Wednesday, February 24, 2010

Dell system monitoring with WMI

For those who may be interested in checking Dell hardware through scripts there are several ways to do it. I will focus on Windows in this post, and skip over wmic and vbscript, to show some powershell examples of this. For background reference and WMI, there is a useful document at Dell for wmic and a reference guide for Common Information Model administration as well. For some background on Dell's WMI namespace, this has existed for quite some time in Dell OpenManage, starting sometime in version 4.x (I have seen in it 4.4 and higher, though I can't verify earlier versions). The namespace is unique branch on CIMV2, called root\CIMV2\Dell. Some examples of information provided inside this namespace: -Per component details and status -Hardware log retrieval -Component types installed and firmware information -Remote access card component information Using the same WMI capabilities that come with the Dell OpenManage software, we can use Powershell's Get-WMIObject commandlet to pull information from a machine. Using this, you can limit the results displayed similar to the examples of wmic, however the results are objects, so they are much easier to work with for further programming. Here is a basic example
PS C:\> gwmi -namespace root\cimv2\dell -class CIM_PhysicalMemory __GENUS : 2 __CLASS : CIM_PhysicalMemory __SUPERCLASS : CIM_Chip __DYNASTY : CIM_ManagedSystemElement __RELPATH : CIM_PhysicalMemory.CreationClassName="CIM_PhysicalMemory ",Tag="0" __PROPERTY_COUNT : 27 __DERIVATION : {CIM_Chip, CIM_PhysicalComponent, CIM_PhysicalElement, C IM_ManagedSystemElement} __SERVER : myserver __NAMESPACE : root\cimv2\dell __PATH : \\myserver\root\cimv2\dell:CIM_PhysicalMemory.Crea tionClassName="CIM_PhysicalMemory",Tag="0" BankLabel : Capacity : 2147483648 Caption : CreationClassName : CIM_PhysicalMemory DataWidth : 64 Description : FormFactor : 9 HotSwappable : InstallDate : InterleavePosition : Manufacturer : MemoryType : 19 Model : Name : DIMM1_A OtherIdentifyingInfo : PartNumber : PositionInRow : PoweredOn : Removable : Replaceable : SerialNumber : SKU : Speed : 2 Status : OK Tag : 0 TotalWidth : 72 Version : __GENUS : 2 __CLASS : CIM_PhysicalMemory __SUPERCLASS : CIM_Chip __DYNASTY : CIM_ManagedSystemElement __RELPATH : CIM_PhysicalMemory.CreationClassName="CIM_PhysicalMemory ",Tag="1" __PROPERTY_COUNT : 27 __DERIVATION : {CIM_Chip, CIM_PhysicalComponent, CIM_PhysicalElement, C IM_ManagedSystemElement} __SERVER : myserver __NAMESPACE : root\cimv2\dell __PATH : \\myserver\root\cimv2\dell:CIM_PhysicalMemory.Crea tionClassName="CIM_PhysicalMemory",Tag="1" BankLabel : Capacity : 2147483648 Caption : CreationClassName : CIM_PhysicalMemory DataWidth : 64 Description : FormFactor : 9 HotSwappable : InstallDate : InterleavePosition : Manufacturer : MemoryType : 19 Model : Name : DIMM1_B OtherIdentifyingInfo : PartNumber : PositionInRow : PoweredOn : Removable : Replaceable : SerialNumber : SKU : Speed : 2 Status : OK Tag : 1 TotalWidth : 72 Version :
As you can see, this provides a lot of attributes, many of which are not read by the system. You can filter out what you want with Select-Object, such as: PS C:\> gwmi -namespace root\cimv2\dell -class CIM_PhysicalMemory|select-object name,status name status ---- ------ DIMM1_A OK DIMM1_B OK This provides a nice summary of a component. You can easily do follow on processing to look for bad components, such as a foreach loop on the result and list where status does not match "OK". If you are looking for a solution in a mixed hardware environment where not all servers may be up to date for OMSA, and updating is not an easy task, a work around is to set your erroraction to silentlycontinue, read the error message of the wmi connection and direct the user to use the web interface for omsa or a command line tool like omreport to collect the information. For more examples of code, you can use scriptomatic to look through the namespace and test what information is available. I also have a few examples posted on Microsoft's technet script center.
1 comment:
Labels: , ,

