[ Teknoglot ]

If you are looking into replacing an (or just switching to another primary) Operations Manager 2007 Gateway Server for any reason, there’s a little more to consider than just right-clicking the clients and selecting “Change Primary Management Server” in the Operations Console.
You could end up with agents not being able to connect to the Management Group at all due to a small problem with the order in which Operations Manager do things.

Here’s basically what happens:

• You tell Operations Manager to change Primary Management Server for AGENTX from GW1 to GW2.
• The SDK Service (i guess) tells GW1 that “You’re no longer the Primary Management Server for AGENTX”
• GW1 acknowledges this and stops talking to AGENTX. And I mean Completely stops talking to AGENTX.
• OpsMgr then tells GW2 to start accepting communication from AGENTX.
• OpsMgr tries to tell AGENTX that it should talk to GW2 since GW1 won’t listen.

Spotted the problem?
This modus operandi probably works when agents are on the same network and in the same domain where fail-over is sort of automatic. The problem we are facing now is that the server are telling the Gateway to stop accepting communications to and from the agent before the agent is notified that there is a new Gateway server to talk to. The agent will continue to talk to GW1 but will be completely ignored and you will probably start seeing events in the Operations Manager eventlog on GW1 with EventID 20000.

How do I get around this little feature then?

No matter if you found this article after running into the mentioned troubles or if you are googling ahead of time to be prepared, the fix is the same and consists of a few powershell scripts. These scripts are out there allready, but in different contexts, hence this post.

First step: Install the new Gateway

Documentation on this from Microsoft is good enough, but here’s the short version.

1. Verify name resolution to and from Gateway server and Management Server
2. Create certificate for the Gateway server
3. Approve the Gateway server
4. Install Gateway server
5. Import certificates on Windows system
6. Run MOMCertImport.exe on Gateway server to add the certificate into Gateway server configuration
7. Wait

The wait is for the gateway server to get all needed configuration from RMS and to download all neccesary management packs, run all the discovery scripts and so on. When the Operations Manager event log has calmed down a bit, move to step two.

Second step: Configure Agent Failover

Connect to an Operations Manager Command Shell. Any will do, as long as it’s connected to the correct Management Group.
Then run the following script:

$primaryGW= Get-ManagementServer | where {$_.Name -eq 'GW2.domain.local'}
$failoverGw = Get-ManagementServer | where {$_.Name -eq 'GW1.domain.local'}
$agents = Get-Agent | where {$_.primarymanagementservername -eq 'GW1.domain.local'}
Set-ManagementServer -AgentManagedComputer: $agents -PrimaryManagementServer: $primaryGW -FailoverServer: $failoverGw

Remember to change “GW1.domain.local” to you OLD Gateway servername and “GW2.domain.local” to your NEW Gateway servername.
If you don’t know powershell, this script basically configures all agents using the old Gateway to use the new one as primare, but keep the old one as a fail-over server. The Gateways will still get to know the changes before the agents, but since the old on is still listening to the agents (though, as the fail-over host) it will be able to tell them to go to the new one, GW2.

Ok, so I reinstalled my linux partition with Ubuntu 9.04 x64 and decided to try EXT4 on the root partition. Like, yesterday.
Managed to get the Citrix client running (way more easy on Ubuntu than Fedora, I’ll be back on that) and all without too much fuzz.

First reboot gave me a “let’s FSCK!”. So I FSCK-ed and booted up to the desktop.

Second reboot gave me a “let’s FSCK!”. And I did. Booted to the desktop.

Third boot went smoothly, but all of a sudden all the icons decided to go AWOL. Rebooted again.

Fourth boot gave me a “let’s FSCK!”. I replied with “Well FSCK You!”

Fifth boot gave me a “let’s FSCK!”. I rebooted back to Windows 7.

Tonight I am reinstalling Ubuntu 9.04 x64 with EXT3.

Just wanted to raise a word of caution about the TCP Port Check in Operations Manager 2007.

Some customers have notices the the system-logs on some Unix machines are completely swamped with “connection error”, “TCP Connect failed”, “TCP Session Lost” and similar and after a bit och research the problematic servers were narrowed down to those monitored by Operations Manager. Specifically, those who are targeted by a TCP Port Check.

It would seem like the TCP-connection never fully initializes on the target server. Kind of like knocking on your neighbours door and then hiding. Then when the door opens, no one is there.

Maybe there’s a setting somewhere to modify how “deep” a Port Check should go before closing. Perhaps fully initializing and then sending a proper “Close” instead of just cutting the connection. In a few extreme cases we have noticed that the target server even goes so far as to start a session, but never ending it since there’s no closure and finally having no sessions to spare for the real users. But on most servers it’s just an annoyance since the “real” errors is very hard to be found in all the connection related logs.

Anyway. Just a good thing to keep in mind when running TCP Port Checks from Operations Manager 2007. Keep an eye on the logs when implementing the port checks.

I get this question every now and then and every time I find myself completely flabbergasted and having to look things up once again. To avoid wasting my time on the same question once again and perhaps help others doing the same, here’s a little guidance.

Don’t get me wrong now.
SQL Express has it’s applications and for a free database server, it’s not half-bad. Small development sites, minor, not that extremely important systems with lower performance and feature demands, minor website databases et cetera could do well with SQL Express.

Here’s my list of questions you have to ask to find if SQL Express is the correct choice.

1. Do your applications support SQL Express?
   If your application developers cannot say “Yes” to this, you’re out of luck. You could probably get their applications to run on SQL Express anyway, but application support if something goes bad will most likely be zilch.
2. Do your applications fit the hardware limitations?
   SQL Express is limited to 1GB RAM, 1 CPU and 4GB of databases. 1GB of RAM seems a bit tight to me for any production data. Also, on SQL Express 2005, according to Microsoft, you cannot run parallel queries.
   ”SQL Server Express can install and run on multiprocessor machines, but only a single CPU is used at any time. Internally, the engine limits the number of user scheduler threads to 1 so that only 1 CPU is used at a time. Features such as parallel query execution are not supported because of the single CPU limit.”
   If this is still true on SQL Express 2008, I don’t know and I haven’t found any information about it (yet).
   When answering this question, remember to calculate expected growth and possibly new databases/applications too.
3. Do your applications use database replication?
   If, so. Do the new server need to act as a publisher? If, yes, then you’re out of luck. SQL Express do handle database replication, but only as a subscriber. If you need to publish data, then you need a “bigger” SQL Edition.
4. Do you need Database Mail?
   SQL Express does not have Database Mail. You have to find other ways to code your notifications. This question has raised counter-questions from customers as to “What would I need Database Mail for?”. It is, evidently a feature not used by many. Personally, I find it useful. Clay McDonald has a nice blog-post on how to make SQL-triggers send mail on, for instance, inserts into a table using Database Mail. You could of course have it send mail on deletions as well. In my mind, this might come in handy in user-databases in CRM- or HR-systems. Every time an employee gets deleted from the database, the HR-admin could receive a notification.
5. Do you need the SQL Agent?
   Perhaps not. Maybe you feel comfortable with scheduling your database backups using the windows scheduler and homebrew scripts. Just make sure your monitoring software (or IT-personnel) discover when the script fails. An increasing amount of applications require the SQL Agent to schedule and monitor recurring tasks, like Microsoft’s App-V. Without the SQL Agent, the databases would grow ad infinitum. How about index maintenance? This is also possible to go by using your own scripts and the windows scheduler. SQL Express can do most maintenance tasks you would need using scripts and T-SQL. The SQL Agent just makes it simpler and more manageable. Once again, double-check this with the application developer.
6. Do you application use SSIS/DTS-jobs?
   This is not included in SQL Express. Maybe there’s a work-around, but I haven’t found it and I doubt it is supported by anyone.
7. Do you need to be able to troubleshoot performance problems?
   You can do this on SQL Express with a great deal of knowledge and timers. The SQL-profiler, the Performance Data Collection and the Database Tuning Advisor makes it easier. Specifically, the SQL-profiler comes in really handy when you suspect the application (not the system) to be the bad guy since you can trace the queries and pin-point where the performance-hit resides. Using the SQL-profiler I have been able to optimise indexes to and thus making database servers go from a 98% CPU Load to 3% CPU Load. I have also been able to pin-point specific queries and use them as “evidence” that the problem is bad/sloppy code rather than problems with the database server. Also, using the SQL-profiler.

There’s more, of course, but these point are the most common pit-falls in my experience. As you can see, there’s three “do you need”-questions  and there are highly optional. Far from everyone use them and often because of lacking SQL Server knowledge. You don’t know what you can do. Still, the most important question is #1. Is SQL Express a supported database server for your applications. Hopefully, the developer knows the answer to this directly. No maybe’s. Yes or No.

Personally, I find that If you need a database server for production data, don’t go for SQL Express. Many customers have gone that way because “it’s free!” just to find themselves in the midst of a SQL Server upgrade and database migration a year later.

The MSMQ Management Pack seems to have a few problems with it’s discovery script that can lead to the following error showing up in the logs:

The process started at 13:34:40 failed to create System.Discovery.Data. Errors found in output:

C:\Program Files\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files 49\9788\DiscoverQueues.vbs(107, 4) Microsoft VBScript runtime error: Subscript out of range: '[number: 0]'

Command executed: "C:\WINDOWS\system32\cscript.exe" /nologo "DiscoverQueues.vbs" {615D37C9-477D-62E2-0833-6ECBF0E89A87} {A176AC83-CC31-01C3-5DE9-E2DFF64E7CC7} "MASKED.server.fqdn" "MSMQ" "true" "true" "False" "false"
Working Directory: C:\Program Files\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files 49\9788\

One or more workflows were affected by this.

Workflow name: Microsoft.MSMQ.2003.DiscoverQueues

Instance name: MASKED.server.fqdn

Instance ID: {A176AC83-CC31-01C3-5DE9-E2DFF64E7CC7}

Management group: MASKED

This seems to be related to the discovery of public queues on some servers that has none. One quick fix, or rather work-around, is to override the discovery on these servers to set DiscoverPublic to False.

Well, I wouldn’t really call this a fix and I don’t really know if I’ve got all facts for a decent how-too but this little manoeuvre helped me getting sound from the internal speakers on my Lenovo T61 in Fedora 11. Yah, that’s AMD64/x64 by the way.

I found out after a bit of googling that sound really is working, but only when using the head-phone jack. So i tried it out and much to my amusement it was true. This means that the sound-card has been discovered and enabled.

Anyway. Opening a terminal and running alsamixer -c0 will enable you to turn on the internal speakers.
In the mixer, step right until you get to “speaker” and you might find that it is muted by the MM above it. Press M and it will turn to 00. Now check your master volume and start enjoying the sound… i hope.
If this doesn’t work, you probably need to apply some patches and stuff found by… eh… google.

Good luck!

Don’t know how I missed this when writing the last post, but Microsoft released the MP for Windows Server 2008 NLB yesterday (28/4 -09). This is the initial release for Win2k8 NLB so I guess we just have to try it out then.

Quick Details

Feature Summary

• Monitor the NLB Node status.
• Based on the status of individual cluster nodes, determine the overall state of the cluster.
• Where an integration management pack exists, determine the health state of a cluster node by looking at the health state of the load balanced application, such as IIS.
• Alert on errors and warnings that are reported by the NLB driver, such as an incorrectly configured NLB cluster.
• Take the node out of the NLB cluster if the underlying load-balanced application becomes unhealthy, and add the node back to the cluster when the application becomes healthy again.

Requires OpsMgr 2007 SP1 or later, the Base Operating System MP for 2008, the QFEs for Windows Server 2008 and that you are not running the converted 2003 NLB MP. If you are running the old converted NLB MP, upgrade first. As an additional recommendation, Microsoft recommends in the MP Guide that you install the QFE for wmiprvse.exe problems on Windows Server 2008.

