
Tuesday, October 1, 2013

SCOM 2012 Certificate check script

This script helps you check whether a certificate is installed correctly, and shows where the problem is when SCOM 2012 SP1 certificate-based monitoring of DMZ servers fails.



#
# SCOMCertCheck.ps1
#
# Assumes all certificates to check are in the Local Machine "Personal" store
#

$certs = [Array] (dir cert:\LocalMachine\my\)

write-host "Checking that there are certs in the Local Machine Personal store..."
if ($certs -eq $null)
{
    Write-Host "There are no certs in the Local Machine `"Personal`" store."
    Write-Host "This is where the client authentication certificate should be imported."
    Write-Host "Check if certificates were mistakenly imported to the Current User"
    Write-Host "`"Personal`" store or the `"Operations Manager`" store."
    exit
}

write-host "Verifying each cert..."
foreach ($cert in $certs)
{
    write-host "`nExamining cert - Serial number $($cert.SerialNumber)"
    write-host "---------------------------------------------------"

    $pass = $true
      
    # Check subjectname
          
    $pass = &{
        $fqdn = $env:ComputerName
        $fqdn += "." + [DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
        trap [DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException]
        {
            # Not part of a domain
            continue;
        }
            
        $fqdnRegexPattern = "CN=" + $fqdn.Replace(".","\.") + '(,.*)?$'
            
        if (!( $cert.SubjectName.Name -match $fqdnRegexPattern ))
        {
            Write-Host "Cert subjectname" -BackgroundColor Red -ForegroundColor Black
            Write-Host "`tThe SubjectName of this cert does not match the FQDN of this machine."
            Write-Host "`tActual - $($cert.SubjectName.Name)"
            Write-Host "`tExpected (case insensitive)- CN=$fqdn"
            $false
        } else { $true; Write-Host "Cert subjectname" -BackgroundColor Green -ForegroundColor Black }
    }
      
    # Verify private key
            
    if (!( $cert.HasPrivateKey ))
    {
        Write-Host "Private key" -BackgroundColor Red -ForegroundColor Black
        Write-Host "`tThis certificate does not have a private key."
        Write-Host "`tVerify that proper steps were taken when installing this cert."
        $pass = $false
    } elseif (!($cert.PrivateKey.CspKeyContainerInfo.MachineKeyStore))
    {
        Write-Host "Private key" -BackgroundColor Red -ForegroundColor Black
        Write-Host "`tThis certificate's private key is not issued to a machine account."
        Write-Host "`tOne possible cause of this is that the certificate"
        Write-Host "`twas issued to a user account rather than the machine,"
        Write-Host "`tthen copy/pasted from the Current User store to the Local"
        Write-Host "`tMachine store.  A full export/import is required to switch"
        Write-Host "`tbetween these stores."
        $pass = $false
    }
    else { Write-Host "Private key" -BackgroundColor Green -ForegroundColor Black }

    # Check expiration dates
            
    if (($cert.NotBefore -gt [DateTime]::Now) -or ($cert.NotAfter -lt [DateTime]::Now))
    {
        Write-Host "Expiration" -BackgroundColor Red -ForegroundColor Black
        Write-Host "`tThis certificate is not currently valid."
        Write-Host "`tIt will be valid between $($cert.NotBefore) and $($cert.NotAfter)"
        $pass = $false
    } else { Write-Host "Expiration" -BackgroundColor Green -ForegroundColor Black }
      
      
    # Enhanced key usage extension
            
    $enhancedKeyUsageExtension = $cert.Extensions |? {$_.ToString() -match "X509EnhancedKeyUsageExtension"}
    if ($enhancedKeyUsageExtension -eq $null)
    {
        Write-Host "Enhanced Key Usage Extension" -BackgroundColor Red -ForegroundColor Black
        Write-Host "`tNo enhanced key usage extension found.`n"
        $pass = $false
    }
    else
    {
        $usages = $enhancedKeyUsageExtension.EnhancedKeyUsages
        if ($usages -eq $null)
        {
            Write-Host "Enhanced Key Usage Extension" -BackgroundColor Red -ForegroundColor Black
            Write-Host "`tNo enhanced key usages found.`n"
            $pass = $false
        }
        else
        {
            $srvAuth = $cliAuth = $false
            foreach ($usage in $usages)
            {
                if ($usage.Value -eq "1.3.6.1.5.5.7.3.1") { $srvAuth = $true}
                if ($usage.Value -eq "1.3.6.1.5.5.7.3.2") { $cliAuth = $true}
            }
            if ((!$srvAuth) -or (!$cliAuth))
            {
                Write-Host "Enhanced Key Usage Extension" -BackgroundColor Red -ForegroundColor Black
                Write-Host "`tEnhanced key usage extension does not meet requirements."
                Write-Host "`tRequired EKUs are 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2"
                Write-Host "`tEKUs found on this cert are:"
                $usages |%{ Write-Host "`t$($_.Value)" }
                $pass = $false
            }
            else { Write-Host "Enhanced Key Usage Extension" -BackgroundColor Green -ForegroundColor Black }
        }
    }
      
    # KeyUsage extension
      
    $keyUsageExtension = $cert.Extensions |? {$_.ToString() -match "X509KeyUsageExtension"}
    if ($keyUsageExtension -eq $null)
    {
        Write-Host "Key Usage Extensions" -BackgroundColor Red -ForegroundColor Black
        Write-Host "`tNo key usage extension found."
        Write-Host "`tA KeyUsage extension matching 0xA0 (Digital Signature, Key Encipherment)"
        Write-Host "`tor better is required."
        $pass = $false
    }
    else
    {
        $usages = $keyUsageExtension.KeyUsages
        if ($usages -eq $null)
        {
            Write-Host "Key Usage Extensions" -BackgroundColor Red -ForegroundColor Black
            Write-Host "`tNo key usages found."
            Write-Host "`tA KeyUsage extension matching 0xA0 (DigitalSignature, KeyEncipherment)"
            Write-Host "`tor better is required."
            $pass = $false
        }
        else
        {
            if (($usages.value__ -band 0xA0) -ne 0xA0)
            {
                Write-Host "Key Usage Extensions" -BackgroundColor Red -ForegroundColor Black
                Write-Host "`tKey usage extension exists but does not meet requirements."
                Write-Host "`tA KeyUsage extension matching 0xA0 (Digital Signature, Key Encipherment)"
                Write-Host "`tor better is required."
                Write-Host "`tKeyUsage found on this cert matches:"
                Write-Host "`t$usages"
                $pass = $false
            } else { Write-Host "Key Usage Extensions" -BackgroundColor Green -ForegroundColor Black }
        }
    }
      
    # KeySpec
            
    $keySpec = $cert.PrivateKey.CspKeyContainerInfo.KeyNumber
    if ($keySpec -eq $null)
    {
        Write-Host "KeySpec" -BackgroundColor Red -ForegroundColor Black
        Write-Host "`tKeyspec not found.  A KeySpec of 1 is required"
        $pass = $false
    }
    elseif ($keySpec.value__ -ne 1)
    {
        Write-Host "KeySpec" -BackgroundColor Red -ForegroundColor Black
        Write-Host "`tKeyspec exists but does not meet requirements."
        Write-Host "`tA KeySpec of 1 is required."
        Write-Host "`tKeySpec for this cert: $($keySpec.value__)"
        $pass = $false
    } else {Write-Host "KeySpec" -BackgroundColor Green -ForegroundColor Black}
      
      
    # Check that serial is written to proper reg
            
    $certSerial = $cert.SerialNumber
    # The registry holds the serial as a little-endian byte array, so reverse it two hex
    # characters (one byte) at a time instead of assuming a fixed 10-byte serial number.
    $certSerialReversed = ""
    for ($i = $certSerial.Length - 2; $i -ge 0; $i -= 2) { $certSerialReversed += $certSerial.Substring($i, 2) }
  
    if (! (Test-Path "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings"))
    {
        Write-Host "Serial number written to registry" -BackgroundColor Red -ForegroundColor Black
        Write-Host "`tThe cert serial number is not written to registry."
        Write-Host "`tNeed to run MomCertImport.exe"
        $pass = $false
    }
    else
    {
        $regKeys = get-itemproperty -path "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings"
        if ($regKeys.ChannelCertificateSerialNumber -eq $null)
        {
            Write-Host "Serial number written to registry" -BackgroundColor Red -ForegroundColor Black
            Write-Host "`tThe cert serial number is not written to registry."
            Write-Host "`tNeed to run MomCertImport.exe"
            $pass = $false
        }
        else
        {
            $regSerial = ""
            $regKeys.ChannelCertificateSerialNumber |% {$regSerial += $_.ToString("X2")}
                  
            if ($regSerial -ne $certSerialReversed)
            {
                Write-Host "Serial number written to registry" -BackgroundColor Red -ForegroundColor Black
                Write-Host "`tThe serial number written to the registry does not match this certificate"
                Write-Host "`tExpected registry entry: $certSerialReversed"
                Write-Host "`tActual registry entry:   $regSerial"
                $pass = $false
            } else { Write-Host "Serial number written to registry" -BackgroundColor Green -ForegroundColor Black }
        }
    }


    # Check that the cert's issuing CA is trusted (This is not technically required
    # as it is the remote machine cert's CA that must be trusted.  Most users leverage
    # the same CA for all machines, though, so it's worth checking

    $chain = new-object Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 0
    if ($chain.Build($cert) -eq $false )
    {
        Write-Host "Certification chain" -BackgroundColor Yellow -ForegroundColor Black
        Write-Host "`tThe following error occurred building a certification chain with this cert:"
        Write-Host "`t$($chain.ChainStatus[0].StatusInformation)"
        write-host "`tThis is an error if the certificates on the remote machines are issued"
        write-host "`tfrom this same CA - $($cert.Issuer)"
        write-host "`tPlease ensure the certificates for the CAs which issued the certificates configured"
        write-host "`ton the remote machines is installed to the Local Machine Trusted Root Authorities"
        write-host "`tstore on this machine."
    }
    else
    {
        $rootCaCert = $chain.ChainElements | select -property Certificate -last 1
        $localMachineRootCert = dir cert:\LocalMachine\Root |? {$_ -eq $rootCaCert.Certificate}
        if ($localMachineRootCert -eq $null)
        {
            Write-Host "Certification chain" -BackgroundColor Yellow -ForegroundColor Black
            Write-Host "`tThis certificate has a valid certification chain installed, but"
            Write-Host "`ta root CA certificate verifying the issuer $($cert.Issuer)"
            Write-Host "`twas not found in the Local Machine Trusted Root Authorities store."
            Write-Host "`tMake sure the proper root CA certificate is installed there, and not in"
            Write-Host "`tthe Current User Trusted Root Authorities store."
        }
        else
        {
            Write-Host "Certification chain" -BackgroundColor Green -ForegroundColor Black
            Write-Host "`tThere is a valid certification chain installed for this cert,"
            Write-Host "`tbut the remote machines' certificates could potentially be issued from"
            Write-Host "`tdifferent CAs.  Make sure the proper CA certificates are installed"
            Write-Host "`tfor these CAs."
        }

    }


    if ($pass) { Write-Host "`n***This certificate is properly configured and imported for Ops Manager use.***" }
}


Reference: http://blogs.technet.com/b/momteam/archive/2009/01/23/troubleshooting-ops-mgr-certificate-issues-with-powershell.aspx

Thursday, August 29, 2013

Turn windows features on or off blank

Windows 7 Turn windows features on or off is blank
Turn Windows features on or  off is empty
optionalfeatures.exe is blank or empty

After you open Turn Windows features on or off, the window stays blank after a few seconds.

Solutions

1) Run the command below in an elevated command prompt

SFC /scannow

It takes 15 to 20 minutes and repairs lost or corrupt system files. If this doesn't work, try the next step.

2) Several blogs suggest the solution below; try it and see if it works

reg delete HKLM\COMPONENTS /v StoreDirty

If this doesn't work, try next one

3) Download the System Update Readiness Tool for your operating system

Install the System Update Readiness Tool; if this doesn't work, try the next step

4) In my case, reinstalling the .NET Framework fixed it, as optionalfeatures.exe uses the .NET Framework

If this doesn't work, more research is needed.


Tuesday, August 27, 2013

PowerCLI command to get VMware tools and VMware hardware version information

*Command to find out VMware tool status
*How to find out VMware tools status from Command / PowerCLI



The VMware hardware version is easy to get with the command below

Get-VM | Select name, Version | FT -AutoSize

because Version is a top-level property of the Get-VM output.

To get the VMware Tools status, however, we need to dig into the extension data and create a custom property, as shown below*

New-VIProperty -Name ToolsVersionStatus -ObjectType VirtualMachine -ValueFromExtensionProperty 'Guest.ToolsVersionStatus' -force

Now rerun the command above, adding ToolsVersionStatus

Get-VM | Select Name, Version, ToolsVersionStatus | FT -AutoSize




To export it to CSV

Get-VM | Select Name, Version, ToolsVersionStatus | Export-Csv  -NoTypeInformation -UseCulture -Path c:\yourfile.csv




To get this information at datacenter level

Get-Datacenter Datacentername | Get-VM | Select name, Version, ToolsVersionStatus | FT -AutoSize

To get this information at cluster level

Get-Cluster ClusterName | Get-VM | Select name, Version, ToolsVersionStatus | FT -AutoSize

To get this information at host level

Get-VMHost hostname.domain | Get-VM | Select name, Version, ToolsVersionStatus | FT -AutoSize
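As an added example that is not part of the original post, the custom property can be combined with Guest.ToolsRunningStatus to report only the powered-on VMs whose Tools are out of date, grouped by status, so they can be scheduled for an upgrade. It assumes an existing Connect-VIServer session; the CSV path is a placeholder.

```powershell
# Define the custom properties the same way as in the post (Force overwrites an earlier definition)
New-VIProperty -Name ToolsVersionStatus -ObjectType VirtualMachine `
    -ValueFromExtensionProperty 'Guest.ToolsVersionStatus' -Force | Out-Null
New-VIProperty -Name ToolsRunningStatus -ObjectType VirtualMachine `
    -ValueFromExtensionProperty 'Guest.ToolsRunningStatus' -Force | Out-Null

function Get-StaleToolsReport {
    # Only running guests can report their Tools state; anything not 'guestToolsCurrent' is stale
    # (guestToolsNeedUpgrade, guestToolsNotInstalled, guestToolsUnmanaged, guestToolsTooOld, ...)
    Get-VM |
        Where-Object { $_.PowerState -eq 'PoweredOn' -and $_.ToolsVersionStatus -ne 'guestToolsCurrent' } |
        Select-Object Name, Version, ToolsVersionStatus, ToolsRunningStatus |
        Sort-Object ToolsVersionStatus, Name
}

$stale = Get-StaleToolsReport

# How many VMs are in each non-current state
$stale | Group-Object ToolsVersionStatus | Select-Object Name, Count | Format-Table -AutoSize

# Full list with hardware version, then the same data exported for follow-up
$stale | Format-Table -AutoSize
$stale | Export-Csv -NoTypeInformation -UseCulture -Path 'C:\Temp\stale-tools.csv'   # assumed path
```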


*taken reference for this blog from blogs.vmware.com


Post your question and comment 

Monday, August 19, 2013

Remove LUN from ESXi host correctly

Delete LUN from ESXi host 

For ESXi 4.0
  1. Unregister all objects from the datastore including VMs and Templates
  2. Ensure that no 3rd party tools are accessing the datastore
  3. Ensure that no vSphere features, such as Storage I/O Control, are using the device
  4. Mask the LUN from the ESX host by creating new rules in the PSA (Pluggable Storage Architecture)
  5. Physically unpresent the LUN from the ESX host using the appropriate array tools
  6. Rescan the SAN
  7. Clean up the rules created earlier to mask the LUN
  8. Unclaim any paths left over after the LUN has been removed
For ESXi 5.0
  1. Unregister all objects from the datastore including VMs and Templates
  2. Ensure that no 3rd party tools are accessing the datastore
  3. Ensure that no vSphere features, such as Storage I/O Control or Storage DRS, are using the device
  4. Detach the device from the ESX host; this will also initiate an unmount operation
  5. Physically unpresent the LUN from the ESX host using the appropriate array tools
  6. Rescan the SAN
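The pre-flight checks and the detach step of the ESXi 5.0 procedure (steps 1 to 4) can be scripted with PowerCLI and the vSphere API methods UnmountVmfsVolume and DetachScsiLun. This is an added example, not from the original post; it assumes an existing Connect-VIServer session, and the datastore name is a placeholder.

```powershell
$DatastoreName = 'DATASTORE_TO_REMOVE'                      # placeholder
$ds = Get-Datastore -Name $DatastoreName -ErrorAction Stop

# Step 1: refuse to continue while any VM or template is still registered on the datastore
$registered = @(Get-VM -Datastore $ds) + @(Get-Template -Datastore $ds)
if ($registered.Count -gt 0) {
    throw "Still registered on $($DatastoreName): $($registered.Name -join ', ')"
}

# Step 3: no vSphere feature may still be using the device
if ($ds.StorageIOControlEnabled) {
    throw "Storage I/O Control is still enabled on $DatastoreName"
}
if ($ds.ExtensionData.Parent.Type -eq 'StoragePod') {
    throw "$DatastoreName is still a member of a datastore cluster (Storage DRS)"
}

$vmfsUuid  = $ds.ExtensionData.Info.Vmfs.Uuid
$canonical = $ds.ExtensionData.Info.Vmfs.Extent[0].DiskName   # device canonical name, e.g. naa.6000...
$hosts     = Get-VMHost -Datastore $ds

# Step 4: unmount the VMFS volume and detach the device on every host that sees it
foreach ($vmhost in $hosts) {
    $storSys = Get-View -Id $vmhost.ExtensionData.ConfigManager.StorageSystem
    $lun = $storSys.StorageDeviceInfo.ScsiLun | Where-Object { $_.CanonicalName -eq $canonical }
    if (-not $lun) { Write-Warning "$($vmhost.Name) does not see $canonical"; continue }
    $storSys.UnmountVmfsVolume($vmfsUuid)
    $storSys.DetachScsiLun($lun.Uuid)
    Write-Host "$($vmhost.Name): $DatastoreName unmounted and $canonical detached"
}

# Steps 5 and 6 stay manual: unpresent the LUN on the array first, then rescan each host:
#   $hosts | Get-VMHostStorage -RescanAllHba -RescanVmfs | Out-Null
```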

Friday, August 16, 2013

New feature in SCOM 2012

Added feature

  • .Net application monitoring
  • Resource pool
  • Dashboard View
  • Removal of Root Management Server
  • Introduced the RMS Emulator, eliminating the need for an RMS
  • Improved network monitoring
  • Improved Web Console
  • Improved Operation Console


Monday, August 12, 2013

Remove snapshot using PowerCLI

* Remove snapshot using PowerCLI
* Remove snapshot using command line
* Remove all VM's snapshot at once using command prompt


To get information about snapshot use following command in PowerCLI

Get-VM | Get-snapshot

This lists all VMs that currently have snapshots

Review the list, and if you want to delete all the snapshots, pipe it into one more cmdlet

Get-VM | Get-Snapshot | Remove-Snapshot

That's it: with one simple command, all snapshots are removed from the virtual environment
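Deleting every snapshot in one go is rarely what you want; as an added example that is not part of the original post, the function below only removes snapshots older than a threshold, shows what will go first, and supports -WhatIf so the run can be reviewed before anything is consolidated. It assumes an existing Connect-VIServer session.

```powershell
function Remove-StaleSnapshot {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$OlderThanDays = 7,
        [string[]]$ExcludeVM = @()          # VMs whose snapshots must be kept (assumed parameter)
    )
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    $stale = Get-VM | Where-Object { $ExcludeVM -notcontains $_.Name } |
             Get-Snapshot | Where-Object { $_.Created -lt $cutoff }
    if (-not $stale) { Write-Host "No snapshots older than $OlderThanDays days."; return }

    # Show the candidates with their size so the operator can review before removal
    $stale | Select-Object @{N = 'VM'; E = { $_.VM.Name }}, Name, Created,
                           @{N = 'SizeGB'; E = { [math]::Round($_.SizeGB, 2) }} |
        Format-Table -AutoSize

    foreach ($snap in $stale) {
        if ($PSCmdlet.ShouldProcess("$($snap.VM.Name) / $($snap.Name)", "Remove snapshot")) {
            # Removal consolidates the delta disks; -RunAsync keeps long merges from serialising
            Remove-Snapshot -Snapshot $snap -Confirm:$false -RunAsync | Out-Null
        }
    }
}

Remove-StaleSnapshot -OlderThanDays 7 -WhatIf   # dry run: lists what would be removed
# Remove-StaleSnapshot -OlderThanDays 7         # actual removal
```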

Post your comment or question

Thanks



Tuesday, August 6, 2013

Powershell script to read log file

Powershell script to read log file with specific content
Powershell script to read a txt, log, html file with specific content
Powershell script to read multiple content from log file and send an email
Powershell script to read log file which recently changed

Script




$date1 can be changed to any variable or any content you want to match
$date is the variable that checks whether the log was changed in the last 60 minutes
The Log.txt file stores the content matching $date1
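The post's own script is not reproduced on the page; the following is an added example (not the original) that implements the behaviour described above: it only processes a log that changed in the last 60 minutes, pulls the lines matching the content in $date1, writes them to Log.txt and emails them. The log path, output path and mail settings are placeholders.

```powershell
$LogPath = 'C:\Logs\application.log'          # assumed log location
$OutFile = 'C:\Logs\Log.txt'                  # where the matching lines are stored
$date1   = @('ERROR', 'Access denied')        # content to look for; a list covers several strings
$date    = (Get-Date).AddMinutes(-60)         # the log must have changed after this point
$Mail    = @{ SmtpServer = 'smtp.example.com'; From = 'monitor@example.com'; To = 'ops@example.com' }

# Only look at the log if it was written to within the last 60 minutes
$log = Get-Item -Path $LogPath -ErrorAction Stop
if ($log.LastWriteTime -lt $date) {
    Write-Host "$LogPath unchanged since $($log.LastWriteTime); nothing to do."
    return
}

# -SimpleMatch treats the patterns as literal text rather than regular expressions
$hits = Select-String -Path $LogPath -Pattern $date1 -SimpleMatch
if (-not $hits) {
    Write-Host "No lines matching $($date1 -join ', ') found in $LogPath."
    return
}

# Store line number and text, then send the same content by mail
$hits | ForEach-Object { "{0}: {1}" -f $_.LineNumber, $_.Line } | Set-Content -Path $OutFile
Send-MailMessage @Mail -Subject "Matches in $($log.Name): $(@($hits).Count) line(s)" `
    -Body (Get-Content -Path $OutFile | Out-String)
```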


Post your comment and question

Friday, July 19, 2013

The Cluster Service Detects RPC Errors 1722




When you try to access Microsoft Cluster Server (MSCS) with the cluster command from the command line, the following error message may appear:

Command: c:\>CLUSTER "CLUSTER NAME" GROUP "GROUP NAME" /OPTION



System error 1722 has occurred (0x000006ba.)
The RPC server is unavailable


Resolution:

Ensure that the server is operational and that both the Cluster Service and the RPC services are running. Also, check the name resolution of the cluster; it is possible that you are using the wrong name or that the name is not being properly resolved by WINS or DNS

In my case DNS was the issue; once DNS was fixed, the problem was resolved.
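The three things the resolution asks you to verify (name resolution, RPC reachability, and the Cluster and RPC services) can be checked from an admin workstation with the PowerShell 2.0-compatible function below. This is an added example, not from the original post; ClusSvc and RpcSs are the real Windows service names, and the cluster name is a placeholder.

```powershell
function Test-ClusterRpc {
    param([Parameter(Mandatory = $true)][string]$ClusterName)

    $r = New-Object PSObject -Property @{
        Name = $ClusterName; Address = $null; Rpc135 = $false; ClusSvc = 'n/a'; RpcSs = 'n/a'
    }

    # 1. Does the name resolve (WINS/DNS)? A stale or wrong record is the usual cause of error 1722.
    try {
        $r.Address = ([Net.Dns]::GetHostAddresses($ClusterName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            Select-Object -First 1).IPAddressToString
    } catch { return $r }

    # 2. Is the RPC endpoint mapper (TCP 135) reachable on the resolved address?
    $tcp = New-Object Net.Sockets.TcpClient
    try { $tcp.Connect($r.Address, 135); $r.Rpc135 = $tcp.Connected } catch { } finally { $tcp.Close() }

    # 3. Are the Cluster Service and the RPC service running? Get-Service itself talks over RPC,
    #    so this can only be answered once step 2 succeeds.
    if ($r.Rpc135) {
        foreach ($svc in 'ClusSvc', 'RpcSs') {
            try   { $r.$svc = [string](Get-Service -ComputerName $ClusterName -Name $svc -ErrorAction Stop).Status }
            catch { $r.$svc = 'unknown' }
        }
    }
    $r
}

Test-ClusterRpc -ClusterName 'CLUSTERNAME' | Format-List Name, Address, Rpc135, ClusSvc, RpcSs
```

Compare Address with the IP the cluster is supposed to have: a resolvable but wrong address is the "wrong name or not properly resolved" case the resolution describes.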

Applies :

Windows Server 2000
Windows Server 2003



Post your question or comment

Wednesday, July 10, 2013

Snapshot can not be deleted, snapshot issues

Error messages:

Remove snapshot servers01 The virtual disk is either corrupted or not a supported format.
or
Remove snapshot servers01 Unable to access file <unspecified filename> since it is locked


The suspected cause of the snapshot problem is the VMFS3 heap size

Referring to the Knowledge Base article from VMware



Log entries in ESXiS00004:

VMKernel Log entries:

vmkernel: 5 cpu9:0000000)World: vm 5281127: 1540: Starting world vmm1:server01 with flags 4008
vmkernel: cpu9:0000000)WARNING: Heap: 2218: Heap cow already at its maximumSize. Cannot expand.
vmkernel:  cpu9:00000000)WARNING: Heap: 2481: Heap_Align(cow, 3276800/3276800 bytes, 8 align) failed.  caller: 0x41800a84d6d1
vmkernel:  cpu9:00000000)WARNING: Cow: 549: No memory available! Called from 0x41800a84d6d1
vmkernel:  cpu9:0000000)Cow: 1759: Failed on handle 3 (75243021) of 4 with Out of memory

HostD Log entries:

[10:00.979 29486B90 info 'Libs'] Vix_TranslateMsgPostError: No translation found for error message "Cannot open the disk '/vmfs/volumes/519f966e-75ee85a7-c2c4-00151791f2bc/nrshrs0_1/server001-000003.vmdk' or one of the snapshot disks it depends on.
Reason: Cannot allocate memory.".


Resolution:

Try changing the heap size to its maximum value, 128 MB for ESXi 4.1. After changing the value the ESXi host must be restarted for it to take effect, which means about 10 minutes of downtime.

Location of the heap size setting:

  • Go to the ESXi host
  • Go to the Configuration tab
  • Under the Software column, go to Advanced Settings
  • A new window pops up; in that window go to the VMFS3 tab
  • On the right-hand side, change VMFS3.MaxHeapSizeMB to the maximum value (128)
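The same setting can be audited and raised on every host from PowerCLI with Get-AdvancedSetting and Set-AdvancedSetting. This is an added example that is not part of the original post; it assumes an existing Connect-VIServer session and, as the post says, that 128 MB is the maximum on ESXi 4.1.

```powershell
function Set-Vmfs3HeapSize {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$TargetMB = 128)   # 128 MB is the maximum on ESXi 4.1

    foreach ($vmhost in Get-VMHost | Where-Object { $_.ConnectionState -eq 'Connected' }) {
        $setting = Get-AdvancedSetting -Entity $vmhost -Name 'VMFS3.MaxHeapSizeMB'
        if (-not $setting) {
            Write-Warning "$($vmhost.Name): VMFS3.MaxHeapSizeMB not present on this host"
            continue
        }
        $current = [int]$setting.Value
        if ($current -ge $TargetMB) {
            Write-Host "$($vmhost.Name): already $current MB"
            continue
        }
        # Set-AdvancedSetting changes the value only; the host still needs a reboot for it to apply
        if ($PSCmdlet.ShouldProcess($vmhost.Name, "raise VMFS3.MaxHeapSizeMB from $current to $TargetMB")) {
            Set-AdvancedSetting -AdvancedSetting $setting -Value $TargetMB -Confirm:$false | Out-Null
            Write-Host "$($vmhost.Name): set to $TargetMB MB, reboot required"
        }
    }
}

Set-Vmfs3HeapSize -WhatIf   # report which hosts would change
# Set-Vmfs3HeapSize         # apply, then reboot the changed hosts in a maintenance window
```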


Post your question or comment

Friday, June 14, 2013

Send-MailMessage : Unable to connect to remote server Line 1 character 17 error in PowerShell 2.0



After running the code below

Send-MailMessage -To "someone@somedomain.com" -From "DhimantR@somedomain.com" -Subject "Test message" -Body "Test message" -SmtpServer "10.10.10.10"


If you run into the error given below

Send-MailMessage : Unable to connect to the remote server 
At line:1 char:17
+ Send-MailMessage <<<< -to someone@somedomain.com -from "DhimantR@someDomain.com" -subject " Troubleshooting"  -Body   "Some Text or file attachement" -sntpserver "smtpserver" 
       + CategoryInfo : InvalidOperation: (System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage], SmtpException 
       + FullyQualifiedErrorId : SmtpException,Microsoft.PowerShell.Commands.Send MailMessage

Try this solution

Solution: one possible cause is your anti-virus software blocking PowerShell from connecting to the SMTP server

In my case it is McAfee

Steps:

Right click on McAfee icon 
Click on Virus Scan Console
Double click on Access Protection on VirusScan Console
On Access Protection tab
Go to Anti-Virus Standard Protection
On right hand side, double click on Prevent mass mailing worms from sending mail
On process to exclude tab, add PowerShell.exe at the end
Click ok 
Click apply on Access Protection
Click ok


That's it; try sending mail again using Send-MailMessage


Post  your question or comment

Wednesday, June 12, 2013

SCOM 2012 SP1 Power shell script for Maintenance Mode for group of servers at once and using Batch file

This post shows how to put a group of computers into maintenance mode in SCOM 2012 SP1 with just two double-clicks


Three files needed

1) Server names in a txt file
2) PowerShell script
3) Batch file for execution

Prerequisites: This script needs to run in Management Server with admin or SCOM admin privileges

1

First create a txt file with your server names or group of servers

server1.domain.com
server2.domain.com
server3.domain.com
server4.domain.com

2

Now create a script named script.ps1

The script content is as follows

_________________________________________________________________________________
Import-Module -Name OperationsManager;
New-SCOMManagementGroupConnection -ComputerName Localhost;
$Class = Get-SCOMClass | Where-Object {$_.Name -eq "Microsoft.Windows.Computer"};
$time = [DateTime]::Now;
# One server name per line; blank lines are skipped
$service = Get-Content d:\psscript\Servers_1AM.txt | Where-Object {$_}
# Fetch the Windows Computer instances once rather than on every loop iteration
$Instances = Get-SCOMClassInstance -Class $Class;
foreach ($i in $service)
{
    echo "$i";
    $Instance = $Instances | Where-Object {$_.DisplayName -eq "$i"};
    if ($Instance -eq $null)
    {
        echo "No Windows Computer instance found for $i - check the name in the txt file";
        continue;
    }
    Start-SCOMMaintenanceMode -Instance $Instance -EndTime $time.AddMinutes(15) -Reason "PlannedOther" -Comment "Test of MM for AppPool";
    echo "Starting maintenance mode";
}
_______________________________________________________________________________

This script is then passed to PowerShell by the batch file for execution



3

Now create a batch file servergroup1.bat; double-clicking this file puts your entire group into maintenance mode


________________________________________________________________________________

powershell.exe -NoExit -File "d:\locationof script\script.ps1"
_________________________________________________________________________________

Post your question or comment