Tuesday, December 22, 2015

Explain the magic “300” in DPM.



The 300 is a chosen limit that derives from the number of volumes the Logical Disk Manager (LDM) allows to coexist on a Windows system. We will look at the details in a minute, but first note that DPM needs two volumes per protected data source: one for the replica and one for the recovery point volume. A DPM server at the supported maximum therefore carries at least 600 volumes.

LDM keeps a fixed-size data structure (the LDM database) whose records, which define volumes, occupy at least one 'slot' and sometimes two. In short: 2960 slots are available, each new volume consumes 3 or 4 slots, and every extension of a volume consumes one more. With 300 data sources requiring 600 volumes, the volumes alone consume at least 1800 of the 2960 slots, leaving 1160. Extending all 600 volumes once takes another 600 slots; extending them all twice would need 1200, which no longer fits. In other words, on a maximum configuration you cannot extend every replica and recovery point volume twice. That is unlikely to occur, but the odds increase with DPM 2010, as we will see. With fewer data sources, or fewer volumes that need extending, you can obviously extend more often. At some point 'consolidation' is needed to reclaim slots. How? Create a new volume large enough to hold all the data of an extended volume, move the data, and delete the old volume, which releases all of its extent slots.

Wednesday, December 16, 2015

Get all Monitors and Overrides for a Management Pack

For monitors, you use this command: get-monitor -managementPack name.mp | export-csv filename

For example, this command gets the monitors associated with one of the core Management Packs:
get-monitor -managementPack System.Health.Library.mp | export-csv "C:\monitors.csv"

For overrides: get-override -managementPack name.mp | export-csv filename

For example, this command:
get-override -managementPack Microsoft.SystemCenter.OperationsManager.Internal.mp | export-csv "c:\overrides.csv"

Thursday, December 10, 2015

How to Manage Stored User Names and Passwords in Windows Credential Manager

Start the Credential Manager by opening the Control Panel and navigating to Control Panel > All Control Panel Items > Credential Manager.

Or use

rundll32.exe keymgr.dll,KRShowKeyMgr
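To see the same store without the GUI, the following added example (not part of the original post) parses the output of cmdkey.exe /list, which is built into Windows. It is handy when auditing a server for leftover saved credentials; cmdkey shows targets and user names only, never the passwords. The output format parsed here is the one cmdkey prints on Windows 7 / Server 2008 R2 and later, and the delete target at the end is a placeholder.

```powershell
# Added example: enumerate Credential Manager entries of the current user via cmdkey.exe /list.
# cmdkey prints one block per entry:
#     Target: Domain:target=TERMSRV/server01
#     Type: Domain Password
#     User: CONTOSO\admin
# The parser turns each block into an object with Target, Type and User.

function Get-StoredCredentialSummary {
    $entries = @()
    $current = $null
    foreach ($line in (cmdkey.exe /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            if ($current) { $entries += [pscustomobject]$current }
            $current = [ordered]@{ Target = $Matches[1].Trim(); Type = $null; User = $null }
        }
        elseif ($current -and $line -match '^\s*Type:\s*(.+)$') { $current.Type = $Matches[1].Trim() }
        elseif ($current -and $line -match '^\s*User:\s*(.+)$') { $current.User = $Matches[1].Trim() }
    }
    if ($current) { $entries += [pscustomobject]$current }
    return $entries
}

# Domain Password entries first: those are the ones reusable by anyone running in this user's context
Get-StoredCredentialSummary | Sort-Object Type, Target | Format-Table -AutoSize

# Removing an entry is the same as clicking Remove in the UI; the delete target omits the
# "Domain:target=" prefix shown by /list (placeholder target):
# cmdkey.exe /delete:TERMSRV/server01
```

Run it as the user whose credentials you want to review; Credential Manager is per user, so an elevated prompt under a different account shows a different store.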

Tuesday, December 1, 2015

Upgrade Certification Authority to SHA256

A common question in the field is how to upgrade a certification authority running on Windows Server 2003 to use Cryptography Next Generation (CNG) so that it can sign with SHA256. CNG was introduced in Windows Server 2008, so an operating system upgrade is required. After upgrading the certification authority's operating system, run the following commands from an elevated command prompt:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net stop certsvc
net start certsvc

Make sure the CA is using a Key Storage Provider that supports SHA256 (for example the Microsoft Software Key Storage Provider; a key still held by a legacy CSP has to be migrated to a KSP first), and then renew the certification authority's certificate.

If this proves too complicated, you can simply issue SHA256-signed certificates to clients even if the certification authority's own chain is still signed with SHA1: the CNGHashAlgorithm setting affects what the CA signs from then on, while its own certificate keeps its old algorithm until renewed. The applications consuming the SHA256 certificates have to support the SHA256 signature on any certificate in the chain.
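The following added example (not part of the original post) verifies the outcome of the steps above on the CA itself: it reads the CNGHashAlgorithm value back through certutil, exports the current CA certificate with certutil -ca.cert, and reports the signature algorithm of every certificate in the CA's chain, so you can tell the "issuance is SHA256 but the CA certificate is still SHA1" state apart from a completed upgrade. It assumes it runs elevated on the CA; the export path is a placeholder.

```powershell
# Added example: confirm the CA's configured hash algorithm and the algorithms in its own chain.

function Get-CaConfiguredHashAlgorithm {
    # certutil -getreg prints e.g. "  CNGHashAlgorithm REG_SZ = SHA256"
    $text = (certutil.exe -getreg ca\csp\CNGHashAlgorithm 2>&1) -join "`n"
    if ($text -match 'CNGHashAlgorithm\s+REG_SZ\s*=\s*(\S+)') { return $Matches[1] }
    return $null   # value absent: -setreg not run yet, or the CA still uses a legacy CSP
}

function Get-CaChainSignatureAlgorithms {
    param([string]$ExportPath = "$env:TEMP\ca-current.cer")   # placeholder path
    certutil.exe -ca.cert $ExportPath | Out-Null              # writes the current CA certificate (DER)
    if ($LASTEXITCODE -ne 0) { throw 'certutil -ca.cert failed; is certsvc running?' }
    $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ExportPath
    $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'             # algorithms are what we want, not revocation status
    [void]$chain.Build($caCert)
    foreach ($element in $chain.ChainElements) {              # element 0 is the CA certificate itself
        $c = $element.Certificate
        [pscustomobject]@{
            Subject            = $c.Subject
            SignatureAlgorithm = $c.SignatureAlgorithm.FriendlyName
            NotAfter           = $c.NotAfter
        }
    }
}

$configured = Get-CaConfiguredHashAlgorithm
$chainAlgos = @(Get-CaChainSignatureAlgorithms)
"Configured hash for new issuance: $configured"
$chainAlgos | Format-Table -AutoSize

# The registry value only changes what the CA signs from now on; its own certificate keeps the
# old algorithm until the CA certificate is renewed.
if ($configured -eq 'SHA256' -and $chainAlgos[0].SignatureAlgorithm -match 'sha1') {
    Write-Warning 'CA issues SHA256 certificates but its own certificate is still SHA1-signed; renew the CA certificate to complete the upgrade.'
}
```

For a subordinate CA the table shows the parent CAs as well, which is exactly the chain that relying applications must be able to validate.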

Monday, November 30, 2015

Issue with SCOM agent in forest trust domain (0x80090311)

An agent in a domain that is connected through a forest trust logs the following event:

Event ID : 20057
Failed to initialize security context for target MSOMHSvc/rms_fqdn The error returned is 0x80090311(No authority could be contacted for authentication.).  This error can apply to either the Kerberos or the SChannel package.
And also this one less frequently:

Event ID : 21016
OpsMgr was unable to set up a communications channel to rms_fqdn and there are no failover hosts.  Communication will resume when rms_fqdn is available and communication from this computer is allowed.

If you see these events with code 0x80090311, the trust path is broken and the agents cannot authenticate to the management server.
The most common reason is a firewall.
TCP/UDP 88 (Kerberos) and TCP/UDP 389 (LDAP) must be open from the agent to the domain controllers of the management server's domain.
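The following added example (not part of the original post) checks the firewall half of this from the agent: it locates the domain controllers of the management server's domain through the _ldap._tcp.dc._msdcs SRV record and tests TCP 88 and TCP 389 against each of them. Resolve-DnsName needs Windows 8 / Server 2012 or later; 'mgmt.contoso.com' is a placeholder for the management server's domain. A TCP connect cannot probe the UDP side of the rule, so only TCP is verified here.

```powershell
# Added example: from an agent in the trusting forest, verify DC discovery and TCP 88/389 reachability.

function Test-KerberosLdapPath {
    param(
        [Parameter(Mandatory)][string]$TargetDomain,
        [int[]]$Ports = @(88, 389),
        [int]$TimeoutMs = 3000
    )
    # If this lookup fails the agent cannot even locate a DC in the other forest;
    # fix DNS (conditional forwarders / stub zones) before looking at the firewall.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TargetDomain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { throw "No DC SRV records found for $TargetDomain" }

    foreach ($record in $srv) {
        foreach ($port in $Ports) {
            $client = New-Object System.Net.Sockets.TcpClient
            $open = $false
            try {
                $handle = $client.BeginConnect($record.NameTarget, $port, $null, $null)
                # WaitOne returns false on timeout; Connected is false when the connect was refused
                $open = $handle.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
            } catch { $open = $false }
            finally { $client.Close() }
            [pscustomobject]@{ DomainController = $record.NameTarget; Port = $port; TcpOpen = $open }
        }
    }
}

Test-KerberosLdapPath -TargetDomain 'mgmt.contoso.com' | Format-Table -AutoSize
```

If every row shows TcpOpen = True and event 20057 still reports 0x80090311, the ports are not the problem; look at the trust itself (nltest /sc_verify) and at the MSOMHSvc SPN registration for the management server.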

Wednesday, November 18, 2015

0x109_7_1a0_40000: research into Hyper-V cases

Bugcheck signature: 0x109_7_1a0_40000
Research into Hyper-V cases, and a look at the VMware workaround.
VMware, for example, has a known issue that modifies this MSR.
Our internal security mechanism (the kernel's patch-protection check, which raises bugcheck 0x109, CRITICAL_STRUCTURE_CORRUPTION) detects a change or misalignment in the Model-Specific Registers (MSRs).
What content in the MSR was changed cannot be determined from a dump, because that information is not included in the dump.

Since we have seen similar issues in the past, we assume the hardware/BIOS is not synchronizing the register correctly once the security feature Intel Trusted Execution Technology (TXT) is enabled.

Solution
=======
To enable Processor Compatibility Mode on existing VMs, you need to shut down the VM and change the Processor setting for the VM, selecting the Migrate To A Physical Computer With A Different Processor Version check box, which you’ll find in the Settings dialog box of Hyper-V Manager. 
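The same change, done from the Hyper-V PowerShell module on the host, as an added example that is not part of the original post. Set-VMProcessor rejects the setting while the VM is running, so the function shuts the VM down, applies it and starts the VM again; 'SQL01' is a placeholder VM name.

```powershell
# Added example: enable Processor Compatibility Mode (the "Migrate to a physical computer with a
# different processor version" check box) on one VM, and list the VMs that still lack it.

function Enable-VmProcessorCompatibility {
    param([Parameter(Mandatory)][string]$VMName)
    $vm = Get-VM -Name $VMName -ErrorAction Stop
    $wasRunning = ($vm.State -eq 'Running')
    if ($wasRunning) {
        Stop-VM -Name $VMName -ErrorAction Stop      # graceful guest shutdown; returns when the VM is off
    }
    Set-VMProcessor -VMName $VMName -CompatibilityForMigrationEnabled $true
    if ($wasRunning) { Start-VM -Name $VMName }
    Get-VMProcessor -VMName $VMName | Select-Object VMName, CompatibilityForMigrationEnabled
}

# VMs on this host that do not have compatibility mode yet
Get-VM | Get-VMProcessor |
    Where-Object { -not $_.CompatibilityForMigrationEnabled } |
    Select-Object VMName, CompatibilityForMigrationEnabled

Enable-VmProcessorCompatibility -VMName 'SQL01'
```

Compatibility mode presents a reduced CPU feature set to the guest, so it is a workaround applied per VM, not a fix for the firmware behaviour described above.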

Tuesday, November 3, 2015

Windows updates rollback after reboot and update installation fails Error: Windows failed to install the following update with error 0x800F0922

Cause
=======
CBS Corruption

Resolution
=========
Ran DISM to remove the package Package_for_KB2919355~31bf3856ad364e35~amd64~~6.3.1.14, then:

dism /online /cleanup-image /startcomponentcleanup

dism /online /cleanup-image /restorehealth

Checked the App Readiness service and started it.

Installed the rest of the updates except KB2919355 and rebooted the server.

Ran an sfc scan, then installed KB2919355 successfully.
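The repair sequence above as one elevated PowerShell session with exit-code checks, added here as an example that is not part of the original post. DISM returns 3010 when a restart is pending, so that code is treated as success; the package identity is the one quoted in the post and the log paths are the standard CBS/DISM locations. The script stops where the post reboots and installs the remaining updates.

```powershell
# Added example: run the DISM steps, make sure App Readiness is running, and run sfc, failing fast
# on any unexpected exit code.

function Invoke-Checked {
    param([string]$Label, [string]$Exe, [string[]]$ArgumentList, [switch]$ContinueOnError)
    Write-Host "== $Label"
    $proc = Start-Process -FilePath $Exe -ArgumentList $ArgumentList -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -notin 0, 3010) {
        $msg = "$Label failed (exit $($proc.ExitCode)); check C:\Windows\Logs\CBS\CBS.log and C:\Windows\Logs\DISM\dism.log"
        if ($ContinueOnError) { Write-Warning $msg } else { throw $msg }
    }
    return $proc.ExitCode
}

$package = 'Package_for_KB2919355~31bf3856ad364e35~amd64~~6.3.1.14'

# Removal is allowed to fail: on a box where the package was never staged there is nothing to remove
Invoke-Checked 'Remove the broken KB2919355 package' 'dism.exe' @('/online', '/remove-package', "/packagename:$package") -ContinueOnError
Invoke-Checked 'Component store cleanup'             'dism.exe' @('/online', '/cleanup-image', '/startcomponentcleanup')
Invoke-Checked 'Component store repair'              'dism.exe' @('/online', '/cleanup-image', '/restorehealth')

# App Readiness (service name AppReadiness) must be running before the update is retried
$svc = Get-Service -Name AppReadiness
if ($svc.Status -ne 'Running') {
    Start-Service -Name AppReadiness
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

Invoke-Checked 'System file check' 'sfc.exe' @('/scannow')
Write-Host 'Install the remaining updates except KB2919355, reboot, then install KB2919355.'
```

/restorehealth needs a reachable Windows Update or a /Source path on a disconnected server; otherwise it exits with an error and the script stops there, which is the right place to stop.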

Sunday, November 1, 2015

How to Rejoin a Computer to the Domain without Losing its SID

There are a couple of ways to do this:
  1. In Active Directory Users and Computers, right-click the computer and select Reset Account, then re-join the computer to the domain without un-joining it first. Reboot required.
  2. From an elevated command prompt: dsmod computer "Computer DN" -reset, then re-join without un-joining. Reboot required.
  3. From an elevated command prompt: netdom reset MachineName /Domain:DomainName /UserO:UserName /PasswordO:{Password | *}. The account whose credentials you provide must be a member of the local Administrators group. No rejoin. No reboot.
  4. From an elevated command prompt: nltest /Server:ServerName /SC_Reset:Domain\DomainController. No rejoin. No reboot.
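The PowerShell equivalent of methods 3 and 4, available since Windows 7 / Server 2008 R2, as an added example that is not part of the original post. Test-ComputerSecureChannel validates the machine account's secure channel to a domain controller; with -Repair it resets the machine account password in place, which has the same effect as netdom reset: no unjoin, no reboot, and the computer keeps its SID. Run it elevated on the affected computer; the -Server parameter is optional and plays the role of the DC in the nltest example.

```powershell
# Added example: check the secure channel and repair it only if it is broken.

function Repair-MachineSecureChannel {
    param([string]$Server)   # optional: a specific DC, like /Server: in the nltest example
    $common = @{ Verbose = $true }
    if ($Server) { $common.Server = $Server }

    if (Test-ComputerSecureChannel @common) {
        Write-Host 'Secure channel is healthy; nothing to do.'
        return $true
    }

    # -Repair resets the computer account password in AD; that needs an account allowed to do so
    $cred = Get-Credential -Message 'Account allowed to reset this computer account (e.g. a domain admin)'
    $ok = Test-ComputerSecureChannel -Repair -Credential $cred @common
    if (-not $ok) {
        Write-Warning 'Repair failed; fall back to netdom reset or Reset Account in Active Directory Users and Computers.'
    }
    return $ok
}

Repair-MachineSecureChannel
```

Check the result afterwards with nltest /sc_query:DomainName; it should report the DC the new secure channel was established with.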

Wednesday, October 21, 2015

Windows 10 on WSUS Shows as Windows Vista

Please see the comment below from Michael regarding hotfix 3095113, which resolves this issue.

The changes you need to add to the SQL cmd file are:

UPDATE [SUSDB].[dbo].[tbComputerTargetDetail]
SET [OSDescription] = 'Windows 10'
WHERE [OSMajorVersion] = '10'
AND [OSMinorVersion] = '0'
AND [OldProductType] = '1'
AND ([OSDescription] <> 'Windows 10' or [OSDescription] IS NULL)


Tuesday, October 20, 2015

Delegate Moving User, Group and Computer Accounts Between Organizational Units in Active Directory

http://social.technet.microsoft.com/wiki/contents/articles/20747.delegate-moving-user-group-and-computer-accounts-between-organizational-units-in-active-directory.aspx

Permissions to delegate, per object type (Organizational Unit / Permission tab / Apply to / Permission):

User
  Source OU       / Object     / This object and all descendant objects / Delete User objects
  Source OU       / Properties / Descendant User objects                / Write Distinguished Name
  Source OU       / Properties / Descendant User objects                / Write name
  Source OU       / Properties / Descendant User objects                / Write Name
  Destination OU  / Object     / This object and all descendant objects / Create User objects

Group
  Source OU       / Object     / This object and all descendant objects / Delete Group objects
  Source OU       / Properties / Descendant Group objects               / Write Distinguished Name
  Source OU       / Properties / Descendant Group objects               / Write name
  Source OU       / Properties / Descendant Group objects               / Write Name
  Destination OU  / Object     / This object and all descendant objects / Create Group objects

Computer
  Source OU       / Object     / This object and all descendant objects / Delete Computer objects
  Source OU       / Properties / Descendant Computer objects            / Write Distinguished Name
  Source OU       / Properties / Descendant Computer objects            / Write name
  Source OU       / Properties / Descendant Computer objects            / Write Name
  Destination OU  / Object     / This object and all descendant objects / Create Computer objects
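The same delegation applied with dsacls.exe instead of the ACL editor, as an added example that is not part of the linked article. The ACL-editor labels map to attributes as follows (my mapping; verify it against the Properties tab afterwards): "Write Distinguished Name" = distinguishedName, "Write name" = name, "Write Name" = cn. In dsacls, /I:T means this object and all descendants and /I:S means descendant objects only; DC and CC are Delete child and Create child of the named class, WP is Write property. Group and OU names are placeholders; run elevated as an account that may modify the OUs' ACLs.

```powershell
# Added example: grant the move delegation from the table above with dsacls, one object class at a time.

function Grant-MoveDelegation {
    param(
        [Parameter(Mandatory)][string]$Group,            # e.g. 'CONTOSO\OU-Movers'
        [Parameter(Mandatory)][string]$SourceOU,         # e.g. 'OU=Staging,DC=contoso,DC=com'
        [Parameter(Mandatory)][string]$DestinationOU,    # e.g. 'OU=Production,DC=contoso,DC=com'
        [ValidateSet('user', 'group', 'computer')][string]$ObjectClass = 'user'
    )
    $grants = @(
        # Source OU, Object tab, "This object and all descendant objects": Delete <class> objects
        @($SourceOU, '/I:T', '/G', "${Group}:DC;$ObjectClass"),
        # Source OU, Properties tab, "Descendant <class> objects": the three write permissions a move needs
        @($SourceOU, '/I:S', '/G', "${Group}:WP;distinguishedName;$ObjectClass"),
        @($SourceOU, '/I:S', '/G', "${Group}:WP;name;$ObjectClass"),
        @($SourceOU, '/I:S', '/G', "${Group}:WP;cn;$ObjectClass"),
        # Destination OU, Object tab, "This object and all descendant objects": Create <class> objects
        @($DestinationOU, '/I:T', '/G', "${Group}:CC;$ObjectClass")
    )
    foreach ($argList in $grants) {
        Write-Host "dsacls $($argList -join ' ')"
        & dsacls.exe @argList | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE for: $($argList -join ' ')" }
    }
}

foreach ($class in 'user', 'group', 'computer') {
    Grant-MoveDelegation -Group 'CONTOSO\OU-Movers' -SourceOU 'OU=Staging,DC=contoso,DC=com' `
                         -DestinationOU 'OU=Production,DC=contoso,DC=com' -ObjectClass $class
}
```

Review the resulting ACL with dsacls "OU=Staging,DC=contoso,DC=com" and test with a member of the group: moving an object between the two OUs should work, while moving it anywhere else should still be denied.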

Thursday, October 15, 2015

RunbookTester.config

To start the Runbook Designer as another user, click Start > All Programs > Microsoft System Center 2012 > Orchestrator, then hold down the SHIFT key and right click on Runbook Designer. Select Run as different user. Enter the account credentials of the other user, and Runbook Designer launches. You can then go to the runbook you want to test and then click Runbook Tester.
Note: the alternate user must have rights in the Runbook Designer to see the runbook and must be a member of the Orchestrator Users group in order for the runbook to load in the Runbook Tester.
You can verify that this account is being used to open and test the runbook by going to the following directory:
C:\Users\<ACCOUNT_NAME>\AppData\Local\Microsoft System Center 2012\Orchestrator
In there you should see an XML file that represents the runbook being edited, and a file named RunbookTester.config that shows that Runbook tester is being opened in that user context.

"Access Denied" in Runbook Designer when connecting to the Orchestrator

To add additional users and/or security groups to be authorized for remote access, launch and activation of the omanagement DCOM Server, follow the instructions below:
  1. On the System Center Orchestrator Management Server, launch dcomcnfg to open up the Component Services applet.
  2. Expand Component Services, then Computers, then My Computer.
  3. Right-click My Computer, then click Properties.
  4. Click the COM Security tab.
  5. Under Access Permissions, click Edit Limits.
  6. Click Add then enter details of the desired local or Active Directory based security group and click OK.
  7. Click the new entry and then select the Allow checkbox for each permission then click OK.
  8. Under Launch and Activation Permissions, click Edit Limits.
  9. Click Add then enter details of the desired local or Active Directory based security group and click OK.
  10. Click the new entry and then select the Allow checkbox for each permission then click OK.
  11. Click OK to close the My Computer Properties dialog.
  12. Expand My Computer, then click DCOM Config.
  13. Locate omanagement, then right-click and choose Properties.
  14. Click the Security tab.
  15. Under Launch and Activation Permissions, click Edit.
  16. Click Add then enter details of the desired local or Active Directory based security group and click OK.
  17. Click the new entry and then select the Allow checkbox for each permission then click OK.
  18. Under Access Permissions, click Edit.
  19. Click Add then enter details of the desired local or Active Directory based security group and click OK.
  20. Click the new entry and then select the Allow checkbox for each permission then click OK.
  21. Click OK to save the changes.
  22. Close the Component Services applet.
  23. Open a Command Prompt.
  24. Type sc stop omanagement and press Enter.
  25. Type sc start omanagement and press Enter.
Once the Orchestrator Management Service (omanagement) is restarted, direct users and members of security groups that were added will now be able to successfully connect to the System Center Orchestrator Management Server using the Runbook Designer.

SCOM 2012 - The SDK service still used old database server which was defined in registry.

Symptom
After we upgraded SCOM to 2012 R2 and moved to a new operations database server, the console failed to connect to the Data Access Service. We found that the Data Access Service stopped shortly after it was started automatically.

Cause
The SDK (Data Access) service was still using the old database server, which was defined in the registry.

Resolution
1. Update the Reporting (SCOM DW) settings in the registry on the management servers so they point at the new SCOM DW server:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Reporting\

2. Update the registry key HKLM\Software\Microsoft\System Center\2010\Common\Database to use the new server name and database name.
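The two registry locations above read, changed and picked up by a restart of the Data Access Service (service name OMSDK), as an added example that is not part of the original post. The value names (DatabaseServerName/DatabaseName and DWDBInstance/DWDBName) are the ones present on a 2012 R2 management server; confirm them with Show-ScomDbConfig before changing anything. 'NEWSQL\INST01' and 'NEWDWSQL' are placeholders; run elevated on every management server.

```powershell
# Added example: show and update the SCOM database pointers in the registry, then restart OMSDK.

$dbKey = 'HKLM:\SOFTWARE\Microsoft\System Center\2010\Common\Database'
$dwKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Reporting'

function Show-ScomDbConfig {
    $db = Get-ItemProperty -Path $dbKey
    $dw = Get-ItemProperty -Path $dwKey
    [pscustomobject]@{
        OpsDbServer = $db.DatabaseServerName
        OpsDbName   = $db.DatabaseName
        DwServer    = $dw.DWDBInstance
        DwName      = $dw.DWDBName
    }
}

function Set-ScomDbConfig {
    param([string]$OpsDbServer, [string]$DwServer)
    Write-Host 'Before:'; Show-ScomDbConfig | Format-List     # keep a record of the old values
    Stop-Service -Name OMSDK -ErrorAction Stop               # System Center Data Access Service
    if ($OpsDbServer) { Set-ItemProperty -Path $dbKey -Name DatabaseServerName -Value $OpsDbServer }
    if ($DwServer)    { Set-ItemProperty -Path $dwKey -Name DWDBInstance       -Value $DwServer }
    Start-Service -Name OMSDK
    Write-Host 'After:';  Show-ScomDbConfig | Format-List
}

Set-ScomDbConfig -OpsDbServer 'NEWSQL\INST01' -DwServer 'NEWDWSQL'
```

The registry is not the only place the data warehouse location lives: the OperationsManager database also stores it (table dbo.MT_Microsoft$SystemCenter$DataWarehouse), so a DW move needs that side updated as well, not just the Reporting key.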

Monday, October 5, 2015

Getting Heartbeat failure Alerts for Unix Agents

Cause
Unix non-Privileged account didn't have the Unix account 

Resolution
1) Verified the configuration and collected the information related to the issue.
2) Found that KB 2585542 was installed on the RMS, which breaks WinRM communication.
3) Also found that the registry workaround from KB 2643584 had been applied.

Wednesday, September 30, 2015

SCOM - How to purge old data?

USE [OperationsManager]
DECLARE @rowcount int
DECLARE @Err int
DECLARE @GroomingThresholdUTC datetime
SET @GroomingThresholdUTC = getutcdate()
EXEC @Err = dbo.p_DiscoveryDataPurgingByTypedManagedEntity @GroomingThresholdUTC,250, 0
EXEC @Err = dbo.p_DiscoveryDataPurgingByRelationship @GroomingThresholdUTC,250, 0

EXEC @Err = dbo.p_DiscoveryDataPurgingByBaseManagedEntity @GroomingThresholdUTC,250, 0

Wednesday, September 23, 2015

VMware VM unable to access \\server\J$

Cause
This is a known issue on VMware virtual machines, caused by VMware's HotPlug/HotAdd capability.
Resolution
To resolve the issue, follow the steps in the VMware article below:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012225 

Check the default data set retention date setting in DW.

USE OperationsManagerDW

SELECT DataSetDefaultName,
AggregationTypeId,
MaxDataAgeDays
FROM StandardDatasetAggregation sda
INNER JOIN dataset ds on ds.datasetid = sda.datasetid
ORDER BY DataSetDefaultName

Wednesday, September 16, 2015

Thursday, September 10, 2015

Active Directory Management Pack possible errors

The problem is that the AD attribute fSMORoleOwner on the Infrastructure container (the infrastructure master for that partition) still points to an old, deleted DC.


-------fixfsmo.vbs------------------
' Resets fSMORoleOwner on the Infrastructure container of an application partition (NDNC)
' when it still points at a deleted domain controller.
const ADS_NAME_INITTYPE_GC = 3
const ADS_NAME_TYPE_1779 = 1
const ADS_NAME_TYPE_CANONICAL = 2

NdncDN = ""
set inArgs = WScript.Arguments

if (inArgs.Count = 1) then
    ' Assume the command line argument is the NDNC (in DN form) to use.
    NdncDN = inArgs(0)
Else
    Wscript.StdOut.WriteLine "usage: cscript fixfsmo.vbs NdncDN"
    WScript.Quit 1
End if

if (NdncDN <> "") then

    ' Convert the DN form of the NDNC into DNS dotted form (canonical form ends with "/", strip it).
    Set objTranslator = CreateObject("NameTranslate")
    objTranslator.Init ADS_NAME_INITTYPE_GC, ""
    objTranslator.Set ADS_NAME_TYPE_1779, NdncDN
    strDomainDNS = objTranslator.Get(ADS_NAME_TYPE_CANONICAL)
    strDomainDNS = Left(strDomainDNS, len(strDomainDNS)-1)

    Wscript.Echo "DNS name: " & strDomainDNS

    ' Find a domain controller that hosts this NDNC and that is online.
    set objRootDSE = GetObject("LDAP://" & strDomainDNS & "/RootDSE")
    strDnsHostName = objRootDSE.Get("dnsHostName")
    strDsServiceName = objRootDSE.Get("dsServiceName")
    Wscript.Echo "Using DC " & strDnsHostName

    ' Get the current infrastructure FSMO holder.
    strInfraDN = "CN=Infrastructure," & NdncDN
    set objInfra = GetObject("LDAP://" & strInfraDN)
    Wscript.Echo "infra fsmo is " & objInfra.fsmoroleowner

    ' If the current FSMO holder is a deleted object (its DN carries the \0ADEL: marker),
    ' set the FSMO holder to the NTDS Settings object of the DC we are talking to.
    if (InStr(objInfra.fsmoroleowner, "\0ADEL:") > 0) then

        objInfra.Put "fSMORoleOwner",  strDsServiceName
        objInfra.SetInfo

        ' Read the FSMO holder back.
        set objInfra = GetObject("LDAP://" & strInfraDN)
        Wscript.Echo "infra fsmo changed to:" & objInfra.fsmoroleowner

    End if

End if
 
Copy this VB Script into a file and execute this with the following parameter.
 
  • cscript fixfsmo.vbs DC=DomainDnsZones,DC=contoso,DC=com
  • cscript fixfsmo.vbs DC=ForestDnsZones,DC=contoso,DC=com
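A read-only check for the same condition in PowerShell, as an added example that is not part of the original post: it walks every naming context from RootDSE, reads fSMORoleOwner on each partition's CN=Infrastructure container and flags values that point at a deleted NTDS Settings object (the DN contains the \0ADEL: marker). It needs the ActiveDirectory module (RSAT) and a DC that hosts the DnsZones partitions, which any DNS-hosting DC of the domain does.

```powershell
# Added example: report which partitions' infrastructure FSMO owner is a deleted object.

Import-Module ActiveDirectory

function Get-InfrastructureFsmoHealth {
    $rootDse = Get-ADRootDSE
    foreach ($nc in $rootDse.namingContexts) {
        # Schema and Configuration partitions have no Infrastructure container
        if ($nc -like 'CN=Schema,*' -or $nc -like 'CN=Configuration,*') { continue }
        try {
            $infra = Get-ADObject -Identity "CN=Infrastructure,$nc" -Properties fSMORoleOwner -ErrorAction Stop
        } catch {
            Write-Warning "No Infrastructure container readable under $nc ($($_.Exception.Message))"
            continue
        }
        [pscustomobject]@{
            Partition    = $nc
            RoleOwner    = $infra.fSMORoleOwner
            OwnerDeleted = ($infra.fSMORoleOwner -like '*\0ADEL:*')   # -like treats the backslash literally
        }
    }
}

Get-InfrastructureFsmoHealth | Format-Table -AutoSize
```

A row with OwnerDeleted = True is a partition to pass to fixfsmo.vbs; the domain partition's own row should normally point at the NTDS Settings object of the DC that netdom query fsmo reports as infrastructure master.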

SCCM versions

Build numbers by release and cumulative update (CM16: no builds listed):

Release            RTM            CU1            CU2            CU3            CU4            CU5
CM07 SP2           4.0.6487.2000
CM12 RTM           5.0.7711.0000  5.0.7711.0200  5.0.7711.301
CM12 SP1           5.0.7804.1000  5.0.7804.1202  5.0.7804.1300  5.0.7804.1400  5.0.7804.1500  5.0.7804.1600
CM12 R2            5.0.7958.1000  5.0.7958.1203  5.0.7958.1303  5.0.7958.1401  5.0.7958.1501  5.0.7958.1604
CM12 SP2/R2 SP1    5.0.8239.1000  5.0.8239.1203
CM16

CU KBs

Release            CU1            CU2            CU3            CU4            CU5
CM12 RTM           KB2717295      KB2780664
CM12 SP1           KB2817245      KB2854009      KB2882125      KB2922875      KB2978017
CM12 R2            KB2938441      KB2970177      KB2994331      KB3026739      KB3054451
CM12 SP2/R2 SP1    KB3074857