No support for Mixed-mode (2008 and 2003) clusters though.

I have seen this error popping up every now and then at multiple customer sites and haven’t really been able to solve it yet. It does not look like I am alone either.
The error message usually looks like this:

Error doing IIS Discovery

Error: 0x80070002
Details: The system cannot find the file specified.

One or more workflows were affected by this. 

Workflow name: Microsoft.Windows.InternetInformationServices.2003.DiscoverBase
Instance name: Microsoft.Windows.InternetInformationServices.2003.ServerRole
Instance ID: {A81E4808-4D05-9BFE-4043-DC668527F2D0}
Management group: MASKED

Or…

Error doing IIS Discovery

Error: 0x80070006
Details: The handle is invalid.

One or more workflows were affected by this. 

Workflow name: Microsoft.Windows.InternetInformationServices.2000.DiscoverWebSites26to50
Instance name: IIS Web Server
Instance ID: {D36DA76A-027F-8F3E-4160-115279A1E23A}
Management group: MASKED

I have been trying to figure out what file is missing and/or if the “invalid handle” is related. Possibly a file-handle? Could be but not neccesary since these two errors occur on different servers with increasing repeat-count (atleast once-a-day). The IIS MP does call the IIS*.VBS Scripts in %windir%\System32 but as far as I can tell, on the systems I have tried it on, the scritps return valid data. This does by no means mean that there is no error and evidently I am missing something. But what? Does anyone have a clue to this?

References and other victims:

• “Error Doing IIS Discovery” on Google
• “SCOM: IIS Discovery Probe Module Failed Execution” on Codejnki’s Blog
• “Error doing IIS Discovery Error: 0×80070006″ on TechNet Forums
• “IIS Discovery Probe Module Execution Failure” on Digital Support Forum
• “IIS Discovery Probe Module Execution Failure” on EggHeadCafe
• “IISDiscoveryProbe Error – any ideas?” on Microsoft Discusson Groups

And no, neither of these provides even a hint to a working solution.

Last friday, 24/4 -09,  Microsoft released an updated Management Pack for MSMQ 3.0.

Quick Details

Release History

• 6/3/2008 – Initial Release, version 6.0.6278.23. Refer to the MP guide for further details.
• 4/24/2009 – Undated release, version 6.0.6587.0. Refer to the MP guide for further details.

The MP Guide does not really say much about what’s updated and I don’t know how much more than the reporting they have fixed. I can just state the fact that support for clustered MSMQ 3 instances is still missing.

Here’s my summary of the problems with the NetworkAdapterCheck.vbs script in the Windows Server 2000 Operating System Management Pack för Operations Manager 2007 that is causing the failed to create System.PropertyBagData error i wrote about earlier.
This information in also available on https://connect.microsoft.com/feedback/ViewFeedback.aspx?FeedbackID=432627&SiteID=446

Symptoms

This “research” comes from getting an obscene amounts of Script or Executable Failed to run in the Operations Console. Each time it was the NetworkAdapterCheck.vbs script that could not create PropertyBagData. The error message copied from one of the alerts looks like this:

The process started at 14:29:26 failed to create System.PropertyBagData, no errors detected in the output. The process exited with 0

Command executed: "C:WINNTsystem32cscript.exe" /nologo "NetworkAdapterCheck.vbs" MASKEDCOMPUTERNAME 0 false true false
Working Directory: C:Program FilesSystem Center Operations Manager 2007Health Service StateMonitoring Host Temporary Files 2882781

One or more workflows were affected by this.

Workflow name: Microsoft.Windows.Server.2000.NetworkAdapter.NetworkAdapterConnectionHealth
Instance name: 0
Instance ID: {F4C478D3-38E5-8C29-3957-E3B7F486216E}
Management group: MASKED

This error repeats almost as often as the script is scheduled to run and appears on almost every Windows 2000 server.

Read more…