Some data partition tables that exceed the data retention period are not groomed from the Audit Collection Services database in Operations Manager 2007

Article translations Article translations
Article ID: 949969 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

Consider the following scenario:
  • You use the Audit Collection Services (ACS) feature in Microsoft System Center Operations Manager 2007 to collect security events from managed computers.
  • You configure database grooming policies for the ACS database.
However, some data partition tables that exceed the data retention period are not groomed from the database as expected. Over time, the ACS database may run out of disk space.

When this problem occurs, you may discover that these partition tables have a status of 1.

CAUSE

This problem occurs for one or more of the following reasons:
  • When a partition is closing, ACS tries to calculate the last event insertion time for the partition. ACS uses the last event insertion time to determine whether the partition is still within the retention period. However, the calculation operation may time out if the partition is too large. In this situation, ACS saves an invalid time to the last event insertion time field.
  • ACS marks the partition status to 1 (This means that the partition status is "in transition") when a partition is closing. ACS sets the partition status to 2 (This means that the partition status is "closed") only after re-indexing is completed. However, the re-indexing operation may time out if the partition is too large. In this situation, the partition remains in the "in transition" status indefinitely.

RESOLUTION

Update Information

To resolve this problem, obtain the latest version of Microsoft System Center Operations Manager 2007. For more information, refer to this Microsoft Web site: http://www.microsoft.com/systemcenter/operationsmanager/en/us/how-to-buy.aspx

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Hotfix installation instructions

To apply this hotfix, follow these steps:
  1. Copy the following file from the hotfix package to a local folder or to a shared folder. Then, run this file:
    SystemCenterOperationsManager2007-SP1-KB949969-X86-X64-ENU.MSI
  2. By default, this hotfix is installed into the following folder:
    %ProgramFiles%\System Center 2007 Hotfix Utility\Q949969
    The Q949969 folder contains the following subfolders:
    • An x86 subfolder for x86 platforms
    • An x64 subfolder for x64 platforms
    Open the x86 subfolder or the x64 subfolder, as appropriate for your situation.
  3. Locate the AdtSrvDll.dll file in the following folder:
    %WINDIR%\system32\Security\AdtServer
  4. Verify that the version of the AdtSrvDll.dll file is greater than or equal to version 6.0.6278.0 and less than version 6.0.6278.7. To do this, right-click the AdtSrvDll.dll file in Windows Explorer, and then click Properties. The File version field on the Version tab displays the version of the file.

    Note If the file version is greater than or equal to version 6.0.6278.7, this file already contains the current hotfix. If the file version is less than version 6.0.6278.0, you cannot apply this hotfix.
  5. On the ACS Collector server, stop the Operations Manager Audit Collection Service.
  6. Copy the following files from the Q949969 folder into the AdtServer folder that you located in step 3.
    • AdtSrvdll.dll
    • DbClosePartition.sql
    • DbCreatePartition.sql
    When you do this, you replace the existing files with the hotfix files.
  7. On the server that hosts the ACS database or that has a connection to the ACS database, open SQL Server Management Studio.
  8. In SQL Server Management Studio, connect to the ACS database. By default, the ACS database is named "OperationsManagerAC."
  9. In SQL Server Management Studio, open a new query, and then run the following statements:
    Use OperationsManagerAC
    Update dtPartition Set Status = 2 Where Status = 1
  10. Verify that you receive the following message in the result pane:
    (n row(s) affected)
  11. Restart the Operations Manager Audit Collection Service that you stopped in step 5.

Post-hotfix behavior

After you apply this hotfix, ACS uses the partition close time instead of the last event insertion time to determine whether a partition exceeds the retention period. In addition, when a partition is closing, the status of the partition is set from 0 directly to 2, instead of being set to 1.

Prerequisites

To apply this hotfix, you must have the following prerequisites installed on the computer:
  • System Center Operations Manager 2007 Service Pack 1
  • ACS Collector

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
System Center Operations Manager 2007, x86-based version
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Adtsrvdll.dll6.0.6278.7374,32813-May-200808:38x86
Dbclosepartition.sqlNot Applicable4,50327-Mar-200806:01Not Applicable
Dbcreatepartition.sqlNot Applicable19,56927-Mar-200806:01Not Applicable
System Center Operations Manager 2007, x64-based version
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Adtsrvdll.dll6.0.6278.7566,32813-May-200808:38x64
Dbclosepartition.sqlNot Applicable4,50325-Apr-200801:21Not Applicable
Dbcreatepartition.sqlNot Applicable19,56925-Apr-200801:21Not Applicable

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.This problem was first corrected in Microsoft System Center Operations Manager 2007 R2.

MORE INFORMATION

Audit Collection Services

Audit Collection Services (ACS) is a solution that collects and stores events from the Security event log on monitored computers. Events are stored in a separate ACS database in Microsoft SQL Server 2005. Then, you can use a separate ACS Reporting component to generate reports from the stored ACS data. For more information, visit the following Microsoft TechNet Web site:
http://technet.microsoft.com/en-us/library/bb381258.aspx
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

MORE INFORMATION

For a list of issues that are fixed in Microsoft System Center Operations Manager 2007 R2, refer to the following article in the Microsoft Knowledge base:
971410 List of issues that are fixed in System Center Operations Manager 2007 R2

Properties

Article ID: 949969 - Last Review: October 8, 2011 - Revision: 2.0
APPLIES TO
  • Microsoft System Center Operations Manager 2007
Keywords: 
kbautohotfix kbexpertiseinter kbbug kbfix kbqfe KB949969

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com