Sam McGeown

This is my current scenario: there are two existing servers in a stand-alone array - TMG01 and TMG02, and over in a DR site there is a new server (TMG03) that is in the process of being built. To comply with DR, all 3 servers must have their configurations up to date, however there is no direct communication allowed between the two DMZs, so simply adding to the new server as an array member is not possible.

A couple of months ago I posted the first version of my SCOM 2007 R2 Daily Health Check Script - here is version 2. It’s more than a little motivated by some friendly competition with a Microsoft PFE for SCOM, hopefully you’ll agree it’s a big improvement on the last version.

Updated for this version

• Formatting changed to make it more readable and more compatible
• Added “Report generated on ” to the top of the report
• Management Server states reported as one section
• Default MP check moved to beneath the Management servers
• Agents in pending states moved to be with the Agent health states
• Clarified “Unresponsive Agents” and “Agents reporting errors”
• Management server alerts streamlined
• Added top 10 alerts for the last 7 days, and added top alerters for each

I’m planning to wrap in some SQL database size checks and some of the other recommendations later - I’ll post again here when that’s ready 🙂

This is every file server admin’s nightmare: hundreds of shares, thousands of folders, hundreds of thousands of files - and custom or not inherited rights on many of them. Terabytes of data that need auditing - e.g. to find customer data, or credit card information. How do you go about accessing all the data in all the trees? What about backups failing because someone removed the System account? Of course you can seize control of the folder by taking ownership and pushing down from a top level - but how do you preserve the existing Access Control Lists?

An updated version of this script has been released: https://www.definit.co.uk/2012/05/scom-2007-r2-daily-health-check-script-v2/

I’ve been working with a Microsft SCOM PFE (Premier Field Engineer) for the last few months and part of the engagement is an environment health check for the SCOM setup. Based on this Microsoft recommend a series of health checks to for the environment that should be carried out every day. This is summarised as the following:

1. Check the health of all Management Servers and Gateways
2. Check the RMS is not in maintenance mode
3. Review Outstanding Alerts
4. Review Agent’s Health Status
5. Review Backup Status
6. Review any Management Group Alerts
7. Review the Pending Management status
8. Review Database Sizes (Operations, Data warehouse, ACS)
9. Review Volume of Alerts
10. Review Alert Latency
11. Document any changes 

From this, there are certain aspects that can’t be automated so easily, or shouldn’t be - e.g:

This post is nothing more than a shameless request for sponsorship! As the title suggests, I am running the London marathon this year (in 96 days!) for the charity “The Lighthouse Group”. Check out the TLG site for more detail on what they do, but in a nutshell they are a charity that works with young people who have been excluded from school, at risk of exclusion or are at crisis point in their education. It’s a really worthwhile cause and my father-in-law has just been involved in opening a TLG center based in Normanton, Yorkshire

The Test MAPI Connectivity monitor for the Exchange 2007 management pack will automatically generate a critical error for any Recovery Storage Groups you have on monitored Exchange Mailbox Roles. As these are generally temporary Storage Groups created for a recovery and then removed, you don’t want an alert - but manually adding an override for every time is not a great use of your time either.

The State Change event details are as follows:

I learned something new today: SCOM 2007 R2 certificate based communications not only checks the validity of the certificate you use, but also the CA that issued it…let me expand:

Like many organisations there is a root CA (we’ll call it ROOTCA01), and then a subordinate CA (we’ll call that SUBCA01). OPSMGM01 has a certificate to identify itself and has certificates for ROOTCA01 and SUBCA01 in it’s Trusted Root Certificate Authorities.

Just a quick script to set the Path Selection Policy on any LUNs on a host that do not have your target policy enabled. The script sets the server to Maintenance mode first, evacuating any VMs if you are in a full DRS automated environment. While this is not strictly necessary, it was required for my production environment just to be safe.

The DFS monitoring tool in SCOM 2007 has some great features, which will replace many a custom VB script running in enterprises. As with a lot of Management Packs, to get the most out of it you need to have a dedicated RunAs account with local admin permissions on the servers you are monitoring (e.g. for the Backlogged Files reporting).

The easy (and wrong) option here is to go with the less secure option and distribute a RunAs account to ALL servers. There are lots of reasons why you wouldn’t want to distribute the credentials to every server in your SCOM installation – but just from a security standpoint, you shouldn’t do it! Selecting the “More Secure” option and distributing credentials only to servers which will require them is a much safer bet.

It seems that despite my previous experiences with TMG 2010 , I still stumble when creating a TMG array . Here are some “notes to self”, which will hopefully stop me making the same mistakes next time