How to create SNMP Probe Based Two-State Monitor in SCOM?

Let’s say for example that you need to monitor value of specific performance counter on SNMP-enabled device and raise an Alert when it is above the configured threshold. In order to do that, SNMP Probe Based Monitor should be used.

To create such monitor, procedure is pretty straightforward. Click on the Authoring tab in the Operations Console, and open Monitors in the Navigation Pane. After that, open Actions -> Monitor -> Create a Monitor -> Unit Monitor -> SNMP -> Probe Based Detection -> Simple Event Detection -> Event Monitor – Single Event and Single Event.

I will not go into more details on how to create the monitor. Just follow the Create a unit monitor wizard and make sure that the appropriate community string and the object identifier (OID) is entered, as well as expressions for the unhealthy/healthy conditions.

Once you have finished the wizard and successfully created the monitor, you might notice that it doesn’t work as expected.

By default, Create a unit monitor wizard creates SNMP Probe Based Monitor which treats any collected value as string. As a result, an Alert is raised even in conditions when value is actually below the configured threshold. This is because result of string comparison differs from the comparison of numeric values. To give you an example, if you have configured monitor to raise an Alert when the collected value is greater than “30” (numeric), an Alert will also be raised if the collected value is “4”,”5”,”6”, etc. String value of “4” is greater than string value of “30” which is not the case with numeric values.

Problem resolution

In order to solve this problem, you need to dive into XML. In XML editor (XML Notepad for example), open the Management Pack in which SNMP Probe Based Monitor is stored.

Look after the text similar to the following:

<FirstExpression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type=”String”>/DataItem/SnmpVarBinds/SnmpVarBind[1]/Value</XPathQuery>

              </ValueExpression>

              <Operator>Greater</Operator>

              <ValueExpression>

                <Value Type=”String”>30</Value>

              </ValueExpression>

            </SimpleExpression>

</FirstExpression>

… and replace the XPathQuery Type and Value Type to the appropriate data type. In our case, it is Integer:

<FirstExpression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type=”Integer”>/DataItem/SnmpVarBinds/SnmpVarBind[1]/Value</XPathQuery>

              </ValueExpression>

              <Operator>Greater</Operator>

              <ValueExpression>

                <Value Type=”Integer”>30</Value>

              </ValueExpression>

            </SimpleExpression>

</FirstExpression>

 

Don’t forget to perform the same change for the <SecondExpression> definition also.

Save changes in XML file and import the Management Pack into the SCOM.

For more information about the ExpressionType and data types used in Operations Manager, refer to the following article: http://msdn.microsoft.com/en-us/library/ee692979.aspx

HTTP 500 Internal Server Error when accessing SCCM Reports

If you are receiving HTTP 500 Internal Server Error when accessing SCCM Reports via web browser, check the following settings:

1. Make sure that you are not hitting the limit of maximum rows returned by a report query. By default, report viewer in SCCM 2007 is configured to limit the results returned by a report query to 10 000 rows.

To change the number of rows returned by a report query, create the Rowcount DWORD value under the HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\Reporting registry key.

Set its value to the number of rows that you want returned in the report query. If you want to return all rows, set the value to 0xffffffff, which is the hexadecimal equivalent of –1.

For more information, refer to the following TechNet article: How to Configure the Maximum Rows Returned by a Report Query, available at the: http://technet.microsoft.com/en-us/library/bb680885.aspx

 

2. Increase the ASP response buffer limit size (aspbufferinglimit).

In IIS 6.0 change has been introduced which limits a default ASP response buffer to 4 MB. Increasing the buffer limit might help you in resolving this problem. To increase the buffer limit, follow these steps:

• Click Start, click Run, type cmd, and then click OK.
• Type the following command, and then press ENTER:

cd /d %systemdrive%\inetpub\adminscripts

• Type the following command, and then press ENTER:

cscript.exe adsutil.vbs SET w3svc/aspbufferinglimit LimitSize

LimitSize represents the buffering limit size in bytes. For example, the number 67108864 sets the buffering limit size to 64 MB.

To confirm that the buffer limit is set correctly, follow these steps:

•   Click Start, click Run, type cmd, and then click OK.
• Type the following command, and then press ENTER:

cd /d %systemdrive%\inetpub\adminscripts

• Type the following command, and then press ENTER:

cscript.exe adsutil.vbs GET w3svc/aspbufferinglimit

In my case, setting the limit to the value of 12582912 (12 MB) did the trick in the Configuration Manager environment of approximately 10 000 managed devices (SCCM Clients).

