KB949969 Some data partition tables that exceed the data retention period are not groomed from the Audit Collection Services database in Operations Manager 2007
New KB https://support.microsoft.com/kb/949969/en-us and hotfix
SYMPTOMS
Consider the following scenario:
• You use the Audit Collection Services (ACS) feature in Microsoft System Center Operations Manager 2007 to collect security events from managed computers.
• You configure database grooming policies for the ACS database.
However, some data partition tables that exceed the data retention period are not groomed from the database as expected. Over time, the ACS database may run out of disk space.
When this problem occurs, you may discover that these partition tables have a status of 1.
CAUSE
This problem occurs for one or more of the following reasons:
• When a partition is closing, ACS tries to calculate the last event insertion time for the partition. ACS uses the last event insertion time to determine whether the partition is still within the retention period. However, the calculation operation may time out if the partition is too large. In this situation, ACS saves an invalid time to the last event insertion time field.
• ACS sets the partition status to 1 ("in transition") when a partition is closing, and sets it to 2 ("closed") only after re-indexing is completed. However, the re-indexing operation may time out if the partition is too large. In this situation, the partition remains in the "in transition" status indefinitely.
RESOLUTION
Hotfix information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
https://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Hotfix installation instructions
To apply this hotfix, follow these steps:
1. Copy the following file from the hotfix package to a local folder or to a shared folder. Then, run this file:
   SystemCenterOperationsManager2007-SP1-KB949969-X86-X64-ENU.MSI
2. By default, this hotfix is installed into the following folder:
   %ProgramFiles%\System Center 2007 Hotfix Utility\Q949969
   The Q949969 folder contains the following subfolders:
   • An x86 subfolder for x86 platforms
   • An x64 subfolder for x64 platforms
   Open the x86 subfolder or the x64 subfolder, as appropriate for your situation.
3. Locate the AdtSrvDll.dll file in the following folder:
   %WINDIR%\system32\Security\AdtServer
4. Verify that the version of the AdtSrvDll.dll file is greater than or equal to version 6.0.6278.0 and less than version 6.0.6278.7. To do this, right-click the AdtSrvDll.dll file in Windows Explorer, and then click Properties. The File version field on the Version tab displays the version of the file.
   Note If the file version is greater than or equal to version 6.0.6278.7, this file already contains the current hotfix. If the file version is less than version 6.0.6278.0, you cannot apply this hotfix.
5. On the ACS Collector server, stop the Operations Manager Audit Collection Service.
6. Copy the following files from the Q949969 folder into the AdtServer folder that you located in step 3.
   • AdtSrvdll.dll
   • DbClosePartition.sql
   • DbCreatePartition.sql
   When you do this, you replace the existing files with the hotfix files.
7. On the server that hosts the ACS database or that has a connection to the ACS database, open SQL Server Management Studio.
8. In SQL Server Management Studio, connect to the ACS database. By default, the ACS database is named "OperationsManagerAC."
9. In SQL Server Management Studio, open a new query, and then run the following statements:
   Use OperationsManagerAC
   Update dtPartition Set Status = 2 Where Status = 1
10. Verify that you receive the following message in the result pane:
   (n row(s) affected)
11. Restart the Operations Manager Audit Collection Service that you stopped in step 5.
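Steps 9 and 10 as a guarded T-SQL batch (an added example, not part of the Microsoft article or the hotfix package): it counts the partitions in status 1, applies the article's update inside a transaction, and commits only if the number of rows changed matches that count. It uses only the dtPartition table and Status column named above, and assumes the default database name and that the service is still stopped from step 5.

```sql
-- Added example: guarded version of the status update from step 9.
-- Assumes the default ACS database name and that the Audit Collection
-- Service is stopped (step 5), so no partition changes state during the run.
USE OperationsManagerAC;
GO
SET NOCOUNT ON;      -- suppress per-statement counts; the batch prints its own
SET XACT_ABORT ON;   -- any run-time error rolls the whole transaction back

-- Before: partitions per status (1 = in transition, 2 = closed)
SELECT Status, COUNT(*) AS Partitions
FROM dtPartition
GROUP BY Status
ORDER BY Status;

DECLARE @stuck int, @updated int;

-- Number of partitions left "in transition" that the update should touch
SELECT @stuck = COUNT(*) FROM dtPartition WHERE Status = 1;

BEGIN TRANSACTION;

UPDATE dtPartition SET Status = 2 WHERE Status = 1;
SET @updated = @@ROWCOUNT;

-- A mismatch means partition state changed between the count and the update,
-- for example because the collector service was not actually stopped.
IF @updated <> @stuck
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Expected %d partition(s) in status 1 but updated %d; rolled back.',
              16, 1, @stuck, @updated);
END
ELSE
BEGIN
    COMMIT TRANSACTION;
    PRINT CAST(@updated AS varchar(10))
          + ' partition(s) moved from status 1 to status 2.';
END;

-- After: no partition should remain in status 1
SELECT Status, COUNT(*) AS Partitions
FROM dtPartition
GROUP BY Status
ORDER BY Status;
```

The printed count corresponds to the n in the "(n row(s) affected)" message that step 10 asks you to verify.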
Post-hotfix behavior
After you apply this hotfix, ACS uses the partition close time instead of the last event insertion time to determine whether a partition exceeds the retention period. In addition, when a partition is closing, the status of the partition is set from 0 directly to 2, instead of being set to 1.
Prerequisites
To apply this hotfix, you must have the following prerequisites installed on the computer:
• System Center Operations Manager 2007 Service Pack 1
• ACS Collector
Restart requirement
You do not have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other hotfixes.