ACS Internals

Database:

The ACS DB is primarily made up of daily partition tables.... we create a new one every day during the nightly maintenance, which defaults to 1AM.  We create a new partition, then close the previous one.  Then, we kick off a reindex of the previous day's table for reporting performance.
To view all this.... first, lets have a look at the dtconfig table:
Select * from dtconfig

The only thing we would change in this table is the "number of partitions".  This value is essentially the number of partitions to keep, or number of days worth of data we will retain in the ACS DB.  The default is 14, and you need to adjust this based on your retention requirements and DB sizing capability.
Next, lets check out the dtpartition table:
select * from dtpartition order by partitionstarttime



Essentially.... these are your daily partitions.  At any given time... you should have one partition with a status of "0" and the rest should be status of "2".  "2" means they are ready to be groomed.   Pre-SP1, if the online indexing of a closed partition failed during the nightly maintenance, we would leave them in a status of "1".  This is bad, because they would never groom, and fill the database if this kept up.  If you have any that are left in a status = 1, then just run this in SQL:
Use OperationsManagerAC
UPDATE dtPartition
SET Status = 2
WHERE Status = 1
This will fix the grooming issue, and the tables will groom at the next maintenance interval.  This is a very common issue prior to SP1.


UPDATE 6/3/08
Even in SP1 - occasionally people have reported issues where some partitions are left in a status of "1" and these partitions never groom.  If left unchecked, this can eventually fill the database/database volume.  Microsoft has released an internal hotfix that you can request from PSS if you feel you are impacted by this.  I have seen this happen in many large environments.  Request hotfix/KB 949969


Ok - enough on grooming.  On to bigger and better things.

Audit Collector

The audit collector really does all the work in ACS.  It keeps track of the forwarders (agents), maintains the queue, filters the data, and then writes to the ACS DB.
Lets first talk about the basics.  The audit collector runs a service, "Adtserver" which is running Adtserver.exe from the %systemroot%\system32\security\Adtserver directory.
Speaking of that directory - there is a lot of cool stuff in there!  Also present, are the .SQL files... which are called during maintenance.....  the primary ones to look at are DbCreatepartition.sql, DbClosepartition.sql, and DbDeletePartition.sql.  Pretty self explanatory.... these run to create new partition tables, close and reindex the previous day's table, and then to delete old tables that are ready to be groomed out.  These are called from the audit collector to the ACS database, and should not be run manually.
Also present in this directory is a little gem of a file, by the name of AcsConfig.XML.  This file has a list of ALL the audit forwarders ever known to the collector, and their last contact time, and sequence number of the last event they have sent to the collector.  You can copy this out - open it with Excel, and see all the data in a very readable format.  This data is kept in memory on the collector, and updates the file every 5 minutes.
Probably the biggest problem I see in an ACS environment, is just lack of proper sizing.  The Perf and Scale guide has really good guidance here for ACS, and should be followed:  http://download.microsoft.com/download/d/3/6/d3633fa3-ce15-4071-be51-5e036a36f965/OM2007_PerfScal.doc
One of the best things you can do is to apply a proper filter on the collector.  By default, ACS will collect and store every single event in the security event logs from forwarders.  This is good and bad.  Good - because you are getting everything.  Bad - because "everything" doesn't help you.  A large amount of the events logged in the security logs, are not very useful... depending on how draconian your audit policy is.  You really want to just collect the security events that are needed to meet your audit and security compliance requirements.  A couple good resources:
http://www.microsoft.com/technet/security/guidance/auditingandmonitoring/securitymonitoring/default.mspx
http://www.securevantage.com/Products/2007%20Solutions/Docs/ACS%20Guides/Secure%20Vantage%20ACS%20Noise%20Filter%20Guide.pdf
Here is a good, basic filter, to remove a lot of what most consider "not good info":
SELECT * FROM AdtsEvent WHERE NOT (((EventId=528 AND String01='5') OR (EventId=576 AND (String01='SeChangeNotifyPrivilege' OR HeaderDomain='NT Authority')) OR (EventId=538 OR EventId=566 OR EventId=672 OR EventId=680)))
How do you apply a filter???  Well, I am glad you asked!  We will run adtadmin.  Here is a link to all the parameters:
http://technet.microsoft.com/en-us/library/bb309436.aspx
To examine the current filter, open a command prompt on the collector... and lets run a command in the %systemroot%\system32\security\Adtserver directory:    adtadmin -getquery
That will show you what you are currently filtering.  The default is "select * from AdtsEvent"  which is no filtering.  To use the filter posted above.... run the following:
adtadmin /setquery /collector:"collectorname" /query:"SELECT * FROM AdtsEvent WHERE NOT (((EventId=528 AND String01='5') OR (EventId=576 AND (String01='SeChangeNotifyPrivilege' OR HeaderDomain='NT Authority')) OR (EventId=538 OR EventId=566 OR EventId=672 OR EventId=680)))"

SCCM reports by email

$URL = “http://SERVERURL/SMSReporting_000/Report.asp?ReportID=68&variable=4.00.6487.2157&type=1″
$SMTPServer = “mail.domain.com”
$sendername = “SCCM”
$senderAddress = “Sccm@domain.com”
$Recipient = “user@domain.com”
$strSubject = “Test”
$ie = new-object -comobject InternetExplorer.Application
$ie.navigate($URL)
While ($ie.Busy)
{ Start-Sleep -Milliseconds 400 }
$doc = $ie.document
$strbody = $doc.body.outerhtml
$ie.quit()
$Sender = “`”$SenderName`” `”
$msg = new-Object -comobject “CDO.Message”;
$msg.Configuration.Fields.Item(“http://schemas.microsoft.com/cdo/configuration/sendusing”) = 2
$msg.Configuration.Fields.Item(“http://schemas.microsoft.com/cdo/configuration/smtpserver”) = $SMTPServer
$msg.Configuration.Fields.item(“http://schemas.microsoft.com/cdo/configuration/smtpauthenticate”) = 2
$msg.Configuration.Fields.Item(“http://schemas.microsoft.com/cdo/configuration/smtpserverport”) = 25
$msg.Configuration.Fields.Update()
$msg.From = $Sender
$msg.To = $Recipient
$msg.Subject = $strSubject
$msg.HTMLBody = $strbody
$msg.Send()

How to: Import a Microsoft Update into ConfigMgr

Many of us try to enable as few categories as possible in ConfigMgr for software updates synchronization.  You may encounter a need to deploy an update from a classification or product you don’t normally synchronize.  To accomplish this task, you could choose one of the following:

1. Create a standard Package/Program/Advertisement, which means you will have to take care of proper targeting
2. Modify the Software Update Component on your central site to allow synchronization of the new classification and/or product, but then you may end up synchronizing a lot more than you did previously.
3. Use System Center Updates Publisher (SCUP) to create deployment rules.  This would work great, but requires additional effort on your part also.
4. Use the Windows Update Catalog to import the update. This works great for many reasons: 1) it requires the least effort, 2) has the least database bloat, 3) will handle the detection rules for you, and 3) deploy like a ‘normal’ Microsoft Update, giving you the best end-user experience possible. 

What is the Microsoft Update Catalog? “It's a service from Microsoft that provides a listing of updates that can be distributed over a corporate network. You can use it as a one-stop location for finding Microsoft software updates, drivers, and hotfixes.” It allows you to search the catalog (kind of like a shopping experience), add updates to the basket, then import them to WSUS. After importing, you then launch the “Run Synchronization” action on the ConfigMgr Update Repository to make the updates visible in the ConfigMgr console.
Follow these steps to import an update from the Windows Update Catalog:

1. From your ConfigMgr Central Site server, launch the Windows Server Update Services console.
2. Expand the tree to “Updates”, then select “Import Updates” from the action pane. This launches the Microsoft Update Catalog in your web browser (internet access required).
3. Search by keyword, KB number, or even plug-and-play ID!
4. Click “Add” on desired updates:
5. 
6. Click “View basket”
7. Click “Import” – this action imports the update into your top WSUS Server for ConfigMgr.
8. From ConfigMgr, launch the “Run Synchronization” action on the ConfigMgr Update Repository node.
9. Select and deploy updates as you normally do.

As you can see, the Microsoft Update Catalog can be a very handy tool, and it’s there to make your job easier, so take advantage of it!

Happy Patching!

Show All “Succeeded” Advertisement Counts for the Past 30 Days

We rely on Run Advertised Programs (RAP) quite heavily at Dell – we have approximately 400 applications available in RAP, available to almost all systems.  I was asked to provide a quick report that shows the number of successful installs for each Advertisement over the past 30 days, so I thought I would share with you!

SELECT     COUNT(*) AS Count, v_ClientAdvertisementStatus.AdvertisementID, v_Advertisement.AdvertisementName
FROM         v_ClientAdvertisementStatus LEFT OUTER JOIN
                      v_Advertisement ON v_Advertisement.AdvertisementID = v_ClientAdvertisementStatus.AdvertisementID
WHERE     (v_ClientAdvertisementStatus.LastStateName = 'succeeded') AND (v_ClientAdvertisementStatus.LastStatusTime > DATEADD(day, - 30, GETDATE()))
GROUP BY v_ClientAdvertisementStatus.AdvertisementID, v_Advertisement.AdvertisementName
ORDER BY v_Advertisement.AdvertisementName

Enjoy!

