DefinIT Because if IT were easy, everyone would do it…


VCP5 – vSphere 5 Configuration Maximums Quiz in PowerShell

Posted by Sam McGeown

I've been learning my vSphere 5 config maximums before my upcoming VCP5 exam, so in a supreme effort of procrastination I thought I'd write a PowerShell quiz script: here it is!

Save the QuizMe.ps1 file into a folder, then place one or more text files containing a comma-delimited set of questions and answers in the same folder. Then run QuizMe.ps1!


PowerShell: Recursively taking ownership of files and folders and adding permissions without removing existing permissions

Posted by Sam McGeown

This is every file server admin's nightmare: hundreds of shares, thousands of folders, hundreds of thousands of files - and custom or non-inherited rights on many of them. Terabytes of data that need auditing - e.g. to find customer data, or credit card information. How do you go about accessing all the data in all the trees? What about backups failing because someone removed the System account? Of course you can seize control of the folder by taking ownership and pushing down from a top level - but how do you preserve the existing Access Control Lists?


SCOM 2007 R2: Daily Health Check Script

Posted by Sam McGeown

An updated version of this script has been released:

I've been working with a Microsoft SCOM PFE (Premier Field Engineer) for the last few months and part of the engagement is an environment health check for the SCOM setup. Based on this, Microsoft recommend a series of health checks for the environment that should be carried out every day. This is summarised as the following:

  1. Check the health of all Management Servers and Gateways
  2. Check the RMS is not in maintenance mode
  3. Review Outstanding Alerts
  4. Review Agent's Health Status
  5. Review Backup Status
  6. Review any Management Group Alerts
  7. Review the Pending Management status
  8. Review Database Sizes (Operations, Data warehouse, ACS)
  9. Review Volume of Alerts
  10. Review Alert Latency
  11. Document any changes 

VMware PowerCLI – Set Path Selection Policy on all LUNs for a host

Posted by Sam McGeown

Just a quick script to set the Path Selection Policy on any LUNs on a host that do not have your target policy enabled. The script sets the server to Maintenance mode first, evacuating any VMs if you are in a full DRS automated environment. While this is not strictly necessary, it was required for my production environment just to be safe.

param( [string] $vCenterServer = $(Read-Host -prompt "Enter vCenter Server Name"),
[string] $TargetPolicy = $(Read-Host -Prompt "Enter target policy (RoundRobin, Fixed or MostRecentlyUsed)"),
[string] $TargetHost = $(Read-Host -Prompt "Enter target Host"),
[switch] $WhatIf)

# Add the VI-Snapin if it isn't loaded already
if ((Get-PSSnapin -Name "VMware.VimAutomation.Core" -ErrorAction SilentlyContinue) -eq $null ) {Add-PSSnapin -Name "VMware.VimAutomation.Core"}

Connect-VIServer $vCenterServer | out-null

Write-Host "Connected to: " $vCenterServer -ForegroundColor Green
Write-Host "Target PSP: " $TargetPolicy -ForegroundColor Yellow

switch ($TargetPolicy) {
    RoundRobin { $DisplayPolicy = "VMW_PSP_RR"; }
    MostRecentlyUsed { $DisplayPolicy = "VMW_PSP_MRU"; }
    Fixed { $DisplayPolicy = "VMW_PSP_FIXED"; }
    default { Write-Warning "Unknown PSP selected! Please consult the help and try again."; exit }
}

Write-Host "Setting Policy to"$TargetPolicy" on "$TargetHost -ForegroundColor Green

if($WhatIf) {
    # Dry run: report what would change without touching the host
    $vHost = Get-VMHost -Name $TargetHost
    $vHost | Set-VMHost -State Maintenance -Evacuate -WhatIf
    $vHost | Get-ScsiLun -LunType "disk" -ErrorAction SilentlyContinue | where {$_.IsLocal -eq $false -and $_.MultipathPolicy -ne $TargetPolicy} | Set-ScsiLun -MultipathPolicy $TargetPolicy -WhatIf
    $vHost | Set-VMHost -State Connected -WhatIf
} else {
    $vHost = Get-VMHost -Name $TargetHost
    Write-Host "Setting "$TargetHost" to Maintenance Mode" -ForegroundColor White
    $vHost | Set-VMHost -State Maintenance -Evacuate
    # Only change non-local disk LUNs that are not already on the target policy
    $vHost | Get-ScsiLun -LunType "disk" -ErrorAction SilentlyContinue | where {$_.IsLocal -eq $false -and $_.MultipathPolicy -ne $TargetPolicy} | Set-ScsiLun -MultipathPolicy $TargetPolicy
    Write-Host "Exiting Maintenance mode on"$TargetHost -ForegroundColor White
    $vHost | Set-VMHost -State Connected
}

SCOM 2007 DFS Backlog Monitoring – Distributing a RunAs account to only DFS replication members

Posted by Sam McGeown

The DFS monitoring tool in SCOM 2007 has some great features, which will replace many a custom VB script running in enterprises. As with a lot of Management Packs, to get the most out of it you need to have a dedicated RunAs account with local admin permissions on the servers you are monitoring (e.g. for the Backlogged Files reporting).

The easy (and wrong) option here is to go with the less secure option and distribute a RunAs account to ALL servers. There are lots of reasons why you wouldn’t want to distribute the credentials to every server in your SCOM installation – but just from a security standpoint, you shouldn’t do it! Selecting the “More Secure” option and distributing credentials only to servers which will require them is a much safer bet.

You can view the members of the DFS discovered inventory in the SCOM Console by going to the “Discovered Inventory” view and changing the target type to “Replication Member” – which is great: you can see all the Servers involved in the DFS replication topology. But there’s no easy way to add these to a RunAs credential to distribute.

To narrow it down to a short list, you can open an Operations Manager Shell prompt and list any monitoring classes which have “DFS” in the name – there are about 6 or so:

Get-MonitoringClass | where {$_.Name -match "DFS"}

The one that matches my SCOM console view is “Microsoft.Windows.DfsReplication.ReplicationGroupMember” so I want to select all the monitoring-objects that match this discovery and export the “Path” (server name) to a csv file:

Get-MonitoringClass | where {$_.Name -match "Microsoft.Windows.DfsReplication.ReplicationGroupMember"} | get-monitoringobject | select-object Path | export-csv c:\DFS-Members.csv

I’ve not yet figured out how to add these to the RunAs account credential distribution via PowerShell, so I’m afraid it’s a manual process from here. To make it easier I opened the csv in Excel and filtered out duplicates (for servers with multiple DFS shares) before pasting the servers in individually to the distribution dialogue.

Once the RunAs account has been downloaded by the Agents, and if you've added it correctly to your "DFS Replication Monitoring Account" profile, you should start to see the Backlog Monitoring view beginning to populate.
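The Excel de-duplication step can also be scripted. The following is an added example, not part of the original post: it collapses the exported Path column to unique server names and compares the result with a hypothetical record of servers the RunAs account is already distributed to, so servers that no longer need the credential are flagged as well as those still missing it. The sample rows, server names and the $distributed list are constructed.

```powershell
# Constructed sample standing in for c:\DFS-Members.csv: one row per DFS share,
# so servers hosting several shares repeat. Real use: $rows = Import-Csv c:\DFS-Members.csv
$rows = @"
Path
FS01.example.local
FS01.example.local
FS02.example.local
fs03.example.local
FS03.example.local
"@ | ConvertFrom-Csv

# Hypothetical record of where the RunAs credential is distributed today
# (kept by the admin; the post does not describe how to read this from SCOM).
$distributed = @('FS01.example.local', 'FS04.example.local')

function Get-UniqueServer {
    param([object[]] $Rows)
    # Normalise case and whitespace so FS03/fs03 collapse into one entry.
    $Rows | ForEach-Object { $_.Path.Trim().ToUpperInvariant() } |
        Where-Object { $_ } |
        Sort-Object -Unique
}

function Compare-Distribution {
    param([string[]] $Members, [string[]] $Distributed)
    $current = $Distributed | ForEach-Object { $_.Trim().ToUpperInvariant() } |
        Sort-Object -Unique
    # '=>' : DFS member without the credential; '<=' : has it but is no longer a member.
    Compare-Object -ReferenceObject $current -DifferenceObject $Members |
        Select-Object @{ Name = 'Server'; Expression = { $_.InputObject } },
                      @{ Name = 'Action'; Expression = {
                            if ($_.SideIndicator -eq '=>') { 'Add' } else { 'Remove' } } }
}

$members = Get-UniqueServer -Rows $rows
Compare-Distribution -Members $members -Distributed $distributed |
    Sort-Object Action, Server | Format-Table -AutoSize
```

Servers marked Remove still hold the RunAs credential without being replication members, which is the exposure the "More Secure" distribution option is meant to avoid.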
