Operations Manager 2007, WSUS and Scheduled Maintenance Mode Windows

I’m a believer in using WSUS to deploy updates to servers on a scheduled basis.  I know from experience that updates don’t get installed on medium to large farms if you rely on manual intervention.

There’s a problem though; if you run something like System Center Operations Manager 2007 to monitor your servers then it’s going to throw a wobbly when servers get updated.  The answer is to use maintenance windows by enabling maintenance mode on the servers you are updating.  But who is going to put the servers in maintenance mode?

The answer is to run a script that does it for you according to a schedule.  Here’s what I’m going to try to do:

  • A CSV will detail the day, time and server FQDN, i.e. when a monitored server is to be put in maintenance mode.
  • A script will run every minute on the SCOM server.  It will parse the CSV, and any server that’s due to be put in maintenance mode in the next minute will trigger a command.
  • The script will use AgentMM to put the server in maintenance mode.
  • This window will coincide with the schedule applied to the server for updating.
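One way the scheduler described above could look, as an added example written for this post rather than the author's own script (PowerShell 2.0 or later). It assumes a CSV with the header Day,Time,Server and rows such as Sunday,03:00,web01.contoso.local (a constructed sample); the AgentMM command-line arguments are not given on the page, so they are a labelled placeholder that must be supplied via -AgentMMArgs, and -DryRun lets you verify the schedule logic before anything is put into maintenance mode.

```powershell
# Added example, not the author's script. Schedule CSV (constructed sample) has the
# header  Day,Time,Server  and rows such as  Sunday,03:00,web01.contoso.local
# The AgentMM arguments are a PLACEHOLDER: the real AgentMM command-line syntax is
# not given on the page, so substitute it via -AgentMMArgs before using this live.
param(
    [string]$CsvPath = 'C:\Scripts\MaintenanceSchedule.csv',
    [int]$DurationMinutes = 60,
    [string]$AgentMMPath = 'C:\Tools\AgentMM.exe',
    [string[]]$AgentMMArgs = @('<PLACEHOLDER-AgentMM-arguments>', '{SERVER}', '{MINUTES}'),
    [string]$LogPath = 'C:\Scripts\MaintenanceMode.log',
    [switch]$DryRun
)

function Get-DueServers {
    param([object[]]$Schedule, [datetime]$Now)
    # The window is the current clock minute, so a scheduled task that runs once a
    # minute fires each CSV entry exactly once and never twice.
    $windowStart = $Now.Date.AddHours($Now.Hour).AddMinutes($Now.Minute)
    $windowEnd   = $windowStart.AddMinutes(1)
    foreach ($row in $Schedule) {
        # Day is compared case-insensitively against e.g. "Sunday"; bad rows are skipped.
        if ($row.Day -ne $Now.DayOfWeek.ToString()) { continue }
        try { $t = [datetime]::ParseExact($row.Time.Trim(), 'HH:mm', $null) }
        catch { Write-Warning "Bad time '$($row.Time)' for $($row.Server)"; continue }
        $due = $Now.Date.AddHours($t.Hour).AddMinutes($t.Minute)
        if ($due -ge $windowStart -and $due -lt $windowEnd) { $row.Server.Trim() }
    }
}

function Start-MaintenanceMode {
    param([string]$Server, [int]$Minutes)
    # Substitute the server FQDN and duration into the operator-supplied argument list.
    $mmArgs = $AgentMMArgs | ForEach-Object {
        $_.Replace('{SERVER}', $Server).Replace('{MINUTES}', "$Minutes")
    }
    # Always record what was (or would have been) put into maintenance mode and when,
    # so a suppressed alert can later be tied back to a scheduled update window.
    $entry = '{0:yyyy-MM-dd HH:mm:ss} maintenance mode {1} for {2} min: {3} {4}' -f `
        (Get-Date), $Server, $Minutes, $AgentMMPath, ($mmArgs -join ' ')
    Add-Content -Path $LogPath -Value $entry
    if (-not $DryRun) { & $AgentMMPath $mmArgs }
}

$schedule = Import-Csv -Path $CsvPath
foreach ($server in @(Get-DueServers -Schedule $schedule -Now (Get-Date))) {
    Start-MaintenanceMode -Server $server -Minutes $DurationMinutes
}
```

Run it from a scheduled task that repeats every minute; a CSV row only matches when its Time falls in the minute the task is running, so each entry triggers once per listed day.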

If you have a simpler network then this might be a simpler process.  For me, I have servers with varying times that are suitable for updates so I have to be very flexible.

I’ll post the script when I have it tested and validated.

EDIT: I’ve added a link to my script.

SMS 2003 R2: Custom Updates for Vista and W2008

Microsoft has released a patch for the Custom Updates Publishing Tool so that you can publish custom updates in SMS 2003 R2 for Windows Vista and Windows Server 2008. 

"The Custom Updates Publishing Tool in SMS 2003 R2 and the Patchinstall in Systems Management Server 2003 SP3 clients do not support update packages for Windows Vista and Windows Server 2008, which are in Microsoft Update Standalone Package (.msu) format. Windows Vista and Windows Server 2008 updates obtained from Microsoft Product Support or the Microsoft Download Center cannot be authored and published using the Custom Updates Publishing Tool.

To resolve this problem this hotfix will update the publishingtool.dll (in the Custom Updates Publishing Tool) and the patchinstall.dll (in the SMS 2003 SP3 client) to provide support for update packages which are in .msu format".

Windows Server 2008 IIS7 and FTPS

It’s a pain in the backside but sometimes you’ve got to make FTP available for file transfers.  This usually means some sort of authentication is required.  Here’s the problem: with plain FTP this means usernames and passwords are communicated unencrypted across the Internet.

The solution when using IIS7 is to enable FTPS, aka SSL FTP.  You might think of it as secure FTP.  I spent ages looking for a solution and got nowhere.  If you check out FTP in the RTM release of W2008 you will see IIS6 backwards compatibility is required for FTP.  Yuck!  That means you need two consoles, the IIS7 one and the IIS6 one.

Hold on; MS did not leave us in the lurch.  Confusingly (just like with Hyper-V), there is an update to IIS7 that will include native FTP functionality.  It’s called "FTP Publishing Service for IIS7" or "FTP7" and you can get it from here:

There is also some online documentation.

This package adds FTP capabilities to your IIS7 server.  It does not create a default FTP site but that’s easy to do.  The docs are very clear and do it all step-by-step.

Now you can create an FTP site, associate a cert with it and require SSL access.  This gives you your FTPS service.  Then all you need to do is distribute FTPS clients and you’re sorted.  The documentation shows you how to do this with a self-signed certificate.

HP NC373i Multifunction Driver, Hyper-V and VLAN Tagging

It’s critical that I be able to set up separate and secured VLANs in Hyper-V.  To do this you set up an External Virtual Switch with VLAN tagging enabled.

I’m using a HP DL380 G5 with the following configuration:

  • Windows Server 2008 x64
  • HP PSP 8.0
  • 2 x NICs: HP NC373i Multifunction Gigabit Server Adapter (V4.1.3.0)
  • Hyper-V RC1

The first NIC is set up for the parent partition (the OS you install first, which manages Hyper-V locally).  It is attached to a normal Cisco switch port.  The second NIC will be used for the virtual switch.  It’s connected to a Cisco switch port that’s configured to trunk the set of VLANs that the VMs will run on.

I set up the VMs and tried to set up the External Virtual Switch with VLAN tagging.  Problem: it failed with this error:

"Error Applying New Virtual Network Changes

Cannot enable virtual LAN (VLAN) identification. The virtual network switch is connected to a physical network adapter that does not support VLAN identification."

No matter what I did I couldn’t resolve this: driver updates (N/A), reinstalling the NIC, uninstalling HP software, etc.  I fired up a post on the Minasi forum and a server whiz called Willem Kasdorp sorted me out.  MS had documented a workaround which my hour of googling failed to turn up.  The cause of the problem was the NIC driver.  The solution was to open the properties of the parent partition’s NIC#2, configure the driver and set the VLAN ID to "1".  Now I could create my virtual switch and everything worked perfectly.

Credit: Willem Kasdorp.

EDIT:

While having this problem I opened a call with MS via my IT Pro Momentum account.  I got a quick response and they confirmed this solution.  Setting the VLAN ID of the physical card to a "non zero value" resolves the issue.

Hyper-V and VLANs

Following up on my recent posts on Hyper-V, I thought I’d write up a quick post on setting up multiple VLANs in Hyper-V.  In my research I found these posts:

They pretty much say everything that’s needed so you don’t need any whitepapers from me – I’m sure you’re glad to hear!

The concept is that you create a trunk on any physical switch ports that are connected to your VMs.  You then publish the required VLANs to that trunk (forgive me; I’m not a Cisco guy.  I just ask a local expert for what I want and he does a great job in doing it).  You can then VLAN tag either your virtual network in Hyper-V (if everything on that network, i.e. on that physical NIC, should be in the VLAN) or you assign VLAN tags to the individual VMs.

This is quite secure.  You’re pretty much doing what you do in VMware ESX.  The machines with different VLAN tags cannot talk directly to each other without going through either a router or a firewall that connects the VLANs.  The VMs can co-exist on a VLAN with physical hosts.

The thing you’ve got to watch out for is that the NIC associated with the virtual switch must support VLANs and accept packets with VLAN tags.

Credit: Virtual PC Guy.

BTW: I highly recommend that blog because it’s full of great information and sample VBS/PowerShell scripts.

SQL Server 2008 RC0

It looks like the release candidate program for SQL 2008 will duplicate that of W2008.  RC0 has just been released.

"SQL Server 2008 provides a comprehensive data platform that is secure, reliable, manageable, and scalable for your mission critical applications. With it, developers can create new applications that can store and consume any type of data on any device, enabling your users to make informed decisions with relevant insights.

SQL Server 2008 RC0 will automatically expire after 180 days".

More Insight Manager Agent Fun With SCOM 2007

I keep finding funnies with the HP Insight Manager agents.  I deployed a HP DL380 G5 server on Friday but a funny appeared on Saturday that I’ve not been able to diagnose.  SNMP availability keeps appearing with a warning in the Health view for the server, with no associated alert.  I found a warning in Event Viewer related to a HP iSCSI agent and I thought it was that.  I disabled it and the warning returned an hour later.  Armed with some time stamps I trawled through the server.  The HP logs showed a healthy server.

However, the Operations Manager log for the agent showed that the health scripts weren’t able to pull the performance metrics from the HP (Broadcom) NC multifunction NIC driver.  The time stamp matches the health status change.

The only thing I can think of to resolve it is to upgrade the driver.  The server in question is located remotely so I’ll not be able to do the upgrade until I am onsite.  The latest PSP (8.0) seems to include an older driver.  I’d upgraded the agents to 8.1 to resolve other issues so I guess there might be a problem with the older NIC driver?

Jeez, I wish HP’s developers would do a better job.  There’s this, the raft of SIM errors I encountered a few weeks ago and the scandal with the Intel drivers on AMD computers that screwed up Windows Service Packs recently.  Is HP’s quality control slipping?