Cross Forest trusts are a possibility and merging one with the other (i.e having the Hosted Exchange solution bound to the existing domain) is another but there are many issues with that (mostly political).

What I intend to do is utilise the ‘Branch office’ concept that Read Only Domain Controllers were designed for to mock up a solution for Hosting the entire AD infrastructure remotely and having R/O DC’s on the customer premises.

What now?

For no other reason than that of satisifying my curiosity I built an entire AD infrastructure hosted at the data center and then had a remote ‘office’ running for a day without a local DC and then the following day with a Read Only Domain Controller sitting there.

There’s nothing new or crazy here other than maybe the fact that most people move bits of their AD infrastructure to the DC when its bandwidth requirements overwhelm their resources. What I’m playing with is the idea of having everything remote and only putting the stuff you need (NAS etc) in the office.

The Test

In the Red Corner we have a full Active Directory and Exchange infrastructure at the DC and then the ‘offices’ were built using a few Terminal Services servers running a respective amounts of users. The idea is to monitor traffic before dropping in a RO DC and then again afterwards.

The Infrastructure

Hosted Infrastructure

The Hosted infrastructure consists of a relatively standard Exchange 2007 deployment (if you follow the guidelines) visible to the world (selected ports only) is an Edge Transport server for handling the initial mail connections and the Client Access Server. Behind those is the Mailbox and Hub Transport (in reality these were on the same box but the diagram wasn’t as symmetrical then!).


The Domain controller is a special case because whilst we have no reason for the Internet at large to talk to it we need the read only Domain Controller at the client site to be able to communicate with it so an IPSEC LAN to LAN VPN was required.

The Results

AD Traffic From the TS to the Remote DC No Local DC

AD Traffic to the Remote DC with Local RODC

OWA Traffic During the Tests

Scripted behavior – so it was the same(ish) on both days

Conclusion

Well it did exactly what I expected it to do so nothing ground breaking there. It was interesting to see the spike just after I logged all the fake users off the Terminal Servers.

R/O DC’s were used because in an ideal world customers shouldn’t have write access to an AD infrastructure that a SysAdmin has an SLA to honor!

The cmdlet itself is written in C# and utilises a centralised LAMP backend as a repository and director.

Upon install psFetch will create a custom shortcut on your desktop which includes the psFetch cmdlet as one of the default set of commands available without having to use add-pssnapin each time.

Everytime you add a cmdlet or script they will be added to your console profile and will be available in any consoles you load from that point on. When you psFetch a custom script it’s alias will be added to your shell and any other shells launched from that point on to ensure a consistant experience.

In the next couple of months the PSFetch crawler will attempt to trawl CodePlex and various other sites to try and build up the initial repository. When the crawler goes live you will also be able to add your own cmdlets and scripts manually.

I am hoping to build up a Core team of Beta testers to ensure that when the initial release of psFetch is made available it will be as bug free as possible!

With the most tracks HOPE has ever had I was truly spoilt for choice but I spent most of my time [when I wasn't showing our US friends how drinking should be done] visiting talks that had potential datacenter impact.

Kevin Figueroa, Marco Figueroa and Anthony L. Williams reminded me that VLAN’s and other layer 2 stuff is still vulnerable to many attacks. Most are just Denial of Service stuff that would be detected almost instantly and very easily fixed (although not easily preventable) but the cross VLAN packet injection / snooping made me rethink some of my installations that packet injection / snooping would not be a critical issue but might not be desirable. Bare in mind though that in order to attack layer 2 someone needs to own a box on my layer 2 infrastructure which is much more of an issue!

The demonstration that stuck with me the most was Jacob Appelbaum, Dino Dai Zovi and Karsten Nohl’s talk regarding the Debian OpenSSL catastrophe. When I first heard about it there was much smugness (being as I only use Red Hat Enterprise / CentOS and FreeBSD) My fellow SysAdmins and I had many hours of fun reminding our collegues who had chosen Debian as their Distro of choice of this ‘little’ bug.

Unfortunately our smugness was shortlived as these Debian keys can end up in a RedHat servers authorised_keys file which results in that server being vulnerable to Brute Forcing. Knowing how lazy people are and how widespread the careless use of root is there was likely to be a few machines out there just waiting to get rooted.

