Have you ever found yourself in a situation where an SMS Advanced client ends up getting policy or advertisements from the wrong site, or is using the wrong MP/DP? This is a very common issue for our customers, and determining the root cause can be difficult. When AD Sites and IP Ranges were included in SMS 2003, overlapping boundary issues became much more common and much harder to control. In many larger environments the administrator managing SMS is not responsible for managing AD sites, causing even more confusion.
Back in early 2005 I wrote an executable called SMSBoundaries.exe that is used to troubleshoot such issues. SMSBoundaries.exe would query AD and convert all subnets specified in any SMS AD Site boundary to IP ranges. It would then convert those ranges to integer format and look for overlaps between all boundaries. This tool is still widely used by Microsoft support but it has several flaws. One of the flaws is that it won't find overlapping situations due to orphaned data left in AD, or data from a separate hierarchy. Another flaw is that it couldn't really find all the possible overlaps if SMS Subnets were specified because it didn't know the subnet mask of the clients (hence it couldn't really derive the appropriate IP Range to use for comparison).
Despite these flaws, I intended to make sure this tool was included in the next release of the toolkit (then toolkit3). Obviously this toolkit never came out, so the tool remained for use by only Microsoft support to help solve issues related to overlapping boundaries.
Over the years I've been asked to convert this tool to VBScript. The reason is that a script is easier to include in other tools that support uses to troubleshoot SMS (like the new version of MPSReports that support uses to collect technical data to diagnose customer issues), and it's easier to get into more people's hands.
Back in October 2006 I converted the tool to VBScript and added the missing functionality to the new tool. I have since added a few more things with the help of Jeff Tondt from Microsoft Consulting Services. This script is intended to be an example demonstrating how to find overlapping SMS boundaries in your environment. Like the rest of the examples on this blog, this script is not supported. Here is a description of this script:
Cscript.exe smsboundaries.vbs verbose <clientname>
The verbose and <clientname> parameters are both optional.
The output of the script is an XML file and a log file, both created in the directory where the tool is run. The tool should be run on the SMS Central Site using an account that has rights to the SMS Central Site, AD, and the client if one is specified on the command line. Use the XML file for general viewing. Use the log file when troubleshooting an issue with the script, when working out which boundaries overlap in a case where you have many overlapping boundaries, or when checking which sites a client specified on the command line falls under.
How it works:
- Gets Command Line arguments
- Starts logging to SMSBoundaries.log (In SMS Logging format so SMS Trace can be used to view the log).
- Gets the site boundaries of all sites in the hierarchy by querying the SMS Central Site database through the SMS WMI SDK provider. Each boundary is stored in an array of Boundary objects. For the IP Ranges the script automatically converts the range to an integer IP Range which is later used to find overlapping boundaries.
- If any SMS Subnets are configured the script gets the IP subnet information for every client that reports up through this hierarchy.
- For every SMS Subnet specified, the script finds the first client that falls in this subnet and creates a new Boundary object using the client IP information gathered previously. The script will create additional client Boundary objects for any clients that fall within that subnet but have a different range (so they have a different subnet mask). This process is important; otherwise the script couldn't identify all possible overlapping conditions. Of course this is also dependent on having clients that meet this condition in inventory. If you can think of a better way of doing this please let me know.
- Use a simple LDAP query to get all the AD sites specified in the mSSMSSiteBoundaries and mSSMSRoamingBoundaryRange namespaces and create a new Boundary object for each.
- Create new Boundary objects for each AD Subnet found (by using another LDAP query to get the subnets) that is associated with an AD Site found in either SMS or AD.
- Sort the array of Boundary objects by site code.
- Find overlapping boundaries by looking for explicit boundary matches for AD site names or IP Subnets specified in SMS.
- Find overlapping boundaries by looking for any overlapping integer IP ranges, which we have for every type of boundary.
- Mark any Boundary object found to be overlapping as such.
- Dump all boundaries to a log and XML file.
- Connect to the client if specified and determine what sites the client falls under.
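A sketch of the integer-range comparison described in the steps above, written in Python rather than the script's VBScript; it is an added example, not code from smsboundaries.vbs. The Boundary fields, function names and sample addresses are assumptions, as is the rule that only boundaries belonging to different sites count as overlapping.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Boundary:
    site_code: str
    kind: str
    value: str
    start: int   # first address as an integer
    end: int     # last address as an integer
    overlapping: bool = False

def from_range(site_code, text):
    """Boundary from an 'a.b.c.d-e.f.g.h' IP range."""
    lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("-"))
    if lo > hi:
        raise ValueError(f"range start is above range end: {text}")
    return Boundary(site_code, "IP Range", text, lo, hi)

def from_subnet(site_code, subnet_id, mask, kind="IP Subnet"):
    """Boundary from a subnet ID plus a mask (prefix length or dotted mask).
    An SMS subnet boundary carries no mask, so the mask comes from a client."""
    net = ipaddress.IPv4Network(f"{subnet_id}/{mask}")
    return Boundary(site_code, kind, f"{subnet_id}/{mask}",
                    int(net.network_address), int(net.broadcast_address))

def find_overlaps(boundaries):
    """Flag boundaries whose integer range intersects one from another site."""
    ordered = sorted(boundaries, key=lambda b: (b.start, b.end))
    pairs = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start > a.end:
                break            # sorted by start: nothing later can touch a
            if a.site_code != b.site_code:   # assumption: same-site pairs are ignored
                a.overlapping = b.overlapping = True
                pairs.append((a.value, b.value))
    return pairs

def demo(client_mask):
    """Constructed data: site codes and addresses are made up."""
    return find_overlaps([
        from_subnet("S01", "10.1.0.0", client_mask),    # SMS subnet + client mask
        from_range("S02", "10.1.1.10-10.1.1.20"),
        from_subnet("S03", "192.168.5.0", 24, "AD Subnet"),
        from_range("S01", "10.1.0.50-10.1.0.60"),       # same site as the subnet
    ])

if __name__ == "__main__":
    print(demo("255.255.255.0"))   # /24: no cross-site overlap
    print(demo("255.255.254.0"))   # /23: the S02 range now falls inside S01
```

The two calls differ only in the mask applied to the same subnet ID, which is why the script has to collect client masks before it can compare SMS Subnet boundaries against the other boundary types.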
Things to consider:
- Boundary objects are created where they are found. What this means is that it may appear you have duplicate boundary objects. For instance, an AD Site Boundary specified in one SMS site under both the "Roaming Boundaries" and "Site Boundaries" sections will generate at least 5 boundary objects. None of these will appear overlapping but can cause confusion. This occurs because the boundary is found in two places in SMS (one legacy boundary and one roaming boundary), two places in AD (one legacy boundary and one roaming boundary), and at least one additional boundary for any subnets that are linked to the AD Site.
- The old SMSBoundaries.exe used a nicely formatted log file to display the output. The SMSBoundaries script uses a nicely formatted XML file and a poorly formatted log file. Many people have requested either a better log file or output to a CSV file. I'm glad I converted this to VBScript so someone else can do this. It's on my list of things to do but it's a low priority. If anyone can comment on how to easily convert the XML to a nicely formatted spreadsheet please do (I know Office 2007 has some options for this).
- If a client is specified on the command line, that information won't be written to the XML; you have to view the log file. This is really only useful if you're troubleshooting a specific client or site.
- Verbose logging is helpful if you think you've found an issue with the script.
- If you have any SMS Subnets specified in any of the sites in your hierarchy then the script will query the IP information for every client in the hierarchy. In large hierarchies (50k+ clients) the script may run for over an hour because of this.
- If you have lots of overlapping boundaries, the best way to figure out which boundary overlaps a given one is to use the log. Search for the boundary range or subnet that is listed as overlapping in the XML; in the overlapping section of the log, the entry shows the boundary that was found to overlap it.
*This is an example of how to find overlapping boundaries in your environment. If you find any issues with this example or can think of additional functionality which should be added please comment on this blog entry. If any updates to this example are needed I will upload the script changes to this blog entry and update the version number in the title.*