
Screenshot: inventoried replicated folders and their corresponding backlog counts

Before you even get started, make sure your PowerShell execution policy is set to **RemoteSigned** for both your standard AND x86 PowerShell consoles. Check_MK will generally execute PS scripts from the x86 console, so it’s critical to set the policy for both:

  1. Start > Accessories > Windows PowerShell
  2. Right-click ‘Windows PowerShell (x86)’, select ‘Run As Administrator’
  3. Execute: `Set-ExecutionPolicy RemoteSigned`
  4. Repeat the same steps above, but for the standard ‘Windows PowerShell’ console.

Next you’ll need to configure the Check_MK_Agent Service along with WMI and Component Services Security settings:

  1. Configure the ‘Check_MK_Agent’ service to use a non-administrative domain user account. Make certain the ‘Log On As’ user is a member of a security group configured for WMI/COM access. Restart the service after modifying the ‘Log On As’ account.
  2. Each DFS Replicated folder has two or more Sending or Receiving members. These members can be determined by examining the replication group connections in the DFS management console.
  3. Perform the following security/access edits for all DFS Sending/Receiving members of a replication group (it will fail if you don’t do this for every replication member)
    1. Update WMI Security
      1. Start > Run > wmimgmt.msc
      2. Right-click ‘WMI Control’ > Select ‘Properties’
      3. Select ‘Security’ Tab
      4. Navigate to the proper ROOT\MicrosoftDfs namespace and click the ‘Security’ button
      5. Click ‘Advanced’, click ‘Add’ and enter the user or security group used for WMI access
      6. Select the following ‘Allow’ permissions:
        1. Execute Method
        2. Enable Account
        3. Remote Enable
        4. Read Security
    2. Update Component Services Security
      1. Start > Administrative Tools > Component Services
      2. From the Console Root, navigate to ‘Component Services’ > ‘Computers’ > ‘My Computer’
      3. Right-click ‘My Computer’,  select ‘Properties’
      4. Select the ‘COM Security’ tab.
      5. For both ‘Access Permissions’ and ‘Launch and Activation Permissions’, click ‘Edit Limits’ and add the user/group. ‘Allow’ all available permissions. Click OK and close all open windows.
  4. Verify you can successfully poll DFS replication group counts by running a PowerShell terminal as the ‘Log On As’ account you specified for the check_mk_agent service. Execute the script below. If you’re receiving backlog counts for each and every RG connection, then everything is configured and you’re ready to copy the PS script to the check_mk/local directory.
  5. An additional note: if you have a TON of replication groups (like I do), then I highly suggest downloading the Check_MK agent Innovation release and tweaking the local check timeout & cache settings. This will help, but likely not solve, issues with backlog check timeouts. An alternative is to use a scheduled task that writes the backlog counts to a status file, and a simple ‘Get-Content’ in PS to output the status file contents when requested by check_mk.


```powershell
$Computer = [System.Net.Dns]::GetHostName()

# Fix issue with console text wrap:
$Host.UI.RawUI.BufferSize = New-Object Management.Automation.Host.Size (500, 300)

# Check_MK state codes
$OK = 0
$Warn = 1
$Crit = 2
$Unk = 3

# Warning/Critical Backlog [File] Counts:
$w_count = 350
$c_count = 700

[string]$RGName = ""
[string]$RFName = ""

$DebugPreference = "SilentlyContinue"
$ErrorActionPreference = "SilentlyContinue"

#region DFSQuery

# These thresholds are irrelevant for the local Check_MK thresholds (native to Steve Grinker's script):
[int]$WarningThreshold = 50
[int]$ErrorThreshold = 500
```

Function PingCheck { Param
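
The scheduled-task alternative from the additional note above, as an added example (not part of the original script): the task writes Check_MK local-check lines to a status file, and the script in check_mk/local replays them only if the file is fresh and every line is well-formed. The function names, service names, sample counts, temp-file path, 30-minute age limit and the `-ge` threshold comparison are assumptions.

```powershell
# Added example, not the original script. Names, paths and the age limit are assumptions.
$MaxAgeMin = 30                    # hypothetical staleness limit, in minutes
$w_count = 350; $c_count = 700     # warning/critical backlog counts from the page's script

# Scheduled-task side: turn one backlog count into a Check_MK local check line
# ("<state> <service> <perfdata> <text>").
function Format-BacklogLine {
    param([string]$Service, [int]$Backlog)
    $state = 0
    if ($Backlog -ge $c_count) { $state = 2 } elseif ($Backlog -ge $w_count) { $state = 1 }
    '{0} {1} backlog={2};{3};{4} {2} files in backlog' -f $state, $Service, $Backlog, $w_count, $c_count
}

# Scheduled-task side: write to a temp file and move it into place, which keeps the
# window in which the agent could read a partial file small.
function Write-StatusFile {
    param([string[]]$Lines, [string]$Path)
    $tmp = "$Path.tmp"
    Set-Content -LiteralPath $tmp -Value $Lines -Encoding ASCII
    Move-Item -LiteralPath $tmp -Destination $Path -Force
}

# Agent side (the script placed in check_mk/local): replay the file if it is fresh.
function Get-BacklogStatus {
    param([string]$Path, [int]$MaxAgeMinutes)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return '3 DFSR_Backlog_Status - status file not found'
    }
    $age = ((Get-Date) - (Get-Item -LiteralPath $Path).LastWriteTime).TotalMinutes
    if ($age -gt $MaxAgeMinutes) {
        return ('3 DFSR_Backlog_Status - status file is {0:N0} minutes old' -f $age)
    }
    # Emit only lines shaped like a local check result; drop anything else so a
    # damaged or modified file cannot add other content to the agent output.
    Get-Content -LiteralPath $Path | Where-Object { $_ -match '^[0-3] [\w.-]+ \S+ .+$' }
}

# Constructed sample counts standing in for the real backlog query results.
$sample = @{ 'DFSR_RG1_Folder1' = 12; 'DFSR_RG1_Folder2' = 512; 'DFSR_RG2_Folder1' = 900 }
$lines  = foreach ($k in $sample.Keys) { Format-BacklogLine -Service $k -Backlog $sample[$k] }
$demo   = Join-Path ([System.IO.Path]::GetTempPath()) 'dfsr-backlog-status.txt'  # demo path
Write-StatusFile -Lines $lines -Path $demo
Get-BacklogStatus -Path $demo -MaxAgeMinutes $MaxAgeMin
```

In production, keep the status file in a directory that only the scheduled-task account can write to and the ‘Log On As’ account can read.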