For more information about the ASP response buffer limit, refer to the following article: Error message when a Web browser sends a request for an active server page to a Web server that is running IIS 6.0: “Response buffer limit exceeded”, available at the: http://support.microsoft.com/kb/925764

Problem with the SCOM Agent authentication against the SCOM Management Server

Problem description

You have successfully installed SCOM Agent manually on managed computer. However, managed computer doesn’t appear in the Agent Managed or Pending Management list in the Operations Console.

The following event is logged in the Operations Manager event log on Agent-managed computer:

Event Type:            Error

Event Source:         OpsMgr Connector

Event Category:     None

Event ID: 20057

Description: Failed to initialize security context for target MSOMHSvc/<SCOM Management Server Name> The error returned is 0×80090311(No authority could be contacted for authentication.).  This error can apply to either the Kerberos or the SChannel package.

 

How to confirm the problem?

To troubleshoot the issue, Microsoft Network Monitor can be used:

• Stop HealthService on managed computer to stop the SCOM Agent (open the Command Prompt and type the net stop HealthService).
• Start Microsoft Network Monitor.
• Click on the New capture tab.
• In the Capture Filter, enter the following filter:

KerberosV5
OR KerberosV5_Struct
OR NLMP
OR NLMP_Struct
OR GssAPI
OR SpnegoNegotiationToken
OR GssapiKrb5
OR LDAP

• Click on the Apply button to apply the Capture Filter.
• Click on the Start button to start the new capture.
• Now, quickly start the HealthService to start the SCOM Agent (net start HealthService).
• Wait (usually 10-15 seconds) until event 20057 appears in the Operations Manager event log on the affected computer.
• In Network Monitor, click on the Stop button to stop the capture.
• Now carefully revise capture frames in the Frame Summary window. You should see KerberosV5 and LDAP protocol traffic against the Active Directory Domain Controllers.

NOTE: Above applies in case that you are not using certificate-based authentication.

To resolve this issue, make sure that TCP/UDP 88 port (Kerberos) and TCP/UDP 389 port (LDAP) is open against the Domain Controllers in your Active Directory environment.

These ports are not documented in the TechNet’s article Using a Firewall with Operations Manager 2007.

What happens under the hub?

When SCOM Agent <-> Management Server communication starts, authentication takes place (Kerberos). If you have multi-domain environment, things are bit more complicated. Before the authentication protocols can follow the forest/domain trust path, the service principal name (SPN) of the SCOM Management Server must be resolved (LDAP).

When a managed computer (SCOM Agent) in one domain attempts to access resource computer (SCOM Management Server) in another domain, it contacts the domain controller for a service ticket to the SPN of the resource computer. Once the domain controller queries the global catalog and identifies that the SPN is not in the same domain as the domain controller, the domain controller sends a referral for its parent domain back to the workstation. At that point, the workstation queries the parent domain for the service ticket and follows the referral chain until it gets to the domain where the resource is located.

If you have SCOM Management Server in child domain A of the Active Directory Forest infrastructure and the SCOM Agent in child domain B, make sure that SCOM Agent is able to access all DC’s in the referral chain which are required to get to the domain where SCOM Management Server is located.

For more information about the ports required for the System Center Operations Manager, and the authentication in Operations Manager, refer to the following TechNet articles:

Authentication and Data Encryption for Windows Computers in Operations Manager 2007, available at the: http://technet.microsoft.com/en-us/library/bb735408.aspx

Using a Firewall with Operations Manager 2007, available at the: http://technet.microsoft.com/en-us/library/cc540431.aspx

Updates Resource Center for Office Communications Server 2007 R2 and Clients

New resource is available on the Microsoft TechNet. It is called Updates Resource Center for Office Communications Server 2007 R2 and Clients and it lists all Office Communications Server 2007 R2 related updates in one place.

It is available on the following address: http://technet.microsoft.com/en-us/office/ocs/ee695846.aspx.

Very useful if you have ever been in a situation where you needed to quickly determine the most recent update information for specific product.

Updates Resource Center contains all server-side updates, as well as client-side updates.