Creative Commons Attribution 4.0 International License
© Rakhesh Sasidharan

Service SIDs etc.

Just so I don’t forget. 

The SCOM Agent on a server is called “Microsoft Monitoring Agent”. The short service name is “HealthService” and is set to run as Local System (NT Authority\System). Although not used by default, this service also has a virtual account created automatically by Windows called “NT SERVICE\HealthService” (this was a change introduced in Server 2008). 

As a refresher to myself and any others – this is a virtual account, i.e. a local account managed by Windows and one which we don’t have much control over (like changing the password etc.). All services, even though they may be set to run under Local System, can also run in a restricted mode under an automatically created virtual account “NT Service\<ServiceName>”. As with Local System, when a service running under such an account accesses a remote system it does so using the credentials of the machine it is running on – i.e. “<DomainName>\<ComputerName>$”.

Since these virtual accounts correspond to a service, and each virtual account has a unique SID, such virtual accounts are also called service SIDs. 

Although all services have a virtual account, it is not used by default. To see whether a virtual account is used or not one can use the sc qsidtype command. This queries the type of the SID of the virtual account. 

A type of NONE as in the above case means this virtual account is not used by the service. If we want a service to use its virtual account we must change this type to “Unrestricted” (or one could set it to “Restricted” too which creates a “write restricted” token – see this and this post to understand what that means). 

The sc sidtype command can be used to change this. 

A service SID is of the form S-1-5-80-{SHA1 hash of short service name}. You can find this via the sc showsid command too:

Note the status “Active”? That’s because I ran the above command after changing the SID type to “Unrestricted”. Before that, when the service SID wasn’t being used, the status was “Inactive”. 

So why am I reading about service SIDs now? :) It’s because I am playing with SCOM and as part of adding one of our SQL servers to it for monitoring I started getting alerts like these:

I figured this would be because the account under which the Monitoring Agent runs has no permissions to the SQL databases, so I looked at RunAs accounts for SQL and came across this blog post. Apparently the in thing nowadays is to change the Monitoring Agent to use a service SID and give that service SID access to the databases. Neat, eh! :)

I did the first step above – changing the SID type to “Unrestricted” so the Monitoring Agent uses that service SID. So next step is to give it access to the databases. This can be done by executing the following in SQL Management Studio after connecting to the SQL server in question:

The comments explain what it does. And yes, it gives the “NT Service\HealthService” service SID admin rights to the server. I got this code snippet from this KB article but the original blog post I was reading has a version which gives minimal rights (it has some other cool goodies too, like a task to create this automatically). I was ok giving this service SID admin rights. 

Event ID 1046 – DHCP server says it is not authorized even though it is authorized!

This problem ate my head for the past 2 days and wasted a lot of time. For such a simple issue it drove me quite mad.

Built a bunch of DCs for our branch offices. One of them gave trouble with the DHCP server. I authorized it successfully, but the service kept complaining that it wasn’t authorized. Event ID 1046.

The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain mydomain.dom, has determined that it is not authorized to start.  It has stopped servicing clients.  The following are some possible reasons for this: 

This machine is part of a directory service enterprise and is not authorized in the same domain.  (See help on the DHCP Service Management Tool for additional information). 

This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized. 

Some unexpected network error occurred.

Did the obvious ones like reboot server :p and restart service :) and un-authorize and re-authorize the server (no errors either time). Also went ahead and removed the role itself and added back. Nothing helped!

Found a helpful post finally that pointed me in the right direction.

  1. I un-authorized the DHCP server.
  2. Opened up AD Sites and Services. 
  3. Browsed to the Services section (which can be enabled from the View menu if not already visible). 
  4. Browsed to the NetServices section within this. 
  5. On the right pane I had an entry for the IP address for the DHCP server I was trying to authorize. Not an entry by name, but by IP. Dunno why. (All other entries were by name, so I am guessing this is a leftover or a mistake by someone in the past). 
  6. I deleted this entry. 
  7. Waited a while, and then authorized the server. 
  8. No errors now!

Screenshot of the offending entry just for the heck of it (the blacked out part was an IP address):

Alternatively one can open ADSI Edit and go to CN=NetServices,CN=Services,CN=Configuration,DC=myDomain,DC=dom. Then delete the entry (as above) from there. 

What’s odd in my case is that the IP that I deleted was assigned to the DHCP server I wanted to authorize. Am guessing the CNF (short for conflict?) followed by the GUID indicates some issue.

Using Solarwinds to monitor Windows Performance Monitor (perfmon) Counters

Had a request from our Exchange admin to set up Solarwinds alerts for some of our Exchange servers based on Performance Monitor counters.

