The ‘File Services Addendum’ (management pack name Microsoft Windows Server FileServices 2016 Addendum) adds a replication health/backlog script, seed and group classes, replication/service monitors, recovery tasks, and overrides to tune the monitored environment.
The addendum assumes the version agnostic (v10.0.0.0) File Services pack is installed.
Looking at the XML file in Notepad++, the pack references are the other management packs that the workflows refer to. Kevin Holman taught building backwards compatibility into MP authoring: backwards compatibility allows import into SCOM 2012 and later without errors. Taking this one step further, the v10.0.0.0 File Services packs referenced here are the version agnostic packs.
NOTE: the File Services Addendum references may need updating if the full set of File Services management packs is NOT installed.
References screenshot
Addendum logic
Capabilities
Daily report and close automation, on-demand tasks for reports
DFS backlog script errors
SmSvc, DFSN, DFSR service recovery and rule alerts (from Holman fragments library)
DFS replication backlog watcher, script, alerts
Notepad++ screenshot
Next, we look at the group/class discoveries
Update the Class/Group discoveries for DFS servers, and the script install path for the replication script.
Find and replace the FilePath and ##DFSServerNamingConvention## variables.
The ‘IIS addendum packs’ tune IIS monitoring from 2012 forward. The GitHub repository has two packs, 2012 and 2016+ (the version agnostic pack). Each includes an IIS enabled group, a daily report and cleanup DataSource and WriteAction (tasks), and a regular expression used to populate the IIS enabled group. The IIS enabled group turns on IIS monitoring only for the servers where IIS monitoring is needed.
Customize for environment
Update the addendum with the server naming conventions for which IIS monitoring should be enabled. Read below to better understand the addendum functionality.
First, the addendums include the class/group, the DataSource and WriteAction alert report and automated alert closure workflows, and the event count logic/reset MonitorType.
Second, in the group discovery, find/replace the pattern with the application/web server naming conventions where IIS monitoring IS wanted.
Third, the version agnostic pack has overrides to disable most performance and rule alerts. OFF packs can be provided to turn off performance counter collection rules, keeping both the OperationsManager and OperationsManagerDW databases smaller, and therefore faster, with less data.
IIS2012 overrides
Lastly, once the addendum is updated, save the file, move it to the SCOM management server (MS), and import.
Enjoy the ‘IIS addendum packs’ for how few alerts, perhaps life changing?! (sarcasm)
The DC Security bundle pack is much like the various universe/multiverse sci-fi storylines.
The Proactive Security bundle helps with three (3) DC authentication event sets encompassing Kerberos, NetLogon, and DCOM. These events were enabled as part of the server cumulative patches. The management packs run workflows on the servers, then combine the results into a daily alert report of the unique event description details.
Save the files from GitHub to your local SCOM MS and import.
Proactive Security bundle components
Proactive DC Kerberos KDC Authentications 1.0.0.1
Download: https://github.com/theKevinJustin/DCAuthAlerts
Documentation: https://kevinjustin.com/blog/2023/08/30/DC-Auth-Alerts/
Purpose: Monitor DC Kerberos authentication alerts on CA, DC role servers, as well as any operating system. Daily alert report consolidates alerts as well as on-demand report tasks.
Change Impact: Low
Security Impact: Low
Any testing needed: No
Proactive DC NetLogon Allowed Sessions 1.0.3.1
Download: https://github.com/theKevinJustin/DCAuthAlerts
Documentation: https://kevinjustin.com/blog/2023/08/30/DC-Auth-Alerts/
Purpose: Monitor DC NetLogon authentication alerts on DC role servers. Daily alert report consolidates alerts as well as on-demand report tasks.
Change Impact: Low
Security Impact: Low
Any testing needed: No
Proactive Microsoft Windows DCOM Server Security Bypass 1.0.0.8
Download: https://github.com/theKevinJustin/DCAuthAlerts
Documentation: https://kevinjustin.com/blog/2023/08/30/DC-Auth-Alerts/
Purpose: Monitor DC DCOM security bypass event IDs 10036, 10037 and 10038 in the Security event log. Pull from the DC and run the SCOM alert report, as well as the on-demand report task.
Change Impact: Low
Security Impact: Low
Any testing needed: No
The ‘MECM/SCCM Addendum pack’ covers Endpoint Management, which has taken on a number of names over the past few years. The pack started from administrators’ and field engineers’ input on alerts that are actionable or require manual intervention. While the platform has been renamed repeatedly, monitoring its functionality has stayed pretty much the same. The underlying application infrastructure is discovered through registry keys of the installed roles.
The pack adds monitoring for MECM servers per the health model through a daily team report, alert cleanup, custom groups to address subscription objects and servers, custom disk and client cache cleanup workflows, and lastly service restart automation.
Quick overview
The classes and the DataSource/WriteAction alert reports require updates to the target server naming convention(s). The alert report is most effective this way, giving the administrator/AppOwner only the alerts relevant to the servers they own or support. Why – to make the changes most effective, i.e. alert only when manual intervention is required.
Workflows, classes, and MonitorType
Update Discovery to find/replace hashtags
Leveraging Kevin Holman’s MP fragment find/replace convention, where common variables are notated as ##variable##, we begin by updating ##MECMServerNamingConvention## with a regular expression matching the servers involved with Configuration Management.
Second, we update the disk specific alerts that fire when drives fill. Applications need different amounts of free space before the application or server crashes, so these differ from the OS Logical Disk full composite alerts for % free and MB free. The disk specific updates give the administrator unique alerts for common disk full scenarios.
Third, update the MECM group discoveries with the various regular expressions.
Lastly, review the MECM rules, tasks, monitors and overrides for pack functionality.
After updating the relevant pieces, save the file, move it to the SCOM MS, and import.
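The ##variable## find/replace step above (and the same FilePath and ##DFSServerNamingConvention## step in the File Services Addendum) can be done with a script instead of Notepad++. The block below is an added example, not code from the addendum packs; the file paths, placeholder names and regular expressions are assumptions for illustration.

```powershell
# Added example: replace ##placeholder## variables in an exported management pack XML file,
# XML-escape the values, verify nothing was left behind, and confirm the result still parses.
# All paths, placeholder names and regex values below are assumptions for this illustration.
param(
    [string]$MpPath  = 'D:\MonAdmin\MECM.Addendum.xml',              # assumed source file
    [string]$OutPath = 'D:\MonAdmin\MECM.Addendum.customized.xml'    # assumed output file
)

# ##placeholder## => value for this environment (assumed naming conventions and script path)
$replacements = @{
    '##MECMServerNamingConvention##' = '^(CM|MECM|SCCM)[0-9]{2}'
    '##DFSServerNamingConvention##'  = '^(DFS|FS)[0-9]{2}'
    '##FilePath##'                   = 'D:\MonAdmin\Scripts\DFSRBacklog.ps1'
}

$xml = Get-Content -Path $MpPath -Raw

foreach ($key in $replacements.Keys) {
    # Escape <, >, &, quotes so a regex such as 'A&B' cannot break the XML.
    $value = [System.Security.SecurityElement]::Escape($replacements[$key])
    # String.Replace is a literal replace, so '#' and '\' need no regex escaping.
    $xml = $xml.Replace($key, $value)
}

# Fail loudly if any ##variable## the hashtable did not cover is still in the file.
$leftover = [regex]::Matches($xml, '##[A-Za-z0-9_]+##') |
    ForEach-Object { $_.Value } | Sort-Object -Unique
if ($leftover) {
    throw "Unreplaced placeholders remain: $($leftover -join ', ')"
}

# Parse the result before writing it, so a malformed pack never reaches the MS.
[xml]$parsed = $xml
Set-Content -Path $OutPath -Value $xml -Encoding UTF8
Write-Host "Wrote $OutPath with $($replacements.Count) placeholders replaced"
```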
My customers have loved this, hopefully this experience is shared!
Trellix bought McAfee and rebranded, but the services, application, registry keys, etc. have not yet changed. Many times the pack fills in the gaps that the admin misses, for example when application services crash or become non-responsive, or simply by adding the capability to summarize the issues seen in a daily alert report.
System Event ID 7031 is logged for each application/service whose process terminates unexpectedly.
The Trellix agent services have a monitor that alerts when System event log EventID 7031 events name the agent services in the event description.
Second, my own spin on application monitoring starts with the mantra ‘smarter vs. harder’. Besides dynamic discovery based on a registry key, adding the Service MonitorType gives additional monitoring flexibility: Samples and Intervals decrease false positive alerts. Simply put – count logic – x failures in y time before alerting.
Third, the pack adds Trellix Agent rules, monitors, an on-demand report task, and recovery scripts that build out the ‘manual intervention required’ alert action mantra.
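The “x failures in y time” count logic of the Event 7031 monitor, reproduced as a stand-alone check against the System event log. This is an added example and not the addendum pack’s monitor; the service display names, threshold and window are assumptions, Event ID 7031 and its Service Control Manager source are as described above.

```powershell
# Added example: count Event ID 7031 (service terminated unexpectedly) entries that name
# a given service within a time window, and report whether the count crosses the threshold.
# Service display names, window and threshold are assumptions; 7031/SCM are real values.
function Get-ServiceCrashCount {
    param(
        # Assumed display names as they appear in the 7031 event description.
        [string[]]$ServiceNames = @('McAfee Agent Service', 'McAfee Agent Common Services'),
        [int]$WindowMinutes = 60,   # the "y time" of the count logic
        [int]$MatchCount    = 3     # the "x failures" before the monitor alerts
    )
    $since = (Get-Date).AddMinutes(-$WindowMinutes)

    # Filter server-side by log, provider, ID and time rather than scanning the whole log.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031
        StartTime    = $since
    } -ErrorAction SilentlyContinue

    # Keep only the 7031 events whose description mentions one of our services.
    $hits = foreach ($e in $events) {
        foreach ($name in $ServiceNames) {
            if ($e.Message -match [regex]::Escape($name)) {
                [pscustomobject]@{ Time = $e.TimeCreated; Service = $name }
            }
        }
    }
    $count = @($hits).Count

    [pscustomobject]@{
        WindowMinutes = $WindowMinutes
        Count         = $count
        Threshold     = $MatchCount
        Alert         = ($count -ge $MatchCount)   # unhealthy only after x hits in y time
        Hits          = @($hits)
    }
}

Get-ServiceCrashCount | Format-List
```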
SCOMCore Addendum pack – having a strong core makes bigger gains
Time to configure the Microsoft System Center Core Monitoring pack per the health model and best practice. That’s where the SCOMCore Addendum pack comes in. The addendum adds a High Agent Handle count group, daily report and alert closure automation, and rule/monitor overrides. Some assembly required – update the discovery pattern for the offending high handle counts, and the high handle count group ContextInstance GUID after import.
High Agent Handle count was more of an issue before UC, SharePoint, and email (i.e. Lync/Skype, SharePoint, Exchange on prem) migrated to the x365 cloud platform. It is still seen where cloud scalability options and virtualization/storage limitations exist; the typical example is an over-utilized virtual machine in hybrid/IaaS/on-premises scenarios. Kevin Holman caught this performance issue years back, creating a monitoring alerts pack and blog. In case you’re on SCOM Jeopardy, the LAW/OMS/Microsoft Monitoring Agent/SCOM agent has a built-in health check. The built-in health check restarts the service when the Handle Count or memory of the HealthService (aka the Microsoft Monitoring Agent service) runs too hot per the SCOM PG. SCOM agent restarts caused config churn and high compute, as workflows re-ran after the service restarted.
OS Addendum packs for Windows Server from 2012 forward
Download the ‘OS Addendum packs’ for new capabilities: an event count logic MonitorType, disk cleanup, Group Policy, self-healing/reset monitors, as well as ‘EventLog full’ logic and reports. The additional monitors reduce alert noise. Examples of common alert scenarios are StorPort storage errors, Group Policy 1096 identification and rebuild, and Disk Cleanup & EventLog service recovery, which includes event log file expansion and rollover.
Update the logical disk paths and retentions. The default report contains quite a few common checks, including root folders broken out by path, highest to lowest GB. The workflow is scalable to add additional application paths, as well as file retention timeframes. The workflow runs on a weekly basis to clean up/archive log files and paths. See the Disk cleanup logic blog for more details.
‘OS Addendum packs’ contain a logical disk breakdown of root folders, listing the paths where files are stored, highest to lowest.
StorPort storage errors typically cut lots of alerts for storage reads/writes. The ‘count’ monitors decrease the alerts, and the daily alert report consolidates the warning alerts (critical by default). If you’re seeing these alerts, the defaults should decrease overall alerts to near zero. Tune as needed for disk alerts by updating MatchCount or TimerWaitInSeconds (the x events in y time piece of the monitor logic).
Update StorPort Count for Repeated Storage read/write errors
Logical disk cleanup is most times harder vs. smarter: manual intervention required. Why not smarter vs. harder?
‘Disk cleanup logic’ traditionally follows manual intervention. Why would you want harder and manual? This article presents options to clean up system and non-system disks by leveraging the largest root folder, APIs and more. This is the one step in the OS Addendum pack that needs explanation, and it can be tailored to applications where admins have regular manual cleanup actions.
Breakdown of Disk cleanup
We want to check system disks and non-system disks for different scenarios: figure out disk free space, user profiles, the largest folder on the root of the disk, IIS cleanup, and the MECM/SCCM client cache clear API. Second, use different behaviors depending on PowerShell version, clean up application log(s), and expand the drive alerts when there is NO space after the cleanup action.
Check Software Distribution for the ConfigMgr/SCCM/MECM client
Checking the software distribution path was an item for discussion where the folder was larger than 3 GB, stemming from customer and field engineer recommendations.
# Free space on the system drive in GB (the unit this comparison assumes) and
# SoftwareDistribution size in MB, so the fragment below runs on its own
$DiskFreeSpace = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='C:'" |
    Select-Object @{ Name = 'FreeSpace'; Expression = { [math]::Round($_.FreeSpace / 1GB, 1) } }
$SoftwareDistribution = [math]::Round((Get-ChildItem -Path C:\Windows\SoftwareDistribution -Recurse -File -Force -ErrorAction SilentlyContinue |
    Measure-Object -Property Length -Sum).Sum / 1MB)

If ($DiskFreeSpace.FreeSpace -lt 15)
{
    # Audit Software Distribution (size in MB; 3000 MB = the 3 GB discussion threshold)
    #==================================
    If ($SoftwareDistribution -le 3000)
    {
        Write-Host "NO SME/SystemOwner/SysAdmin/Server Action required"
    }
    Else
    {
        Write-Host "SME/SystemOwner/SysAdmin/Server Action required, stopping Windows Update service, removing SoftwareDistribution folder and restarting"
        # wuauserv holds the folder open, so stop it before removal and start it again afterwards
        Get-Service -Name wuauserv | Stop-Service -Force
        Remove-Item -Path C:\Windows\SoftwareDistribution -Recurse -Force -ErrorAction SilentlyContinue
        Get-Service -Name wuauserv | Start-Service
        Write-Host "Windows Update wuauserv service restarted after SoftwareDistribution directory removed"
    }
}
Cleanup of application log folders
The nice part of this is that you can reuse it by changing the path and deletion actions to tailor it to the customer environment. The script comes in handy for VEEAM, SQL and IIS instances, and for log directories on multiple drives.
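The two pieces described above, the root folder breakdown by size and the per-path log cleanup with a retention period, as one reusable script. This is an added example, not the OS Addendum pack’s own workflow; the drive letter, application paths, file patterns and retention days are assumptions.

```powershell
# Added example: (1) root folders of a disk by size, highest to lowest GB; (2) per-path
# log file cleanup with a retention in days. Paths and retentions below are assumptions.
function Get-RootFolderSize {
    param([string]$Drive = 'C:')   # assumed drive to break down
    Get-ChildItem -Path "$Drive\" -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
        # Sum every file under the root folder; inaccessible files are skipped, not fatal.
        $bytes = (Get-ChildItem -Path $_.FullName -File -Recurse -Force -ErrorAction SilentlyContinue |
                  Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{ Path = $_.FullName; GB = [math]::Round(($bytes / 1GB), 2) }
    } | Sort-Object -Property GB -Descending
}

function Remove-AgedLogFiles {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # path => retention in days (assumed application log paths; adjust per environment)
        [hashtable]$Retention = @{
            'D:\inetpub\logs\LogFiles' = 30
            'D:\VeeamBackup\Logs'      = 14
        },
        [string[]]$Include = @('*.log', '*.txt')   # only log-type files, never binaries
    )
    foreach ($path in $Retention.Keys) {
        if (-not (Test-Path -Path $path)) { Write-Verbose "Skipping missing path $path"; continue }
        $cutoff = (Get-Date).AddDays(-$Retention[$path])
        Get-ChildItem -Path $path -File -Recurse -Include $Include -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -lt $cutoff } |
            ForEach-Object {
                # ShouldProcess honours -WhatIf/-Confirm, so the run can be previewed first.
                if ($PSCmdlet.ShouldProcess($_.FullName, "Remove (older than $($Retention[$path]) days)")) {
                    Remove-Item -Path $_.FullName -Force
                }
            }
    }
}

Get-RootFolderSize -Drive 'C:' | Format-Table -AutoSize
Remove-AgedLogFiles -WhatIf   # preview only; drop -WhatIf to perform the cleanup
```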
Still running Server 2012 R2 AD DCs with AD integrated DNS?
In case you’re still running Windows Server 2012 R2, here’s the ‘DNS2012R2 Addendum pack’, giving the same functionality as the version agnostic 2016+ addendum. Why? DNS is the translation method that converts names to IPs. Can you imagine if we wanted to connect to Google by IP? The number of workflows in the SCOM DNS pack (built by the DNS Product Group) makes for an astounding number of workflows running on your DC every minute. Forward and reverse lookups are a good check, verifying DNS is functioning. In a complex environment with hundreds of zones, SCOM becomes a utilization culprit against a DC’s primary missions – authenticate and resolve. This article will help you understand how the pack adds new capabilities and tunes DNS monitoring to best practice.
One more admin process and workflow is to ‘update SCAP tools’ on servers. Often overlooked, keeping the newest version installed on servers can save many headaches.
Check DOD Cyber Exchange
Check the website here, search for Win in the SCAP tools, then download and install.
SCAP tool download from DOD Cyber Exchange public website.
Navigation steps:
Control Panel > Programs > Programs and Features
In the search bar (top right) enter scap (and hit enter)
SCAP Control Panel output showing multiple versions installed. Install the latest application, then remove the old versions (in this case, all three!).
Install SCAP application
Extract files from ZIP
Copy folder to repository (my path example below)
Save the SCAP zip and files to the folder repository and on the server where SCAP is to be installed.
Run SCAP application
Take the defaults (unless you want the checker icon on desktop). Run SCAP application from PowerShell (as admin) window.
Open PowerShell as admin window
Example:
cd "D:\MonAdmin\STIGS\scc-5.7.2_Windows"; gci; .\SCC_5.7.2_Windows_Setup.exe
Hit enter to begin install
Run SCAP install from PowerShell (as admin) window.
On the SCAP EULA radio button application install screen, click ‘I accept’ radio button and click Next.
SCAP EULA radio button application install screen.
Select Destination location (preferably on non-system disk), and click Next
Click on Start > start typing SCAP > Click on SCAP Compliance Checker
From the SCAP checker UAC prompt, click Yes to continue
Click OK to end the install
SCAP new features popup after install
Run Local Scan
Run local scan to prove functionality.
Select STIG(s) in the middle pane > Click Start Scan
Run SCAP scan against server, choose your STIGs and Start Scan
Verify SCAP tool modified files after installation
Recheck Windows Explorer for OpenSSL and look at the file properties for version details. Interestingly, NONE of these files have versions (openssl and x509 searches show nothing file version wise).