Some things to consider before installing the ConfigMgr database on a SQL cluster

The System Center Configuration Manager 2007 (ConfigMgr) database can be installed on a clustered SQL Server, some things work different though compared to installing ConfigMgr on a normal SQL server installation, and you should be aware of them before starting your installation.
To summarize in front, what you should take into account before starting your installation:

1. Make sure that the SQL administrators are aware that during installation extra righs are needed and that after installation the Site server must stay local administrator on the cluster nodes
2. Make sure that the SQL administrators are aware of the fact that ConfigMgr will install a service on the Cluster Nodes, which is used for creating the backup using VSS
3. Make sure that each shared cluster disk contains a no_sms_on_drive.sms file on the disk
4. Configure the Site Backup tasks, so that it is either configured to backup to an UNC path or a drive which is suitable for storing the backup files on both the site server and the cluster nodes using the “Different Paths for the Site Backup and Database backup” option

First off all, before you can even start the installation, you must make sure the following prerequisites are taken care off:

• The computer account of the site server and the account used to execute the installation should be made local administrator on all the cluster nodes.

• The user running the ConfigMgr installation must have sysadmin rights on the instance of the remote SQL server

• The correct Service Principal Names must be registered in Active Directory

Please note that after installation, the user performing the installation can be removed from the local administrators group on the cluster nodes, and its sysadmin rights on the SQL instance can be removed.
Before actually starting the installation, you should run the prerequisite checker in order to determine if al prerequisites are met.
The installation procedure creates the database on the SQL cluster, including the necessary rights for ConfigMgr to function normally, unfortunately there is no SQL script available to create the database upfront.
The installation also installs a service on each of the cluster nodes, used for backing up the database. This service is called SMS_SITE_SQLBackup_ and this service is reponsible for creating the database backup, which you configure as a maintenance task later on.
There are two caveats here, which aren’t clearly explained in the documentation on technet:

1. First of all, the service is installed on the disk which has the most free space available, and ConfigMgr setup doesn’t take into account whether this disk as a cluster resource or not. In order to prevent ConfigMgr to install its binaries on a cluster shared disk, make sure that you create a no_sms_on_drive.sms file on each of the cluster disks before starting the installation of ConfigMgr
2. As just mentioned, you configure the backup using a maintenance task. When configuring this maintenance task, you also provide a location to store the backup. In this case though, the location on where to store the backup files should be configured differently between the Site server and each of the cluster nodes. You can accomplish this by choosing the “Different Paths for the Site Backup and Database backup” option and provide a suitable location on where to store the backup files.

The above solution has some disadvantages though, if you choose a cluster shared disk to store the backup files on the cluster, there is no problem. But if you choose a local disk you should be aware that the most recent SQL backup resides on the drive of the cluster node which was the owner of the resource at the time the backup was made.
It may be better to store the backup on a central location though, so that you have one location which you backup using your normal backup solution. In order for this to work, you should choose the option: “Network path (UNC Name) for site data and database”

Keep in mind that when using UNC Backup, that you need to authorize the computer accounts of the Site server and each cluster node, with write access to the share.
What to do if you forgot this upfront:
At the blog of the Mad Virtualizer, someone who provides Virtualization and Manageability Support at Microsoft, I found a solution to a similar problem, for me the solution worked a little bit differently, so therefore i described the solution the way i implemented it below.
If you didn’t put the no_sms_on_drive.sms file on each of the cluster shared disks, and you only have a C: drive on your cluster nodes, there is a big chance that on the non-active cluster node the files needed for the backup service are installed on the c: drive, and on the active cluster node on the shared cluster disk with the most free space available at that time. As long as the resources stay on that node nothing is wrong, but once the cluster resource moves, things start to go wrong resulting in non-working backups.
In order to reconfigure the cluster node so that the files are installed locally instead on a cluster shared disk you should use the following procedure to reconfigure the server:

1. Stop the SMS_Site_SQLBackup_ service on the cluster node on which the binaries are installed on a shared cluster disk
2. Remove the following registry key on the cluster node (make sure you make a backup first in case something goes wrong) HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\SMS\Components on a 64-bit installation or HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\Components on a 32-bit installation
3. Browse to the following registry key on the site server:HKLM\Software\(Wow6432Node\)Microsoft\SMS\Components\SMS_SITE_Component_Manager\Multisite Component Servers\ and modify the value of path to a path on the C: drive
4. Browse to the following registry key on the site server: HKLM\Software\Microsoft\SMS\Components\SMS_SITE_Component_Manager\Multisite Component Servers\\SMS_Site_SQL_Backup and modify the value of “Installed At Least One File” to 0
5. Restart the SMS_SITE_COMPONENT_MANAGER service on the Site Server
6. Monitor the Sitecomp.log file on the site server for succesfull installation can be found in the ,\Logs folder
7. Check the backup by starting the SMS_SITE_BACKUP service on the Site server and checking the logfile to determine if the backup succeeded.