MSExchangeTransport Queues(_total)\Active Remote Delivery Queue Length       (above 200)
MSExchangeTransport Queues(_total)\Largest Delivery Queue Length                 (above 200)
MSExchangeTransport Queues(_total)\Messages Queued For Delivery                (above 200)
MSExchangeTransport Queues(_total)\Retry Remote Delivery Queue Length        (above 20)

Before setting up alerts I need to add them to Solarwinds first. Here’s how you do that.

First, open up the Solarwinds web console, go to Applications, and then SAM Settings.


Then go to Component Monitor Wizard.



Select Windows Performance Counter Monitor.


Notice that it says the data is collected using RPC. This means (1) the server must be monitored by Solarwinds using WMI and not SNMP. In case of the latter, switch to monitoring via WMI. And (2) RPC ports must be open between the Solarwinds server and the target server. If not, monitoring will fail.

Enter the name of a server you wish to target. This server would be one that contains the perfmon counters you are interested in. You use this server to set up monitoring for the counters you are interested in. Change to 64bit if 32bit doesn’t work.


Change the “Choose Credential” drop down according to your environment. To select the server it’s better to click “Browse” and find the server you are interested in if Solarwinds complains that it cannot find the name you type in.

Note: The next step will fail if you have not opened the required RPC ports.

Select the counters you are interested in. First select the object you want to monitor (MSExchangeTransport Queues, in the screenshot below) and then the counters.


The next screen will list all the counters you selected and give you a chance to set warning and critical thresholds. Customize these.



Select where you would like these counters added to – a new application monitor/ monitor template, or an existing application monitor/ monitor template. I am going with a new application monitor template. Easier to make changes to templates than individual application monitors.



Choose more nodes you would like to assign this application monitor to. Am skipping this screenshot. This step is optional as you can assign the application monitor to nodes later too.

An optional step – I also went to Manage Application Templates screen after the above steps, selected the template I created, and assigned it some tags and set a custom view.


A custom view lets you define what details are shown when anyone clicks this application monitor template on a particular node in the Solarwinds web console. You can customize the view by going to Settings (of Solarwinds) and selecting Manage Views.

Next step is to create an alert. For that you have to log on to the Solarwinds server itself, go to Alert Manager, and create a new alert (skipping screenshots for all these) whose condition is as follows:

Note that the type of property to monitor is “APM: Component”. This is important for the correct variables to be visible in the alert message. Also, note that I am triggering for each of the components (with an “any” condition) and not for the application monitor itself. This lets me get alerts for individual components; if I don’t do this, and instead trigger on the application monitor itself, I will get alert emails for each component including the ones that don’t have an issue.

Here’s the alert message:


Azure IaaS for IT Pros Online Event #LevelUpAzure

I attended the Azure IaaS for IT Pros online event yesterday. It’s a four day event, day one was great! A good intro to Azure and what it can do. While I have been very curious about Azure I have also been lazy (and got too many other things going on) to actually play with Azure or learn more about it. So this felt like a good way to get up to speed.

Azure looks great, of course! One thing that struck me during the sessions was how all the speakers constantly call out to Linux and Open Source technologies. That’s just amazing considering how just a few years ago Microsoft was so anti-Open Source. They kept showing Ubuntu VMs as something you can deploy on Azure, and did you know you can manage Azure (or maybe the Windows/ Linux VMs in it, I am not sure) using Chef and Puppet?! Wow! That’s just cool. In fact the sessions on day 3 are totally Linux/ Open Source oriented – on how to use Chef and Puppet, how to use Docker, and how to deploy Linux. Nice! :)

I think I’ll play around a bit with Azure today just to get the hang of it. I think I didn’t appreciate some of the stuff they presented because I haven’t worked with it and so wasn’t sure how it all fit together/ affected an IT pro like me. 

Coming soon … fingers crossed!

October was a good month. I had the good fortune to attend a Microsoft workshop on Active Directory troubleshooting last month. And before that, I was at our Amman office for an upgrade from Windows XP (yeah we still had that!) to Windows 7 and I got to build a standard Windows 7 image with all our software and updates and create a bootable USB key that lets users install the OS and apps to a fresh machine. I want to write some posts on both of these – especially the Active Directory workshop, which was ah-maa-zing! – but also on the Windows 7 USB stuff (which is nothing novel but I’d like to write a post nevertheless).

I don’t know if I’ll manage to. I have ambitious plans on the Active Directory posts. It was a 4 day course and we covered many interesting topics such as replication, Kerberos, DNS, as well as a lot of troubleshooting. Many of these were familiar concepts to me but this was the first time I was presented with all of them together and that too someone was teaching the concepts rather than me Googling and/ or reading. I have already forgotten most of what I learnt, I think, but before I forget the rest I want to write multiple posts about the topics of each day, supplemented with more reading and notes from the Internet sort of as a revision to myself. Like I said – ambitious! – and the more ambitious I aim the less likely I am to achieve it (going by my track record). For starters, ever since the training finished I have been down with a stomach bug and so been too wasted to sit at the computer and write a blog post, let alone collect all my thoughts together. This post itself is sort of a last ditch attempt at getting the ball rolling by putting something out there, just so I have a commitment out in the open to get this done.

