Compared to MOM 2005 I was pretty disappointed with the discovery wizard for new agents in the SCOM 2007 console. In my opinion it's not flexible enough for large deployments - but that's what Powershell is for, right :)
We keep strict naming conventions in our Active Directory so it is pretty easy for me to create LDAP queries that return only the servers I want to monitor in SCOM. Let's say I want all Exchange Servers and all of their names end with "EXCHSRV". To get started in the Ops Manager shell we have to create an LDAP query object:
$myldap = new-ldapquerydiscoverycriteria -domain MYDOMAIN -ldapquery "(&(objectClass=Computer)(name=*EXCHSRV))"
We then create a Windows discovery object (my Exchange servers run all on Windows....):
$windiscovery = new-windowsdiscoveryconfiguration -ldapquery $myldap
To start the actual discovery and store the result in another object:
$discovery_results = start-discovery -managementserver (get-managementserver) -windowsdiscoveryconfiguration $windiscovery
If necessary you can look at the $discovery_results object to see which machines were discovered. They will be stored in the CustomMonitoringObjects property.
If you are ready to deploy the agents to the discovered machines you can use this command:
foreach ($server in $discovery_results.CustomMonitoringObjects) {
install-agent -AgentManagedComputer $server -confirm
}
This will loop through each discovered machine and try to install the agent. By using the -confirm parameter we tell the script to ask before doing anything. This can be omitted of course, however I'd be careful unless you are sure your LDAP query is correct and matches only desired machines.
Of course you can use a similar approach to query for any given LDAP property. I put this in a script to scan the domain on a regular basis for new machines that might still be missing a OpsMgr agent.
Wednesday, March 11, 2009
Tuesday, March 10, 2009
Using Powershell to configure WSUS 3.0 Servers
We have a pretty large WSUS 3.0 hierarchy and use a complicated set of GPOs to configure clients. We use client-side targeting to assign machines to computer groups in WSUS, however this setting needs to be set on each downstream server. Of course over time some of those downstream servers were configured incorrectly, causing patches not being deployed to all machines.
I decided to use a powershell script to identify and fix all downstream servers to switch them to client-side targeting. It's a very simple script with no error handling, but it's a pretty good start to do all kinds of automatic configuration changes. This needs to run on the upstream server and of course requires powershell:
----
[System.Reflection.Assembly]::LoadWithPartialName('microsoft.updateservices.administration')
$ap = new-object 'Microsoft.UpdateServices.Administration.AdminProxy'$local = $ap.GetUpdateServerInstance();
$count = 0
$downstreamservers = $local.GetDownStreamServers();
write-host $downstreamservers.count
foreach ($server in $downstreamservers) {
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($server.fulldomainname, $FALSE);
$name = $wsus.Name
$config = $wsus.GetConfiguration()
if ($config.TargetingMode -eq "Client" )
{ write-host "Targeting Mode on $name is Client" -fore Green }
else
{ write-host "Targeting Mode on $name is Server." -fore Red
write-host "Updating config..." -fore Yellow $config.TargetingMode = "Client" $config.Save($FALSE)
$count++
}
}
write-host "Updated $count servers" -fore Yellow
-----
Brief explanation: First we get the local WSUS server and get a collection of all donwstreamservers.
The script then loops thru each WSUS server it found, gets its configuration and checks the "TargetingMode" property. If it's not "Client" we change it to "Server" to client and store the configuration back to the server using the "Save" Method of the configuration object.
I decided to use a powershell script to identify and fix all downstream servers to switch them to client-side targeting. It's a very simple script with no error handling, but it's a pretty good start to do all kinds of automatic configuration changes. This needs to run on the upstream server and of course requires powershell:
----
[System.Reflection.Assembly]::LoadWithPartialName('microsoft.updateservices.administration')
$ap = new-object 'Microsoft.UpdateServices.Administration.AdminProxy'$local = $ap.GetUpdateServerInstance();
$count = 0
$downstreamservers = $local.GetDownStreamServers();
write-host $downstreamservers.count
foreach ($server in $downstreamservers) {
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($server.fulldomainname, $FALSE);
$name = $wsus.Name
$config = $wsus.GetConfiguration()
if ($config.TargetingMode -eq "Client" )
{ write-host "Targeting Mode on $name is Client" -fore Green }
else
{ write-host "Targeting Mode on $name is Server." -fore Red
write-host "Updating config..." -fore Yellow $config.TargetingMode = "Client" $config.Save($FALSE)
$count++
}
}
write-host "Updated $count servers" -fore Yellow
-----
Brief explanation: First we get the local WSUS server and get a collection of all donwstreamservers.
The script then loops thru each WSUS server it found, gets its configuration and checks the "TargetingMode" property. If it's not "Client" we change it to "Server" to client and store the configuration back to the server using the "Save" Method of the configuration object.
Monday, March 9, 2009
Operations Manager 2007 not collecting events
I recently tried to convert one of our simple MOM 2005 rules over to SCOM 2007. It basically just notified us when a administrator account was locked out, a simple but easy way to detect brute force attacks in our environment.
I started with creating a collection rule to get certain events from the Security event logs of all Domain Controllers. I filtered by Event Source, Category and Level ("Success Audit") and targeted it to the AD Domain Controller Role.
I then created a view to check if my events are really recorded to the OpsMgr DB - and there was nothing. Also no errors anywhere. Although the targeting should not have been the problem I tried some options here just to make sure and as expected this didn't help.
It turns out the problem was the filter: I removed Event Category and my events started to come in. My filter was not wrong, it just doesn't seem to work when using the event category! In fact the events in the SCOM view do not show a category at all.
I started with creating a collection rule to get certain events from the Security event logs of all Domain Controllers. I filtered by Event Source, Category and Level ("Success Audit") and targeted it to the AD Domain Controller Role.
I then created a view to check if my events are really recorded to the OpsMgr DB - and there was nothing. Also no errors anywhere. Although the targeting should not have been the problem I tried some options here just to make sure and as expected this didn't help.
It turns out the problem was the filter: I removed Event Category and my events started to come in. My filter was not wrong, it just doesn't seem to work when using the event category! In fact the events in the SCOM view do not show a category at all.
Subscribe to:
Posts (Atom)