Notes

Ping losses in CheckMK

I had to replace a non-working Icinga, so I decided to give CheckMK a try. Although the configuration workflow is a little different from other solutions, it is a nice monitoring tool.

When monitoring some hosts behind a firewall, I got a lot of error messages for the PING service:

CRITICAL - 10.0.0.1: rta nan, lost 100%

The strange thing was that the host was marked as UP; only the service showed that behaviour.

Because some of the hosts were connected using IPsec, I tried to change the timeout values, but it had no effect.

In the end, the solution was simple: CheckMK generated lots of ICMP packets, so they were blocked by the firewall (a Sophos UTM). I created a bypass rule for the CheckMK host in both directions and the problems were gone :)

Published on 2023-01-14, 16:28 +0000

Cleaning up a WSUS database

We thought it was a good idea to include drivers in our WSUS. Well, it wasn't… WSUS downloaded tens of thousands of drivers, which caused the database to grow larger than 10 GB (we're using MSSQL Express instead of WID). This made our primary WSUS and a downstream server stop working. The cleanup wizard wasn't working anymore, because MSSQL Express refused to do anything with the database. Shrinking the database using SQL Management Studio didn't work either.

I know it is pretty easy to set up a new WSUS, but I didn't want to lose all the settings and the approved updates. So I tried to find a way to clean up the database. The downstream server was not the problem, because it was a replica.

The first thing was to stop WSUS and IIS and to copy the database to another server where a licensed MSSQL was running. I attached it there and gave the computer account of the WSUS server (like mycompany.local\my-wsus$) the db_owner and webService roles. Then I edited the following registry value to point to the other MSSQL server:

HKLM\SOFTWARE\Microsoft\UpdateServices\Server\Setup\SqlServerNameStart

After restarting the WSUS and IIS services, I was able to start the WSUS MMC and see all the settings. So I had a working WSUS again and could now try to remove the drivers. Of course I turned off the setting that made WSUS download drivers ;)

Just declining the drivers didn't work: the metadata was still in the database. Luckily, I found a German article providing some PowerShell snippets that actually delete the metadata from the database.

First I initialized the connection to the WSUS server:

# Connection parameters for the WSUS server (8530 is the default HTTP port, 8531 the default SSL port)
[String]$WsusServer = "my-wsus"
[Boolean]$UseSSL    = $False
[Int32]$PortNumber  = 8530
# Load the WSUS administration assembly and get a proxy object for the update server
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer,$UseSSL,$PortNumber)

Now I could delete the drivers from the database (note that even on a German operating system, I had to use the English term "Drivers"):

$wsus.GetUpdates() | 
Where {$_.UpdateClassificationTitle -eq "Drivers"} | 
ForEach-Object {$wsus.DeleteUpdate($_.Id.UpdateID);Write-Host $_.Title "is removed."}

This removed all driver metadata from the database, nearly 3 GB of data, and I was able to shrink it.

I gained another GB by removing the language packs I had accidentally downloaded some months ago:

$wsus.GetUpdates() | 
Where {$_.Title.contains("Language Pack")} |
ForEach-Object {$wsus.DeleteUpdate($_.Id.UpdateID);Write-Host $_.Title "is removed."}

I repeated the step above with the terms Language Interface Pack and Language Features.
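The driver and language-pack deletions above are the same loop with a different filter. As an added example (my own code, not the snippets from the German article), here is one function that covers both, lists the matches first and only deletes when run without -WhatIf; it assumes the $wsus object from the connection snippet above already exists.

```powershell
# Added example: delete WSUS update metadata by classification and/or title substring.
# Assumes $wsus was created with AdminProxy::GetUpdateServer as shown above.
function Remove-WsusUpdatesByFilter {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] $Wsus,
        [string[]]$Classification = @(),   # e.g. 'Drivers'
        [string[]]$TitlePattern   = @()    # e.g. 'Language Pack', 'Language Features'
    )
    # GetUpdates() pulls the whole catalogue, so call it once, not once per search term.
    $all = $Wsus.GetUpdates()
    $targets = @($all | Where-Object {
        $u = $_
        ($Classification -contains $u.UpdateClassificationTitle) -or
        (@($TitlePattern | Where-Object { $u.Title -like "*$_*" }).Count -gt 0)
    })
    Write-Host ("{0} of {1} updates match the filter." -f $targets.Count, $all.Count)

    $deleted = 0
    foreach ($u in $targets) {
        # ShouldProcess gives us -WhatIf (dry run) and -Confirm for free.
        if ($PSCmdlet.ShouldProcess($u.Title, 'Delete update metadata from WSUS')) {
            try {
                $Wsus.DeleteUpdate($u.Id.UpdateID)
                $deleted++
            } catch {
                Write-Warning "Could not delete '$($u.Title)': $($_.Exception.Message)"
            }
        }
    }
    return $deleted
}

# Dry run first: prints every update that would go, deletes nothing.
Remove-WsusUpdatesByFilter -Wsus $wsus -Classification 'Drivers' `
    -TitlePattern 'Language Pack', 'Language Interface Pack', 'Language Features' -WhatIf

# Real run; ConfirmImpact 'High' makes it prompt once per update unless you pass -Confirm:$false.
# Remove-WsusUpdatesByFilter -Wsus $wsus -Classification 'Drivers' -Confirm:$false
```

Declining the updates beforehand is still worthwhile, because DeleteUpdate only removes the metadata; the downloaded content files are cleaned up by the server cleanup wizard afterwards.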

After that, the database was down to 7 GB and I was able to attach it to MSSQL Express.

As a last step, I reset the replica by first removing the database and the repository and then running wsusutil:

wsusutil postinstall SQL_INSTANCE_NAME=my-replica\sqlexpress CONTENT_DIR=D:\WSUS

I did it :) Both the primary WSUS and the replica were working again!

Published on 2022-12-23, 15:56 +0000

Wrong advice: Reseeding is not defragmenting

I once attended a training course for Microsoft Exchange where the teacher said that you can defrag an Exchange database by simply removing a DAG copy and then reseeding it. This sounded much better than an offline defrag, where you have to take the database offline.

It sounds logical, but it doesn't work. I tried it using a database that no longer had any mailboxes (I had previously used it for a forest migration); Get-MailboxDatabase showed that there was a lot of free space (AvailableNewMailboxSpace). I reseeded the database using Update-MailboxDatabaseCopy, but the reseeded copy had the same size as the original.

Nice idea, but it doesn't work.

Published on 2022-12-13, 20:39 +0000

Dynamic distribution group based on security group membership - part 2

I extended the recipient filter for a dynamic distribution group described in an earlier article.

As a short recap, the distribution group should have two kinds of members:

  1. Users where the Company field has a specific value
  2. Users that are members of a specific security group

But now there was a kind of user whose Company field has this specific value but who must not be a member of the distribution group. It was not possible to put the user in its own organizational unit, because the distribution group includes all organizational units.

So I extended the recipient filter to exclude users that are members of another security group:

(
    (
        (
            (MemberOfGroup -ne 'CN=my-other-group,OU=groups,DC=mycompany,DC=local')
            -and
            (
                (Company -eq 'My company')
                -or
                (MemberOfGroup -eq 'CN=my-group,OU=groups,DC=mycompany,DC=local')
            )
            -and
            (
                (
                    (RecipientType -eq 'UserMailbox')
                    -or
                    (RecipientType -eq 'MailUser')
                )
            )
        )
    )
    -and (-not(Name -like 'SystemMailbox{*'))
    -and (-not(Name -like 'CAS_{*'))
    -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan'))
    -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox'))
    -and (-not(RecipientTypeDetailsValue -eq 'PublicFolderMailbox'))
    -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox'))
    -and (-not(RecipientTypeDetailsValue -eq 'AuditLogMailbox'))
    -and (-not(RecipientTypeDetailsValue -eq 'AuxAuditLogMailbox'))
    -and (-not(RecipientTypeDetailsValue -eq 'SupervisoryReviewPolicyMailbox'))
)

The important (and new) part is (MemberOfGroup -ne 'CN=my-other-group,OU=groups,DC=mycompany,DC=local') -and …. It excludes users that are members of the security group named my-other-group. Again, you have to address the group by its distinguished name, and users must be direct members of the group.
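Applying such a filter and checking that the exclusion really takes effect, as an added example (my own code, not from the original article). It assumes the two security groups from this post and a dynamic distribution group called my-ddg; the trailing system-mailbox exclusions in the filter above are appended by Exchange itself, so only the custom part is passed in.

```powershell
# Added example: set the group-based include/exclude filter and preview the membership.
# Assumed names: security groups 'my-group' / 'my-other-group', dynamic group 'my-ddg'.
# Get-Group also returns plain security groups, unlike Get-DistributionGroup.
$includeDn = (Get-Group 'my-group').DistinguishedName
$excludeDn = (Get-Group 'my-other-group').DistinguishedName

# OPATH takes the DN as a quoted string literal; an apostrophe inside a DN must be doubled.
$includeLit = $includeDn -replace "'", "''"
$excludeLit = $excludeDn -replace "'", "''"

$filter = "(MemberOfGroup -ne '$excludeLit') -and " +
          "((Company -eq 'My company') -or (MemberOfGroup -eq '$includeLit')) -and " +
          "((RecipientType -eq 'UserMailbox') -or (RecipientType -eq 'MailUser'))"

Set-DynamicDistributionGroup -Identity 'my-ddg' -RecipientFilter $filter

# Preview the membership the way Exchange will resolve it (filter plus its recipient container).
$ddg     = Get-DynamicDistributionGroup 'my-ddg'
$members = @(Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
                           -OrganizationalUnit $ddg.RecipientContainer -ResultSize Unlimited)
$members | Select-Object Name, Company, RecipientType | Sort-Object Name

# Verify the exclusion: no direct member of my-other-group may appear in the preview.
$shouldBeOut = @(Get-Recipient -RecipientPreviewFilter "MemberOfGroup -eq '$excludeLit'" -ResultSize Unlimited)
$leaks = $members | Where-Object { $shouldBeOut.DistinguishedName -contains $_.DistinguishedName }
if ($leaks) { Write-Warning ("Still included: " + ($leaks.Name -join ', ')) }
else        { Write-Host "Exclusion verified: no member of my-other-group is in my-ddg." }
```

Nested group members are not matched by MemberOfGroup, so a user who is only in a group nested inside my-other-group will still show up in the preview.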

Published on 2022-11-27, 13:13 +0000

Backup user for MySQL / MariaDB

Since I don't like using a superuser for that, I wanted to create a MySQL / MariaDB user that can only read all databases and back them up using AutoMySQLBackup or my own PowerShell script.

It works when the user has the following global privileges:

  • SELECT
  • SHOW DATABASES
  • LOCK TABLES
  • EXECUTE
  • SHOW VIEW
  • EVENT
  • TRIGGER

You can assign these privileges using the following SQL statement (assuming your user is called backup and connects from localhost):

GRANT SELECT, SHOW DATABASES, LOCK TABLES, EXECUTE, SHOW VIEW, EVENT, TRIGGER ON *.* TO `backup`@`localhost`;
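A backup script that gets by with exactly these privileges, as an added example (my own code, not the author's PowerShell script or AutoMySQLBackup). It assumes mysql and mysqldump are on the PATH, runs on the database host (the user is backup@localhost) and reads the credentials from an option file with restricted NTFS permissions, so the password never appears on the command line.

```powershell
# Added example: per-database mysqldump with the read-only backup user from this post.
# Assumed paths; the option file holds "[client]", "user=backup" and "password=...".
$OptFile = 'C:\ProgramData\mysql-backup\backup.cnf'
$Target  = 'D:\Backups\mysql'
New-Item -ItemType Directory -Force -Path $Target | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# --defaults-extra-file must be the first option. Listing the databases is what the
# SHOW DATABASES privilege is needed for; the schema views are skipped.
$dbs = & mysql "--defaults-extra-file=$OptFile" -N -B -e 'SHOW DATABASES' |
       Where-Object { $_ -notin 'information_schema', 'performance_schema', 'sys' }

$failed = @()
foreach ($db in $dbs) {
    $out = Join-Path $Target "$db-$stamp.sql"
    # --single-transaction gives a consistent InnoDB snapshot; non-transactional tables
    #   still get locked, which is why LOCK TABLES is in the grant.
    # Views need SHOW VIEW, --events needs EVENT, --triggers needs TRIGGER; table data is SELECT.
    & mysqldump "--defaults-extra-file=$OptFile" --single-transaction `
                --routines --events --triggers "--result-file=$out" $db
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Dump of $db failed (exit code $LASTEXITCODE); partial file kept for inspection."
        $failed += $db
        continue
    }
    Compress-Archive -Path $out -DestinationPath "$out.zip" -Force
    Remove-Item $out
}

# Fail the scheduled task visibly instead of silently producing an incomplete backup set.
if ($failed) { Write-Error ("Backup incomplete for: " + ($failed -join ', ')); exit 1 }
```

The same user cannot restore anything, since it lacks every write privilege; restores are done with a separate account, which is the point of keeping the backup user read-only.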

Published on 2022-11-06, 11:08 +0000