Fingers crossed, there’ll be more technical posts appearing soon! :)

Disabling Connected Standby

As you know a few days ago I purchased a Notion Ink Cain, a Windows 8.1 tablet-slash-laptop. This is my first Windows tablet so while it doubles as both, I have slightly different expectations and use cases from this.

One of these is the battery life. Whereas I always hibernate my regular laptop, the Cain is just put to sleep once I am done with it. I put it to sleep either via the Power button or the device goes to sleep on its own. This is fine but for two problems – (1) since the device is only sleeping and I usually dock it into the keyboard and use the flap as the cover, any key presses when the device is asleep result in it waking up and thus some battery draining; (2) since the Cain supports Connected Standby (nowadays called InstantGo) the device does not really sleep in the way we usually expect Windows devices to sleep, the sleep here is more like a “light sleep” wherein the device is kind of awake and able to let some background stuff like email and other programs run and do their bit.

I work around the first issue either by rotating the Cain and then docking it, such that the keyboard is behind the device and so keypresses don’t get registered (the Cain requires the docking to be correct for the keyboard to be recognized). I also put the Cain in a pouch without the keyboard. It’s not very elegant but that’s what I was doing until today.

The second was an irritating issue. When I first read about Connected Standby I was very impressed with it. It’s not supposed to drain much battery. The requirement is that when on Connected Standby the device will lose less than 5% of its power over a 16 hour idle period, but that didn’t seem to be the case for me (try a powercfg /sleepstudy to get some results) and I wasn’t happy with the battery drain. Maybe it’s because I had set apps such as email to update in real time and so the device was regularly waking up to check email, I found that it barely lasted 2-3 days even when fully idle. That’s not great, and even putting it in airplane mode only made it slightly better.

To work around this I decided to start hibernating the device. I enabled the hibernation option in the Power menu and also created a shortcut to hibernate in the start menu. But these manual approaches didn’t seem “neat”. I wanted something where the Cain would automatically hibernate after a period of inactivity. I remembered back in Windows 7 (and even on my Windows 8 laptops) there are options under the Power menu in Control Panel to make the laptop sleep after a certain period and then hibernate. On the Cain though, this option was missing and I wasn’t sure why. I had a suspicion it must be because the Cain uses Connected Standby and so perhaps disabling it will reveal these options. I Google’d a bit to see if there’s a way to disable Connected Standby. Surprisingly I couldn’t find anything until finally some forum post mentioned another forum post that gave a registry key setting which disables Connected Standby. Applied that to the Cain and now I have the option to hibernate after a certain period. Yaay!

Unboxing the Cain

I got my Notion Ink Cain tablet day-before. I unboxed it in the car itself! Below are some pics.

Bubble wrap packaging in which I got the Cain

Out of the bubble wrap. Good quality box.

Close up of the box, showing price and specs

A nice touch. The box includes a letter and some mints (not shown).

The letter and mints

The tablet.

Tablet minus the wrapping.

Tablet in portrait orientation.

The keyboard-cum-cover. Notice the dock connector in the middle. That’s where you dock the tablet.

Tablet docked into the keyboard

Tablet docked and powered on.

Laptop next to my office desktop

Very irritatingly the tablet came with a screen protector. I hate screen protectors. I hate it when they have bubbles, and I hate the way they feel when I touch. One of my first tasks then was to take a piece of paper (a good quality paper, one that wouldn’t bend easily) and poke around the screen where there were bubbles between the screen and protector, and slide the paper in to one of these bubbles and thus pry the protector off. Such a relief!

The next step was to set up encryption on the Cain. That’s a bit more detailed so I’ll post it later.

New gadgets

The Internet is full of people praising the new iPhone 6 Plus and how its larger size is great and how they are much more productive with it. I am tempted to buy it, and my wife has very sweetly offered to gift me one as she knows I love iPhones (thank you Sari!) – but I am holding off so far.

Couple of reasons really:

1) I am happy with the iPhone 5S. It’s barely 8 months old with me and I feel bad giving it up just because a new device is around the corner. A silly notion probably – these are just devices after all – but I love them and I feel heartless leaving behind the 5S so soon.

2) The iPhone 5S is still performing well. I haven’t moved to iOS 8 yet (due to lack of space for an OTA update) and maybe the upgrade will slow things, but as of now I am happy with it. Mind you, I was in a similar state with the 4S too when I switched to the 5S last year, but then I had used the 4S for two years and the 5S had many newer features. After switching to the 5S I realised what I had been with the 4S and how slow the latter is, so keeping that in mind I wouldn’t give too much importance to the current point.

