Posts tagged: monitoring

Jan 06 2013

Powershell: Monitor the trusted root certification authorities store, Event Schannel ID 36885-36887

The root update package KB931125, when applied, might break the authentication process on servers using certificate-based authentication. This problem was reported for LDAP over SSL authentication on a Domain Controller, IIS authentication on a web server and IAS authentication on a RADIUS server (called Network Policy Server under Windows 2008). The symptoms, patch and workarounds for this issue are explained in this KB. The patch is only available for Windows 2003, and the root update package (KB931125) cannot be uninstalled via WSUS once applied.

Mar 02 2011

Windows 2008 Event Collector: XP and 2003 clients

In this post we will describe how to configure a Windows 2008 Event Collector server to process events forwarded from Windows XP and Windows 2003 clients. The event forwarding system (the Windows counterpart of syslog) relies on WinRM. There are two versions of the WinRM service, v1.1 and v2.0, and each version listens on a different default port (HTTP 80 + HTTPS 443 for WinRM 1.1, HTTP 5985 + HTTPS 5986 for WinRM 2.0). That is why you should upgrade WinRM 1.1 to WinRM 2.0 on your XP and 2003 clients in order to use event forwarding. For more details about WinRM I suggest you read this article.


Nov 19 2010

Powershell: AD replication

Repadmin monitors the replication in your Active Directory forest; you can read this AskDS post about this tool. The command line “repadmin /replsum” helps you retrieve the global forest replication status. The data retrieved for a given Domain Controller is:

  • Largest Delta: the longest time since it successfully replicated all the Naming Contexts with its replication partners.
  • Number of failed replications that occurred for all the Naming Contexts (aka Directory Partitions) with its replication partners.

The purpose of the PowerShell script is to analyze each DC’s inbound replication using the command line “repadmin /replsum /bydest”. If there are RODCs in your domain, they do not show up if you use the /bysrc switch. You can read this post if you need to know more about running the repadmin /replsum command in a domain with RODCs.

If for a given DC the “largest delta” exceeds a given threshold (in minutes), or there are replication failures, we will read the msDS-ReplAllInboundNeighbors attribute on the RootDSE object. With that information we will retrieve which replication partners and “Naming Contexts” are having trouble replicating. You can retrieve the same type of information with the “repadmin /showrepl %dc_name% /csv” command line, but the data stored in the msDS-ReplAllInboundNeighbors attribute is in XML format, which is easy and convenient to manipulate with PowerShell.

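The procedure described above, as an added PowerShell example that is not the blog's own script: parse the per-DC table of “repadmin /replsum /bydest”, and for any DC whose largest delta exceeds the threshold or that reports failures, read msDS-ReplAllInboundNeighbors from its RootDSE and list the partners and naming contexts whose last sync failed. Assumptions, labelled in the code: the column layout of the repadmin output (“Destination DSA / largest delta / fails/total / error”), the DS_REPL_NEIGHBOR element names used inside the attribute's XML (szNamingContext, szSourceDsaDN, dwLastSyncResult, cNumConsecutiveSyncFailures, ftimeLastSyncSuccess), and the constructed sample data at the bottom, which lets the parsing run offline.

```powershell
# Added example, not the blog's script.
# Assumption: repadmin's delta column uses the forms "15m:03s", "01h:02m:03s",
# "52d.02h:03m:04s" or ">60 days".
function ConvertFrom-ReplDelta {
    param([string]$Delta)
    if ($Delta -match '^>60 days') { return 60 * 24 * 60 }
    $minutes = 0
    if ($Delta -match '(\d+)d\.') { $minutes += [int]$Matches[1] * 1440 }
    if ($Delta -match '(\d+)h:')  { $minutes += [int]$Matches[1] * 60 }
    if ($Delta -match '(\d+)m:')  { $minutes += [int]$Matches[1] }
    return $minutes
}

# Assumption: the "Destination DSA" table of "repadmin /replsum /bydest" has the
# columns DSA name, largest delta, "fails / total", percent, optional error text.
function Get-ReplSummary {
    param([string[]]$Lines)
    $inTable = $false
    foreach ($line in $Lines) {
        if ($line -match '^Destination DSA') { $inTable = $true; continue }
        if (-not $inTable -or $line.Trim() -eq '') { continue }
        if ($line -match '^\s*(\S+)\s+(\S+(?:\s+days)?)\s+(\d+)\s*/\s*(\d+)\s+(\d+)\s*(.*)$') {
            [pscustomobject]@{
                DC           = $Matches[1]
                LargestDelta = $Matches[2]
                DeltaMinutes = ConvertFrom-ReplDelta $Matches[2]
                Failures     = [int]$Matches[3]
                Total        = [int]$Matches[4]
                Error        = $Matches[6]
            }
        }
    }
}

# Reads msDS-ReplAllInboundNeighbors (a constructed attribute, hence RefreshCache)
# from the DC's RootDSE unless XML strings are supplied, and keeps the entries whose
# last sync result is non-zero. Assumption: DS_REPL_NEIGHBOR element names below.
function Get-InboundNeighborProblems {
    param([string]$DC, [string[]]$NeighborXml)
    if (-not $NeighborXml) {
        $rootDse = [adsi]"LDAP://$DC/RootDSE"
        $rootDse.RefreshCache([string[]]@('msDS-ReplAllInboundNeighbors'))
        $NeighborXml = @($rootDse.Properties['msDS-ReplAllInboundNeighbors'])
    }
    foreach ($entry in $NeighborXml) {
        $n = ([xml]$entry).DS_REPL_NEIGHBOR
        if ([int]$n.dwLastSyncResult -ne 0) {
            [pscustomobject]@{
                DC              = $DC
                NamingContext   = $n.szNamingContext
                Partner         = $n.szSourceDsaDN
                LastSyncResult  = [int]$n.dwLastSyncResult
                ConsecutiveFail = [int]$n.cNumConsecutiveSyncFailures
                LastSuccess     = $n.ftimeLastSyncSuccess
            }
        }
    }
}

# Runs repadmin (or uses the supplied output) and drills into every DC that is
# over the delta threshold or shows failures.
function Test-AdReplication {
    param([int]$ThresholdMinutes = 60, [string[]]$ReplsumOutput, [hashtable]$NeighborsByDc)
    if (-not $ReplsumOutput) { $ReplsumOutput = & repadmin /replsum /bydest }
    foreach ($dc in Get-ReplSummary $ReplsumOutput) {
        if ($dc.Failures -gt 0 -or $dc.DeltaMinutes -gt $ThresholdMinutes) {
            $xml = if ($NeighborsByDc) { $NeighborsByDc[$dc.DC] } else { $null }
            Get-InboundNeighborProblems -DC $dc.DC -NeighborXml $xml
        }
    }
}

# Constructed sample data (not real output) so the parsing can be exercised offline.
$sampleReplsum = @(
    'Destination DSA     largest delta    fails/total %%   error',
    ' DC01                  15m:03s    0 /   5    0',
    ' DC02               01h:12m:40s    2 /   5   40  (8453) Replication Access was denied.'
)
$sampleNeighbors = @{
    'DC02' = @('<DS_REPL_NEIGHBOR><szNamingContext>DC=example,DC=test</szNamingContext>' +
               '<szSourceDsaDN>CN=NTDS Settings,CN=DC01,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=test</szSourceDsaDN>' +
               '<dwLastSyncResult>8453</dwLastSyncResult><cNumConsecutiveSyncFailures>2</cNumConsecutiveSyncFailures>' +
               '<ftimeLastSyncSuccess>2013-01-06T08:00:00</ftimeLastSyncSuccess></DS_REPL_NEIGHBOR>')
}
Test-AdReplication -ThresholdMinutes 60 -ReplsumOutput $sampleReplsum -NeighborsByDc $sampleNeighbors |
    Format-Table -AutoSize
```

Run without the sample parameters (`Test-AdReplication -ThresholdMinutes 60`) on a machine with repadmin and LDAP access to the DCs to query the live forest; with the sample data only DC02 crosses the threshold and its failing partner and naming context are listed. Parsing the XML attribute rather than the /showrepl text means one regex for the summary table is the only screen-scraping involved.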

Apr 07 2010

Monitor GPO Links modifications

You can track GPO link changes by analyzing the security event log; GPO links tell you which objects your GPO is applied to. We will monitor gPLink attribute changes.

In order to analyze the security log of all your DCs in real time you need to pay for a syslog solution, like Snare or Kiwi. Alternatively, you can try to set up an event log forwarding solution if you are under Windows 2008, or you can try to run a script that catches security log events, but you might encounter some performance issues.
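One way to pull gPLink changes out of the security log with PowerShell, as an added example that is not the blog's script: it filters “A directory service object was modified” events (ID 5136) for the gPLink attribute and reports who changed which container and the new link value. Assumptions, also noted in the code: Directory Service Changes auditing is enabled on the DCs so 5136 is logged, the 5136 EventData field names (ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType, SubjectUserName, SubjectDomainName), and the OperationType codes %%14674 (value added) / %%14675 (value deleted).

```powershell
# Added example, not the blog's script.
# Assumptions: Directory Service Changes auditing is on (otherwise no 5136 events),
# and the standard EventData field names of event 5136 listed below.
function Get-GpLinkChange {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-24),
        [System.Diagnostics.Eventing.Reader.EventRecord[]]$Events
    )
    if (-not $Events) {
        $Events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 5136; StartTime = $Since
        }
    }
    foreach ($ev in $Events) {
        # Flatten <Data Name="...">value</Data> into a hashtable
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        if ($d['AttributeLDAPDisplayName'] -ne 'gPLink') { continue }

        # Assumption: OperationType %%14674 = value added, %%14675 = value deleted.
        # A gPLink edit is logged as a delete of the old value followed by an add.
        $op = switch ($d['OperationType']) {
            '%%14674' { 'ValueAdded' }
            '%%14675' { 'ValueDeleted' }
            default   { $_ }
        }
        # gPLink values look like "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;0]"; pull the GPO GUIDs
        $gpoGuids = [regex]::Matches($d['AttributeValue'], '\{[0-9A-Fa-f-]{36}\}') | ForEach-Object { $_.Value }

        [pscustomobject]@{
            Time      = $ev.TimeCreated
            DC        = $ev.MachineName
            Who       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Container = $d['ObjectDN']
            Operation = $op
            GpoGuids  = ($gpoGuids -join ', ')
            GpLink    = $d['AttributeValue']
        }
    }
}

# Example call against a DC (hypothetical name) for the last day:
Get-GpLinkChange -ComputerName 'DC01' -Since (Get-Date).AddDays(-1) | Format-Table -AutoSize
```

Because a single link change produces a ValueDeleted followed by a ValueAdded event with the same ObjectDN, comparing the GUID lists of the pair shows which GPO was linked or unlinked. Running this on a schedule against each DC is the “script that catches security log events” option mentioned above; scoping the query with StartTime keeps the cost down.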

Mar 31 2010

Track GPO changes: Monitoring GPT

We will explain in this post how to monitor GPO changes by tracking modifications on the GPT. Only deletion, computer/user configuration modification and creation can be overlooked. About GPO monitoring you can read this article, which shows you how to activate auditing on your Sysvol share \\domainname\sysvol\domainfqdn\Policies and retrieve GPO changes via the event log. We will use another method, taking advantage of the replication of this folder.
