Monday, April 21, 2008

The sum of all of really silly OCS questions

I had these silly OCS questions, asked some good folks, and got them answered, so you might want to take a look at them:
  • In web conferencing, I know that the conferencing server has built-in load-balancing functionality, so if we have a pool of servers and a new conference starts, the least loaded server is selected to host it. Now suppose that user 1 scheduled a conference in a pool with 3 conferencing servers, and server 1 is elected to host the conference. During the conference, user 8 and user 9 want to join, but server 1 has become loaded. What exactly will happen: will user 8 and user 9 be hosted on server 2, or will they not be able to join the conference?
All conference state and information are on the focus, which is in the SQL database… So even if user 1 is on Server 1, the conference info and state are in SQL… So when users 8 and 9 connect to Servers 2 and 3, no problems…
  • In VoIP, when a user forwards a call to his mobile, how are the caller and receiver charged? User 1 called user 2 and he forwarded the call to his mobile. So user 1 will be charged for that as a mobile call; does user 2's phone system get charged for the call forward?
User 1 calls User 2 (Users 2 pay for costs for calling initial User 1 number)… Users 2 decided to forward to his mobile from system… System of User 2 will pay costs to call User 2 mobile number… User 2 happened to be roaming and kidding around then User 2 pays roaming bills… Think of it as separate phone calls each paying the cost of his decision…
  • In the OCS planning examples I found a note indicating that only 1 edge server in the OCS topology should serve external IM access, even for multiple pools. It doesn't seem logical to me why I cannot have an edge server for each site, with users configured with the FQDN of the edge server and logging in through the edge server in their site.
Because you could only have one FQDN with the name ( and this is what is initially supported and tested… The main Access edge server has to also be the destination of the FQDN (
  • If the note in point 3 is right, this means that I will have to plan the BW at the central location to serve all the clients logging in, and I will need a director as well. The other point: does the access proxy redirect or proxy the traffic?
Bandwidth for logon and text is not a big deal.. Yes anyway for your first question… For the second question… The Access Proxy Server will proxy the user’s traffic coming from the internet to the user’s internal pool…
  • What is the HA planning for the Media Gateway? I searched for that and didn't find it mentioned anywhere…
Is it mentioned in the Voice Ignite material… HA planning is to have redundant Media Gateways with similar configuration…
  • How to schedule a telephony meeting?
Currently telephony conference role is to integrate with your telephony conference provider, this is planned in the future releases.
Duhhhhh :).

What is passive SUP for?

It has been a long time since I blogged; sorry, I was busy with relocation to a new place, etc.

I was involved in a nice discussion about the benefit of having a passive SUP in the SCCM hierarchy; well, NOTHING.

You do need to create a non-active SUP to install the active Internet-based SUP (selected and configured in the Software Update Point Component Properties) and when creating an NLB for the active SUP. The non-active SUP would be installed on each server in the NLB and then the active SUP would be configured as the NLB.

Other than this, you cannot use it for reporting. I thought that clients in branch sites could report to the local WSUS and that this info would be replicated to the parent WSUS somehow; well, this is wrong. So if you will not deploy a WSUS you don't need passive SUPs.




Tuesday, April 15, 2008

SCCM across forests - one final note


One final note regarding this topic: if you install an SCCM site in a different forest, Microsoft doesn't support installing a secondary site in the new forest; you will have to install a child site only on the new site. So all the planning has to be done based on child site planning.

Thursday, April 10, 2008

PXE boot creates a new record for computers after reinstalling the OS using PXE

I spent this week trying to understand this issue with help from a lot of SCCM folks; thank God I finally got it, so I would like to share it with you:

You take a laptop, PXE boot it and drop an image onto it. The ConfigMgr client installs and the laptop joins the site and applies packages. Cool! Then you clear the PXE advertisement and roll out an OS onto that system again. There has been no change at all on the laptop, so all the BIOS GUIDs etc. are identical; however, a new ConfigMgr resource record and a new ConfigMgr GUID are assigned to the machine. The machine keeps its domain SID, MAC address, SMBIOS GUID etc., so why is SCCM creating a new record?

This is the default behavior. If the site is in mixed mode and manually resolving conflicts is not enabled, the rebuilt machine gets a new SCCM identity (GUID). If the site setting to manually resolve conflicts is enabled, those records appear in the resolve conflicts node. In native mode this should not occur.

The basic problem is that when a computer is re-imaged from bare-metal in mixed mode security, ConfigMgr has no way to know if it’s really the same computer and you want it to have the same identity, or whether it is some rogue computer trying to usurp the identity of an already managed computer. PXE is a very insecure protocol, and things like the MAC address and SMBIOS are easily spoofed.

The “Manually resolving conflicting records” option is a site-wide setting, but if you set it, it requires IT Admin intervention to resolve the conflict. The current behavior is not considered to be a bug, though arguably we should offer an “automatically merge” option that doesn’t require IT Admin intervention.

In native mode you don’t have this issue because of the certificates. In native mode, essentially, SCCM punted the problem off to whomever (or whatever) is issuing the certificates. If the certificate issuer thinks it’s the same computer, then the newly issued certificate should have the same subject name and #2 under Native Mode Security in the slide below applies. If the certificate issuer doesn’t think it’s the same computer or doesn’t know, then the newly issued certificate should have a different subject name and #3 under Native Mode Security applies.

But how does the certificate issuer know whether the computer is an old one or a new one, then?

It could be in a wide spectrum of different ways, depending on how certain the certificate issuer wants to be that it really is the same computer and not some rogue.

At the least secure, but most automatic, end of the spectrum, the certificate could be issued by AD automatically for any computer joining the domain, with the subject name set to the FQDN of the computer. In this case, if the computer runs an OS deployment task sequence, it will be able to join the domain (since the task sequence has the domain join credentials) and it will automatically get a certificate from AD without the IT Admin doing anything. Obviously, this isn’t very secure.

At the other end of the spectrum, an IT Admin might have to physically visit the computer, verify its identity, and install the certificate from removable media once he has verified the identity of the computer. This is the most secure approach, but the hardest because of the manual steps required.

Any given customer will have to decide what approach meets their needs on the security/ease-of-use tradeoff.

In the case of PXE boot, the MAC address of the computer and/or the SMBIOS UUID of the computer are matched against entries in the ConfigMgr database. Assuming that a matching entry is found, the computer name from the database entry is sent back to the computer running the task sequence and that computer name is assigned. This is how SCCM recognizes the machine in the case of PXE, where no certificate is installed on the machine because the machine has been wiped.
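The duplicate records that mixed mode produces after a rebuild can be reviewed offline from an export of the site's resource records. The following is an added example, not code from this post or from ConfigMgr; the property names (Name, SmbiosGuid, Mac, SmsGuid, Created), the rows, and the "probable rebuild" versus "verify" rule are assumptions made for illustration.

```powershell
# Constructed sample rows standing in for an export of ConfigMgr resource
# records. Property names are hypothetical, not ConfigMgr schema names.
$records = @(
    [pscustomobject]@{ Name = 'LAP-001'; SmbiosGuid = '4C4C4544-0042-1010-8031-000000000001'; Mac = '00:11:22:33:44:01'; SmsGuid = 'GUID:AAAA0001'; Created = [datetime]'2008-03-01' }
    [pscustomobject]@{ Name = 'LAP-001'; SmbiosGuid = '4C4C4544-0042-1010-8031-000000000001'; Mac = '00:11:22:33:44:01'; SmsGuid = 'GUID:AAAA0002'; Created = [datetime]'2008-04-08' }
    [pscustomobject]@{ Name = 'LAP-002'; SmbiosGuid = '4C4C4544-0042-1010-8031-000000000002'; Mac = '00:11:22:33:44:02'; SmsGuid = 'GUID:BBBB0001'; Created = [datetime]'2008-03-02' }
    [pscustomobject]@{ Name = 'SRV-009'; SmbiosGuid = '4C4C4544-0042-1010-8031-000000000003'; Mac = '00:11:22:33:44:03'; SmsGuid = 'GUID:CCCC0001'; Created = [datetime]'2008-02-10' }
    [pscustomobject]@{ Name = 'KIOSK-7'; SmbiosGuid = '4C4C4544-0042-1010-8031-000000000003'; Mac = '00:11:22:33:44:99'; SmsGuid = 'GUID:CCCC0002'; Created = [datetime]'2008-04-09' }
)

function Get-IdentityConflict {
    param(
        [Parameter(Mandatory = $true)]
        [object[]]$Record
    )

    # SMBIOS GUID is one of the two hardware identifiers PXE matching uses.
    foreach ($group in ($Record | Group-Object -Property SmbiosGuid)) {
        $smsGuids = @($group.Group | Select-Object -ExpandProperty SmsGuid -Unique)
        if ($smsGuids.Count -lt 2) { continue }   # one identity per SMBIOS GUID: nothing to resolve

        $names = @($group.Group | Select-Object -ExpandProperty Name -Unique)
        $macs  = @($group.Group | Select-Object -ExpandProperty Mac -Unique)

        # Assumption of this example: identical name and MAC across the records
        # looks like a rebuild of one machine. Any difference means the same
        # SMBIOS GUID is being presented under another name or MAC, which an
        # admin should check before the records are merged.
        if ($names.Count -eq 1 -and $macs.Count -eq 1) {
            $assessment = 'Probable rebuild'
        } else {
            $assessment = 'Verify before merging'
        }

        [pscustomobject]@{
            SmbiosGuid   = $group.Name
            Names        = $names -join ', '
            Macs         = $macs -join ', '
            SmsGuids     = $smsGuids -join ', '
            NewestRecord = ($group.Group | Sort-Object Created -Descending | Select-Object -First 1).SmsGuid
            Assessment   = $assessment
        }
    }
}

Get-IdentityConflict -Record $records | Format-List
```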

Wednesday, April 9, 2008

SCOM is not monitoring DHCP server cluster resource

Here is some interesting info:

My customer has a DHCP server running on a cluster node. All of the other cluster groups are monitored but not the DHCP group; as a result, the virtual server is not included in the Windows 2003 DHCP group and DHCP on it is not monitored. I found the issue: the discovery looks for a Start registry value of 2, while on the cluster the value is set to 3:









As far as I and most of my fellow consultants could find, it looks like the DHCP MP is not cluster-aware, and this will be fixed in the next version, so be careful, as this is not mentioned anywhere in the documentation of either the DHCP MP or the cluster MP.



Monday, April 7, 2008

SCCM distributed application is not monitored - SCOM 2007


Here are some tips for people who cannot monitor SCCM using the latest SCOM management pack:

-          Make sure the agent proxy is enabled on the SCCM server.

-          Make sure that you have created the SMS_INSTALL_DIR_PATH system variable.

-          Make sure that you installed the SCOM x86 agent; you cannot monitor SCCM using the x64 agent. This is a known issue, so you might need to install the agent manually.

I am pretty sure that the SCCM distributed application will be monitored now :)

Saturday, April 5, 2008

what information are lost when using the restore-mailbox

Here is a nice piece of info you have to consider:

When restoring mailboxes from an RSG, all of the information is retained, such as special folders, the dumpster and calendar items, but when it comes to rules, ACLs and views, they are lost.

Rules, views, forms and ACLs are not recoverable when you use an RSG, so make sure to document them and to inform the end user about that to avoid any trouble.

deploying OS using SCCM to unknown computers

Because people might want to know how, Michael Niehaus posted a great article about it here, so visit it; you will like it.

Backing up Exchange 2007 using Veritas 11d

Well, most of us had issues with backing up Exchange 2007 using Veritas 11d. I fought for over 2 months to get it working and finally I did. I found that there are a lot of folks out there who were fighting with it with no luck, but after opening so many cases with Symantec and Microsoft we managed to get it to work. Most of us got the ugly error:

Completed status: Failed
Final error: 0xe0008488 - Access is denied.
Final error category: Security Errors

For additional information regarding this error refer to link V-79-57344-33928

Click an error below to locate it in the job log
Backup- Exchange2007.lab.localMicrosoft Information StoreFirst Storage Group V-79-57344-33928 - Access is denied.
Access denied to database Log files.
Backup- Exchange2007.lab.localMicrosoft Information StoreSecond Storage Group V-79-57344-33928 - Access is denied.
Access denied to database Log files.

Click an exception below to locate it in the job log
Backup- Exchange2007.lab.localMicrosoft Information StoreFirst Storage Group WARNING: "Exchange2007.lab.localMicrosoft Information StoreFirst Storage GroupLog files" is a corrupt file.
This file cannot verify.
Backup- Exchange2007.lab.localMicrosoft Information StoreSecond Storage Group WARNING: "Exchange2007.lab.localMicrosoft Information StoreSecond Storage GroupLog files" is a corrupt file.
This file cannot verify.
Verify- Exchange2007.lab.localMicrosoft Information StoreFirst Storage Group WARNING: "Log files" is a corrupt file.
This file cannot verify.
Verify- Exchange2007.lab.localMicrosoft Information StoreSecond Storage Group WARNING: "Log files" is a corrupt file.
This file cannot verify.

This guide contains the detailed steps required to configure Veritas 11d to make things work.

here is the guide


Edge server is not applying Recipient filtering

I implemented a big Exchange organization (a couple of clustered mail servers, hubs, CASs and an Edge server); however, when I tested email filtering on the Edge server I found that the Hub server was delivering the NDR, not the Edge, as below:

Microsoft Mail Internet Headers Version 2.0
Received: from mail.ourdomain.corp ([z.z.z.z]) by mail2.ourdomain.corp with Microsoft SMTPSVC(6.0.3790.3959);
                 Wed, 4 Jul 2007 22:38:23 +0300
Received: from ([x.x.x.x]) by with Microsoft SMTPSVC(6.0.3790.3959);
                 Wed, 4 Jul 2007 23:38:00 +0400
Received: from Edge.Domain.local ( [y.y.y.y])
                by (Postfix) with ESMTP id 519514F856
                for <>; Wed,  4 Jul 2007 15:34:02 -0400 (EDT)
Received: from Hub-cas.Domain.local ( by
 ( with Microsoft SMTP Server (TLS) id 8.0.700.0; Wed, 4 Jul 2007
 22:33:27 +0300
MIME-Version: 1.0

Date: Wed, 4 Jul 2007 22:34:00 +0300
Content-Type: multipart/report; report-type=delivery-status;

Content-Language: en-AU

In-Reply-To: <5486BE6683AFD54F935039CCF748F6645EB83E@EGMAIL02.SPSEGY.synergyps.corp>
References: <5486BE6683AFD54F935039CCF748F6645EB83E@EGMAIL02.SPSEGY.synergyps.corp>
Thread-Topic: sdkfj
Thread-Index: Ace+chJwkNcA93RTS0eP7gFPEivGtwAADLvH
Subject: Undeliverable: sdkfj
Return-Path: <>
X-OriginalArrivalTime: 04 Jul 2007 19:38:00.0514 (UTC) FILETIME=[D4908A20:01C7BE72]

Content-Type: multipart/alternative; differences=Content-Type;

Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Content-Type: message/delivery-status

Content-Type: message/rfc822

Although the agents were enabled in the GUI, it seems that the transport agents were disabled when I listed them using the Get-TransportAgent cmdlet; enabling them using Enable-TransportAgent solved the issue :).


Cannot delete or edit Event/rule/monitor/view in SCOM 2007

Today I was implementing SCOM 2007 to manage a nice environment (about 80 servers, some Unix/Oracle and Cisco devices) and I got the error below when I tried to delete a view in SCOM:

Note: The following information was gathered when the operation was attempted. The information may appear cryptic but provides context for the error. The application will continue to run.

: Verification failed with [1] errors:
-------------------------------------------------------
Error 1:
: Failed to verify Language Pack: [ENU] with errors:
: Failed to verify display string : [ManagementPackElement=MomUIGenaratedRecovery6131e4f2aa3f4346bff32aa8010ef2cb in ManagementPack:[Name=Microsoft.SystemCenter.OperationsManager.DefaultUser, KeyToken=, Version=6.0.5000.0]]
Cannot find ManagementPackElement [Type=ManagementPackElement, ID=MomUIGenaratedRecovery6131e4f2aa3f4346bff32aa8010ef2cb] in ManagementPack [ManagementPack:[Name=Microsoft.SystemCenter.OperationsManager.DefaultUser, KeyToken=, Version=6.0.5000.0]]
-------------------------------------------------------
Failed to verify Language Pack: [ENU] with errors:
: Failed to verify display string : [ManagementPackElement=MomUIGenaratedRecovery6131e4f2aa3f4346bff32aa8010ef2cb in ManagementPack:[Name=Microsoft.SystemCenter.OperationsManager.DefaultUser, KeyToken=, Version=6.0.5000.0]]
Cannot find ManagementPackElement [Type=ManagementPackElement, ID=MomUIGenaratedRecovery6131e4f2aa3f4346bff32aa8010ef2cb] in ManagementPack [ManagementPack:[Name=Microsoft.SystemCenter.OperationsManager.DefaultUser, KeyToken=, Version=6.0.5000.0]]
: Failed to verify Language Pack: [ENU] with errors:
: Failed to verify display string : [ManagementPackElement=MomUIGenaratedRecovery6131e4f2aa3f4346bff32aa8010ef2cb in ManagementPack:[Name=Microsoft.SystemCenter.OperationsManager.DefaultUser, KeyToken=, Version=6.0.5000.0]]
Cannot find ManagementPackElement [Type=ManagementPackElement, ID=MomUIGenaratedRecovery6131e4f2aa3f4346bff32aa8010ef2cb] in ManagementPack [ManagementPack:[Name=Microsoft.SystemCenter.OperationsManager.DefaultUser, KeyToken=, Version=6.0.5000.0]]

Additionally, I cannot create any rule/alert/monitor or anything. I found that the error exists because we had a rule that used a diagnostic; we deleted it, but the reference still exists. The error is in the reference MomUIGenaratedRecovery6131e4f2aa3f4346bff32aa8010ef2cb. It is a bug, and to solve it, export the default management pack to an XML file, use XML Notepad to edit the XML file (download it from here: ), open the XML file and search for the bad reference, delete all of the display root and all of its attributes, then import the MP again into SCOM. There is no other way to solve it.
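The search for the bad reference can be scripted instead of done by hand in XML Notepad. The following is an added example, not code from this post or from Operations Manager; the management pack XML is a constructed, shortened stand-in for the exported file, and it assumes that a display string is dangling when its ElementID matches no ID in the rest of the pack.

```powershell
# Constructed, heavily shortened stand-in for the exported default MP.
# Only the recovery ID is taken from the error text in the post.
$mpXml = [xml]@'
<ManagementPack ContentReadable="true">
  <Manifest>
    <Identity>
      <ID>Microsoft.SystemCenter.OperationsManager.DefaultUser</ID>
      <Version>6.0.5000.0</Version>
    </Identity>
  </Manifest>
  <Presentation>
    <Views>
      <View ID="View_Constructed_01" Accessibility="Public" />
    </Views>
  </Presentation>
  <LanguagePacks>
    <LanguagePack ID="ENU" IsDefault="true">
      <DisplayStrings>
        <DisplayString ElementID="Microsoft.SystemCenter.OperationsManager.DefaultUser"><Name>Default Management Pack</Name></DisplayString>
        <DisplayString ElementID="View_Constructed_01"><Name>My view</Name></DisplayString>
        <DisplayString ElementID="MomUIGenaratedRecovery6131e4f2aa3f4346bff32aa8010ef2cb"><Name>Deleted recovery</Name></DisplayString>
      </DisplayStrings>
    </LanguagePack>
  </LanguagePacks>
</ManagementPack>
'@

function Get-OrphanedDisplayString {
    param(
        [Parameter(Mandatory = $true)]
        [xml]$ManagementPack
    )

    # Collect every ID a display string may legitimately point at:
    # the pack's own ID plus the ID attribute of every element outside LanguagePacks.
    $known = New-Object 'System.Collections.Generic.HashSet[string]'
    $packId = $ManagementPack.SelectSingleNode('/ManagementPack/Manifest/Identity/ID')
    if ($packId) { [void]$known.Add($packId.InnerText) }
    foreach ($attr in $ManagementPack.SelectNodes('//*[not(ancestor-or-self::LanguagePacks)]/@ID')) {
        [void]$known.Add($attr.Value)
    }

    # Emit each DisplayString whose ElementID resolves to nothing.
    foreach ($ds in $ManagementPack.SelectNodes('//LanguagePacks//DisplayString')) {
        if (-not $known.Contains($ds.GetAttribute('ElementID'))) { $ds }
    }
}

# Materialise the list first so nodes are not removed while the query is being walked.
$orphans = @(Get-OrphanedDisplayString -ManagementPack $mpXml)
$orphans | ForEach-Object { 'Dangling display string: ' + $_.GetAttribute('ElementID') }

# Remove the whole DisplayString element, as the post describes.
foreach ($node in $orphans) { [void]$node.ParentNode.RemoveChild($node) }
'Display strings left: ' + $mpXml.SelectNodes('//DisplayString').Count

# To write the cleaned pack for re-import (path is a placeholder):
#   $mpXml.Save((Join-Path $env:TEMP 'DefaultUser.cleaned.xml'))
```

Keep the untouched export as a backup before importing the cleaned file.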

Hub/CAS is no longer supported

I would like to update you: PSS advised that Hub/CAS placement as a failover (as we designed before) is no longer a recommended approach, as it causes the EdgeSync service to crash. This behavior is not confirmed in every implementation and it is random, but the case is confirmed.

I have been advised to design CAS servers and Hub servers separately until E12 SP1, which should fix this issue and which will include a fix for the Hub NLB issue.


Script to Add Template path for RMS clients

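You will just have to set the Office version in the registry path according to your environment:

Option Explicit

Dim objShell
Dim strMessage, strWelcome, strWinLogon

strWelcome = "AdminTemplatePath" ' New value name
strMessage = "\\server\templates" ' UNC path that holds the RMS templates
strWinLogon = "HKCU\SOFTWARE\Microsoft\office\11.0\common\DRM\"

' Create the shell object used for registry access
Set objShell = CreateObject("WScript.Shell")

' Create the value, then set it to the template path
objShell.RegWrite strWinLogon & strWelcome, 1, "REG_EXPAND_SZ"
objShell.RegWrite strWinLogon & strWelcome, strMessage, "REG_EXPAND_SZ"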





how to configure an Exchange 2007 Edge transport to send email to exchange 2003 and set the SCL

If you just configure an Edge server as an SMTP gateway device without an E2k7 Hub server and relay mail to and from Ti servers anonymously with the default config, the SCL determined for the message and other relevant info would not reach the Ti servers and is hence lost:

Method 1: Using an account for auth and passing Exch50 information

--  Create a domain account for Edge (required for authentication) on the Exchange 2003 side and add it to the "Exchange Domain Servers" group.

--  Configure a Send connector on Edge to the respective E2k3 server with SmartHostAuthMechanism = Basic Authentication and use the domain account created in step 1 for the credentials.

--  Add the permission (ms-Exch-SMTP-Send-Exch50) for NT AUTHORITY\ANONYMOUS LOGON on the respective Send connector. For example, if the Send connector is named "To E2k3", the command to add the permission would be:

Add-ADPermission "To E2k3" -User "NT AUTHORITY\ANONYMOUS LOGON" -AccessRights ExtendedRight -ExtendedRights ms-Exch-SMTP-Send-Exch50

--  Now the SCL will be sent to the E2k3 box using the X-EXCH50 verb after successful authentication occurs. This can be verified with protocol logs, Netmon, etc., and also by exposing the SCL values in MS Outlook at the recipient end.

Method 2: Turn off RequireAuth for XEXCH50 on Exchange 2003

--  Configure a Send connector on Edge to the respective E2k3 server with SmartHostAuthMechanism = ExternalAuthoritative.

--  On the Exchange 2003 server, we need to disable the authentication requirement to propagate XEXCH50, so set:

HKLM\SYSTEM\CurrentControlSet\Services\SMTPSVC\XEXCH50\Exch50AuthCheckEnabled = 0



Exchange 2007 Antispam is skipped and not applied

A tricky new issue popped up 6 days ago in a new Edge deployment; the issue was reported by Kashif Awan and we tried to figure it out until it was resolved.

The issue was that the Edge was receiving a lot of spam email in spite of anti-spam and content filtering being enabled and configured. The agent log reported the following:

Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,not available: content filtering was bypassed.

I highlighted the cause in red above. After further investigation we found an article that explains how the anti-spam agent logic works:

Further details can be found at:

After a little troubleshooting we found that content filtering was skipped because the receive connector was configured with the Partner permission, so removing the permission and configuring only anonymous access solved the issue.

My comment: this is so weird, as the documentation says the connection has to be authenticated, but somehow it didn't authenticate and still applied the Partner permissions.
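The bypass line quoted above is easy to miss in a busy agent log, so it helps to count it per listening endpoint. The following is an added example, not code from this post or from Exchange; the log is constructed (timestamps, addresses and message IDs are made up), and the column names are read from the sample's own #Fields line, which is written here from memory of the Exchange 2007 agent log layout.

```powershell
# Constructed agent log. Only the Agent..ReasonData columns of the bypass
# rows mirror the line quoted in the post.
$sampleLog = @'
#Software: Microsoft Exchange Server
#Log-type: Agent Log
#Fields: Timestamp,SessionId,LocalEndpoint,RemoteEndpoint,EnteredOrgFromIP,MessageId,P1FromAddress,P2FromAddresses,Recipient,NumRecipients,Agent,Event,Action,SmtpResponse,Reason,ReasonData,Diagnostics
2008-04-05T09:01:12.000Z,08CA000000000001,192.0.2.10:25,198.51.100.7:4021,198.51.100.7,<c1@mail.example.net>,a@example.net,a@example.net,user1@example.com,1,Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,not available: content filtering was bypassed.,
2008-04-05T09:01:40.000Z,08CA000000000002,192.0.2.10:25,198.51.100.8:4100,198.51.100.8,<c2@mail.example.net>,b@example.net,b@example.net,user2@example.com,1,Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,not available: content filtering was bypassed.,
2008-04-05T09:02:05.000Z,08CA000000000003,192.0.2.11:25,203.0.113.5:5150,203.0.113.5,<c3@mail.example.org>,c@example.org,c@example.org,user3@example.com,1,Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,3,
2008-04-05T09:02:30.000Z,08CA000000000004,192.0.2.11:25,203.0.113.9:5200,203.0.113.9,,d@example.org,,user4@example.com,1,Connection Filtering Agent,OnRcptCommand,RejectCommand,550 5.7.1 blocked,BlockListProvider,constructed-provider,
'@

function Get-ContentFilterBypass {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Line
    )

    # Take the column names from the log itself rather than hard-coding them.
    $fieldsLine = $Line | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldsLine) { throw 'No #Fields header found in agent log.' }
    $header = ($fieldsLine -replace '^#Fields:\s*', '').Split(',')

    $Line |
        Where-Object { $_ -and $_ -notlike '#*' } |
        ConvertFrom-Csv -Header $header |
        Where-Object {
            $_.Agent -eq 'Content Filter Agent' -and
            $_.ReasonData -like '*content filtering was bypassed*'
        }
}

function Get-BypassSummary {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Line
    )

    $bypassed = @(Get-ContentFilterBypass -Line $Line)
    foreach ($g in ($bypassed | Group-Object -Property LocalEndpoint)) {
        [pscustomobject]@{
            LocalEndpoint = $g.Name          # IP:port the receive connector listens on
            Bypassed      = $g.Count
            RemoteIPs     = @($g.Group |
                ForEach-Object { ($_.RemoteEndpoint -split ':')[0] } |
                Sort-Object -Unique) -join ', '
        }
    }
}

Get-BypassSummary -Line ($sampleLog -split '\r?\n') | Format-Table -AutoSize

# On the Edge server (Exchange Management Shell), match the endpoint to a
# connector and see which permission groups it grants:
#   Get-ReceiveConnector | Format-List Name, Bindings, PermissionGroups
```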


Cannot open the properties of edge server

Another interesting thing: on the Edge server, you might want to remove it and get the error:

"There was a problem accessing the registry on this computer. This may  happen if the remote registry service is not running"

or, if you try to get the properties of the Edge server, an error comes up saying the command cannot complete, bla bla bla.

This happens due to restrictions applied by running the SCW (Security Configuration Wizard), so make sure that you import the E12 Edge template and configure the Edge and rules correctly.


Exchange 2007 blocking PDF files

I had an issue with an Exchange Edge server: the customer was sending PDF files compressed in ZIP or RAR files and they were bounced. The email looks something like this:

RejectionResponse                     : Message rejected due to content restrictions or attachment restrictions.

I was puzzled by this one, because the engine is configured to strip the content, not to reject it, and the attachment was not so harmful.

After a little troubleshooting with Get-AttachmentFilterEntry I didn't find anything that would block PDF, RAR or ZIP.

So the solution was to disable the attachment filter engine:

Remove-TransportAgent -Identity "attachment filter agent"

Note: I am not sure about the identity, so make sure that you type it correctly; to find out the exact name, type Get-TransportAgent.

And I used Forefront to protect the environment. Pretty silly, ha.


how to enable POP3 and IMAP4 on Exchange 2007

Some people don't know how to set up POP3 or IMAP4 on Exchange 2007; this is because Exchange 2007 always uses an encrypted method when communicating server to server and client to server.

So to enable POP3 or IMAP4 on Exchange 2007 do the following:

Start the POP3 and IMAP4 services.

Enable users for POP3 and IMAP4 using:

Set-CASMailbox User -PopEnabled $true -ImapEnabled $true

or, if you have a large number of accounts, use:

Get-Mailbox | Set-CASMailbox -PopEnabled $true -ImapEnabled $true

Set the login type to plain text (not encrypted):

Set-PopSettings -LoginType PlainTextLogin

Restart the POP3 and IMAP4 services.


using DMFP

This is new, and pretty unique.

I had a call from MS 1 week ago; they asked if I can manage PDAs using SMS. I said that I hadn't used the DMFP yet, but it could be tried.

So we conducted a POC with the customer today. It was very cool; we did it and we managed PDAs running Windows CE3 and CE5.

I will post a detailed step-by-step guide for it later on.




Move MOM database to new SQL server-Active/Active SQL server

Here we go with the detailed steps for moving the MOM DB to a new SQL server. In my case I assumed that the database will be hosted on a SQL active/active cluster; the steps are similar for SQL on a standalone server.

There are 2 tricks in the above setup. First, correct the SQL connection in SQL Reporting or it will not work; second, make sure that the disk that will host the MOM DB and logs is part of the SQL Server dependencies or the MOM DB will not be created.

1-     Uninstall all other MOM Server components (and any MOM Agent of the same management group) that reside on the destination computer.

2-     On the designated active SQL cluster node, create the MOM database using the momcreatedb.exe utility (this utility can be found at the following path: “MOM CD”:\SupportTools\x86).

3-      Stop the MOM service on all MOM Management Servers. If MOM to MOM Product Connector (MMPC) is installed, stop the momcomm service.

4-     Back up the current OnePoint database to a file.

5-     On the destination computer, Restore the SQL database using the backup created in step 4.

6-     Grant "db_owner" privileges to the DAS account. The DAS account was specified when you installed the original MOM database component. To grant these privileges, do the following:

a.     In the SQL Server Enterprise Manager navigation pane, expand the SQL instance associated with this database.

b.     Expand Security, and click Logins.

c.     Right-click the DAS account displayed, and open the properties page.

d.     From the Properties page, select the Database Access tab.

e.     Select the OnePoint checkbox.

f.      In the Database Roles for OnePoint pane, select the "db_owner" check box. Click OK.

7-     On the first MOM Management Server start Regedt32.exe, and change the following registry values from the current SQL Server instance to the new SQL Server instance SQLservername\instancename:

·          HKEY_LOCAL_MACHINE\Software\Mission Critical Software\DASServer\DataSource Value

·          HKEY_LOCAL_MACHINE\Software\Mission Critical Software\Onepoint\Configurations\\Operations\Database Value

8-     Restart the MOM service.

1-     On the Designated SQL active node install IIS, and enable ASP.Net

2-     Install SQL Reporting.

3-     Install MOM Reporting As using Normal installation steps.

4-     After the installation complete open MOM reporting console.

5-     Select the SCDW link

6-     Edit the connection string by removing the . and replacing it with SQLservername\instancename.

7-     Restart IIS service.

8-     Edit the MOM DTS package job using the following steps:

·         Click Start, then select Settings, Control Panel, Administrative Tools, Scheduled Tasks.

·         Right-click the SystemCenterDTSPackage task and select Properties.

·         In the "Run" text-box change the /srcserver: parameter to the destination computer as in the example below:

MOM.Datawarehousing.DTSPackageGenerator.exe /silent /srcserver:SQLservername\instancename /srcdb:OnePoint /dwserver:SQLservername\instancename /dwdb:SystemCenterReporting /product:"Microsoft Operations Manager"

·         Click OK and reconfirm the password.



Exchange 2007 Reset Autocomplete in OWA

Here is a nice tip I found: how to reset the autocomplete names in OWA 2007. As you know, these are cached, and after some time, for one reason or another, you may want to reset them. The email addresses are retrieved from the AutoComplete cache. This cache list is saved in your mailbox, in property 0x7C080102 of an associated message called IPM.Configuration.Owa.AutocompleteCache in the Root Container. To reset this property you will have to use MAPI Editor as follows:

To get to the mailbox location where this (and other stored information for OWA) is kept, follow these steps:

1. Launch MAPI Editor (MFCMAPI).

2. Select Logon and Display Store Table from the Session menu.

3. Choose a profile that is NOT configured for Exchange Cached Mode from Outlook. (If you know that the profile has cached mode enabled you can edit the profile in Control Panel using the Mail icon.)

4. Right click the entry that starts with Mailbox – in the Display Name column and select Open Store. A new window showing the Root Container is opened.

5. Right click Root Container and select Open Associated Content Table. A new window is displayed with a new message.

6. Scroll until you see the Message Class column.

7. Click on the IPM.Configuration.Owa.AutocompleteCache line entry once. (If you double click, it will open the message and its contents are not viewable.)

8. Find the property Name/Tag: 0x7C080102 in the list in the bottom section of the


Thursday, April 3, 2008

One hotfix at a time no more please

OK, I found an interesting piece of info today.

The Exchange product team, based on the Exchange servicing strategy, supports installing one update at a time, so if you have a bunch of updates that need to be deployed you will have to deploy them one at a time.

This is very important and interesting info, as I found that most of my customers deploy updates in a bunch and then reboot, so make sure to follow the Exchange servicing model in order to be compliant.



and you cannot install SCOM reporting

Some people reported an error in SCOM reporting:


MSI (c) (DC! E8) [13:47:30:933]: PROPERTY CHANGE: Adding FailedMsgProperty property. Its value is' CheckHttpAddressResponse: Failed Status Code of the remote server sent an error: (503) Server not available. ".


For people who are getting this error, please remove the proxy settings from the IE and try again.

And what about SCOM in multiple forests: design SCOM in multiple forests


I have posted a nice number of posts about SCCM in multiple forests, and it looks like I have given away all of the required info. I am not sure if I missed something, but if I recall anything I will post it.

For SCOM deployment across forests, it is very easy, more so than SCCM. You have 2 options: either allow the agents to talk directly to the RMS/MS servers, or deploy an OpsMgr gateway in the remote forest. Based on my study, here are the factors that control your decision:

-          If you have a small number of agents with acceptable bandwidth and network connectivity, I would allow them to connect directly to the SCOM server.

-          If you have a large number of servers or WAN connectivity, I would deploy a GW in the other forest. Check and Google the top 10 benefits of using GW servers: data will be compressed better, less administrative overhead, etc.

In both cases you will need a CA around; you cannot use self-signed certificates. An enterprise or standard certificate will do the job. Once certificates are in place and configured, communication will flow smoothly. Here are 2 tips:

-          You will need to import and configure a certificate on the RMS/MS server in the original forest, and import the certificate using the certificate import utility. This is not clear in the documentation and people don't pay attention to this point.

-          You don’t need a trust in place between forests.

-          In the other forest where the GW is installed you don’t need certificates for agents as long as the servers are joined to the forest. Agents will communicate with the GW using mutual authentication; GW to RMS communication will be secured using certificates.

-          Note that the AD MP will not work across forests.

These are the major points I wanted to highlight. I will start posting about transitioning from SMS to SCCM soon, so keep reading :).

New Cluster MP released

It was released yesterday. This is a very important update to implement in your infrastructure; it has a lot of fixes and improved cluster performance monitoring.

The download is here. You will have to uninstall the previous cluster MP before installing this one; check the MP guide file first.


Wednesday, April 2, 2008

RSS feed added


I just added RSS feeds to my blog, you will find it in the upper left corner, you will be able to subscribe, see latest feeds, add to your favorite news reader, so have fun with it. And keep following the blog.

Design SCCM in multiple forests - more notes

This will grow and grow, but here we go:

You don’t need to have native mode across the forests to be able to manage the other forests, as long as each forest has its own site. If you have a single site that covers the 2 forests you will need SCCM in native mode.


If you have any questions please post a comment on any of my blog entries.



Tuesday, April 1, 2008

Install/FIX reporting after upgrading RMS to SP1

Yesterday I went through a nice SCOM installation: install SCOM, then reporting, then SP1 for SCOM and reporting. However, I had an issue, as reports were not showing. I tried everything, went to Google, and found that most of those cases were solved by reinstalling reporting. I uninstalled reporting and reset SRS; now when I try to run the reporting setup, it gets interrupted. I checked the error log and found that reporting cannot be installed because it tries to load an old version of the MP Warehouse library, the version will not load, and setup fails.

It gives the following error:

ImportMomManagementPack: Loading management pack C:\Program Files\System
Center Operations Manager
2007\Reporting\ 5:26:43 AM
ImportMomManagementPack: We are using the Client API to load the MP.
ImportMomManagementPack: Error: Unable to load management pack C:\Program
Files\System Center Operations Manager
: Cannot import ManagementPack
<<Microsoft.SystemCenter.DataWarehouse.Internal, 31bf3856ad364e35,
6.0.6246.0>>. A newer version of this ManagementPack <6.0.6246.0> is already
imported in the database.

To fix this issue, follow these steps:

-          Uninstall SCOM reporting

-          Reset SRS if you

-          Export the default MP and remove the WH library reference and overrides.

-          Import it back

-          Delete the WH library and ORD library MP.

-          Install the reporting.

-          Import the original MP

This is a complex solution. I had a reply from the product team saying to run Reporting2007.msi directly, and this should solve the problem. I didn’t try this one, so you have both solutions now.
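The version-conflict message in the setup log above wraps across several lines, so a plain line-by-line search misses it. The following is an added example, not part of the original post: it unwraps the log and extracts the management pack name, key token and both version numbers. The sample log is constructed from the excerpt, with a placeholder for the file name the excerpt cuts off, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the wrapped excerpt in the post. The file
# name after "Reporting\" is a placeholder because the post truncates it.
SAMPLE_LOG = r"""ImportMomManagementPack: Loading management pack C:\Program Files\System
Center Operations Manager 2007\Reporting\<placeholder>.mp
ImportMomManagementPack: We are using the Client API to load the MP.
ImportMomManagementPack: Error: Unable to load management pack C:\Program
Files\System Center Operations Manager 2007\Reporting\<placeholder>.mp
: Cannot import ManagementPack
<<Microsoft.SystemCenter.DataWarehouse.Internal, 31bf3856ad364e35,
6.0.6246.0>>. A newer version of this ManagementPack <6.0.6246.0> is already
imported in the database.
"""

VERSION = r"\d+(?:\.\d+){3}"
CONFLICT = re.compile(
    r"Cannot import ManagementPack\s*<<\s*(?P<name>[\w.]+)\s*,\s*"
    r"(?P<token>[0-9a-fA-F]{16})\s*,\s*(?P<offered>" + VERSION + r")\s*>>\.\s*"
    r"A newer version of this ManagementPack\s*<(?P<installed>" + VERSION + r")>\s*"
    r"is already imported"
)

def version_tuple(text):
    """Turn '6.0.6246.0' into (6, 0, 6246, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def find_mp_conflicts(log_text):
    """Return one dict per version-conflict message found in a setup log."""
    # The log wraps mid-message, so collapse every whitespace run to one space.
    flat = re.sub(r"\s+", " ", log_text)
    conflicts = []
    for m in CONFLICT.finditer(flat):
        offered = version_tuple(m["offered"])
        installed = version_tuple(m["installed"])
        if offered < installed:
            relation = "older"
        elif offered == installed:
            relation = "same"
        else:
            relation = "newer"
        conflicts.append({
            "name": m["name"],
            "key_token": m["token"].lower(),
            "offered": m["offered"],
            "installed": m["installed"],
            # How the version setup offers compares with the one in the database.
            "relation": relation,
        })
    return conflicts

if __name__ == "__main__":
    for conflict in find_mp_conflicts(SAMPLE_LOG):
        print(conflict)
```

The `name` field identifies which management pack setup is refusing to import, which is the one the removal steps above have to target.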


OpsMgr 2007 SQL MP version 6.0.6278.8 Released

The fixes and changes introduced in this release were thanks in large part to the feedback that all of you have provided to us.

The OpsMgr 2007 MP for SQL 2000 and 2005 has been updated and was released to the MP Catalog on 3/31/2008 (version 6.0.6278.8).  This version includes the fixes from all previous versions of the MP and is supported on both OpsMgr 2007 RTM and OpsMgr 2007 SP1. The table below is an excerpt from the MP guide detailing the changes and fixes that were made in this release.  I'd like to specifically call out the final bullet in the "Changes to SQL Server 2005 Management Pack" as the behavior of the "Database Status" monitor has been updated to have three states now so it can more appropriately handle DB restore and recovery states.

Changes in this Update

The March 2008 update to the SQL Server Management Pack includes the following changes:

General changes

·       The “Transaction Log Space Free (%)” monitor was made public for both SQL 2000 and SQL 2005 to allow for further customization.

·       Some corrections were made and additional detail provided in the “Key Monitoring Scenarios” sections of this guide.

·       Removed the hard-coded exception for jobs with a specific name from the “A SQL job failed to complete successfully” rules for both SQL 2000 and SQL 2005.

·       Fixed an issue with the scripts used to calculate DB free space which was preventing some databases from having their free space correctly monitored on SQL installations that did not have DBs with contiguous IDs.

·       Corrected typographical errors.

Changes to SQL Server 2000 Management Pack

·       Fixed an issue where incorrect free space values were being calculated for some SQL 2000 databases.

Changes to SQL Server 2005 Management Pack

·       A fix was made to address issues with collection of performance data from specific instances of Analysis Services.

·       Significant changes were made to the “Database Status” monitor in the SQL 2005 MP.  The monitor now has three states reflecting good, bad, and neither.  The possible database states have been realigned into these categories which will reduce “false-positive” alert volumes specifically when log-shipping and database backups are occurring.



Design SCCM in multiple forests - notes

Hi All,

I have some notes on my previous post; here they are:

-          If you use a 2-way forest trust between the forests, then SCCM can use the SCCM machine account in the sender configuration, so you don’t need to create an account. This is a note, as I stated that there must be a trust between forests.

-          If you don’t have a trust, then the account used could be a local account, so the trust is not required to configure SCCM across forests.


C ya