3) I like the small size of the 5S. Sure a bigger device has its conveniences and maybe I will love the 6 Plus once I begin using it, but why change if I am already happy? I was one of those people who preferred the smaller size of the iPhones. And I appreciated the fact that iPhone 5 only added an additional row of icons while keeping the width same.

4) I like to skip Apple’s first iteration devices. Like the first iPhone, first iPod Touch, first iPad, and am pretty sure the first Apple Watch. I feel (and this was mentioned by John Gruber I think) that the first iterations are where Apple releases it with some features missing or not optimised and by the second iteration they fix all that. Anyone who’s used the first iPhones and iPads will attest to it too – how they had many limitations and how the second versions were way better.

As a corollary to this I skip the odd iPhone releases too as that’s why Apple makes new changes. Examples: iPhone 4 (Retina and other changes such as the body and internals), iPhone 5 (size and other changes), iPhone 6 (size and a whole lot of software changes). The S versions of all these improved upon the previous version. So I always associate the S with “subtle”. To me they are subtle improvements of their predecessors. That’s one more reason why I would prefer waiting for the iPhone 6S Plus (what a mouthful! I think Apple might just make the Plus the main device by then depending on sales).

5) For the money spent on the new iPhone – which I have no real craving for – I can buy a Nexus 6 when it’s released. Or the new Sony Xperia Z3 or the soon-to-be-released HTC M8 variant with the better camera. This way I get to use an Android phone too for a while. Hopefully the Nexus 6 is also cheaper than the other two. I have an eye on Nokia Windows phones too but the good ones are very pricey – same level as the iPhones and high end Android, and while that’s justified I find it unreasonable considering those phones don’t have much market share or apps. Microsoft should reduce the price so more people adopt it for that reason at least.

Speaking of Windows though I placed an order for a new device today. A tablet laptop called Cain by an Indian manufacturer called Notion Ink. This is one of those convertible devices and the price seems reasonable (a bit on the higher side though). I love Windows 8 but haven’t used it as a tablet yet so this would be a good opportunity to do so. Moreover being a convertible I can use this as a laptop too when I am travelling. No need to carry my usual laptop along. (Me thinks in the future laptops will be what people use instead of Desktops nowadays. The device they use at home and maybe longer travel. Tablets and convertibles will be used for travelling and on the go. And Desktops would be for advanced people who want to upgrade the hardware or custom specs etc. Plus a second hand market where the Desktops can be upgraded or faulty parts replaced and resold. Of course this is probably the near future. Much later Desktops will be obsolete as Laptops too become upgradeable and/ or cheap so that no one cares about upgrading or repairing).

The Cain uses Intel Bay Trail SoCs which supposedly combine the performance of Haswell and such with mobile device features. The Cain also comes with one USB 3.0 slot and a microSD slot. Since it only has 32GB free space I ordered a small 64GB USB 3.0 flash drive as well as a 64GB microSD card to beef up the storage. Useful for storing movies when travelling.

I ordered all these today so am excitedly looking forward to them now! This is the period when you order a new toy and keep refreshing your tracking page to see if they have shipped it and where the heck it has reached. This is followed by a few weeks/ months when you are always playing with this new toy and constantly gushing over it. And that is followed by a phase when you finally get used to it and it becomes a part of your life like everything else. :)

Update: There are some reasons why I might buy the iPhone 6 Plus. Maybe in Jan.

1) I use the iPhone 4S as my travel phone and with the latest iOS 8 update the phone sucks. Sometimes the keyboard is slow, sometimes Safari slows and hangs, the phone in general feels so lethargic. I’ve got angry at it numerous times this past month as I am traveling and use it exclusively, and I hate having to do that. Apple should have just left this device at iOS 6. Heck, I should have just left this device at iOS 6 jail broken, which is what I was at before upgrading to iOS 7 last year. Upgrading was a bad idea! iOS 6 plus custom themes were giving me a near identical look anyways; the only reason I upgraded was because many apps started asking for iOS 7 as a minimum requirement (as they are now with iOS 8).

2) If I buy a 6 Plus I will be going for the 64GB version and that’s useful. When I bought the 5S I was cheap and went with the 16GB version (in fairness the larger versions weren’t available in Oman either). A 16GB version has limitations in that I can’t keep too many songs on the phone, I have to constantly keep copying away photos and videos, I can’t keep too many apps around, and so on.

3) It’s unlikely I will be buying an Android device. They are great, but I use many iPhone specific apps such as Fantastical (and the iPhone reminders), Prismatic, Byword, Litely, etc so I don’t want to go through that hassle.

One advantage the iPhone 4S has is its micro SIM. Much easier to get a micro SIM (or chop a regular SIM to micro) when travelling. Nano SIMs are harder to come by.