrease network traffic.
3. Enable data collection for the Replication Latency Report.
4. Set parameters for tasks.

Common Problems

  • OOMADS not installed
  • OOMADS 64-bit issues
  • Agent proxy setting not enabled on all Domain Controllers
  • AD MP Account Profile Run As account password is not validated when entered, so a mistyped password only shows up later as failed replication monitoring

Floppies 101 uses for plus other Random thoughts

•May 4, 2010 • Leave a Comment


We have just had a long Bank Holiday weekend in the U.K., so I have taken the opportunity to do some spring cleaning and have been clearing out a load of boxes. I came across a long forgotten box of floppy disks. It took me another 20 minutes to locate my USB floppy drive reader. As I went through the floppies, which seemed so sloooow, I sat there reminiscing about my old dual-floppy 720k Philips PC with no hard disk, then my old 286 Olivetti PC came flashing into my brain. Then suddenly I started getting all romantic about the 520k? original IBM PCs I used to support in a previous life, plus the excitement I felt when I took delivery of my first IBM PS/2 machine with 4 MB of RAM and a 40 MB hard drive. By this time I had looked through all my floppies and found some old photos and Sibelius arrangements my husband had done years ago. Then I realised with a start how long I had been working in this fascinating, changing, frustrating and exhilarating industry, and then plugged in my shiny new 32 GB USB stick to transfer the contents of my floppies to :)….. Happy days!

The following link will make you smile

http://news.bbc.co.uk/1/hi/magazine/8651750.stm

Giving Non-Administrators permission to read Event Logs on Windows 2003 and Windows 2008

•April 30, 2010 • Leave a Comment

Apologies for not blogging for some time. I have been away on vacation, out of the country on training, plus work commitments, so add that up and it equals an enforced hiatus. Plus of course do not forget the Volcano :).

Well, I am back now and have some interesting information about Event Log access and the way things have changed in Windows 2008. This comes out of some work I have been doing with my customer.

So if you want to give non-Administrator users remote access to Event Logs when the Servers or Domain Controllers they are accessing are Windows 2003, follow the steps below.

I have extrapolated the information contained in the following two KB articles. It is not straightforward, because it relies on setting a custom discretionary access control list (DACL) on each event log, written in Security Descriptor Definition Language (SDDL).

http://support.microsoft.com/kb/323076 plus http://support.microsoft.com/kb/914392

This works for both Domain Controllers and Member servers, so where the steps refer to Default Domain Group Policies, substitute the relevant Group Policy Object.

You will also need a name-to-SID utility to find the SID of the group you are granting access to. Details here:

http://support.microsoft.com/kb/276208

There are others around, both external and internal to Microsoft. The internal one would only be available to you if you raise a Premier Support call as part of your Premier contract, if you have one.

Plus of course there is Windows Sysinternals PsGetSid:

http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx

As per the article, follow the steps below.

Use Group Policy to Set Your Application and System Log Security for a Domain, Site, or Organizational Unit in Active Directory

Important: the Group Policy settings described here do not exist in the Group Policy editor until you register them. Complete steps 1 to 6 on the machine where you run the Group Policy editor, then continue from step 7.

1. Use a text editor such as Notepad to open Sceregvl.inf in the %Windir%\Inf folder.

2. Add the following lines to the [Register Registry Values] section:

MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD,1,%SecCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\Directory Service\CustomSD,1,%DSCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\DNS Server\CustomSD,1,%DNSCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\File Replication Service\CustomSD,1,%FRSCustomSD%,2

3. Add the following lines to the [Strings] section:

AppCustomSD="Eventlog: Security descriptor for Application event log"

SecCustomSD="Eventlog: Security descriptor for Security event log"

SysCustomSD="Eventlog: Security descriptor for System event log"

DSCustomSD="Eventlog: Security descriptor for Directory Service event log"

DNSCustomSD="Eventlog: Security descriptor for DNS Server event log"

FRSCustomSD="Eventlog: Security descriptor for File Replication Service event log"

4. Save the changes you made to Sceregvl.inf, and then run the command regsvr32 scecli.dll.

5. Start Gpedit.msc, and then expand the following branches:

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

6. View the right panel to find the new "Eventlog" settings.

7. Open the relevant Group Policy Object for the member servers or Domain Controllers and navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. Look for the Eventlog settings.

8. Use a name-to-SID utility to find the SID of the group to which you want to give access to the event log.

9. Open "Eventlog: Security descriptor for Application event log" and click "Define this policy setting".

Take the current value from the corresponding registry key on a target server, for example:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Directory Service\CustomSD

etc.

Copy the existing value for each of the event logs (Application, System, Security, etc.) into the respective policy setting and append an ACE for your group of the form (A;;0x3;;;SID-of-the-Group).

Here 0x3 grants read and write. Write is required only if the group needs to write events into the log (for example an application service running under an account in that group). Use 0x1 instead of 0x3 if the group needs only READ access. Do not grant 0x4 (CLEAR) to a non-administrative group: that lets its members wipe the log, which defeats the purpose of keeping it.

10. Run gpupdate on the target servers, or wait for the next policy refresh.

As an FYI, see below for the meaning of each component of the descriptor. Read together, the entries form the default Application log descriptor O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3).

Entry: Meaning
O:BA: Object owner is Built-in Administrators (BA).
G:SY: Primary group is Local System (SY).
D:: Start of the DACL (as opposed to the SACL, which would start with S:).
(D;;0xf0007;;;AN): Deny Anonymous Logon (AN) all access.
(D;;0xf0007;;;BG): Deny Built-in Guests (BG) all access.
(A;;0xf0005;;;SY): Allow Local System READ and CLEAR, plus the standard rights DELETE, READ_CONTROL, WRITE_DAC and WRITE_OWNER (the 0xf0000 bits).
(A;;0x7;;;BA): Allow Built-in Administrators READ, WRITE and CLEAR.
(A;;0x7;;;SO): Allow Server Operators READ, WRITE and CLEAR.
(A;;0x3;;;IU): Allow Interactive Users READ and WRITE.
(A;;0x3;;;SU): Allow Service logon accounts (SU) READ and WRITE.
(A;;0x3;;;S-1-5-3): Allow Batch logon accounts (S-1-5-3) READ and WRITE.

The event-log-specific access mask bits are:
0x0001 ELF_LOGFILE_READ: permission to read the log.
0x0002 ELF_LOGFILE_WRITE: permission to write to the log.
0x0004 ELF_LOGFILE_CLEAR: permission to clear the log.

However, for Windows 2008 life gets much easier

Windows 2008 is much easier as long as you are giving the users and groups in question read access to all event logs. If that is the case, just add them to the built-in Event Log Readers group (SID S-1-5-32-573). Note that this includes the Security log, which is often more than you intended to hand out.

However, if you do not want to give access to ALL event logs you still have to resort to SDDL.

In Windows 2008 the descriptor is no longer set via the CustomSD value in the registry; you set it with the wevtutil utility.

For example, to grant read access to just the System event log on a Windows 2008 server:

1. Open a command prompt and run the following to dump the System log's configuration, including its SDDL, to a text file:

wevtutil gl System > C:\temp\out.txt

2. Open the text file and copy out the channelAccess: entry:

channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)

3. Give your user or group the same rights as Interactive Users (IU), i.e. an ACE with mask 0x1 for read only, by appending it to the string. The SID below is a placeholder; substitute the SID of your group:

O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-3-3127463467463)

Last, we need to apply the new SDDL. Replace O:BAG:XXXX with the full string you created in the previous step:

wevtutil sl System /ca:O:BAG:XXXX

Conversely, you can remove the Event Log Readers group's access to a particular log by deleting the (A;;0x1;;;S-1-5-32-573) entry from that log's SDDL string.
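The following is an added example, not code from the original post or the KB articles. It does the "copy the IU entry and append your SID" step without hand-editing SDDL: it translates a group name to its SID (replacing the separate name-to-SID utility), parses the log's descriptor with the .NET security classes, appends a read-only (0x1) ACE, and then flags any ACE that grants CLEAR or WRITE to a principal you would not expect, since CLEAR lets someone wipe the log and WRITE lets them forge entries. The sample descriptor is the Windows 2008 System log default quoted above; the default principal BUILTIN\Backup Operators is only a placeholder that resolves on any Windows host. Run it with -Apply on Windows 2008 to set the result with wevtutil; on Windows 2003 paste the printed string into the CustomSD policy setting instead.

```powershell
# Added example (not from the original post). Builds a read-only event log ACE
# for a group and audits the resulting descriptor.
# Assumptions: the sample descriptor is the Windows 2008 System log default
# quoted in the post; the default principal is a placeholder. On Windows 2003
# paste the output into the CustomSD Group Policy setting instead of -Apply.
param(
    [string]$LogName   = 'System',
    [string]$Principal = 'BUILTIN\Backup Operators',  # placeholder; a raw SID string also works
    [switch]$Apply                                    # also run "wevtutil sl" with the result
)

$ELF_LOGFILE_READ  = 0x1
$ELF_LOGFILE_WRITE = 0x2
$ELF_LOGFILE_CLEAR = 0x4
# Principals expected to hold CLEAR / WRITE on a server log: SYSTEM, Administrators,
# Server Operators, LOCAL SERVICE, NETWORK SERVICE, WRITE RESTRICTED.
$trustedSids = @('S-1-5-18', 'S-1-5-32-544', 'S-1-5-32-549', 'S-1-5-19', 'S-1-5-20', 'S-1-5-33')

function Get-PrincipalSid {
    # Replaces the separate name-to-SID utility: .NET translates the account name.
    param([string]$Name)
    if ($Name -match '^S-1-\d') { return $Name }
    $acct = New-Object System.Security.Principal.NTAccount($Name)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-ChannelAccess {
    # Reads the live descriptor from "wevtutil gl <log>" (Windows 2008 and later).
    param([string]$Log)
    foreach ($line in (wevtutil gl $Log)) {
        if ($line -match '^\s*channelAccess:\s*(\S+)') { return $Matches[1] }
    }
    throw "no channelAccess line found for log '$Log'"
}

function Add-ReadOnlyAce {
    # Appends (A;;0x1;;;<sid>) unless the SID already has an ACE; returns the new SDDL.
    param([string]$Sddl, [string]$Sid)
    $sd     = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier.Value -eq $sidObj.Value) { return $Sddl }
    }
    $flags = [System.Security.AccessControl.AceFlags]::None
    $allow = [System.Security.AccessControl.AceQualifier]::AccessAllowed
    $ace   = New-Object System.Security.AccessControl.CommonAce($flags, $allow, $ELF_LOGFILE_READ, $sidObj, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Find-RiskyAces {
    # CLEAR lets a principal wipe the log (anti-forensics); WRITE lets it forge entries.
    param([string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceQualifier -ne [System.Security.AccessControl.AceQualifier]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($trustedSids -contains $sid) { continue }
        if ($ace.AccessMask -band $ELF_LOGFILE_CLEAR) {
            "WARNING: $sid can CLEAR the log (mask 0x{0:x})" -f $ace.AccessMask
        } elseif ($ace.AccessMask -band $ELF_LOGFILE_WRITE) {
            "WARNING: $sid can WRITE to the log (mask 0x{0:x})" -f $ace.AccessMask
        }
    }
}

# Windows 2008 System log default, as quoted in the post.
$sampleSddl = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)'

$current = if ($Apply) { Get-ChannelAccess $LogName } else { $sampleSddl }
$newSddl = Add-ReadOnlyAce -Sddl $current -Sid (Get-PrincipalSid $Principal)
"New descriptor for ${LogName}:"
$newSddl
Find-RiskyAces $newSddl
if ($Apply) { wevtutil sl $LogName "/ca:$newSddl" }
```

Without -Apply the script only prints the descriptor it would set, which is what you want to review (and paste into the 2003 policy) before touching a Domain Controller. Run Find-RiskyAces against the existing descriptors of all your logs as well; a stray 0x4 or 0x2 handed to a helpdesk group years ago is exactly the kind of thing that never gets noticed until an incident.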

Women in Technology Microsoft Career Webcast

•April 7, 2010 • Leave a Comment


About the Event

Meet up to 12 different women from Microsoft Services and learn how they are helping our customers succeed. We are holding four webcasts to accommodate four different time zones on the three roles below. We hope you will join the one that works best for you.

The Consultant: Meet new customers. Help them assess their business needs. Design and deliver Microsoft technical solutions that allow them to get the maximum value for their business. Be a technical consultant.
The Technical Account Manager: Support a Microsoft Premier customer. Deliver Microsoft technical solutions that allow them to have the best operational health possible. Be a technical liaison across Microsoft.
The Premier Field Engineer: Active travel to reach many Enterprise customers. Provide proactive and reactive support to the most technically complex and business critical situations. Be the technical expert.

Who should attend

We are looking for women with great technical experience who have a passion for working with customers.  While our event is open to anyone interested in considering roles at Microsoft, our focus on the above three roles is targeted to those individuals with strong technical expertise, 3-5 years in the technology industry, a Computer Science/Engineering degree or equivalent experience. You must have a proven record of delivering business value to customers preferably on the Microsoft platform, technologies, and products.

REGISTER TODAY for the webcast which best fits your region and time zone: http://www.careernomics.com/microsoft1004

Looking for a New Career – How about Premier Field Engineering

•April 7, 2010 • Leave a Comment

Hi Everyone,

I am really excited to tell you that due to our continued success Premier Field Engineering in the U.K. is looking to recruit some more Engineers to join our ranks.

If you are interested in joining a dynamic and exciting team, and working for a great Company, and love working with a wide variety of Enterprise Customers then we are looking for Engineers with experience in the following technologies.

Premier Field Engineers Role
SCOM (System Centre Operations Manager)
SCCM (System Centre Configuration Manager)
Platforms (Application Virtualisation)
Platforms (Active Directory)
SQL

These roles will be posted on our Official U.K. Website over the next week or so, so keep your Eyes peeled. Alternatively you can also contact me direct on janelewi@microsoft.com with your C.V, which I can then forward on to the relevant hiring managers.

Carry out a search for Premier Field Engineer https://careers.microsoft.com/search.aspx?gl=GBR#&&p4=GB&p0=Premier+Field+Engineer&p5=all&p1=all&p2=all&p3=all

Microsoft Desktop Player This has potential !

•April 6, 2010 • Leave a Comment

Apologies for not blogging in recent weeks. I have been tremendously busy, plus working out of the country.

My good friend Justin Zarb showed me this the other day.

Microsoft Desktop Player


This is a great utility that gives you a platform to search for TechNet content. You can either use the online version or download the desktop client version. It is currently in Beta, so not all the features, such as putting in your postcode to find local TechNet events, are available yet outside the USA.


Kevin Remde gives a great explanation of the tool http://blogs.technet.com/kevinremde/archive/2010/04/05/introducing-microsoft-desktop-player-find-technical-content-and-useful-microsoft-resources-easily.aspx

Explaining CLOSE_WAIT

•March 9, 2010 • Leave a Comment

I have been working with a customer recently who has a print server whose spooler was crashing after a third-party service running on it locked up, froze and fell over.

One of the signs that it was about to fall over was seeing lots and lots of CLOSE_WAIT connections when running netstat -an against the server. Example output below (screenshot omitted).

So what do the "State" values actually mean, and what is the significance of CLOSE_WAIT?

Understanding the TCP sequence of steps for socket closing

Closing a TCP connection is a sequence of steps between the two sockets, and you need to understand it to troubleshoot a pile-up and carry out root cause analysis. This is an excellent blog that explains the TCP socket close conversation very well:

http://j2eedebug.blogspot.com/2008/12/difference-between-closewait-and.html

Also see below for the states a socket can be in during that conversation. The KB article below describes them from the server's side; the descriptions here follow RFC 793 and are from the point of view of the local endpoint that netstat is showing you, which is what matters when you are reading netstat on the affected server.

http://support.microsoft.com/kb/137984

State: Description

LISTENING
The server is ready to accept a connection on this port; waiting for a SYN from any remote TCP.

SYN_SENT
A SYN has been sent and the local side is waiting for the matching SYN/ACK; the connection is not open yet.

SYN_RECEIVED
A SYN has been received and a SYN/ACK sent; waiting for the final ACK of the handshake.

ESTABLISHED
The handshake is complete and data can flow in both directions.

FIN_WAIT_1
The local application has called close() and a FIN has been sent; waiting for the remote side either to acknowledge it or to send its own FIN.

FIN_WAIT_2
The local FIN has been acknowledged; waiting for the remote side to send its FIN.

CLOSE_WAIT
The remote side has sent its FIN and the local TCP has acknowledged it, but the local application has not yet called close().

So this essentially means that CLOSE_WAIT is a state where the socket is waiting for the application to execute close().

A socket can remain in CLOSE_WAIT indefinitely until the application closes it; no timer expires it. Faulty scenarios include a file descriptor leak or a server that never calls close() on the socket, leading to a pile-up of CLOSE_WAIT sockets. That is why a growing CLOSE_WAIT count points at the owning process rather than at the network.

LAST_ACK
The local side received the remote FIN, the application has closed and the local FIN has been sent; waiting for the final ACK.

TIME_WAIT
The local side initiated the close and the exchange of FINs is complete; the socket pair is held for twice the maximum segment lifetime (2MSL) so that delayed segments cannot be confused with a new connection. It is no longer usable, but unlike CLOSE_WAIT it does expire on its own.

CLOSED
No connection state at all; the socket has been fully released.
So the explanation for a CLOSE_WAIT situation comes straight from RFC 793, which treats closing as a one-directional (simplex) operation:

"CLOSE is an operation meaning 'I have no more data to send.' ... we have chosen to treat CLOSE in a simplex fashion. The user who CLOSEs may continue to RECEIVE until he is told that the other side has CLOSED also. Thus, a program could initiate several SENDs followed by a CLOSE, and then continue to RECEIVE until signalled that a RECEIVE failed because the other side has CLOSED. We assume that the TCP will signal a user, even if no RECEIVEs are outstanding, that the other side has closed, so the user can terminate his side gracefully. A TCP will reliably deliver all buffers SENT before the connection was CLOSED so a user who expects no data in return need only wait to hear the connection was CLOSED successfully to know that all his data was received at the destination TCP. Users must keep reading connections they close for sending until the TCP says no more data."

In other words, once the peer has closed its half, the local side sits in CLOSE_WAIT until the application itself decides it is done. If the application has lost track of the socket, it never does.
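The following is an added example, not from the original post. It turns the "lots and lots of CLOSE_WAITs" observation into something you can act on: it parses netstat output, summarises connections by state, and groups the CLOSE_WAIT sockets by owning PID, since a pile-up in that state belongs to one process that has stopped calling close(). It reads the -o column of netstat -ano for the PID; the netstat text embedded below is constructed sample data (a print server with a leaking service on port 9100), so swap in the live command on a real box.

```powershell
# Added example (not from the original post): summarise "netstat -ano" output by
# TCP state and find which processes own the CLOSE_WAIT sockets.
# The sample text below is constructed for the example; on a live server use
# $conns = ConvertFrom-Netstat -Lines (netstat -ano)
$sampleNetstat = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       764
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.1.1.5:9100          10.1.1.50:51234        ESTABLISHED     1820
  TCP    10.1.1.5:9100          10.1.1.51:51240        CLOSE_WAIT      1820
  TCP    10.1.1.5:9100          10.1.1.52:51244        CLOSE_WAIT      1820
  TCP    10.1.1.5:9100          10.1.1.53:51250        CLOSE_WAIT      1820
  TCP    10.1.1.5:49160         10.1.1.10:389          TIME_WAIT       0
  TCP    10.1.1.5:49161         10.1.1.10:389          TIME_WAIT       0
  TCP    10.1.1.5:3389          10.1.1.200:50001       CLOSE_WAIT      2412
  UDP    0.0.0.0:123            *:*                                    1040
'@

function ConvertFrom-Netstat {
    # Parse netstat -ano text into objects. UDP rows carry no State and are skipped.
    param([string[]]$Lines)
    $rx = '^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $rx) {
            New-Object PSObject -Property @{
                Local  = $Matches[1]
                Remote = $Matches[2]
                State  = $Matches[3]
                PID    = [int]$Matches[4]
            }
        }
    }
}

function Get-TcpStateSummary {
    # Count of connections per state, noisiest first.
    param([object[]]$Connections)
    $Connections | Group-Object State | Sort-Object Count -Descending |
        Select-Object @{n='State'; e={$_.Name}}, Count
}

function Get-CloseWaitOwners {
    # CLOSE_WAIT means the peer sent FIN and the local process has not called
    # close(); grouping by PID points straight at the leaking process.
    # -ResolveNames looks the PID up with Get-Process (only meaningful on live data).
    param([object[]]$Connections, [int]$Threshold = 1, [switch]$ResolveNames)
    $Connections | Where-Object { $_.State -eq 'CLOSE_WAIT' } |
        Group-Object PID | Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $name = '(not resolved)'
            if ($ResolveNames) {
                $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
                if ($proc) { $name = $proc.ProcessName }
            }
            New-Object PSObject -Property @{
                PID         = [int]$_.Name
                ProcessName = $name
                CloseWait   = $_.Count
                LocalPorts  = ($_.Group | ForEach-Object { $_.Local.Split(':')[-1] } | Sort-Object -Unique) -join ','
            }
        }
}

# Usage against the constructed sample.
$conns = ConvertFrom-Netstat -Lines ($sampleNetstat -split "`r?`n")
Get-TcpStateSummary -Connections $conns | Format-Table -AutoSize
Get-CloseWaitOwners -Connections $conns -Threshold 2 | Format-Table PID, ProcessName, CloseWait, LocalPorts -AutoSize
```

On the sample, the summary shows four CLOSE_WAIT sockets, and the owners table shows three of them belonging to PID 1820 on local port 9100, the pattern you would expect from the third-party service in the story. Run it on a schedule during the run-up to a crash and the PID that keeps climbing is your root cause; TIME_WAIT entries, by contrast, expire on their own and can be ignored here.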

Adjusting Registry Settings

Registry keys that are sometimes adjusted when a server runs short of TCP connections. Be clear about what they do and do not affect: both tune TIME_WAIT and ephemeral-port exhaustion. Neither does anything for CLOSE_WAIT, which has no timer and is released only when the owning process closes the socket or is restarted; the fix for CLOSE_WAIT is in the application, not the registry.

TCP Connection States and Netstat Output: http://support.microsoft.com/kb/137984

http://support.microsoft.com/kb/328476

http://technet.microsoft.com/en-us/library/cc938196.aspx

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

• MaxUserPort

Raises the upper bound of the ephemeral (client) port range, making more ports available. On Windows 2003 the default is 5000 (ports 1025 to 5000); the maximum is 65534.

• TcpTimedWaitDelay

Determines how long a connection stays in the TIME_WAIT state while it is being closed; reducing it from its default of 240 seconds makes ports expire sooner. While a connection is in TIME_WAIT, the socket pair cannot be reused. This is also known as the 2MSL state because the value should be double the maximum segment lifetime on the network. See RFC 793 for more details.

Powershell script to help check WMI setting has been configured

•February 27, 2010 • Leave a Comment

We all know how powerful PowerShell is, so it is great to highlight an example where it was shown to be very effective and really quick at producing a positive result.

Recently I highlighted an issue that affected 2003 Domain Controllers which caused high CPU in WMIprvse.exe, caused by a memory leak in dnsprov.dll.

http://blogs.technet.com/janelewis/archive/2009/12/18/high-cpu-on-wmiprvse-exe-caused-by-memory-leak-dnsprov-dll-windows-2003.aspx

With the customer I work with we implemented the change across the entire estate and wanted to verify whether it had been applied successfully.

One of the guys I was working with had recently attended a Premier workshop on PowerShell and was eager to try PowerShell instead of the VBScript that I had put together.

The PowerShell is below. It checks every domain controller to verify that DNSPROV.DLL is now running in its own isolated wmiprvse.exe host, by reading the HostingModel of the DNS provider's __Win32Provider registration. Note that the WMI query requires admin rights on each DC.

# Bind to the Domain Controllers OU; adjust the LDAP path to your domain
$DCs = [ADSI]'LDAP://OU=Domain Controllers,DC=ABC,DC=DEF,DC=Local'
# Query the DNS WMI provider registration on each DC
$wmi = foreach ($DC in $DCs.psbase.Children) {
    Get-WmiObject -Namespace Root\MicrosoftDNS -Class __Win32Provider -ComputerName $DC.Name
}
# __SERVER shows which DC answered; HostingModel shows whether DnsProv is isolated
$wmi | Format-Table __SERVER, HostingModel -AutoSize

So if you are applying the workaround mentioned in my previous blog, please use this PowerShell to check that it has been applied across your environment. It certainly worked a treat in our case. Plus my customer colleague was pleased as punch that he could immediately apply his knowledge from the course. He now has bragging rights as the resident PowerShell guru :).

Ladies if you are interested in a Career at Microsoft read on

•February 12, 2010 • Leave a Comment


8th of March 2010

HI Everyone,

I have just come back from a busy week in Amsterdam, and my colleague Charna Westerhold has given me some more details about an exciting event I am taking part in. The event is entitled:

No Boundaries Only Unlimited Potential!

International Women’s Day is a global day celebrating the economic, political and social achievements of women past, present and future.

Annually on 8th March, thousands of events are held throughout the world to inspire women and celebrate achievements. A global web of rich and diverse local activity connects women from all around the world ranging from political rallies, business conferences, government activities and networking events.

Microsoft Services will be celebrating International Women’s day by holding an International event to talk about why Diversity and Inclusion is a priority for our business and why here at Microsoft there are no Boundaries only unlimited Potential.


88 countries, 44 languages, the latest technology, and 54 million customer touch points per year.

 

On the 8th March join us to explore a career with no boundaries, only unlimited potential. Learn why Diversity and Inclusion is one of Microsoft's top priorities through online presentations and webcasts. Participate in online chats with company representatives. Times to be announced shortly. To find out more please visit: http://www.careernomics.com/microsoft

Microsoft Services is the consulting, technical support, and customer service arm of the world’s leading software company. The Microsoft Services professional helps customers and partners discover and implement high-value Microsoft solutions that generate rapid, meaningful, and measurable results