References:
How to Install Configuration Manager Using a Clustered SQL Server Instance- http://technet.microsoft.com/en-us/library/bb680513.aspx
Prerequisites for Installing Configuration Manager – http://technet.microsoft.com/en-us/library/bb694113.aspx
Setup Prerequisite Checks – http://technet.microsoft.com/en-us/library/bb680951.aspx
Troubleshooting Duplicate or Missing SPNs for a ConfigMgr 2007 SQL Database – http://blogs.technet.com/b/configurationmgr/archive/2010/10/26/troubleshooting-duplicate-or-missing-spns-for-a-configmgr-2007-sql-database.aspx
How to Prevent Configuration Manager From Installing Files on a Specific Drive – http://technet.microsoft.com/en-us/library/bb632890.aspx
SCCM (Configuration Manager) Installed Component Provider Binaries on SQL Clustered Drive (or other shared clustered drive) by Mistake. – https://madvirtualizer.wordpress.com/2011/01/14/sccm-configuration-manager-installed-component-provider-binaries-on-sql-clustered-drive-or-other-shared-clustered-drive-by-mistake/
Backup ConfigMgr Site Server Task Overview – http://technet.microsoft.com/en-us/library/bb633003.aspx

Configuring Group Policies for your ConfigMgr Servers

When you are installing System Center Configuration Manager (ConfigMgr) 2007 in environments where group policies are used to control the User Rights Assignment and Security Options security settings of the Servers, because if you don’t the settings coming from the ConfigMgr installation will be overwritten at the next policy refresh, which could result in interesting scenario’s. To mitigate this you have to provide the settings needed to make the Server work correctly to the Group Policy Administrators.
How to determine the Policy Settings:
In order to determine the correct settings, its best to build ConfigMgr in a test environment, where the servers are isolated from Group Policies when you are installing them. Start with detailing the configuration of the Security Settings of the machine in the state which you received it, or just after you installed the machine yourself. This can be easily done by exporting the User Rights Assigment and the Security Options settings using the Export List… options when you rights click the User Rights Assignment or Security Options node. Save the output, and make sure you detail the fact that this settings reflect your start position. (more)

The Second step should be that you configure the requirements needed on the Server in order to be able to install Configuration Manager, like IIS, WSUS etc.. (detailed here). When finished repeat the same procedure and make sure you name the output files to reflect the pre ConfigMgr installation state.
The Third step, is the ConfigMgr installation itself, install ConfigMgr and make sure the Site (or site system) is working properly. Repeat the described procedure and make sure you name the output files to reflect the post ConfigMgr installation state. There are probably more ways to achieve this goal, but this works with out of the box functionality.
The outcome of my investigation, which is the difference between the first and the last output saved, resulted in the following settings:

User Rights Assignment:
Adjust Memory Quotas for a process: Add Classic .NET AppPool,DefaultAppPool
Generate Security audits: Add Classic .NET AppPool,DefaultAppPool
Impersonate a client after authentication: Add IIS_IUSRS
Log on as a batch job: Add IIS_IUSRS
Log on as a service: Add Classic .NET AppPool,DefaultAppPool
Replace a process level token: Add Classic .NET AppPool,DefaultAppPool
Security Options:
Network access: Remotely accessible registry paths and sub-paths: Add Software\Microsoft\SMS

Keep in mind, that when you configure a so called Delta Policy for your ConfigMgr servers – which only contain the settings needed for that type of machine, you have to provide the default settings plus the above settings in the policy in order for the setting to be applied successfully.
The Caveat (without it it wouldn’t be fun…)
As always, when implementing these settings you run into some other “Challenges”, in my case it was because of the fact that the IIS Classic .NET AppPool and DefaultAppPool accounts weren’t added successfully to the registry after applying the newly configured policy. When you run a GPResult /H Report.html the report details that the settings are successfully applied, but when opening the local policy editor (Gpedit.msc) or the Resultant Set of Policy tool (RSOP.msc) when troubleshooting further you will notice that the settings are not applied.

The fact that the settings are not applied is also logged in the Application event log and searching for eventid 1202, resulting in the following error:

You can also see how Group Policies are applied by looking at the winlogon.log file created in the %windir%\security\logs\ folder during logon.

Configuring SeImpersonatePrivilege for this account is not supported.
Configure Classic .NET AppPool.
Error 1332: No mapping between account names and security IDs was done.

