Consider the following scenario:
- You use the Audit Collection Services (ACS) feature in Microsoft System Center Operations Manager 2007 to collect security events from managed computers.
- You configure database grooming policies for the ACS database.
However, some data partition tables that exceed the data retention period are not groomed from the database as expected. Over time, the ACS database may run out of disk space.
When this problem occurs, you may discover that these partition tables have a status of 1.
This problem occurs for one or more of the following reasons:
- When a partition is closing, ACS tries to calculate the last event insertion time for the partition. ACS uses the last event insertion time to determine whether the partition is still within the retention period. However, the calculation operation may time out if the partition is too large. In this situation, ACS saves an invalid time to the last event insertion time field.
- ACS marks the partition status to 1 (This means that the partition status is "in transition") when a partition is closing. ACS sets the partition status to 2 (This means that the partition status is "closed") only after re-indexing is completed. However, the re-indexing operation may time out if the partition is too large. In this situation, the partition remains in the "in transition" status indefinitely.
Update Information
To resolve this problem, obtain the latest version of Microsoft System Center Operations Manager 2007. For more information, refer to this Microsoft Web site:
http://www.microsoft.com/systemcenter/operationsmanager/en/us/how-to-buy.aspx
(http://www.microsoft.com/systemcenter/operationsmanager/en/us/how-to-buy.aspx)
Hotfix information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Hotfix installation instructions
To apply this hotfix, follow these steps:
- Copy the following file from the hotfix package to a local folder or to a shared folder. Then, run this file:
SystemCenterOperationsManager2007-SP1-KB949969-X86-X64-ENU.MSI
- By default, this hotfix is installed into the following folder:
%ProgramFiles%\System Center 2007 Hotfix Utility\Q949969
The Q949969 folder contains the following subfolders: - An x86 subfolder for x86 platforms
- An x64 subfolder for x64 platforms
Open the x86 subfolder or the x64 subfolder, as appropriate for your situation. - Locate the AdtSrvDll.dll file in the following folder:
%WINDIR%\system32\Security\AdtServer
- Verify that the version of the AdtSrvDll.dll file is greater than or equal to version 6.0.6278.0 and less than version 6.0.6278.7. To do this, right-click the AdtSrvDll.dll file in Windows Explorer, and then click Properties. The File version field on the Version tab displays the version of the file.
Note If the file version is greater than or equal to version 6.0.6278.7, this file already contains the current hotfix. If the file version is less than version 6.0.6278.0, you cannot apply this hotfix. - On the ACS Collector server, stop the Operations Manager Audit Collection Service.
- Copy the following files from the Q949969 folder into the AdtServer folder that you located in step 3.
- AdtSrvdll.dll
- DbClosePartition.sql
- DbCreatePartition.sql
When you do this, you replace the existing files with the hotfix files. - On the server that hosts the ACS database or that has a connection to the ACS database, open SQL Server Management Studio.
- In SQL Server Management Studio, connect to the ACS database. By default, the ACS database is named "OperationsManagerAC."
- In SQL Server Management Studio, open a new query, and then run the following statements:
Use OperationsManagerAC
Update dtPartition Set Status = 2 Where Status = 1
- Verify that you receive the following message in the result pane:
(n row(s) affected)
- Restart the Operations Manager Audit Collection Service that you stopped in step 5.
Post-hotfix behavior
After you apply this hotfix, ACS uses the partition close time instead of the last event insertion time to determine whether a partition exceeds the retention period. In addition, when a partition is closing, the status of the partition is set from 0 directly to 2, instead of being set to 1.
Prerequisites
To apply this hotfix, you must have the following prerequisites installed on the computer:
- System Center Operations Manager 2007 Service Pack 1
- ACS Collector
Restart requirement
You do not have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other hotfixes.
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the
Time Zone tab in the
Date and Time item in Control Panel.
System Center Operations Manager 2007, x86-based version
Collapse this tableExpand this table
| File name | File version | File size | Date | Time | Platform |
|---|
| Adtsrvdll.dll | 6.0.6278.7 | 374,328 | 13-May-2008 | 08:38 | x86 |
| Dbclosepartition.sql | Not Applicable | 4,503 | 27-Mar-2008 | 06:01 | Not Applicable |
| Dbcreatepartition.sql | Not Applicable | 19,569 | 27-Mar-2008 | 06:01 | Not Applicable |
System Center Operations Manager 2007, x64-based version
Collapse this tableExpand this table
| File name | File version | File size | Date | Time | Platform |
|---|
| Adtsrvdll.dll | 6.0.6278.7 | 566,328 | 13-May-2008 | 08:38 | x64 |
| Dbclosepartition.sql | Not Applicable | 4,503 | 25-Apr-2008 | 01:21 | Not Applicable |
| Dbcreatepartition.sql | Not Applicable | 19,569 | 25-Apr-2008 | 01:21 | Not Applicable |
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.This problem was first corrected in Microsoft System Center Operations Manager 2007 R2.
Audit Collection Services
Audit Collection Services (ACS) is a solution that collects and stores events from the Security event log on monitored computers. Events are stored in a separate ACS database in Microsoft SQL Server 2005. Then, you can use a separate ACS Reporting component to generate reports from the stored ACS data. For more information, visit the following Microsoft TechNet Web site:
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684Â
(http://kbalertz.com/Feedback.aspx?kbNumber=824684/
)
Description of the standard terminology that is used to describe Microsoft software updates
For a list of issues that are fixed in Microsoft System Center Operations Manager 2007 R2, refer to the following article in the Microsoft Knowledge base:
971410Â
(http://kbalertz.com/Feedback.aspx?kbNumber=971410/
)
List of issues that are fixed in System Center Operations Manager 2007 R2