
Archive for the ‘Windows 2008’ Category

How to configure windows event forwarding in Windows 7/2008 – Part-1

The purpose of this article is to explain how event forwarding works, the different types of event forwarding, and a step-by-step guide to implementing them.

In this Part 1 of How to configure event forwarding in Windows 7/2008, I will cover some basics of event forwarding, the components involved in forwarding, and their functionality.

Windows 7 and Windows 2008 R2 support forwarding event log messages to a centrally defined server. The purpose is very simple: you have all the required events in one place, and you can do auditing, archival, or any other operation you want from a single place. You need not depend on external scripts to collect Windows event logs from different computers and put them in one place.

There are two main components involved in Event Forwarding.

1) Collector:

The collector is a Windows computer that collects event logs from computers on your network and stores them locally. In other words, this is where all events are saved.

2) Forwarder/Source Computer:

This is a Windows computer that forwards events from the local computer to a central computer designated as the collector.

The definitions of source computer and collector are pretty clear and I believe there is no need to explain them in detail. If you are still in doubt, the below picture should definitely clarify that.

Now we know what a source computer and a collector computer are in event forwarding. The next question you might have is whether the source computer or the collector initiates the event forwarding. Based on which component initiates the event forwarding request, Windows event log forwarding is divided into two types. They are called subscriptions.

1) Collector initiated subscription:

In this type of subscription, the collector asks the remote computer to send events to it. It is the collector’s job to poll the source computers frequently and get event logs from them. This kind of subscription is best suited to a limited set of computers. It doesn’t scale well as the number of source computers increases.

2) Source initiated subscription:

In this type of subscription, the source computer sends the event logs to the collector computer. The job of the collector computer is just to save whatever the source computer sends.

For either collector initiated or source initiated forwarding, a subscription needs to be created on the collector side. A subscription is nothing but a configuration that specifies which event logs/event IDs should be forwarded. The destination log for the forwarded events is also configured in the subscription.

To make event forwarding work, the collector and source computers should be configured to do that. I will cover this in detail when I talk about each type of subscription in my next posts.
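
What such a subscription looks like on the collector, as an added example that is not from the original post: a PowerShell script that writes a source initiated subscription definition and registers it with wecutil. The subscription name, the event IDs and the file path are assumptions chosen for illustration.

```powershell
# Added example. Run in an elevated PowerShell session on the collector.
# Assumed values: subscription name, event IDs, output path.
$subscriptionId = 'FailedLogons-Example'
$eventIds       = 4625, 4740          # failed logon, account lockout (Vista/2008 and later sources)
$destinationLog = 'ForwardedEvents'   # log on the collector that receives the forwarded events

# XPath filter that tells the sources which events to forward.
$idFilter = ($eventIds | ForEach-Object { "EventID=$_" }) -join ' or '

$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward selected Security events to the collector</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Path="Security">
        <Select>*[System[($idFilter)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>$destinationLog</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL: allow Domain Computers (DC) and Network Service (NS) to subscribe -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@

# Parse before registering so a malformed definition fails here, not inside wecutil.
$doc  = [xml]$xml
$path = Join-Path $env:TEMP "$subscriptionId.xml"
$doc.Save($path)

wecutil qc /q                 # configure and start the Windows Event Collector service
wecutil cs $path              # create the subscription from the XML file
wecutil gs $subscriptionId    # print the subscription as the collector stored it

# Note: to forward the Security log, the Network Service account on each source
# needs read access to that log (for example via the Event Log Readers group).
```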

Another piece of information worth sharing is which operating systems can act as a source computer and which can play the collector role.

Source Computer:

  1. Windows XP with Service Pack 2 (SP2)
  2. Windows Server 2003 with Service Pack 1 (SP1)
  3. Windows Server 2003 with Service Pack 2 (SP2)
  4. Windows Server 2003 R2
  5. Windows Vista
  6. Windows Vista with SP1
  7. Windows 7
  8. Windows Server 2008
  9. Windows 2008 R2

Collector Computer:

  1. Windows Vista with SP1
  2. Windows 7
  3. Windows Server 2008
  4. Windows 2008 R2

One point to note here is that WS-Management 1.1 is not installed by default on computers running Windows XP with SP2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, or Windows Server 2003 R2, so you must install WS-Man 1.1 to use these platforms as event sources before you set up a source-initiated event subscription. For more information about how to install WS-Management 1.1, see http://go.microsoft.com/fwlink/?LinkId=100895.

In my next posts I will talk about how to configure source initiated and collector initiated subscriptions in detail.

Disk Cleanup Utility missing in Windows Server 2008

By now we as administrators may have noticed that the Disk Cleanup utility is missing in Windows Server 2008. Disk Cleanup/Clean Manager (cleanmgr.exe) does not appear by default in Volume Properties. Follow the steps below to clean up the volume.

Summary

The Disk Cleanup executable file cleanmgr.exe and the associated Disk Cleanup button are not present in Windows Server® 2008 or in Windows Server® 2008 R2 by default.

Cause

This is by design, as the Disk Cleanup button is part of the Desktop Experience feature. In order to have the Disk Cleanup button appear on a disk’s Properties dialog, you will need to install the Desktop Experience feature.

Resolution

So in order to use cleanmgr.exe you’ll need to copy two files that are already present on the server, cleanmgr.exe and cleanmgr.exe.mui. Use the following table to locate the files for your operating system.

Once you’ve located the files move them to the following locations:

  1. Cleanmgr.exe should go in %systemroot%\System32.
  2. Cleanmgr.exe.mui should go in %systemroot%\System32\en-US.
  • You can now launch Disk Cleanup by running Cleanmgr.exe from a command prompt, or by clicking Start and typing Cleanmgr into the Search bar.

Reference: http://technet.microsoft.com/en-us/library/ff630161(WS.10).aspx

How to know the switch name to which your server is connected

I came across a situation today where I had to find out the details of the switch to which a particular server is connected. Often we come across such cases, where the network administrator is unavailable to tell you which switch/port it is, or the data center engineer is not around to help you with this information.

After thinking about this problem for some time, one thing clicked in my mind. I remembered that in a VMware ESX environment, I used the CDP (Cisco Discovery Protocol) abilities of Virtual Center to find out which switch a NIC is connected to. That means all I need to do is get this CDP information from the switch to which my server NIC/network connection is connected. So the remaining question was how to send the CDP request to the switch, and how to analyze that data.

I did some googling and realized that I am not alone in this world, and there are several people who have similar requirements for different purposes. Then I started looking for CDP utilities for the Windows operating system and located one: CDP Monitor from TallSoft. I have seen a few people recommend it in some forums. I didn’t try it personally but you may want to look at this tool. You can get it from http://www.tallsoft.com/cdpmonitor.htm

I didn’t try this tool directly, but while going through the information about it, I saw it mentioned somewhere that it uses WinPCAP and fetches the CDP information from that. Then I thought, if it is using WinPCAP, why not use Wireshark to get this information? That tool is already available on my server (because it is a must-have tool for any deep dive). I captured the network traffic on the server for some time using Wireshark, looked for a filter that shows only the CDP information, and I was successful. I got the switch details I needed.

Below is the brief procedure:

  1. Download and install Wireshark from http://www.wireshark.org/download.html
  2. Launch Wireshark and start capturing the traffic on the interface for which you need to find the switch and port details.
  3. Let the capture run for a few minutes, then type CDP in the Filter section and click on Apply.
  4. This will show the CDP traffic flowing through the server.
  5. Now select the CDP traffic and expand the Cisco Discovery Protocol section in the packet details pane.
  6. Here the Device ID represents the name of the switch to which your server is connected.
  7. And the Port ID represents the ethernet port on the switch to which your server is connected.
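
Where the Device ID and Port ID in steps 6 and 7 sit inside the frame, as an added example that is not from the original post: a PowerShell parser for the type-length-value records of a CDP payload, run on a constructed sample. The function names, switch name and port name are made up for illustration.

```powershell
# Added example. A CDP frame is sent to the multicast address 01:00:0C:CC:CC:CC.
# After the 14-byte 802.3 header and the 8-byte LLC/SNAP header comes the CDP
# payload: version (1 byte), TTL (1 byte), checksum (2 bytes), then TLV records.
# Each TLV is: type (2 bytes), length (2 bytes, includes this 4-byte header), value.

function Get-CdpNeighbor {
    param([Parameter(Mandatory = $true)][byte[]] $Payload)

    if ($Payload.Length -lt 4) { throw 'CDP payload is shorter than its 4-byte header' }

    $info = @{ Version = $Payload[0]; TtlSeconds = $Payload[1]; DeviceId = $null; PortId = $null }
    $offset = 4
    while ($offset + 4 -le $Payload.Length) {
        $type   = [int]$Payload[$offset]     * 256 + $Payload[$offset + 1]
        $length = [int]$Payload[$offset + 2] * 256 + $Payload[$offset + 3]

        # A length below 4 would loop forever; a length past the end is a truncated frame.
        if ($length -lt 4 -or $offset + $length -gt $Payload.Length) {
            throw "Malformed TLV at offset $offset (declared length $length)"
        }

        switch ($type) {
            0x0001 { $info.DeviceId = [Text.Encoding]::ASCII.GetString($Payload, $offset + 4, $length - 4) }
            0x0003 { $info.PortId   = [Text.Encoding]::ASCII.GetString($Payload, $offset + 4, $length - 4) }
        }
        $offset += $length
    }
    New-Object PSObject -Property $info
}

# Helper that builds one text TLV for the constructed sample (values under 252 bytes).
function New-CdpTextTlv([int] $Type, [string] $Text) {
    $body = [Text.Encoding]::ASCII.GetBytes($Text)
    [byte[]](0, $Type, 0, ($body.Length + 4)) + $body
}

# Constructed sample payload: CDP version 2, TTL 180 s, checksum left as zero
# (the parser does not verify it), Device ID and Port ID records.
$sample = [byte[]](2, 180, 0, 0) +
          (New-CdpTextTlv 1 'sw-access-01.example.net') +
          (New-CdpTextTlv 3 'GigabitEthernet1/0/12')

Get-CdpNeighbor -Payload $sample | Format-List Version, TtlSeconds, DeviceId, PortId
```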

Hmm… I found what I need. I thought documenting this will help others as well and hence authored this post. Feel free to comment.

 

Understand Windows disk performance counters

I came across an article that explains the disk related performance counters in Windows Servers well. It gives very good information about what each counter means and what its values indicate. It is worth reading, so I am sharing it with my blog readers.

http://blogs.technet.com/b/askcore/archive/2012/03/16/windows-performance-monitor-disk-counters-explained.aspx

Don’t miss reading it. Happy learning.

 

FIX: DFS Replication failed to register itself with WMI.

February 14, 2012

You might get alerts from your DFS-R management pack in SCOM about the DFS-R service being unable to register itself with WMI, which can impact replication. The exact error message is given below.

DFS Replication failed to register itself with WMI. Replication is disabled until WMI registration succeeds.

To resolve this issue, you may need to re-register the DFS-R related DLL and other files that belong to WMI. Before going there, restart your DFS-R service once to confirm that the problem is not transient and happens every time. You will notice an error message with event ID 6104 in the DFS Replication event log after you restart the service. If this event is present, the problem is live and you should fix it.

The following solution worked for me.

CD %windir%\system32\wbem
mofcomp dfsrprov.mof
mofcomp dfsrprov.mfl
wmiprvse /regserver
net stop dfsr
net start dfsr

All it does is re-register the WMI related files of DFS-R.
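
The restart-then-check step and the re-registration above as one script, as an added example that is not from the original post. The function name and the 30-second wait are assumptions, and a non-zero mofcomp exit code is treated as failure.

```powershell
# Added example. Run in an elevated PowerShell session on the DFS-R server.

# Restarts DFS-R and reports whether event 6104 was logged after the restart.
# Returns $true when no 6104 appeared, i.e. WMI registration succeeded.
function Test-DfsrWmiRegistration {
    param([int] $WaitSeconds = 30)   # assumed time for the service to log its start-up events

    $since = Get-Date
    Restart-Service -Name DFSR
    Start-Sleep -Seconds $WaitSeconds

    # Get-WinEvent raises an error when nothing matches, so silence it and count.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName = 'DFS Replication'; Id = 6104; StartTime = $since
        } -ErrorAction SilentlyContinue)

    return ($events.Count -eq 0)
}

if (Test-DfsrWmiRegistration) {
    Write-Host 'No event 6104 after the restart: the problem was transient, nothing to re-register.'
}
else {
    Write-Host 'Event 6104 logged again: re-registering the DFS-R WMI provider.'
    Push-Location (Join-Path $env:windir 'system32\wbem')
    try {
        foreach ($file in 'dfsrprov.mof', 'dfsrprov.mfl') {
            mofcomp $file
            if ($LASTEXITCODE -ne 0) {
                throw "mofcomp $file failed with exit code $LASTEXITCODE"
            }
        }
        wmiprvse /regserver
    }
    finally {
        Pop-Location
    }

    if (Test-DfsrWmiRegistration) {
        Write-Host 'DFS-R registered with WMI after re-registration.'
    }
    else {
        Write-Host 'Event 6104 is still logged: continue with the further steps.'
    }
}
```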

If you still notice issues, you may want to re-register everything under WBEM folder. This was suggested in Technet Forum.

CD %windir%\system32\wbem
for /f %s in ('dir /b /s *.dll') do regsvr32 /s %s
for /f %s in ('dir /b *.mof *.mfl') do mofcomp %s
wmiprvse /regserver
net stop dfsr
net start dfsr

If the problem is still not resolved, try rebooting the DFS-R server.

Sometimes the compilation of MOF files might fail with the errors below while performing the above steps. In such cases, http://support.microsoft.com/kb/841619 might help you.

C:\WINNT\system32\wbem>mofcomp dfsrprov.mof
Microsoft (R) 32-bit MOF Compiler Version 5.2.3790.3959
Copyright (c) Microsoft Corp. 1997-2001. All rights reserved.
Parsing MOF file: dfsrprov.mof
MOF file has been successfully parsed
Storing data in the repository…
An error occurred while opening the namespace for object 1 defined on lines 4 -
4:
Error Number: 0x8007000e, Facility: Win32
Description: Not enough storage is available to complete this operation.
Compiler returned error 0x8007000e

A few more references that might be useful for troubleshooting the issue:

  1. DFSR Does Not Replicate Temporary Files : http://blogs.technet.com/b/askds/archive/2008/11/11/dfsr-does-not-replicate-temporary-files.aspx
  2. http://social.technet.microsoft.com/Forums/en-US/winserverfiles/thread/b8a8f0e6-9fcb-4a98-9951-bce109927dc8/

Thanks for reading my rambling. I wrote this for my quick reference and to help people who are searching for similar information.

WARNING: The above steps involve re-registration of WMI providers. So, test them in your lab and try them in production at your own risk. I am not responsible for any damage caused by the above procedure.

Hope this helps…

 

PowerShell: Get Windows Cluster instances status

November 22, 2011

Using PowerShell, we can query the status of a given Windows cluster and the instances inside it. With Windows 2008, MS is offering this ability. You need to import the failoverclusters module to use the cmdlets available to manage a Windows cluster.

Import cluster module:

Import-module failoverclusters

Using this module you can do a variety of things in a cluster, like adding and deleting disks, network interfaces, or any other cluster resources. You can do the majority of cluster operations with this PowerShell module.

Now I will give you a little example about how to connect to a cluster and get instances hosted on it.

Get-Cluster -Name cluster1.domain.com | Get-ClusterGroup

The above connects to cluster1.domain.com and returns the status of the groups/instances hosted on this cluster. You can also see preferred nodes, fail-over and fail-back settings for a given group, etc. I will try to post about them when I get a chance.
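
Building on that one-liner, an added example (not from the original post) that flags groups which are not online or are not running on their first preferred owner, using Get-ClusterGroup and Get-ClusterOwnerNode from the list below. The function name and the output column names are assumptions.

```powershell
# Added example. Requires the FailoverClusters module (Windows Server 2008 R2).
Import-Module FailoverClusters

function Get-ClusterGroupHealth {
    param([string] $Cluster = 'cluster1.domain.com')   # cluster name used in the post

    foreach ($group in (Get-Cluster -Name $Cluster | Get-ClusterGroup)) {
        # Preferred owners in order of preference; empty when none are configured.
        $preferred = @(($group | Get-ClusterOwnerNode).OwnerNodes |
                Where-Object { $_ } | ForEach-Object { $_.Name })

        $issue = $null
        if ($group.State -ne 'Online') {
            $issue = "State is $($group.State)"
        }
        elseif ($preferred.Count -gt 0 -and $group.OwnerNode.Name -ne $preferred[0]) {
            $issue = "Running on $($group.OwnerNode.Name), first preferred owner is $($preferred[0])"
        }

        New-Object PSObject -Property @{
            Group     = $group.Name
            State     = $group.State
            OwnerNode = $group.OwnerNode.Name
            Issue     = $issue
        }
    }
}

# Show only the groups that need attention.
Get-ClusterGroupHealth | Where-Object { $_.Issue } |
    Format-Table Group, State, OwnerNode, Issue -AutoSize
```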

For your quick reference, I am posting the cluster cmdlets (source: technet)

Add-ClusterDisk Make a new disk available for use in a failover cluster. The disk (LUN) must be exposed to all nodes in the failover cluster, and should not be exposed to any other servers.
Add-ClusterFileServerRole Create a clustered file server (resource group that includes one or more disks, on which you can create shared folders for users).
Add-ClusterGenericApplicationRole Configure high availability for an application that was not originally designed to run in a failover cluster.
Add-ClusterGenericScriptRole Configure an application controlled by a script that runs in Windows Script Host, within a failover cluster.
Add-ClusterGenericServiceRole Configure high availability for a service that was not originally designed to run in a failover cluster.
Add-ClusterGroup Add an empty resource group to the failover cluster configuration, in preparation for adding clustered resources to the group.
Add-ClusterNode Add a node (server) to a failover cluster. Before adding the new node, you should run validation tests on the existing nodes together with the proposed new node.
Add-ClusterPrintServerRole Create a clustered print server (a resource group that includes a printer and a disk for storing print job information and printer drivers).
Add-ClusterResource Add a resource to a clustered service or application (resource group) in a failover cluster.
Add-ClusterResourceDependency Add a resource to the list of resources that a particular resource depends on (using AND as the connector) within a failover cluster. Existing dependencies will remain in the list.
Add-ClusterResourceType Add a resource type to a failover cluster, and specify information such as the dynamic-link library (DLL) to use with that resource type.
Add-ClusterServerRole Add a group containing only a client access point and storage to the failover cluster configuration.
Add-ClusterSharedVolume Make a volume available in Cluster Shared Volumes in a failover cluster.
Add-ClusterVirtualMachineRole Create a clustered virtual machine, that is, a virtual machine that can be failed over if necessary to a different server in the failover cluster.
Block-ClusterAccess Prevent the specified user or users from accessing a failover cluster.
Clear-ClusterDiskReservation Clear the persistent reservation on a disk in a failover cluster.
Clear-ClusterNode Clear the cluster configuration from a node that was evicted from a failover cluster.
Get-Cluster Get information about one or more failover clusters in a given domain.
Get-ClusterAccess Get information about permissions that control access to a failover cluster.
Get-ClusterAvailableDisk Get information about the disks that can support failover clustering and are visible to all nodes, but are not yet part of the set of clustered disks.
Get-ClusterGroup Get information about one or more clustered services or applications (resource groups) in a failover cluster.
Get-ClusterLog Create a log file for all nodes (or a specific node) in a failover cluster.
Get-ClusterNetwork Get information about one or more networks in a failover cluster.
Get-ClusterNetworkInterface Get information about one or more network adapters in a failover cluster.
Get-ClusterNode Get information about one or more nodes (servers) in a failover cluster.
Get-ClusterOwnerNode For a resource in a failover cluster, get information about which nodes can own the resource. For a clustered service or application (a resource group), get information about the order of preference among owner nodes.
Get-ClusterParameter Get detailed information about an object in a failover cluster, such as a cluster resource. This cmdlet is used to manage private properties for a cluster object.
Get-ClusterQuorum Get information about the quorum configuration of a failover cluster.
Get-ClusterResource Get information about one or more resources in a failover cluster.
Get-ClusterResourceDependency Get information about the dependencies that have been configured between clustered resources in a failover cluster.
Get-ClusterResourceDependencyReport Generate a report that lists the dependencies between resources in a failover cluster.
Get-ClusterResourceType Get information about one or more resource types in a failover cluster.
Get-ClusterSharedVolume Get information about Cluster Shared Volumes in a failover cluster.
Grant-ClusterAccess Grant access to a failover cluster, either full access or read-only access.
Move-ClusterGroup Move a clustered service or application (a resource group) from one node to another in a failover cluster.
Move-ClusterResource Move a clustered resource from one clustered service or application to another within a failover cluster.
Move-ClusterSharedVolume Move a Cluster Shared Volume to ownership by a different node in a failover cluster.
Move-ClusterVirtualMachineRole Move the ownership of a clustered virtual machine to a different node.
New-Cluster Create a new failover cluster. Before you can create a cluster, you must connect the hardware (servers, networks, and storage), and run the validation tests.
Remove-Cluster Destroy an existing failover cluster. The affected servers will no longer function together as a cluster.
Remove-ClusterAccess Remove a user from the access list on the cluster.
Remove-ClusterGroup Remove a clustered service or application (also called a resource group) from a failover cluster.
Remove-ClusterNode Remove a node from a failover cluster. After the node is removed, it no longer functions as part of the cluster unless you add it back to the cluster.
Remove-ClusterResource Remove a clustered resource from the failover cluster.
Remove-ClusterResourceDependency Remove a dependency between two resources in a clustered service or application within a failover cluster.
Remove-ClusterResourceType Remove a resource type from a failover cluster.
Remove-ClusterSharedVolume Remove a volume from the Cluster Shared Volumes in a failover cluster, and place it in Available Storage in the cluster.
Repair-ClusterSharedVolume Run repair tools on a Cluster Shared Volume locally on a cluster node.
Resume-ClusterNode Resume activity on a failover cluster node after you have suspended it (that is, paused it).
Resume-ClusterResource Turn off maintenance for a disk resource or Cluster Shared Volume within a failover cluster.
Set-ClusterLog Set the size and level of detail for the cluster log.
Set-ClusterOwnerNode For a resource in a failover cluster, specify which nodes can own the resource. For a clustered service or application (a resource group), specify information about the order of preference among owner nodes.
Set-ClusterParameter Control specific properties of an object in a failover cluster, such as a resource, a group, or a network.
Set-ClusterQuorum Configure quorum options for a failover cluster.
Set-ClusterResourceDependency Specify the resources that a particular resource depends on within a failover cluster. Existing dependencies will be overwritten by the dependencies that you specify.
Start-Cluster Start the Cluster service on all nodes of the cluster on which it is not yet started.
Start-ClusterGroup Bring one or more clustered services and applications (also known as resource groups) online on a failover cluster.
Start-ClusterNode Start the Cluster service on a node in a failover cluster.
Start-ClusterResource Bring a resource online in a failover cluster.
Stop-Cluster Stop the Cluster service on all nodes in a failover cluster, which will stop all services and applications configured in the cluster.
Stop-ClusterGroup Take one or more clustered services and applications (also known as resource groups) offline on a failover cluster.
Stop-ClusterNode Stop the Cluster service on a node in a failover cluster.
Stop-ClusterResource Take a resource offline in a failover cluster.
Suspend-ClusterNode Suspend activity on a failover cluster node, that is, pause the node.
Suspend-ClusterResource Turn on maintenance for a disk resource or Cluster Shared Volume so that you can run a disk maintenance tool without triggering failover.
Test-Cluster Run validation tests for failover cluster hardware and settings. Tests can be run both before and after a cluster is set up.
Test-ClusterResourceFailure Simulate a failure of a cluster resource.
Update-ClusterIPResource Renew or release the DHCP lease for an IP address resource in a failover cluster.
Update-ClusterVirtualMachineConfiguration Refresh the configuration of a clustered virtual machine within a failover cluster.

Fix: Live Communications Server tab is not showing up in Active Directory Users and Computers MMC(dsa.msc)

November 17, 2011

While having a discussion with my wife today, I came across an interesting scenario where the “Active Directory Users and Computers” MMC is not showing the “Live Communications Server” tab in user properties even though the LCS administrator tools are installed. I searched the internet for the same problem and it looks like many people have already experienced this. For some, enabling the “advanced features” option in the dsa.msc MMC fixed the issue, and some people installed the console on XP computers to work around the problem.

In the particular case my wife was troubleshooting, she found that the LCS administrator tools were the 32-bit version and had been installed on a 64-bit OS server. So, what is the problem? A 64-bit OS supports 32-bit, right?

The problem is that when you launch the dsa.msc MMC from the Run command, it fires up the 64-bit version of MMC, which looks like it has some trouble talking to the 32-bit version of the LCS tools. Hence, it does not load the LCS-related tabs in the properties of any user account.

To work around this problem, you can open dsa.msc in 32-bit mode by simply typing the command below.

dsa.msc -32

You can use a similar trick to launch any MMC in 32-bit mode. After opening it, look at the process name in Task Manager: you will find mmc.exe*32, which indicates a 32-bit process. You will find a normal mmc.exe if you run mmc without the -32 switch.

I felt this is an interesting topic every system admin should be aware of. Hence I authored this post.

Hope this helps. Happy learning…

only administrators have permission to add software during terminal services. if you want to install or configure software on server contact your administrator

November 10, 2011

You might see the error message in the subject while installing/uninstalling software on a Windows 2003 computer over a terminal services connection. We all know that application installation has certain limitations when it comes to terminal services (anyone know why?). In such cases, if you still want to install/uninstall the application on these terminal services enabled servers, you need to choose one of the following methods.

If this is just a one-off requirement, then option #1 suits you best.

Option#1:

Start mstsc with the /console or /admin option and then connect to the server. This lets you connect to the console of the server directly, taking the terminal services piece out of your way.

Go to start -> Run -> type “mstsc /admin /v:servername” and click OK if you are using RDP client v6 or above

Go to start ->Run -> type “mstsc /console /v:servername” and click OK if you are using legacy version of RDP client.

Option#2:

If your administrators are expected to install applications on servers by connecting via terminal services, then you need to make sure that application installation is allowed. You can do it via group policies.

“computer configuration” -> “administrative templates” -> “windows components” -> “windows installer” -> “allow admin to install from terminal server session” should be enabled

Hope this helps.

PowerShell: Uninstall windows hotfixes(updates)

August 12, 2011

Are you in need of a script that uninstalls patches from both local and remote computers? You have landed at the right place. Today I came across a question in a forum asking for a way to uninstall patches/security updates/hotfixes from local or remote computers. While this is easy to do on local computers, it is a little tricky when it comes to remote computers. I thought about it for some time and finally came up with the code below, which works for both local and remote computers. All it does is construct an uninstall command for the given patch and execute it using the WMI process class.

This script comes in handy when you want to uninstall patches from a Windows 2008 Core server, which doesn’t have a GUI, so you can’t perform uninstallations the way you do in a regular Windows 2008 OS.

Here is the code:

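function Uninstall-Hotfix {
    [CmdletBinding()]
    param(
        [string] $ComputerName = $env:COMPUTERNAME,

        # Digits with an optional KB prefix only: this value is placed on a
        # cmd.exe command line on the target computer.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^(KB)?\d+$')]
        [string] $HotfixID
    )

    # wusa.exe expects the bare number; WMI reports the KB-prefixed form.
    $kbNumber = $HotfixID -replace '^KB', ''
    $kbName   = "KB$kbNumber"

    $installed = Get-WmiObject -ComputerName $ComputerName -Class Win32_QuickFixEngineering |
        Select-Object -ExpandProperty HotFixID

    # Exact comparison: -match would also accept KB12345 when only KB123456 is installed.
    if ($installed -notcontains $kbName) {
        Write-Host "Given hotfix ($kbName) not found"
        return
    }

    Write-Host "Found the hotfix $kbName"
    Write-Host "Uninstalling the hotfix"
    $UninstallString = "cmd.exe /c wusa.exe /uninstall /KB:$kbNumber /quiet /norestart"
    $result = ([WMICLASS]"\\$ComputerName\ROOT\CIMV2:win32_process").Create($UninstallString)
    if ($result.ReturnValue -ne 0) {
        Write-Host "Could not start wusa.exe on $ComputerName (Create returned $($result.ReturnValue))"
        return
    }

    # Poll until the remote wusa.exe process has exited.
    while (@(Get-Process wusa -ComputerName $ComputerName -ErrorAction SilentlyContinue).Count -ne 0) {
        Start-Sleep 3
        Write-Host "Waiting for update removal to finish ..."
    }
    Write-Host "Completed the uninstallation of $kbName"
}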

Usage:

Uninstall-HotFix -ComputerName PC1 -HotfixID KB123456

How to install powershell on Windows 2008 R2 Core Server

August 9, 2011

After you install Windows 2008 R2 Core Server from media, you notice that PowerShell is not installed by default. PowerShell is essential in a Core environment to administer the core operating system. So, it is recommended to install PowerShell after you install the Core operating system, to take full advantage of this powerful programming language in configuring the several OS parameters. Today, I installed a core server and thought of writing an article on how to install PowerShell in Core.

Procedure to install powershell in Windows 2008 R2 Server Core:

  1. Log on to the server with an administrator account and start the server configuration wizard by typing “SCONFIG” in a command prompt.
  2. Select option “4” in the Server Configuration wizard to enter “Configure Remote Management”.
  3. Select option “2” to install PowerShell (Enable Windows PowerShell).
  4. Reboot the server if prompted.

This completes the installation. Now you can start powershell by starting the process “powershell.exe” either from command prompt or from task manager.

Hope this helps…