After this, then Google or you other favorite search engine is your friend, eventually resulting in finding the following KB article 977695: http://support.microsoft.com/kb/977695
The KB Article describes that when the Group Policy Management Editor changes settings under User Rights Assignment, it translates per-Service SIDs to service names, it does not add the NT Service or IIS AppPool prefix when doing so though, resulting in the behavior that only the supplied name in the Group Policy Management Editor (for example Classic .NET AppPool) is written to the GptTmpl.inf file while this should be IIS AppPool\Classic .NET AppPool instead.
The KB Article provides two solutions, by either requesting a hotfix to fix the Group Policy Management Editor, or by manually editing the GptTmpl.inf file. I decided to just the last option to edit the GptTmpl.inf file directly (search for the GUID of the Policy, and locate the correct .inf file)

[Privilege Rights]
SeIncreaseQuotaPrivilege = IIS AppPool\DefaultAppPool,IIS AppPool\Classic .NET AppPool,*S-1-5-32-544
SeAuditPrivilege = IIS AppPool\Classic .NET AppPool,IIS AppPool\DefaultAppPool
SeBatchLogonRight = IIS_IUSRS
SeServiceLogonRight = IIS AppPool\Classic .NET AppPool,IIS AppPool\DefaultAppPool
SeAssignPrimaryTokenPrivilege = IIS AppPool\DefaultAppPool,IIS AppPool\Classic .NET AppPool
SeImpersonatePrivilege = *S-1-5-6,IIS_IUSRS,*S-1-5-32-544

After modifying the GptTmpl.inf file and running a GPUpdate /force, i was able to check a Resultant Set of Policy, which gave the expected result.
Challenge solved

Checklist for Configuration Manager 2007

Many have been asking for what i need to check to make sure SCCM is healthy. According to me if I were you these are things I would have checked :)
This might not be complete but had tried to include what ever I could think of.

Administrative Activities: 

Daily Administrative Task

Daily Site Monitoring Tasks
To best maintain your system, perform the following monitoring tasks on a daily basis. If there is any indication of a problem, isolate and repair the problem to ensure that the site remains healthy.
Daily site monitoring tasks include:

• Checking SCCM site database status.
• Checking site server status.
• Checking site systems status.
• Checking client status.
• Checking the operating system event log.
• Checking the SQL Server error log.
• Checking system performance.
• Checking SCCM system folders.

Check SCCM Site Database Status

Use the SQL Server DBCC command to check the health of the SCCM site database. Use any other tools available to test the health of the SCCM site database.

 

Check Site Server Status

View site status summary information in the SCCM Administrator console, or create reports that summarize the server activity and status (such as the Clients that Received a Specific Advertised Program report). If necessary, check status messages of individual components. For further details, in case status messages indicate that a problem exists, view the relevant log files. Isolate and fix conditions that generate errors or warnings. If appropriate, reconfigure the status system so that only relevant and helpful messages are recorded.
Check the status of items such as:

• Site components and services. Check if any site server component or service is experiencing any problems.
• Packages and advertisements. Check the status of packages and advertisements in your site. Check package and advertisement status messages to ensure that package source files reach distribution points, and that advertised programs reach clients. Check status messages that are returned from clients to see whether the clients run programs successfully or not.
• Site-to-Site Communication. Check communication between the site and its parent and child sites (if they exist). Check status messages and, if necessary, check log files of the Replication Manager, Scheduler, and Senders on the site to determine whether the site is having communication problems.

 Check Site Systems Status

Check the state of site systems throughout the SCCM hierarchy. Use the status system and, if necessary, use log files to determine if site systems are having problems, such as:

• Low level of available disk space.
• SCCM components that cannot connect with a site system.

Check Clients Status

Check the state of clients in the hierarchy. Run queries on status messages to detect any problems that clients might be having, such as:

• Client components are experiencing problems.
• Clients are failing to install.
• Clients are not reporting software inventory or hardware inventory.
• Clients that are not reporting heartbeat discovery data regularly (or for the past x days).
• Client count unexpectedly increasing or decreasing at a fast rate.

You can monitor a client's status only if it creates status messages, and these status messages reach the site server.To detect clients from which you are missing status messages, you need to run a query that returns all clients that have not reported a status message within the last days. In this query, is the length of time you would expect to receive a status message from that client (taking into account the frequency of hardware or software inventory and the regular time it takes for status messages to reach the site server.)

 

Check the Operating System Event Log

On key servers, check the application, system, and security system event logs. You can access those through the Event Viewer administrative tool. Look for messages that indicate error conditions or developing problems. Isolate and repair the conditions that generate error or warning messages.
When installing an SCCM site server, its default configuration is to write status messages to the event log. This helps you identify any developing problems with SCCM.
Note :When SCCM is configured to write status messages to Windows event logs, SCCM error status messages are written as Information events, not Error events.
Save instances of the most recent event log files for future comparison. When you can compare current log files with previous log files, it is easier to detect problems that are developing. After saving the log files, you can clear them from the event log so it is easier to detect new problems.

 

Check the SQL Server Error Log

Check the SQL Server error log in SQL Enterprise Manager. Look for messages that indicate error conditions. Isolate and repair the conditions that generate error or warning messages.

