Predicting the future with Powershell and Mathemagic

Have you ever had the pleasure of being awoken in the middle of the night by a low disk space alert on one of your business-critical LOB systems?

Did you ever wish for a more proactive method for catching this than waiting for the yellow/red alerts to go “ping!”?

I know I did, so I sat down and played math for a couple of hours and then applied the result using Powershell and a scheduled task. The result is a configurable script that sends you an email alert when the sustained disk consumption on the system is estimated to use up all free space on one of the disks within the amount of time you specify (by default 30 days).

Download ChkBurn 0.8 – modify all references to Contoso to fit your domain.

Sample output:

ChkBurn

The Service Improvement Pipeline in Utopia

In any discussion about service improvement, one should keep the following in mind:

  1. There is always room for improvement – development is a never-ending story
  2. Striving for perfection is healthy – but note that there will always be room for improvement (see #1)

Given that – the following is my visualization of a structured approach to engaging all parties in a service delivery relationship with the goal of maximizing the synergy of ideas from different sources while maintaining a reasonable level of control and accountability without clogging the works too much.

 

Frequent MSExchangeTransport 15004 events on Ex2k13 Sp1

Exchange 2013 Sp1 comes with built-in overload failsafe functionality that will either temporarily slow down mail flow (implement “tar pits”) or temporarily halt inbound and outbound mail delivery when certain key performance indicators get above the “Normal” levels (i.e. reach “Medium” or “High” levels). This is to avoid an outage scenario (or DoS attacks) where the server is overrun by a sudden massive spike of delivery requests (e.g. mass mailing a large attachment to several hundred users).

Exchange will then proceed to process the items it already has in the queue and remove the tarpitting or resume the halted mailflow once the performance counters drop down to “Normal” or “Medium” levels.
At “Medium” you will mostly be seeing external delivery and reception being affected – at “High” both internal and external delivery and reception will be affected.

If you’re seeing multiple MSExchangeTransport 15004 and 15005 events on your Exchange 2013 Sp1 system, and the component reported as rising above “Normal” is Version Buckets, then you should consider running the Fixit tool from KB2938053 (which essentially contains a Powershell script that makes format changes rather than being a hotfix binary) and monitoring the I/O levels of the disk(s) that host the transport queues and logs.

Note: the formatting change that running the Fixit tool implements has a scope beyond what is indicated in the KB – Exchange itself uses the same formatting functionality in .NET that third-party transport agents use (which is presumably also why this KB is listed at the top of the Exchange 2013 SP1 download link on http://support.microsoft.com/kb/2926248)

 Ex2k13Sp1-postfix

Download Fixit tool on http://support.microsoft.com/kb/2938053/en-gb

 

Back Pressure

 

Back Pressure [and Tarpitting explained]
http://technet.microsoft.com/en-us/library/bb201658(v=exchg.150).aspx

Version Buckets Explained
http://blogs.technet.com/b/exchange/archive/2006/04/19/425722.aspx

Troubleshooting MSExchangeTransport Service Events
http://technet.microsoft.com/en-us/library/bb397220(v=EXCHG.80).aspx

 

Symptoms:

15004 – Exchange automatically halts mail transport when performance indicators increase to “High”:

TimeCreated  : 5/8/2014 3:50:34 PM
ProviderName : MSExchangeTransport
Id           : 15004
Message      : The resource pressure increased from Normal to High.

The following resources are under pressure:
Version buckets = 205 [High] [Normal=80 Medium=120 High=200]

               The following components are disabled due to back pressure:
               Inbound mail submission from Hub Transport servers
               Inbound mail submission from the Internet
               Mail submission from Pickup directory
               Mail submission from Replay directory
               Mail submission from Mailbox server
               Mail delivery to remote domains
               Content aggregation
               Mail resubmission from the Message Resubmission component.
               Mail resubmission from the Shadow Redundancy Component

The following resources are in normal state:
Queue database and disk space (“C:\Program Files\Microsoft\Exchange
Server\V15\TransportRoles\data\Queue\mail.que”) = 45% [Normal] [Normal=95% Medium=97% High=99%]
Queue database logging disk space (“C:\Program Files\Microsoft\Exchange
Server\V15\TransportRoles\data\Queue\”) = 45% [Normal] [Normal=95% Medium=97% High=99%]
Private bytes = 4% [Normal] [Normal=71% Medium=73% High=75%]
Physical memory load = 65% [limit is 94% to start dehydrating messages.]
Submission Queue = 0 [Normal] [Normal=2000 Medium=4000 High=10000]
Temporary Storage disk space (“C:\Program Files\Microsoft\Exchange
Server\V15\TransportRoles\data\Temp”) = 45% [Normal] [Normal=95% Medium=97% High=99%]

15005 – Exchange automatically resumes mail transport after performance indicators drop down to “Normal” ~4 minutes after increasing to “High”:

TimeCreated  : 5/8/2014 3:54:05 PM
ProviderName : MSExchangeTransport
Id           : 15005
Message      : The resource pressure decreased from High to Normal.

No components disabled due to back pressure.
The following resources are in normal state:
Queue database and disk space (“C:\Program Files\Microsoft\Exchange
Server\V15\TransportRoles\data\Queue\mail.que”) = 45% [Normal] [Normal=95% Medium=97% High=99%]
Queue database logging disk space (“C:\Program Files\Microsoft\Exchange
Server\V15\TransportRoles\data\Queue\”) = 45% [Normal] [Normal=95% Medium=97% High=99%]
Version buckets = 2 [Normal] [Normal=80 Medium=120 High=200]
Private bytes = 4% [Normal] [Normal=71% Medium=73% High=75%]
Physical memory load = 63% [limit is 94% to start dehydrating messages.]
Submission Queue = 0 [Normal] [Normal=2000 Medium=4000 High=10000]
Temporary Storage disk space (“C:\Program Files\Microsoft\Exchange
Server\V15\TransportRoles\data\Temp”) = 45% [Normal] [Normal=95% Medium=97% High=99%]

Powershell parsing of archived event logs

Problem:

You want to find specific events from multiple archived event logs.

I wonder why he put a gorilla picture in here?

Solution:

EventScrape.ps1 – uses Powershell Get-WinEvent to parse offline event logs and sort them into chronological order.

# Start with an empty array (an initial "" would end up as a bogus first row in the output)
$TotalSearch = @()
# *App* is targeting archived Application logs – change to suit your needs
Get-ChildItem -Include *App*.evt,*App*.evtx -Path E:\EventLogs\Winevt\logs\ -Recurse |
ForEach-Object {
    "Parsing $($_.FullName)`r`n"
    Try {
        # One query for both events (15004 = pressure increased, 15005 = pressure decreased),
        # so a log without 15004 events no longer skips the 15005 search
        $TotalSearch += Get-WinEvent -FilterHashtable @{
            Path = $_.FullName
            Id = 15004, 15005
            #StartTime = "1/14/2011"   # in case you want to limit the search to a certain time range
            #EndTime = "1/15/2016"
        } -EA Stop
    } Catch [System.Exception] {
        # Get-WinEvent throws when a log holds no matching events; report it and move on
        "No matching events (or unreadable log): $($_.Exception.Message)"
    }
}

# Chronological dump as text and as CSV
$TotalSearch | Sort-Object TimeCreated | Format-List | Out-File "BackPressure.txt"
$searchCSV = $TotalSearch | Sort-Object TimeCreated | ConvertTo-Csv -UseCulture
$searchCSV | Out-File "SearchCSV.csv"

# Extract each pressure transition with its surrounding context lines
Get-Content .\BackPressure.txt | Select-String "resource pressure" -Context 5,7 | Out-File Pressures.txt
Invoke-Item .\Pressures.txt
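
The collected 15004/15005 records can also be reduced to one row per back pressure episode (start, peak level, resources under pressure, duration). The following is an added example, not part of EventScrape.ps1; the function names are hypothetical and the sample records are constructed from the event text shown in the Symptoms section.

```powershell
# Constructed sample: the two Message texts from the Symptoms section, trimmed to the lines the parser reads.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2014-05-08T15:50:34'; Id = 15004; Message = @'
The resource pressure increased from Normal to High.
The following resources are under pressure:
Version buckets = 205 [High] [Normal=80 Medium=120 High=200]
The following resources are in normal state:
Private bytes = 4% [Normal] [Normal=71% Medium=73% High=75%]
'@ }
    [pscustomobject]@{ TimeCreated = [datetime]'2014-05-08T15:54:05'; Id = 15005; Message = @'
The resource pressure decreased from High to Normal.
The following resources are in normal state:
Version buckets = 2 [Normal] [Normal=80 Medium=120 High=200]
'@ }
)

function ConvertFrom-BackPressureRecord {   # hypothetical helper name
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        if ($Record.Message -notmatch 'resource pressure (?:increased|decreased) from (\w+) to (\w+)') { return }
        $from = $Matches[1]; $to = $Matches[2]
        # Resource lines look like: name = value [State] [Normal=.. Medium=.. High=..]
        $rx = '(?m)^\s*(?<n>[^=\r\n]+?)\s*=\s*(?<v>\d+%?)\s*\[(?<s>Normal|Medium|High)\]'
        $hot = @([regex]::Matches($Record.Message, $rx) |
            Where-Object { $_.Groups['s'].Value -ne 'Normal' } |
            ForEach-Object { '{0} = {1}' -f $_.Groups['n'].Value, $_.Groups['v'].Value })
        [pscustomobject]@{ TimeCreated = $Record.TimeCreated; From = $from; To = $to; Pressured = $hot }
    }
}

function Get-BackPressureEpisode {          # hypothetical helper name
    param([object[]]$Records)
    $rank = @{ Normal = 0; Medium = 1; High = 2 }
    $start = $null
    foreach ($t in ($Records | Sort-Object TimeCreated | ConvertFrom-BackPressureRecord)) {
        if ($null -eq $start -and $t.To -ne 'Normal') {
            $start = $t.TimeCreated; $peak = $t.To; $res = $t.Pressured   # episode opens
        } elseif ($null -ne $start -and $t.To -ne 'Normal') {
            # Still under pressure: remember the worst level seen and what caused it
            if ($rank[$t.To] -gt $rank[$peak]) { $peak = $t.To; $res = $t.Pressured }
        } elseif ($null -ne $start) {
            # Back to Normal: emit one row with how long transport was throttled or halted
            [pscustomobject]@{ Start = $start; Peak = $peak; Resources = $res -join '; '
                               Duration = $t.TimeCreated - $start }
            $start = $null
        }
    }
}

Get-BackPressureEpisode -Records $sample | Format-List
```

Passing `$TotalSearch` instead of `$sample` runs the same summary over the archived logs; frequent short episodes caused by Version buckets match the pattern described for KB2938053.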

 

Details:

Use PowerShell to Parse Saved Event Logs for Errors
http://blogs.technet.com/b/heyscriptingguy/archive/2011/01/25/use-powershell-to-parse-saved-event-logs-for-errors.aspx

Name Reference is invalid when creating Group-Managed Service Account with New-ADServiceAccount

Name Reference is Invalid

This typically happens when running the Powershell cmdlet New-ADServiceAccount and the SPN you’re trying to add on the command line is either incorrectly formatted (backslash or forward-slash anyone?) or the container for it is missing in AD. For confirmation run the command without the SPN and try adding the same within the ADSIEdit.msc console – you should see the error message above.

Resolution: fix the format of your SPN obviously 🙂
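
A pre-flight check for the formatting half of the problem, as an added example (not part of the ActiveDirectory module or of the original post): `Test-SpnFormat` is a hypothetical helper that checks a string against the `serviceclass/host[:port-or-instance][/servicename]` layout before it is handed to New-ADServiceAccount. The SPNs in the sample list are constructed, and the check does not cover the missing-container case.

```powershell
function Test-SpnFormat {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Spn)
    $problems = @()
    if ($Spn -match '\\') { $problems += 'contains a backslash; SPN parts are separated by forward slashes' }
    if ($Spn -match '\s') { $problems += 'contains whitespace' }

    $parts = $Spn -split '/'
    if ($parts.Count -lt 2 -or $parts.Count -gt 3) {
        $problems += 'expected serviceclass/host[:port-or-instance][/servicename]'
    } else {
        if (-not $parts[0]) { $problems += 'service class is empty' }
        # Split host from an optional port or named instance (e.g. MSSQLSvc/host:1433)
        $hostPart, $suffix = $parts[1] -split ':', 2
        if (-not $hostPart) { $problems += 'host is empty' }
        if ($null -ne $suffix -and -not $suffix) { $problems += 'colon present but port/instance is empty' }
        if ($parts.Count -eq 3 -and -not $parts[2]) { $problems += 'trailing slash with empty service name' }
    }

    [pscustomobject]@{
        Spn      = $Spn
        Valid    = ($problems.Count -eq 0)
        Problems = $problems -join '; '
    }
}

# Constructed sample SPNs: two well-formed, three with typical typos
'HTTP/web01.contoso.com',
'MSSQLSvc/sql01.contoso.com:1433',
'HTTP\web01.contoso.com',
'HTTP/web01.contoso.com:',
'HTTP/' | ForEach-Object { Test-SpnFormat -Spn $_ } | Format-Table -AutoSize -Wrap
```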

 

Recommend this excellent post from my former PFE colleagues for beefing up on GMSA in Windows Server 2012+:

Windows Server 2012: Group Managed Service Accounts
http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx

 

…and other more verbose but less focused Technet material if you want the whole book and not just the summary:

ms-DS-Group-Managed-Service-Account class
http://msdn.microsoft.com/en-us/library/windows/desktop/hh404221(v=vs.85).aspx

Group Managed Service Accounts Overview
http://technet.microsoft.com/en-us/library/hh831782.aspx

Why doesn’t Sharepoint see my attribute?

Legolas visited the Bellevue Square Lego store and came back with this…

When working with Sharepoint and attributes that you want to make available, keep in mind that Sharepoint uses a Global Catalog search on port 3268/3269 rather than a standard LDAP query on port 389/636.  However, not all attributes in the AD schema are a part of the Global Catalog attribute set.

This means that if the attribute you’re trying to search for isn’t in the GC then Sharepoint won’t see it until you add it to the list of attributes in the AD schema that should be a part of the GC set.

Example: the serialNumber attribute in AD

SerialNumber

Add an attribute to the global catalog
http://technet.microsoft.com/en-us/library/cc737521(v=WS.10).aspx
All Attributes [in Active Directory]
http://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx