Forefront Endpoint Protection Blog

All the latest news and information on Forefront Client Security, Forefront Endpoint Protection and System Center Endpoint Protection 2012

April, 2010

    Event ID 81 and FCS

    • 0 Comments

    Are you occasionally seeing this in the Application log in Event Viewer on your FCS server?

    Event ID: 81
    The execution of the following DTS Package failed:
    Error Source: Microsoft Data Transformation Services (DTS) Package
    Error Description: Execution was canceled by user

    The Problem:

    This event can be caused by one of two problems:

    1. On Windows Server 2008, the configuration of the DTS job may be missing a switch. This switch, /MaxConn:, controls how many DTS steps can run in parallel. Without the switch, the default of 8 parallel steps is used. By specifying the minimum value of 5, fewer steps run in parallel, so there is less chance that they will conflict with one another.
    2. A thread in the DTS job is running into contention with another thread that hasn’t finished writing to the same table, because of disk write performance. In this case, you essentially have too many FCS clients and too little hardware to handle them: the SystemCenterReporting database has too few physical disks, or you are using the same disks for both the SystemCenterReporting and OnePoint databases.

    The Fix:

    For issue #1, the /MaxConn: switch, you can change the configuration of the scheduled task that runs the DTS job to contain the switch, as follows:

    "<installpath>\MOM.Datawarehousing.DTSPackageGenerator.exe" /silent /srcserver:<server> /srcdb:OnePoint /dwserver:<server> /dwdb:SystemCenterReporting /product:"Microsoft Operations Manager" /maxconn:5

    Note: Before you save changes to the task, ensure that the text in the Program/script text box is enclosed in double quotes ("). Saving without the double quotes will result in a corrupted task.

    If after you implement the preceding fix you still see Event ID 81, you are likely also experiencing a performance issue, and you should move the OnePoint database and/or the SystemCenterReporting database to reside on separate physical disks.

    Note: If the DTS job has failed for multiple days, you may have outstanding data in OnePoint waiting to be transferred to SystemCenterReporting. If this is the case, see Microsoft Knowledge Base article 899158 for information about how to configure the DTS job to transfer data in smaller chunks.

    OnePoint is fine on a single mirrored set of disks. However, SystemCenterReporting needs multiple spindles; see this article for guidance:

    http://blogs.technet.com/fcsnerds/archive/2008/09/25/fcs-with-mom-2005-database-guidance.aspx

    If you have more than 5000 clients reporting to your FCS server, the SQL Server that hosts the SystemCenterReporting database should be SQL Server 2005 Enterprise Edition and have 8GB of RAM available for SQL.

    The Workaround (until you can get more disks for the databases):

    If the scheduled task DTS job is failing intermittently (once every few days), you can change the schedule of the DTS task to run more than once a day. Each time it runs, it picks up where it left off the previous time. Usually, running 2 times a day will guarantee that it succeeds at least once a day.

    To change the scheduled tasks on Windows Server 2003:

    1. Open the Control Panel, and start Scheduled Tasks.
    2. Right-click SystemCenterDTSPackageTask and choose Properties.
    3. On the Schedule tab, select the Show Multiple Schedules checkbox.
    4. Click the New button and set the new schedule to run 12 hours apart from the existing one (1pm).
    5. Click OK, and enter the DAS account credentials when prompted.

    To change the scheduled tasks on Windows Server 2008:

    1. In Server Manager, expand Configuration\Task Scheduler and then click Task Scheduler Library.
    2. You should see the SystemCenterDTSPackageTask.
    3. Right-click the task and click Properties.
    4. On the Triggers tab, click the New button.
    5. Create a new schedule 12 hours apart from the previous one (1pm).
    6. Click OK, and enter the DAS account credentials when prompted.
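    The checks above can be scripted on the FCS server. The following PowerShell is an added example and not part of the original post: it reads the DTS task definition to see whether the /maxconn switch is present, counts recent Event ID 81 entries in the Application log, and reports which of the two causes the post describes is the likely one. It assumes Windows Server 2008 with PowerShell 2.0 and the task name SystemCenterDTSPackageTask from the post; the function names are my own.

```powershell
# Added example, not part of the original post. Audits an FCS server for the
# two conditions described above: a DTS task command line without /maxconn,
# and Event ID 81 still appearing in the Application log.
# Assumes Windows Server 2008 (schtasks /XML) and PowerShell 2.0.
# Function names and the 7-day window are my own choices.

function Get-DtsTaskAction {
    param([string]$TaskName = 'SystemCenterDTSPackageTask')   # name from the post
    # schtasks /XML emits the task definition; join and trim before parsing
    $raw = schtasks /Query /TN $TaskName /XML
    if ($LASTEXITCODE -ne 0) { throw "Task '$TaskName' not found or not readable." }
    [xml]$definition = ($raw -join "`n").Trim()
    $exec = $definition.Task.Actions.Exec
    New-Object PSObject -Property @{
        Command   = $exec.Command
        Arguments = $exec.Arguments
    }
}

function Get-DtsFailureEvents {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Application'; Id = 81; StartTime = (Get-Date).AddDays(-$Days) }
    # Get-WinEvent raises an error when nothing matches, so suppress it and return nothing
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'DTS Package' } |
        Select-Object TimeCreated, ProviderName, Message
}

function Test-DtsJobHealth {
    $action     = Get-DtsTaskAction
    $hasMaxConn = $action.Arguments -match '/maxconn:\d+'
    $failures   = @(Get-DtsFailureEvents -Days 7)   # newest first

    if (-not $hasMaxConn) {
        Write-Warning 'DTS task has no /maxconn switch; add /maxconn:5 as described above (issue #1).'
    }
    if ($failures.Count -gt 0) {
        Write-Warning ('{0} Event ID 81 entries in the last 7 days; most recent: {1}' -f $failures.Count, $failures[0].TimeCreated)
        if ($hasMaxConn) {
            Write-Warning 'The switch is already present, so this points at disk contention (issue #2): put OnePoint and SystemCenterReporting on separate physical disks.'
        }
    } else {
        Write-Output 'No Event ID 81 entries in the last 7 days.'
    }

    New-Object PSObject -Property @{
        Command      = $action.Command
        HasMaxConn   = $hasMaxConn
        FailureCount = $failures.Count
    }
}

Test-DtsJobHealth | Format-List
```

    Run it in an elevated PowerShell session on the FCS server. If HasMaxConn is false, correct the task action as shown in The Fix; if it is true and FailureCount keeps climbing, the disk layout guidance and the twice-daily schedule workaround apply.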

    TechNet Wiki went live on Wednesday

    • 2 Comments

    Hi folks,

    I know I’ve blogged about this earlier, but I wanted to take time to note that the TechNet Wiki is now officially open for business.

    What do I mean by ‘open for business’?

    If you head over to TechNet’s website, you’ll see a new tab available:

    [Image: the TechNet website showing the new Wiki tab]

    Click that tab, and it takes you to the newly-redesigned TechNet Wiki home page:

    [Image: the redesigned TechNet Wiki home page]

    Everyone can contribute to this effort - all you have to do is join. Start a whole new article, add your knowledge or draw from your experience to improve an existing article. You can start small or large...

    Join us: http://social.technet.microsoft.com/wiki/


    New updates coming!

    • 7 Comments

    Greetings blog readers!

    I’m happy to announce that we will release a new antimalware engine update for FCS. Full information on the updates included with the release will be published in a KB article once the update is released. The KB article is Microsoft Knowledge Base article 979536 (http://support.microsoft.com/kb/979536).

    Currently, we are slated to release the update (and the KB) on 13 April 2010 – if there is a change in this schedule, this blog post will be updated.

    The items included in the update are summarized below:

    • Malware detected while a user is not logged on will have the default action (defined either in policy or by the definitions) taken. Previously, the malware was suspended (making the malware unable to run, and unavailable to other applications), thereby rendering the computer protected, but the default action was not taken.
    • Update to the installer to no longer use DIFx for Applications. This fixes update and uninstall issues on computers running Windows 2000.
    • The FCS antimalware service sometimes unexpectedly exits on Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

    This update also replaces some earlier fixes and updates – the full list is in the KB article.

    The update is available via Microsoft Update and WSUS. The KB article also includes instructions for downloading it separately for distribution via some other method.


    Thoughts on Enterprise Manager

    • 0 Comments

    Enterprise Manager is a great way for Client Security customers to do centralized management and reporting across two or more down-level deployments. Enterprise Manager is a separate FCS server installation that does not support client connectivity and is used for management of down-level deployments. Typically this is done when the down-level deployments would exceed the 10,000 client supportability limit, but on occasion it is done for network bandwidth or division of responsibility reasons.

    Enterprise Manager (EM) has three main features:

    • Aggregation of reporting and alerting information from multiple Client Security deployments in the enterprise. The aggregated information is then viewable in a single console, and reports can be generated on this aggregated information.
    • Single location for management of Client Security policies.
    • Single location for initiation of enterprise-wide antimalware scanning.

    The architecture of Enterprise Manager is such that it remotely accesses the down-level deployments to perform this work:

    Reporting

    To do reporting, Enterprise Manager calls stored procedures on the down-level Collection and Reporting databases and aggregates the information into the reports. It does not use a store-and-forward approach, which would duplicate the entire contents of the down-level databases; that would result in extremely large EM databases, not to mention network congestion. In fact, the EM databases really only store information about those client computers which have experienced an alert that has been forwarded from a down-level deployment.

    FCS reporting is HTTP-based and can be viewed from any system which has connectivity and permission to the reporting server. The down-level reporting servers will continue to be able to generate reports for their clients in an EM environment. The scope of the EM reports will be all down-level deployments; the scope of the down-level reporting servers will be strictly their respective deployment. This enables both centralized and decentralized reporting.

    Alerting

    Alerts are generated on client computers based upon the alert level set in the applicable Client Security policy and events which occur on those computers (e.g. malware successfully cleaned). If an alert is generated, it is first sent to the down-level Collection server to which that client reports. In an Enterprise Manager environment, that alert is then forwarded through the MOM-to-MOM connector to the EM server Collection component. The alert is then sent to the “Client Security Notification Group” on the EM server. The recipients of the alert are centrally managed in the MOM Administrator console by controlling the operators in that notification group.

    Client Security policies

    Policy deployment with Enterprise Manager works just like it does with down-level deployments: you can deploy to either Active Directory or a file. The exception is that you need to ensure that client computers report to their down-level Collection servers, not directly to the EM server. If your deployment method calls clientsetup.exe directly, this is easy to do with command line parameters. If you are using WSUS client deployment, or another method which does not use command line parameters, an additional policy is necessary to override certain EM registry keys to point new clients to the right down-level Collection server. This "caretaker" policy is described in the EM deployment documentation.

    Enterprise-wide antimalware scanning

    The Scan Now button in the FCS dashboard will queue both an antimalware and security state assessment scan for client computers. As mentioned above, Enterprise Manager does not store information about every computer in the environment. Therefore, to scan clients it will remotely request each of the down-level deployments to enumerate their clients and initiate the scans.

    This is similar to reporting in that the down-level management consoles will continue to be able to initiate scans in an EM environment. The scope of the EM scans will be all down-level deployments; the scope of the down-level management consoles will be strictly their respective deployment.

    Happy managing,

    Craig Wiand
    Microsoft Forefront Escalation Engineer


    Miscellaneous Real Time agent keys

    • 0 Comments

    The final installment in our series on registry keys for FCS is a big one – there are a lot of registry keys that can be used to control the behavior of the FCS real-time protection agent.

    The following tables describe the keys (these are in addition to the ones described here and here, in the FCS Technical Reference).

    For the registry values located under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection, all data types are REG_DWORD, and by default every agent is enabled. To disable a setting, you must create the registry value and then set its DWORD data to 0x00000000 (0), which sets the value to false:

    Registry Key                              Description
    ----------------------------------------  ---------------------------------------------------------------------------------------------
    AutoStartAgent                            If enabled or set to true, the agent will watch/scan autostart-related resources.
    SystemConfigurationAgent                  If enabled or set to true, the agent will watch/scan system configuration-related resources.
    IEAddInsAgent                             If enabled or set to true, the agent will watch/scan Internet Explorer add-in-related resources.
    IEConfigurationAgent                      If enabled or set to true, the agent will watch/scan Internet Explorer configuration-related resources.
    IEDownloadsAndOutlookAttachementsAgent    If enabled or set to true, the agent will watch/scan Internet Explorer download and Outlook attachment-related resources.
    ServicesAndDriversAgent                   If enabled or set to true, the agent will watch/scan services and driver-related resources.
    ApplicationExecutionAgent                 If enabled or set to true, the agent will watch/scan application execution-related resources.
    ApplicationRegistrationAgent              If enabled or set to true, the agent will watch/scan application registration-related resources.
    WindowsAddOnAgent                         If enabled or set to true, the agent will watch/scan Windows add-on-related resources.
    OnAccessAgent                             If enabled or set to true, the agent will watch/scan on-access-related resources.

    How would you use these keys? Well, for example, you may have a need to prevent FCS from scanning the IE add-ins area – perhaps you are a developer working on a new add-in.

    NOTE:
    Don’t disable these configurations unless you have a clear need to do so. Disabling these reduces your security and increases the chance that FCS won’t detect a piece of malware.

    You could create an ADM file, using the following format:

    CLASS MACHINE
    CATEGORY !!FCSCategory
        POLICY !!AgentKeys_Name
            KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection"
            EXPLAIN !!AgentKeys_Explain
            VALUENAME ValuetoConfigure
                VALUEON NUMERIC 0
                VALUEOFF NUMERIC 1
        END POLICY
    END CATEGORY

    [strings]
    FCSCategory="Microsoft Forefront Client Security"
    AgentKeys_Name="Configuring Real-time protection agent"
    AgentKeys_Explain="This setting configures the FCS antimalware real-time protection agent."

    Replace ValuetoConfigure with the actual name of the value you want to change (from the table above).
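    Because each of these values silently narrows what real-time protection covers, it is worth auditing them on managed computers. The following PowerShell is an added example, not part of the original post: it reports the state of every agent listed in the table (an absent value counts as enabled, per the text above) and can remove a local override so an agent returns to its default. The registry path and value names come from the post; the function names are my own.

```powershell
# Added example, not from the original post: audit and restore the FCS
# real-time protection agent switches listed in the table above.
# Path and value names are taken from the post; an absent value means the
# agent is enabled by default. Function names are my own. Works on PowerShell 2.0.

$FcsRtpPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection'

$FcsRtpAgentValues = @(
    'AutoStartAgent', 'SystemConfigurationAgent', 'IEAddInsAgent',
    'IEConfigurationAgent', 'IEDownloadsAndOutlookAttachementsAgent',
    'ServicesAndDriversAgent', 'ApplicationExecutionAgent',
    'ApplicationRegistrationAgent', 'WindowsAddOnAgent', 'OnAccessAgent'
)

function Get-FcsRealTimeAgentState {
    param([string]$Path = $FcsRtpPolicyPath)
    $props = $null
    if (Test-Path -Path $Path) { $props = Get-ItemProperty -Path $Path }
    foreach ($name in $FcsRtpAgentValues) {
        $value = $null
        if ($props -ne $null) { $value = $props.$name }
        # Per the post, only an explicit DWORD 0 turns the agent off
        $enabled = ($value -eq $null) -or ($value -ne 0)
        New-Object PSObject -Property @{ Agent = $name; Value = $value; Enabled = $enabled }
    }
}

function Restore-FcsRealTimeAgent {
    # Remove the override so the agent falls back to its enabled default.
    # A value delivered by Group Policy is rewritten at the next refresh;
    # in that case correct the policy (or the ADM above) instead.
    param([Parameter(Mandatory = $true)][string]$Agent)
    if ($FcsRtpAgentValues -notcontains $Agent) { throw "Unknown agent value name: $Agent" }
    if (Test-Path -Path $FcsRtpPolicyPath) {
        Remove-ItemProperty -Path $FcsRtpPolicyPath -Name $Agent -ErrorAction SilentlyContinue
    }
}

# Report every agent that has been switched off on this computer
Get-FcsRealTimeAgentState | Where-Object { -not $_.Enabled } | Format-Table Agent, Value -AutoSize
```

    Run the audit from an elevated session; an empty table means all ten agents are at their default. Any row that appears should match a documented exception (such as the developer case above); otherwise call Restore-FcsRealTimeAgent with that agent name, or fix the policy that set it.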

    One of our support engineers, CraigW, has already blogged about the DisableCatchupScan key here. He included a sample ADM in his article as well – so for more information about catch-up scans, take a look.

    Thanks!