 Check System Performance

To check whether the site server and component servers have sufficient resources and that SCCM site services are running optimally, you must monitor site server and component server performance. Use performance-monitoring tools such as System Monitor in the Performance console. Check the status of critical components on the site server, on the computer running SQL Server, and other SCCM site systems.
SCCM installs many performance monitor counters, but you can add, remove and configure counters as needed. You can also use the SQL Server performance counters.
Save performance log files for future comparison. It is easier to detect performance trends, and to identify potential bottlenecks, when comparing current performance log file to previous performance log files.

Check Status Filter Rules

Check whether it is possible to reduce the amount of traffic generated by status messages being replicated throughout the hierarchy. If the site is currently healthy, it might be possible to add status filter rules to prevent replication of status messages, which are not necessary.

Check the Inboxes to Monitor

Listed here is a list of the ConfigMgr 2007 inboxes that should be checked on a regular basis to ensure that your site(s) function as expected.
Auth\Dataldr.Box : A backlog of files can indicate problems accessing the site database.
Auth\Dataldr.Box\Process :A backlog of files can indicate problems accessing the site database.
Auth\Ddm.box\Bad_DDRs :A backlog of files can indicate a network corruption problem or a problem with the DDM
Auth\Sinv.Box :A backlog of files can indicate that the Software Inventory Processor cannot connect to the site database or that too many files were received.
Auth\Sinv.Box\Orphans :A backlog of files can indicate problems with specific clients, with management points, or with the network that could cause data corruption.
Compsumm.Box : A backlog of files can indicate that the Component Status Summarizer cannot process the volume of messages.
Dataldr.Box :A backlog of files can indicate problems accessing the Systems Management Server (SCCM) database
Dataldr.Box\Badmifs :A backlog of files can indicate a bad custom MIF file or that a client computer cannot transfer the file correctly.
Ddm.Box :A backlog of files can indicate a bad DDR is preventing other DDR’s to process.
Ddm.Box\Bad_DDRs :A backlog of files can indicate a network corruption problem or a problem with the DDM
OfferSum.Box : A backlog of files can indicate a performance problem that is caused by a large number of messages.
Policypv.Box :A backlog of files in the policypv.box folder indicates that the policy provider component is not running.
Replmgr.Box\Ready:A backlog of files can indicate that the Scheduler is backlogged or is already processing files of the same priority
Schedule.Box:A backlog of files can indicate that the Sender cannot connect to or cannot transfer data to another site.
Schedule.Box\Outboxes :A backlog of .srq files indicates that the sender cannot process the number of jobs scheduled for that sender or that the sender cannot connect to or transfer data to another site.
Schedule.Box\Tosend  :A backlog of files can indicate that many send requests are not completed or that the Scheduler has not yet deleted the files.
Sinv.Box :A backlog of files can indicate that the Software Inventory Processor cannot connect to the site database or that too many files were received.
Sinv.Box\BadSinv :A backlog of files can indicate problems with specific clients, with management points, or with the network, causing data corruption.

SiteStat.Box :A backlog of files can indicate a performance problem. Examine status messages for the Site System Status Summarizer for possible problems.
Statmgr.Box\Futureq :A backlog of files can indicate that some site systems' clocks are not synchronized with the site server.
Statmgr.Box\Queue :A backlog of files can indicate a problem with the Status Manager or that the component is trying to process too many messages.
Statmgr.Box\Retry :A backlog of files can indicate problems with the connection to the computer that is running SQL Server.
Statmgr.Box\Statmsgs :A backlog of files can indicate a problem with the Status Manager or that the Status Manager is trying to process too many messages
Swmproc.Box :A backlog of .sum and .sur files can indicate that the Software Metering Processor component cannot connect to the SCCM database.


Check Daily Maintenance Task

Check and make sure that the daily Maintenance Task if any. We can use the smsdbmon.log for more details.


Weekly Administrative Task

Weekly Site Monitoring Tasks
To best maintain your system, perform the following monitoring tasks on a weekly basis. If there is any indication of a problem, isolate and repair the problem, to ensure that the site remains healthy.
Weekly site monitoring tasks include:

• Checking SCCM site database available space.
• Checking available disk space.

Check SCCM Site Database Available Space

To find the amount of space used by database devices, run the SQL Server stored procedure sp_spaceused against the SCCM site database. For more details about sp_spaceused, see the SQL Server Help. Check the tempdb device at peak usage, when several instances of the SCCM Administrator console are using the database and the site is actively processing objects.

 Check Available Disk Space

Check the amount of available disk space on the site server, the SCCM site database server, and other SCCM servers. Ensure that the amount of free disk space is sufficient for SCCM and SQL Server to perform properly during regular and increased activity load.
To use the Status System to view information about site system disk space

1. In the SCCM Administrator console, navigate to Site System Status.

Configuration Manager > Site Database > System Status> Site Status> > Site System Status

1. In the details pane, view status information of site systems such as free disk space.

Weekly Site Maintenance Tasks
To best maintain your system, perform the maintenance tasks in this section on a weekly basis. You can automate some tasks by scheduling predefined maintenance tasks or custom maintenance tasks, as appropriate, to run on a weekly basis.

