Zenoss Setup for Windows Servers

Sep 20, 2012
Recently I was saddled with standing up Zenoss for our enterprise.  We're running about 1200 servers, so manually touching each box was not an option.  We use LANDesk for a lot of automated installs and patching - more about that later.

The steps below may not necessarily have to be completed in this order - it's just the way I did it.

STEP ONE:
Set up a standard AD user.  We want to do this so there's minimal security exposure.  Call the account whatever you want; we use "domain/zenoss" for our examples.
***********************************************************
STEP TWO:
Add your zenoss account to the following local groups:
Distributed COM Users
Performance Monitor Users
Event Log Readers (which doesn't exist on pre-2008 machines)

Here's the PowerShell script I used to set up access to these local groups:

# Created to add Active Directory account to local groups
# Must be run from elevated prompt, with permissions on the remote machine(s).

# The txt file should contain the names of the machines that need the account added, one per line.
# Script will process machines line by line.
foreach($i in (gc c:\tmp\computers.txt)){

# Add the user to the first group
$objUser=[ADSI]("WinNT://domain/zenoss")
$objGroup=[ADSI]("WinNT://$i/Distributed COM Users")
$objGroup.PSBase.Invoke("Add",$objUser.PSBase.Path)

# Add the user to the second group
$objUser=[ADSI]("WinNT://domain/zenoss")
$objGroup=[ADSI]("WinNT://$i/Performance Monitor Users")
$objGroup.PSBase.Invoke("Add",$objUser.PSBase.Path)

# Add the user to the third group - Group doesn't exist on < Server 2008
#$objUser=[ADSI]("WinNT://domain/zenoss")
#$objGroup=[ADSI]("WinNT://$i/Event Log Readers")
#$objGroup.PSBase.Invoke("Add",$objUser.PSBase.Path)

}
**********************************************************

STEP THREE:
Set up security on the machine's WMI namespace so our domain/zenoss account can access it.
The default namespace for zenoss is:  root/cimv2
Here's the PowerShell script:

#Grant account defined below (line 11) access to WMI Namespace
#Has to be run as account with permissions on remote machine

function get-sid
{
Param (
$DSIdentity
)
$ID = new-object System.Security.Principal.NTAccount($DSIdentity)
return $ID.Translate( [System.Security.Principal.SecurityIdentifier] ).toString()
}
$sid = get-sid "domain\zenoss"
$SDDL = "A;;CCWP;;;$sid"
$DCOMSDDL = "A;;CCDCRP;;;$sid"
$computers = Get-Content "c:\tmp\computers.txt"
foreach ($strcomputer in $computers)
{
    $Reg = [WMIClass]"\\$strcomputer\root\default:StdRegProv"
    $DCOM = $Reg.GetBinaryValue(2147483650,"software\microsoft\ole","MachineLaunchRestriction").uValue
    $security = Get-WmiObject -ComputerName $strcomputer -Namespace root/cimv2 -Class __SystemSecurity
    $converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
    $binarySD = @($null)
    $result = $security.PsBase.InvokeMethod("GetSD",$binarySD)
    $outsddl = $converter.BinarySDToSDDL($binarySD[0])
    $outDCOMSDDL = $converter.BinarySDToSDDL($DCOM)
    $newSDDL = $outsddl.SDDL += "(" + $SDDL + ")"
    $newDCOMSDDL = $outDCOMSDDL.SDDL += "(" + $DCOMSDDL + ")"
    $WMIbinarySD = $converter.SDDLToBinarySD($newSDDL)
    $WMIconvertedPermissions = ,$WMIbinarySD.BinarySD
    $DCOMbinarySD = $converter.SDDLToBinarySD($newDCOMSDDL)
    $DCOMconvertedPermissions = ,$DCOMbinarySD.BinarySD
    $result = $security.PsBase.InvokeMethod("SetSD",$WMIconvertedPermissions)
    $result = $Reg.SetBinaryValue(2147483650,"software\microsoft\ole","MachineLaunchRestriction", $DCOMbinarySD.binarySD)
}

***********************************************************
STEP FOUR:
Get the SID for our zenoss account.
Powershell

#Provide AD User get SID
$objUser = New-Object System.Security.Principal.NTAccount("domain", "zenoss")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
******************************************************************
STEP FIVE:
Modify the Service Control Manager to allow access to the zenoss AD account.
This command can be run from an elevated command line, or through PowerShell.  Enter it as a single line, and call sc.exe by its full name, because in Windows PowerShell sc on its own is an alias for Set-Content.

sc.exe sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;PUT_YOUR_SID_HERE_FROM STEP_FOUR)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
******************************************************************
In step two the script plows through a txt file and processes the computer listed on each line.  For the other scripts I ran them on each machine using LANDesk.  You can probably edit those scripts to process a text file as well.

That's what got me off the ground monitoring the machines using Zenoss.  Hopefully this is helpful for you.  Watch the line breaks when you copy the scripts.
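
The step three script appends its ACE on every run, and it appends to the very end of the SDDL string, which is the SACL whenever the descriptor has an S: section (as the step five string does). The following is an added example, not part of the original post: Add-DaclAce is a hypothetical helper that inserts an ACE at the end of the DACL only when it is not already there, and the SID and SDDL strings are constructed sample values.

```powershell
# Added example, not the post's code. Add-DaclAce is a hypothetical helper name.
function Add-DaclAce {
    param(
        [Parameter(Mandatory = $true)][string]$Sddl,  # full SDDL string of the object
        [Parameter(Mandatory = $true)][string]$Ace    # ACE without parentheses, e.g. "A;;CCWP;;;<SID>"
    )
    # Split into owner/group header, DACL and optional SACL. -cmatch keeps the
    # match case-sensitive so only the literal section markers "D:" and "S:" count.
    if (-not ($Sddl -cmatch '^(?<head>.*?)D:(?<dacl>.*?)(?<sacl>S:.*)?$')) {
        throw "No DACL section found in SDDL: $Sddl"
    }
    $head = $Matches['head']
    $dacl = $Matches['dacl']
    $sacl = $Matches['sacl']          # $null when the descriptor has no SACL

    # Idempotence: leave the descriptor alone if this exact ACE is already in the DACL.
    if ($dacl.Contains("($Ace)")) { return $Sddl }

    # Insert at the end of the DACL, ahead of any SACL.
    return "${head}D:${dacl}($Ace)${sacl}"
}

# Constructed sample values; the SID is a placeholder, not a real account.
$sid    = 'S-1-5-21-1111111111-2222222222-3333333333-1104'
$wmiAce = "A;;CCWP;;;$sid"        # the WMI namespace ACE from step three
$scmAce = "A;;CCLCRPRC;;;$sid"    # the Service Control Manager ACE from step five

$wmiSddl = 'O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)'
$scmSddl = 'D:(A;;CC;;;AU)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'

# Running the helper twice yields the same descriptor as running it once.
$once      = Add-DaclAce -Sddl $wmiSddl -Ace $wmiAce
$twice     = Add-DaclAce -Sddl $once -Ace $wmiAce
$unchanged = $once -ceq $twice
"WMI after first run : $once"
"Unchanged on rerun  : $unchanged"

# A plain string append lands after the S: section, i.e. in the SACL.
$appended = $scmSddl + "($scmAce)"
$inserted = Add-DaclAce -Sddl $scmSddl -Ace $scmAce
"SCM, plain append   : $appended"
"SCM, DACL insert    : $inserted"
```

Comparing the descriptor before and after a rollout with a helper like this also gives a quick audit of which machines already carry the monitoring account's ACE.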



Installation Guide to Install Windows 8 Developer Preview on Virtual Box

Sep 15, 2011


Step by Step Installation Guide to Install Windows 8 Developer Preview on Virtual Box

Microsoft revealed the Developer Preview of Windows 8 on 13th September 2011. Windows 8 adheres to the Metro Design Guidelines. Without going deep into technical discussions on the features of Windows 8, in this post I show you the installation steps for Windows 8 on Virtual Box.

So to start with, go and download the Windows 8 Developer Preview from the link below. Choose the appropriate link for your system (32 bit or 64 bit) to download and install.

http://msdn.microsoft.com/en-us/windows/apps/br229516

Once downloaded, mount the ISO image to a virtual drive or, if you want, go ahead and burn it to a DVD 9.

The next step is to download Virtual Box and install it. When Virtual Box is installed we will install the Windows 8 Developer Preview on it.

Go ahead and download virtual box from here:  http://www.virtualbox.org/wiki/Downloads

Installation steps are fairly straightforward, so I am not going to bore you to death by writing one or two sentences with each screenshot. I am just posting all the screens you may get while installing; just follow the screens to get Windows 8 installed on Virtual Box.

While installing Virtual Box, wherever you get an Oracle security warning, click Run and move ahead.

Check the check box and click Install.

Give a name to the virtual box and choose the version of your host operating system from the drop down.

Recommended memory is 1024MB. If you want you can amend it.

Select the Create new hard disk option.

Now you need to provide file location and size.

On clicking the Create button you will get the below screen. Click on the Settings menu.

Here you need to click on the System tab and make sure that Enable IO APIC is checked.

In the Processor tab make sure Enable PAE/NX is checked.

In the Acceleration tab make sure both the check boxes are checked.

Next go to the Storage tab and select the Empty option. And from the Attribute section select IDE Secondary Master from the drop down.

Choose the Virtual CD/DVD option here.

Select the ISO file of the Windows 8 Developer Preview you downloaded and then click on the OK button.

Now click on the Start button to start installation of Windows 8.

You probably have it from here.

Enjoy.

How do I turn off Internet Explorer Enhanced Security Configuration in Windows Server 2008?

Aug 25, 2010

Unlike with previous versions of Windows Server--in which you could disable Internet Explorer Enhanced Security Configuration by removing the component in Add/Remove Programs, Windows Components--the Windows Server 2008 implementation of Internet Explorer Enhanced Security Configuration is configured through Server Manager.

Select the root of the Server Manager navigation pane, and under the Server Summary click Configure IE ESC, which is part of the Security Information section. A dialog box appears, letting Internet Explorer Enhanced Security Configuration be enabled/disabled separately for normal users and administrators.
 

Infopath Timeout When You Create/Edit a Workflow

One Comment | Aug 04, 2010

We recently had to open a ticket with MS regarding the creation of workflows when using Infopath.  Basically what would happen is that the connection to the SQL box was so slow that the XML was not getting created on the workflow.  We're running IE8 with Win 7, X64. 

THE SOLUTION: Go into IE -> choose tools -> connections -> LAN settings and uncheck the auto detect option. 

Hope that helps someone.

We Lost Power to the Windows 7 64 Bit Machines and Now We Can't Login to the Domain

Jul 27, 2010

Last night during an electrical storm, a portion of our building lost power (the entire building isn't protected by a generator).  Several client machines couldn't login to the domain when the power came back up.  We were seeing a message that basically said the machine didn't have a trust account on the domain, yet AD said the machine was a member of the domain.  We couldn't login with cached credentials, and local accounts failed too.  We tried the restore procedure many people had suggested and that wouldn't work either.  The solution ended up being simple.  We physically disconnected the machines from the network - unplugged the network cable, and successfully logged in using cached AD credentials.  The downside is that some users lost some data.  Since none of our XP machines were affected, we're thinking Microsoft needs to address the issue with Windows 7.  It seems to be related to machines being in sleep mode and encountering a power failure.

TechEd 2010 - New Orleans

Jun 09, 2010

We're a little more than half way through TechEd 2010 in New Orleans and I am having a hard time finding interesting breakout sessions to attend.  Laura Chappell has completed all of her sessions, and Andy Malone is almost done.  Laura's sessions on Wireshark have been amazing.  Andy is always entertaining and informative.

 I did sit through a session this afternoon on IPv6 that was interesting.  I will spend the final day in the Hands on Labs area working through some PowerShell, and Communication Server 14 labs.  The speakers for two of my breakouts had written interesting books.  I went to the conference bookstore to pick them up and found both to be sold out.  They did offer to ship the books to me with the TechEd 20 percent discount.

I'm not real sure who thought it would be a good idea to hold a conference in June in New Orleans.  It has been HUMID.  On top of that TechEd 2011 will be in my hometown, Atlanta.

 

Krusader To The Rescue

Mar 03, 2010

Krusader is one of those must-have computing tools that turns difficult or tedious computing tasks into easy, point-and-click operations. It's an advanced twin-panel file manager that's loaded with features.

When I made the switch from the Windows to the Linux operating system, I had a short list of program requirements. This list was a match to critical computing procedures I relied upon in Windows. I quickly discovered that Linux offers numerous twin-panel file managers, but very few have the power built into Krusader.

One of my favorite Windows file managers was Norton Commander. Years after using it, I found even more features in a program called "Power Desk." That program set a high standard to match when I began searching for an equivalent Linux file manager.

One of the great joys of Linux computing is the variety of installed programs that come with different distributions. Krusader is available in most of the popular distros' package management systems. See the list on the download page here.

This location also provides basic steps for installing Krusader in distros that do not include it in the resident package manager. If you are new to the Linux desktop, this lack of a uniform installation routine like Windows uses can be a deal-breaker.

One of my favorite uses for Krusader is managing archives. I receive attached files compressed in many different file compression formats. With Krusader, everything I need to work with archived files as well as a variety of graphic image types is right there on the toolbar.

I never have to track down a decompression app or waste hours figuring out manual commands. Instead, Krusader lets me transparently view archives as if I were viewing a directory on the hard drive. Sure, other Linux apps do the same thing, but Krusader puts that function along with many others all in one place.

Krusader unpacks and packs files using nearly every file format known to Linux. For instance, it supports formats for ace, arj, bzip2, deb, iso, lha, rar, rpm, tar, zip and 7zip. Plus, it handles KIOSlaves such as smb:// or fish://.

It's the ease of use that I really love about Krusader. Linux, like Microsoft Windows, provides multiple ways of doing the same task. With Krusader, multiple ways of doing a task are bundled within the menus and displayed buttons.

For instance, I store data on several primary thumb drives. These drives sit in USB sockets of whichever of my array of computers I am using, so all of my data is readily at hand. To keep tabs on remaining free space, I click on the Tools drop-down menu and click on the Disk Usage function. I then browse to whichever drive or hard disk directory I'm using and click OK. Krusader shows a multi-colored graph with the space each file consumes and the total space in use.

Similarly, dozens of file maintenance tasks are simply handled through point-and-click navigation. For example, I store backup copies of all my critical files on each computer -- desktops, laptops and netbook. Using Krusader, I display the file location on the hard drive in the left-hand panel and the file directories of the large-capacity external hard drives or thumb drive on the right-hand panel. Then I click Synchronize Directories in the Tools drop-down menu to sync both locations.

Exchange/Outlook - iPhone Calendar Problem

3 Comments | Aug 14, 2009

We have identified a serious issue with responding to calendar invitations using an iPhone with the latest 3.0 update. When you accept an invitation, the meeting organizer sees the response coming from the first person to respond to the invitation and leaves your attendee status set to "no response". This means that using your iPhone to accept/reject calendar invitations will significantly interfere with organizing meetings.

This is only the case when iPhone users are accepting from the same domain, i.e. "Internal Meetings".

 

When using the iPhoneOS 3.0 to accept an invitation, the invite gets returned to the meeting organizer as the incorrect user. It appears that meeting organizers show responses from iPhones running OS 3.0 as the first person to accept that particular invitation.

The meeting organizer sees these acceptance messages but they do not match who it actually came from:

iPhones that accept the meeting do not show "No Response". The response that goes back to the organizer of the meeting is "User Outlook accepted" when it should say "User iPhone1/2 Accepted". The meeting organizer never sees the attendee status of iPhone 1/2 as they set the status of the first user to accept the meeting.

 

Initially, it looked to be an issue with just Exchange 2003 SP2 and Outlook 2007 clients.  That is NOT the case.  Shops using Exchange 2007 are experiencing the same problem.  The problem seems limited to iPhones running the 3.x OS.  The apparent remedy is to not accept invitations using your iPhone and wait for a fix from Apple.  It is unknown if the problem will exist with Exchange 2010.

Great Plains for remote users

May 28, 2009

We recently went through a Great Plains upgrade to v. 10.  After the database was set up, I wanted a script I could run on the clients that would pretty much automate the setup.  What I came up with doesn't completely automate the process, but it does greatly simplify it.

*************************************************************************************

net use B: \\servername\Groups\GPData\GP10\GPInstall

RD "C:\Program Files\Microsoft Dynamics\GP" /S /Q

B:\OfficeWebComponents\owc11.exe

B:\Client\setup.exe

B:\Mekorma\Mekorma_MICR_10.00.045.00.exe

B:\CRGChanger\setup.exe

B:\CRGReverser\setup.exe

xcopy B:\_VchSel10_D1_20090402\NAMB00001.cnk "C:\Program Files\Microsoft Dynamics\GP\"

xcopy B:\Client\Dex.ini "C:\Program Files\Microsoft Dynamics\GP\Data\" /Y

B:\IntMgr\IntegrationManager.exe

xcopy B:\IntMgr\*.ini "C:\Program Files\Microsoft Dynamics\Integration Manager 10\" /Y

xcopy B:\IntMgr\*.xml "C:\Program Files\Microsoft Dynamics\Integration Manager 10\" /Y

net use b: /delete

**************************************************************

After the clients were installed I needed a solution for remote users.  Now I came to the realization that GP doesn't support remote clients, so I ran the script above on a server running terminal services.  That seemed to work like a champ.  That solution then became a great fit for our DR location.  I repeated the process for the DR terminal server with slight tweaks of the pathing and ini files.  The DR terminal server eliminated the need for making changes to the client machine ini and xml files.

Microsoft.Dynamics.GP.IntegrationManager.ini

*********************************

[IMBaseProvider]
AutoUpgradeIntegrations=1
CommandTimeout=30
HideMsgBox=True
UseOptimizedFiltering=True
DBPath=\\servername\Groups\GPData\GP10\IM\GP10.0_IM.Mdb
[IMGPPrv]
ShowDynamics=False
DoUIRedraw=False
AllowOpenWindows=False
HideMsgBox=True
[IMGPeConnect]
SuppressIntegration=False
HideMsgBox=True

*********************************************************

Microsoft.Dynamics.GP.IntegrationManager.IMRun.ini

[IMBaseProvider]
AutoUpgradeIntegrations=1
CommandTimeout=30
HideMsgBox=True
UseOptimizedFiltering=True
DBPath=\\servername\Groups\GPData\GP10\IM\GP10.0_IM.Mdb
[IMGPPrv]
ShowDynamics=False
DoUIRedraw=False
AllowOpenWindows=False
HideMsgBox=True
[IMGPeConnect]
SuppressIntegration=False
HideMsgBox=True


Windows 7 Admin Tools

One Comment | May 19, 2009

OK, so yesterday I installed the RC for Windows 7 and today I really had some catching up to do with the normal tasks.  First thing I needed were the server admin tools.  It took me a while to find them.....lots of broken links, but here's where I found them.

• Microsoft Remote Server Administration Tools for Windows 7 Beta (x86): http://download.microsoft.com/download/A/D/4/AD4D3903-E06D-456D-AED4-D53895D2C1A9/Windows6.1-KB958830-x86.msu

• Microsoft Remote Server Administration Tools for Windows 7 Beta (x64): http://download.microsoft.com/download/A/D/4/AD4D3903-E06D-456D-AED4-D53895D2C1A9/Windows6.1-KB958830-x64.msu

RSAT Client is available to all customers as part of the supplemental Microsoft Software License Terms to Windows 7 licenses.

What Is Included in RSAT?
This is the list of Windows Server 2008 administration tools which are included in Win7 RSAT Client:

Server Administration Tools:
• Server Manager

Role Administration Tools:
• Active Directory Certificate Services (AD CS) Tools
• Active Directory Domain Services (AD DS) Tools
• Active Directory Lightweight Directory Services (AD LDS) Tools
• DHCP Server Tools
• DNS Server Tools
• File Services Tools
• Hyper-V Tools
• Terminal Services Tools

Feature Administration Tools:
• BitLocker Password Recovery Viewer
• Failover Clustering Tools
• Group Policy Management Tools
• Network Load Balancing Tools
• SMTP Server Tools
• Storage Explorer Tools
• Storage Manager for SANs Tools
• Windows System Resource Manager Tools