Stefan Stranger's Weblog - Manage your IT Infrastructure

"People are strange when you're a stranger" (The Doors) Link to my personal Lifestream

June, 2009

  • The failure code on the certificate was 0x800B010A (A certificate chain could not be built to a trusted root authority.)

    Last week I was helping a customer with some OpsMgr certificate issues with their monitoring Agents in a non-trusted domain. More info on Monitoring an Agent in a non-trusted domain can be found here:

    These were the events in the OperationsManager Eventlog:

    Event Type:       Warning
    Event Source:   OpsMgr Connector
    Event Category:               None
    Event ID:             20067
    Date:                    6/17/2009
    Time:                    3:33:31 PM
    User:                    N/A
    Computer:         computername
    A device at IP attempted to connect but the certificate presented by the device was invalid.  The connection from the device has been rejected.  The failure code on the certificate was 0x800B010A (A certificate chain could not be built to a trusted root authority.).

    For more information, see Help and Support Center at

    Event Type:       Warning
    Event Source:   OpsMgr Connector
    Event Category:               None
    Event ID:             21002
    Date:                    6/17/2009
    Time:                    3:33:31 PM
    User:                    N/A
    Computer:         computername
    The OpsMgr Connector could not accept a connection from because mutual authentication failed.

    For more information, see Help and Support Center at

    Event Type:       Error
    Event Source:   OpsMgr Connector
    Event Category:               None
    Event ID:             20070
    Date:                    6/17/2009
    Time:                    3:33:31 PM
    User:                    N/A
    Computer:         computername
    The OpsMgr Connector connected to, but the connection was closed immediately after authentication occurred.  The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration.  Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.

    For more information, see Help and Support Center at

    Event Type:       Error
    Event Source:   OpsMgr Connector
    Event Category:               None
    Event ID:             21016
    Date:                    6/17/2009
    Time:                    3:33:33 PM
    User:                    N/A
    Computer:         computername
    OpsMgr was unable to set up a communications channel to and there are no failover hosts.  Communication will resume when is available and communication from this computer is allowed.

    For more information, see Help and Support Center at

    So it was clear the agent could not communicate with the Management Server in the untrusted domain using certificates. So we needed to check if the certificates were ok. And in this case it turned out that Certutil was our friend ;-). Certutil.exe is a command-line program that is installed as part of Certificate Services in the Windows Server 2003 family (and higher). Here are the steps we took to verify that there was a certificate issue and how we solved it.

    Agents that need a certificate to communicate with the Management Server were generating “A certificate chain could not be built to a trusted root authority” errors (event IDs 20067, 20070, 21016) in the Operations Manager event log.

    The cause was wrong proxy settings, so the (Intermediate) Root CA could not be contacted.

    See the following lines in the output of certutil -urlfetch -verify <cert.cer>:

    Failed "AIA" Time: 0
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)

    For the complete certutil output, see the attachment certutil_output.txt.

    Steps to solve issue:

    1. Check for eventids (20067, 20070,  21016)
    2. Export certificate from Local\Computer\Personal\Certificate Folder
      Save as DER encoded binary X.509 (.CER) file.
    3. Run certutil -urlfetch -verify <cert.cer> tool on cer file exported in step 2.
    4. Search certutil output for errors, like “retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)”
    5. Open Internet Explorer and paste the URL that cannot be resolved. If you cannot download the *.crt file, look at your proxy settings. These should be empty or correct.
    6. Correct proxy settings.
    7. [not sure if step 7 is really needed] Remove certificates from Local\Computer\Personal\Certificate Folder and Local\Computer\Operations Manager\Certificate folder
    8. Import certificate again in Local\Computer\Personal\Certificate folder
      You can run certutil -urlfetch -verify <cert.cer> tool again to see if there are still any errors.
    9. Run MomCertImport <nameofcertexport>.pfx again.
    10. Check eventlog for restart of HealthService (will be restarted after running MOMCertImport) and if everything is ok now ;-)
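
    Steps 3 and 4 can be scripted. The following is an added example, not part of the original post: it scans certutil output for failed retrievals and returns the section, the error and the URL to test in step 5. The sample input is constructed around the two lines quoted above; the section header, the URL (pki.example.invalid), the file name agent.cer and the function name are assumptions.

```powershell
# Added example (not from the original post): report failed AIA/CDP fetches
# found in the text output of "certutil -urlfetch -verify <cert.cer>".
# Requires PowerShell 3.0 or later for [pscustomobject].
function Find-CertUtilFetchFailure {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]          # real certutil output contains blank lines
        [string[]] $Lines
    )

    for ($i = 0; $i -lt $Lines.Count; $i++) {
        # A failed retrieval starts with a line such as: Failed "AIA" Time: 0
        if ($Lines[$i] -notmatch '^\s*Failed\s+"(?<type>[^"]+)"') { continue }
        $type   = $Matches['type']
        $reason = $null
        $url    = $null

        # Assumption: the error text and the URL follow within the next two lines.
        $last = [Math]::Min($i + 2, $Lines.Count - 1)
        for ($j = $i + 1; $j -le $last; $j++) {
            $next = $Lines[$j].Trim()
            if ($next -match '^Error retrieving URL:\s*(?<msg>.+)$') {
                $reason = $Matches['msg']
            }
            elseif ($next -match '^(?:https?|ldap)://\S+') {
                $url = $Matches[0]
            }
        }

        [pscustomobject]@{
            Type   = $type      # section name reported by certutil, e.g. AIA
            Reason = $reason    # e.g. name resolution failure 0x80072ee7
            Url    = $url       # URL to try in the browser; $null if not found
        }
    }
}

# Constructed sample: the "Failed" and "Error retrieving URL" lines are the ones
# quoted in the post; the header and the URL are placeholders.
$sample = @(
    '----------------  Certificate AIA  ----------------'
    '  Failed "AIA" Time: 0'
    '    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)'
    '    http://pki.example.invalid/IssuingCA.crt'
    ''
)
Find-CertUtilFetchFailure -Lines $sample | Format-List

# On the agent, feed the live output instead (agent.cer = file exported in step 2):
# Find-CertUtilFetchFailure -Lines (certutil -urlfetch -verify .\agent.cer)
```

    An empty result after correcting the proxy settings means certutil no longer reports a failed retrieval for this certificate.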
  • NEW nworks MP 5.0

    Source: Gerben’s Blog On Virtualization

    “Veeam released a new version of its plug-in (Management Pack [StS]) for Operations Manager monitoring products from HP or Microsoft. The plug-in (Management Pack [StS]) is a significant add-on to the monitoring products in order to keep in touch with what happens in your virtual environment within a single monitoring solution.

    What’s new in version 5:

    • nworks management center
      a new component that allows centralized configuration, load balancing and high availability for multiple nworks collectors
    • Full (native) support for VMware vSphere 4
    • a business approach (reports) for the new vSphere features like DPM, Host profiles and Fault Tolerance

    Veeam released a short video at and offers a free trial for its new management pack.

    When would this be interesting for your organization?

    • You have or plan to have a virtual environment
    • You are a current user of MOM/SCOM or HP Operations Manager
    • It completely integrates with the existing monitoring solution so no new or extra monitoring solutions which require additional training etc. Especially in large organizations with critical 24/7 business applications the response to failures in the underlying infrastructure is a critical issue regarding service levels that have to be met. These organizations depend heavily on their monitoring solutions, not having to introduce new monitoring helps in reducing complexity for maintenance etc.
    • Even smaller companies can profit from the plugin if they use the Service Center Essentials package from Microsoft, if not other products are in scope like Veeam Monitor (or the special SMB-package), but vFoglight from Quest/Vizioncore and vWire from Tripwire are serious candidates as well.”

    Read more at source.

  • Tip on Custom OpsMgr Report Parameters

    Sorry for not posting any new OpsMgr posts lately, but I’m just too busy right now. Hopefully I’ve some more time in the future, because I’ve quite some things to blog about. But today I was creating a Custom OpsMgr Report in Microsoft Visual Studio for a customer and needed to have some Default Parameters for this Report.

    This Report has only two parameters, Report Year and Report Month, because this Report only needs to show data for a whole month. So if you want some Default Year and Month values for your Report Parameters, you need to do this in Visual Studio:

    1. Go to Layout Tab and select Report – Report Parameters
    2. Select the Parameter you want to create a Default value for (in my case ReportYear)
    3. Select Non-queried Default Value and use the next function:

      This will create a Default ReportYear Parameter of ‘2009’ using the NOW() Scalar Function which returns the current system date and time. And by using DatePart you get an integer representing the specified datepart of the specified date.
    4. For the ReportMonth Default value you can use the next function:
      =cint(DatePart("m",Now())-1) which returns the previous month. Note that in January this expression evaluates to 0, not 12.


    You could use those Report Year and Month Parameters in your SQL query like this example:


    Of course in your Report query you would not declare the @ReportYear and @ReportMonth variables but use the (Default) Parameter values ;-)

    The result of using Default Parameters in a Report is 2009 as ReportYear Parameter and 5 as ReportMonth Parameter (I changed it manually to 6 because in May I did not have any data ;-))


  • When does my OpsMgr 2007 R2 Eval version end?

    Today I am at a customer who has installed the OpsMgr 2007 R2 Evaluation version and wanted to know when the evaluation period ends. I thought the easiest way would be to look at the install date of the RMS and add 180 days.

    So I created a PowerShell script to do that for me.

    # Find the Root Management Server (RMS); IsRootManagementServer is a boolean
    $Rms = Get-ManagementServer | Where-Object { $_.IsRootManagementServer }
    $InstallTime = $Rms.InstallTime
    Write-Host "RMS is installed on: " $InstallTime
    # The evaluation period is assumed to run 180 days from the RMS install date
    Write-Host "OpsMgr Eval ends on: " $InstallTime.AddDays(180)

    Just copy the above lines and run them from the OpsMgr Command Shell.

  • The Partner Pack Newsletter: Subject related to MP Best Practices

    Source: MOMTeam

    Maybe you have missed the blog post from Chris Fox about The Partner Pack Newsletter on the MOMTeam blog.

    What is The Partner Pack?

    The Partner Pack is a bi-weekly newsletter that focuses on topical subjects related to Management Pack best practices.

    Started by the System Center Operations Manager team at Microsoft, this newsletter has been a way of building awareness of and interest in management packs across many teams at Microsoft. It is part of a much larger effort across the company to bring focus to the concepts of manageability and management packs. What initially started out as a relatively small operation has rapidly grown into a wealth of knowledge available company-wide about the topic of MP authoring through technical guidance, best practices, one-on-one consulting, training sessions, and more.

    As measures of the momentum that this program is gaining, we are excited to take what we have learned with internal MP development, and engage with our partner teams with the mission of growing our MP community as a whole to develop management packs that are beneficial for customers. This newsletter provides a glimpse into the world of management packs by providing in-depth technical content, happenings and highlights in the MP world, and more!

    Take a look at the OpsManJam website for the latest Partner Pack Newsletters.

  • New bi-weekly newsletter focused on MP Best Practices on OpsManJam

    Source: OpsManJam

    This time in “Tech Talk”: “Managing noise with your management pack. A frequent complaint heard regarding management packs is that once it is deployed in an environment, it is too noisy! In this article, we cover all aspects of “noise” – what noise is, some common sources of noise, and how to make sure that your management pack is not noisy.”

    Read more here.

  • Microsoft Technet: Tip: Uncover Memory-Related Bottlenecks

    Source: Microsoft Technet

    “Memory is often the source of performance problems, and you should always rule out memory problems before examining other areas of the system. Systems use both physical and virtual memory. To rule out memory problems with a system, you should configure application performance, memory usage, and data throughput settings, and then monitor the server’s memory usage to check for problems.
    Application performance and memory usage settings determine how system resources are allocated. In most cases you want to give the operating system and background applications the lion’s share of resources. This is especially true for Active Directory, file, print, and network and communications servers. On the other hand, for application, database, and streaming media servers, you’ll want to give the programs the server is running the most resources.

    Here’s an overview of counters that you’ll want to track to uncover memory, caching, and virtual memory (paging) bottlenecks.”

    Read more on source.

  • New website about Interoperability @ Microsoft

    Source: @dehaaspeter

    Microsoft has launched a new website Interoperability @ Microsoft.

    The Interoperability Bridges and Labs Center is dedicated to technical collaborative work between Microsoft, customers, partners and open sources communities to improve interoperability between Microsoft and non-Microsoft technologies.

    The Center is run by the Microsoft Interoperability Strategy Group working with many other teams at Microsoft, with customers input and with the community at large to build technical bridges, labs and solutions to improve interoperability in mixed IT environments.

    In this site, you will find a live directory of these technical and freely downloadable interoperability Bridges with related content such as demos, technical articles, helpful best practices from the projects leads and sharing technical guidance. You will also find Labs, which contain technical guidance explaining how to best achieve interoperability in specific product scenarios.

    The vast majority of the projects are run as Open Source projects with third party and community members and released under a broad BSD license, or other licenses such as MS-PL or Apache, so that our customers, partners and the community can use them in many open and broad reaching scenarios.

  • Reblog: Submit questions for the Operator's Manual

    Source: Word and Software (Jeanie Decker)

    Jeanie Decker wants you to submit questions for the OpsMgr Operator’s Manual. Please help her!

    “There are two ways to approach content on using the Operations console and Web console for Operations Manager:

    1. Explain what information is available in each section of the consoles.
    2. Take examples of information that an operator would want to locate, and tell them how to find it in the consoles.

    I've decided to do it both ways, in a guide that I'm putting together for new Ops Mgr operators. Here are a few questions for #2 that I harvested from an email discussion:

    • I have added a Management Group in the console and I also added few computers, how do I know if these computers belong to the management group that I added?
    • How do I know if a management pack is applied or connected to the servers that I added in the console?

    What other questions might an operator want to answer in the console? Submit your suggestions to jdecker AT microsoft DOT com!”

  • Reblog: Tool: OpsMgr 2007 - RuntimeHealthExplorer

    Source: Notes on System Center Operations Manager

    I’ve updated my OpsMgr toolbox collection with a new tool from Marius Sutara called RuntimeHealthExplorer. This tool helps with the investigation of health state issues. This is what Marius says about this new OpsMgr tool.

    “Did you ever wonder what is the state of the instance as known to the runtime (health service) monitoring it? Did you believe that some state changes are unaccounted for? Did you see discrepancy in Health Explorer?

    I believe many of you may answer yes to one of these questions.

    Right now, there really is not a good guidance on how to troubleshoot state change problems, but since OpsMgr 2007 SP1 release, there was a way to at least display states of the monitors targeting the instance as recorded by runtime during state calculation. This led me to creation of the tool returning those states from runtime. It also provides visual comparison against “real” Health Explorer (states are returned from Ops DB) while integrated with OpsMgr console thru console task. This task targets instance of “HealthService” managed entity type. Tool uses Health Explorer like view of monitors for each active instance monitored by specific runtime. Following is a snapshot of the tool executed against my Root Management Server. Please observe that I created view listing all health service instances as well as console task associated with this type and accessible thru “Actions” pane.”

    Please read disclaimer before using.

  • Reblog: Integrating VMM and OpsMgr Maintenance Mode

    Source: System Center Virtual Machine Manager

    Alan Goodman: “Since the introduction of this feature we have gotten several questions/comments about integrating this new VMM feature with maintenance mode in System Center Operations Manager.   Well check out the attached MP.  This MP will monitor the VMM server and track when hosts are put into maintenance mode and then call into Operations Manager and put the respective host object into maintenance mode and vice versa, watch for hosts being removed from maintenance mode in VMM and then taking the respective host object in OpsMgr out of maintenance mode.”

    For those of you familiar with management packs, you can see with a pretty simple and straight forward MP you can easily tie together the states of your hosts.  While the MP has not been extensively tested it should give you a good idea on how to accomplish the task at hand.

    Installation Note:  This management pack is intended for use with Operations Manager 2007 or Operations Manager 2007 R2 with Virtual Machine Manager 2008 R2, and requires at least the beta version or later or the VMM 2008 R2 management pack.

    Read more and get MP from source.