Weekly site maintenance tasks are:

• Weekly automated tasks.
• Delete unnecessary files.
• Delete unnecessary SCCM objects.
• Produce and distribute end-user reports.
• Run disk defragmentation tools.
• Back up application, security, and system event logs.

 Weekly Automated Tasks
The following predefined maintenance tasks should be scheduled to run on a weekly basis. For more information about these tasks, see the "Predefined Site Maintenance Tasks" section earlier in this chapter.

• Rebuilding Indexes
• Monitor keys
• Delete aged inventory history
• Delete aged discovery data
• Delete aged collected files
• Delete aged software metering data
• Delete aged software metering summary data
• Summarize software metering data
• Summarize software metering periodic usage data

Delete Unnecessary Files

If Management Information Format (MIF) files or IDMIFs are used to extend hardware inventory in your site, then any MIF files that are not valid are placed in the SCCM\inboxes\dataldr.box\BADMIFS folder and SCCM never removes them. You must empty this folder manually. If a large number of MIFs are placed in the BADMIFS folder, it is likely that a MIF generating tool is producing the MIFs with an incorrect format. Investigate and repair the cause of the bad MIFs.

 Delete Unnecessary SCCM Objects

Delete objects such as collections, queries, and packages that are no longer needed at the site. Deleting unnecessary objects saves disk space, reduces intersite replications, and increases performance.
Caution :When deleting a collection, any advertisements to that collection are also deleted.

 Run Disk Defragmentation Tools

Over time, disk volumes on SCCM site systems become fragmented. Site operations such as distributing large software packages might significantly increase fragmentation on site servers and distribution points. As fragmentation increases, disk operations take longer, thus, the overall site performance decreases.
Run disk defragmentation tools on the SCCM site server and all other site systems to maintain the performance level of disk operations.

 Back Up Application, Security, and System Event Logs

Windows event logs can get full, and by default, new items will start to overwrite older items. To diagnose problems, and for other reasons, it might be necessary to refer to an older event log. It is recommended that you back up Windows event logs, and store the backups in a safe and accessible location. If necessary, increase default logs file size to accommodate larger amounts of data.


Periodic Administrative Task

Periodic Site Maintenance Tasks
To best maintain your system, perform the following tasks periodically. Use the predefined maintenance tasks when appropriate.
Periodic site maintenance tasks include:

• Backing up account data.
• Changing accounts and passwords.
• Checking network performance.
• Reviewing the security plan.
• Reviewing the maintenance plan.
• Performing recovery tests.

Back Up Account Data

To properly recover a site server, you must have information about the accounts that SCCM used before the site failed. Account data is stored in domain controllers.
Use Microsoft tools, such as the NTBackup.exe tool that comes with Windows Server, or third-party tools to back up account data as follows:

• If there are multiple domain controllers in your infrastructure that contain the SCCM account database, you need to periodically back up the account database. (If Active Directory® directory service is implemented in your organization, then such a task might be included in the Active Directory maintenance plan.)
• If the account database is stored on a single domain controller, then back up the account database frequently. Depending on the frequency of changes to account data, you might need to add this task to the site's daily or weekly maintenance tasks.
• If the account data is stored on member servers, then regularly back up the whole operating system that contains the account data, using software that backs up account lists and the account database.
• Whenever there is a change to the password of the Client Push Installation account or to the site system connection accounts, you should note that change. For security reasons, SCCM  encrypts the Client Push Installation account and the site system connection accounts. You need to be able to retrieve these accounts' passwords so that you can re-enter them during a site recovery operation.
• In between account database backups, document any changes to accounts. Write down and save any changes made to SCCM accounts and share rights so that you can apply those changes again after recovering the site.

Change Accounts and Passwords

To maintain the level of security in your hierarchy, you must periodically change the passwords and the accounts that SCCM sites use. Report any changes to the security staff so that security administrators know that these changes are planned and authorized.
To develop an effective security maintenance plan for your SCCM hierarchy, you must thoroughly understand how security is deployed in your hierarchy and make the following decisions:

• Which accounts need to be changed, and for which accounts is it sufficient to change only the password.
• How often to change passwords and accounts.
• How to change passwords and accounts (such as by running SCCM site reset).
• Which accounts cannot be configured by the administrator (either the account name cannot be changed, or the password cannot be manually modified).

 Check Network Performance

Check the available bandwidth and error rates on the networks used by the SCCM hierarchy. Use Network Monitor to capture and analyze network frames so you can diagnose network problems and look for optimization opportunities.