Tuesday, February 9, 2010

DSL problems

I have been having a frustrating month with my ISP and their apparent inability to fix on going DSL problems. The only plus side to all of this is finding a new reply from linux's ping command. My connection is often so bad that a high level of packet corruption occurs. Its nice to know this can be easily seen. Its too bad you don't see this from Microsoft's ping.exe. 
>ping 202.188.0.133
PING 202.188.0.133 (202.188.0.133) 56(84) bytes of data.
64 bytes from 202.188.0.133: icmp_seq=3 ttl=247 time=22.1 ms
64 bytes from 202.188.0.133: icmp_seq=4 ttl=247 time=18.4 ms
64 bytes from 202.188.0.133: icmp_seq=5 ttl=247 time=18.1 ms
64 bytes from 202.188.0.133: icmp_seq=6 ttl=247 time=43.2 ms
64 bytes from 202.188.0.133: icmp_seq=7 ttl=247 time=15.8 ms
64 bytes from 202.188.0.133: icmp_seq=8 ttl=247 time=18.5 ms
64 bytes from 202.188.0.133: icmp_seq=9 ttl=247 time=24.3 ms
64 bytes from 202.188.0.133: icmp_seq=10 ttl=247 time=20.1 ms
64 bytes from 202.188.0.133: icmp_seq=11 ttl=247 time=33.1 ms
64 bytes from 202.188.0.133: icmp_seq=12 ttl=247 time=35.6 ms
64 bytes from 202.188.0.133: icmp_seq=13 ttl=247 time=18.8 ms
64 bytes from 202.188.0.133: icmp_seq=14 ttl=247 time=17.3 ms
64 bytes from 202.188.0.133: icmp_seq=15 ttl=247 time=35.4 ms
64 bytes from 202.188.0.133: icmp_seq=16 ttl=247 time=64.2 ms
64 bytes from 202.188.0.133: icmp_seq=17 ttl=247 time=61.0 ms
64 bytes from 202.188.0.133: icmp_seq=19 ttl=247 time=25.2 ms
64 bytes from 202.188.0.133: icmp_seq=21 ttl=247 time=33.1 ms
64 bytes from 202.188.0.133: icmp_seq=22 ttl=247 time=24.4 ms
64 bytes from 202.188.0.133: icmp_seq=23 ttl=247 time=20.4 ms
wrong data byte #25 should be 0x19 but was 0x18
#16     10 11 12 13 14 15 16 17 18 18 1a 1b 1c 1d 1e 3f 20 21 22 23 24 25 26 27 
28 29 2a 2b 2c 2f 2e 2f 
#48     30 31 32 73 34 35 36 37 
64 bytes from 202.188.0.133: icmp_seq=24 ttl=247 time=18.4 ms
64 bytes from 202.188.0.133: icmp_seq=25 ttl=247 time=30.2 ms
64 bytes from 202.188.0.133: icmp_seq=26 ttl=247 time=24.5 ms
64 bytes from 202.188.0.133: icmp_seq=27 ttl=247 time=41.2 ms
64 bytes from 202.188.0.133: icmp_seq=28 ttl=247 time=17.8 ms
64 bytes from 202.188.0.133: icmp_seq=29 ttl=247 time=20.8 ms
^C
--- 202.188.0.133 ping statistics ---
29 packets transmitted, 25 received, 13% packet loss, time 28110ms
rtt min/avg/max/mdev = 15.864/28.132/64.273/12.732 ms
Hopefully being shuffled around to 4 different technicians (not counting SLA nazi's and phone support) and finally having some cards replaced on the switch is getting somewhere, but from the lack of communication between the telco and their repair contractors it looks like it is time to try my luck with some 3G broadband. Since the problem only really happens between 8am and 8pm, I'm thinking it is heat and bad equipment related...but i'm just a customer, what would I know? Connection dropped 2 times while writing this.
No comments:
Labels: , , ,

Tuesday, February 2, 2010

Group policy editing access denied, and sysvol

Hello again, We were recently working out an issue that our "group policy creator owners" members were running into for certain domains. They would be able to create group policies, but when editing the same policy they were receive access denied messages inside the editor. Normally changes for GPO's are made on the primary domain controller (PDC). We checked where they were pointing in GPMC, and checked all permissions for the GPO, no issues found. Sysvol permissions for PDC's were also correct, and these users had access. Looking at bit deeper into the problem with netmon, we noticed that not all GPO editing is done on the PDC. Some of our connections were hitting the nearest domain controller's Sysvol (based on dfs site costing). When checking sysvol permissions there, we realized some issues. Standard Sysvol share permissions give BUILTIN\Authenticated users: Full control permissions. Our build guide for domain controllers removed the full control permissions, but missed the addition of Group policy creator owners (KB article). Some of our older domain controllers still had full control permissions for Authenticated Users. This inconsistent set of permissions explained why certain users in certain regions could make an edit, while another user in a different region with same permission could not. So, to fix a few hundred domain controllers with least administrative effor.... powershell and old resource kit utilities (rmtshare.exe). In my standard code library for powershell I have a function called get-dclist which will give me all domain controllers in a specified domain. With this, it is a 4 line powershell script to fix one domain. More than one domain can be looped in an extra foreach loop. 
  $domaincontrollers = get-dclist contoso.com /a

foreach ($controller in $domaincontrollers) {
rmtshare \\$controller\sysvol /GRANT "group policy creator owners":full
rmtshare \\$controller\sysvol /GRANT "authenticated users":read
}
GET-DCLIST function 

#note: I have modified this function to simplify it and remove all options
#processing.  The code below may not be 100% correct syntax

function get-dclist ([string]$domain) {

 if (($domain -eq $null) -or ($domain -eq "")) {
  write-host -foregroundcolor "yellow" "Usage:  get-dclist domainname opt"
  write-host -foregroundcolor "yellow" "     Enter name of domain (fqdn or netbios name) to list all domain controllers."

  return
   
 }
 
 $returnarr = new-object collections.arraylist

 $error.clear()
 $remotecon = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $domain)
 $remotedom = [system.directoryservices.activedirectory.domain]::getdomain($remotecon)
 if ($?) {
  foreach ($dc in $remotedom.domaincontrollers) {
   $returnarr.add($dc.name) >$null
  }
 } else {
  write-host
  write-host
  write-host -foregroundcolor "red"  "Domain name entered was not valid or failed to connect"
 }
 return $returnarr
}
If you want to audit your current sysvol share settings with powershell and rmtshare, you can run a loop for all your domain controllers and run "rmtshare \\$servername\sysvol" to output, and dump all to text file. You can use a script like this for basic clean up and a more usable csv output. 
Syvol-clean.ps1

$smatch=$false
$pmatch = $true
$outline = ""
$file = get-content c:\temp\sysvol-dump.txt
foreach ($line in $file) {

 if ($line -match "Share name") { 
  $pmatch = $false
  echo $outline
  $marker = $line.indexof("\")
  $server = $line.substring($marker) 
  $smatch = $true
  $outline = $server + ","
 }
 if ($line -match "The command completed") {
  $pmatch = $false
  $smatch = $false
 }
 if ($pmatch -eq $true -and $smatch -eq $false) {
  $marker2 = $line.indexof("\")
  $perm = $line.substring($marker2)
  $perm = $perm + ","
  $outline = $outline + $perm
 }
 if ($line -match "Permissions") {
  $pmatch = $true
  $smatch = $false
 }
 

}
No comments:
Labels: , ,
Subscribe to: Posts (Atom)