 Review the Security Plan

SCCM evolves with time. User roles change, and people might no longer need access to some or any of the SCCM functions. Although most changes in access permission should be implemented after role or staff changes, you should also periodically review the access for all users or groups to identify and delete unauthorized access permissions.
The security plan implemented for the SCCM hierarchy in your organization needs to support the risk assessment of your organization. As your organization changes, policies can become ineffective.
Review security-related settings such as:

• Who has access to SQL Server and to the SCCM site database.
• Who can download from SCCM distribution points.
• Which accounts have permissions within SCCM security.
• Periodically, re-evaluate the risk assessment of your organization, and then review and update the security plan accordingly.

 Review the Maintenance Plan

Use the maintenance plan document to review the SCCM maintenance plan. SCCM evolves with time, and it might be necessary to adjust the maintenance plan to accommodate growth, development, and other changes in your organization.
If there were any changes in your organization's security strategy, backup and recovery strategy, or any other strategy that affects SCCM, then determine if the maintenance plan needs to be adjusted to reflect these changes.
Review maintenance tasks configuration. Check the amount of data in the site database and evaluate the usefulness of that data against the amount of space that it occupies in the database. If necessary, adjust the settings that determine the number of days that data is retained in the database.

Update the maintenance plan document to reflect any changes to the maintenance plan, and then distribute it to all SCCM administrators that are using it.

 Perform Recovery Tests in a Test Lab

 The best way to be fully prepared for a site recovery operation is to ensure that the recovery plan is adequate and that administrators are familiar with the recovery process. After you develop a recovery plan for your site, it is recommended that you perform periodic recovery tests in a test lab.

A recovery test should follow the recovery plan developed for the production environment. Plan to perform a recovery test of the central site, and of any other systems deployed in your hierarchy. A recovery test should test all phases of recovery, including:

• Backing up a site.
• Archiving the backup snapshot.
• Simulating a site failure, such as by turning a server off.
• Recovering the failed site.
• Verifying the success of the recovery operation.
• You might schedule periodic recovery tests. Company policy might require that new administrators always perform a recovery test. It is strongly recommended that you always include a recovery test when testing major changes to the hierarchy.
• For example, before upgrading site server operating systems, you should probably first test the upgrade in the test lab. After completing the upgrade in the test lab, you should perform a recovery test to identify any issues or adjustments to the recovery plan associated with the operating system upgrade. This ensures that if you upgrade the servers in the production environment, you will still be able to successfully recover a failed site.
• Include a recovery test in every major deployment test, such as:
• A major operating system upgrade (not service pack).
• A major change to the networking infrastructure.
• New equipment deployment or building relocation.
• An SCCM major version site upgrade.

Periodic Site Monitoring Tasks
To best maintain your system, perform the following monitoring tasks periodically. If there is any indication of a problem, isolate and repair the problem to ensure that the site remains healthy.
Periodic site monitoring tasks include:

• Checking hardware.
• Checking site's overall health.
• Checking the backup snapshot.

 

Check Hardware

Even high-quality hardware occasionally fails. Sometimes, it fails gradually, so there might be early signs. Replacing hardware before it completely fails is a key step in preventing site failure. Both Windows and SCCM provide performance counters, which you can use to monitor the performance and state of the hardware used in the site.
As soon as you notice any signs of hardware-related unreliable behavior of an SCCM server, replace the hardware. To properly replace server hardware, you must use the Recovery Expert. For more information about swapping the computer of SCCM servers, see the "Swapping the Computer of a Site Server" section later in this chapter.

 Check Site's Overall Health

It is recommended that you periodically perform a more thorough health check, as follows:

• Ensure that all SCCM services are running.
• Review the Status Message System for Critical status.
• Ensure that all the latest service packs are installed.
• Ensure that the latest critical security patches are installed.
• Examine the System and Application Event logs for errors.
• Note
  • When SCCM is configured to write status messages to the system's event log, SCCM error status messages are written as information events, not error events.
• Run a query to determine if discovery data is being updated correctly in the SCCM site database. The query should list all installed clients in which System Resource - Agent Time is not within the heartbeat interval. It is expected that some clients might be offline, but in other cases, it might indicate a problem.
• Run a query to determine if software inventory data is being updated correctly in the SCCM site database. The query should list all installed clients in which Last Software Scan - Last Inventory Collection is not within the software inventory interval. It is expected that some clients might be offline, but in other cases, it might indicate a problem.
• Run a query to determine if hardware inventory data is being updated correctly in the SCCM site database. The query should list all installed clients in which Workstation Status - Last Hardware Scan is not within the hardware inventory interval. It is expected that some clients might be offline, but in other cases, it might indicate a problem.

If any of these tests fail, you need to diagnose the problem and repair it.

 Check the Backup Snapshot

At the end of every site backup cycle you should check the validity of the backup snapshot. Periodically, you should perform a more thorough check to ensure that the site's backup snapshots can be successfully used for recovery.
Restore a recent backup snapshot to a disk and examine file continuity, file size, and other file properties to ensure that they do not seem corrupted. Check critical files by restoring these files to their respective applications to ensure that the application can use the restored file.