The majority of tools (asides from the official Debian tools) are designed for discovering vulnerable servers that don’t belong to you! The Debian tool is great unless for one reason or another you don’t / can’t have Perl installed.

Therefore I present to you another hacked together bash script that anyone could have put together in 5 minutes but maybe this’ll save someone the hassle.


#!/bin/bash
#--------------------------------------
# Looks for fscking debian client keys
# Gareth#NetworksAreMadeOfString.co.uk
#--------------------------------------

for KeysFile in `locate authorized_keys`; do
  echo
  echo Testing $KeysFile for weak keys
  echo -------------------------------------------------

  cat $KeysFile | while read line; do

   echo $line > pubkey.tmp

   RawFP=`ssh-keygen -l -f pubkey.tmp | awk '{print $2}'`

   FP=${RawFP//:/}

   MatchCount=`grep -c $FP FingerPrints.db`

   if [ $MatchCount -gt 0 ]; then
   echo -e '\E[40;31m'"\033[1m!!!!! WEAK KEY FOUND!!!!!!\033[0m"
   echo $line
   fi
   done
  done
 echo
 echo ------------- DONE -------------


The FingerPrints.db file can be found here

Hopefully you’ll find vulnerable user accounts before someone else does!

This post is going to be cut into the following sections:

Exchange 2007 Prerequisites on Windows Server 2008
The first thing to do is to run a Windows update as there are already several patches available. Once thats done the prequisite componants of Server 2008 can be installed via the command line (not powershell!), simply load up a command prompt and paste / type each one of these:

ServerManagerCmd -i RSAT-ADDS
ServerManagerCmd -i PowerShell
ServerManagerCmd -i Web-Server
ServerManagerCmd -i Web-ISAPI-Ext
ServerManagerCmd -i Web-Metabase
ServerManagerCmd -i Web-Lgcy-Mgmt-Console
ServerManagerCmd -i Web-Basic-Auth
ServerManagerCmd -i Web-Digest-Auth
ServerManagerCmd -i Web-Windows-Auth
ServerManagerCmd -i Web-Dyn-Compression


Once those are installed (the server may have to reboot a couple of times) then Exchange 2007 SP1 can be installed. Be aware that Exchange 2007 RTM can not be installed on Windows Server 2008.

Exchange Server 2008 Service Pack 1 is available here and is in effect a copy of Exchange with the service pack streamlined in (the warez kiddies are gonna love this). Get this extracted and installed. During the install it will complain about not finding a send connector for ‘*’ remember this for later.

Once Exchange is installed and configured it’d be recommendable to do another Windows Update as even being SP1 there are a few more updates.

Once the server has restarted its time to add the Send Connector that setup complained about earlier. Within Organisation Configuration select Hub Transport and then click on the Send Connector tab and choose the ‘New Send Connector’ option. Obviously whatever is required can be configured here but all I want to do at the moment is send email out to the world:

new-SendConnector -Name 'Default Connector' -Usage 'Internet' -AddressSpaces 'smtp:*;1' -DNSRoutingEnabled $true -UseExternalDNSServersEnabled $false -SourceTransportServers 'ServerName'

Now the Exchange 2007 server can send email out to the world, unfortunately there’s no-one on it yet!

Cross Forest Migration of Exchange 2007 Mailboxes and User Accounts
Whilst most people are unlikely to have come across this situation I decided to start my AD infrastructure completely from scratch. Unlike normal people I don’t have any Workstations bound to domain controllers I just have various forests in different parts of the world for Exchange, RADIUS and Kerberos based authentication.

Despite the lack of workstations asking people to start their mailboxes, calendars and contacts etc from scratch would just not have gone down well.

The Microsoft Press Exchange 2007 Pocket Handbook recommends the following PowerShell cmdlet to get the job done:

Move-Mailbox -Identity 'domain\username' -TargetDatabase 'servername\First Storage Group\DBName' -SourceDomainController 'SourceDC'] [-DomainController 'DestinationDC'] -SourceGlobalCatalog 'SourceGC'] [-GlobalCatalog 'DestinationGC'] -BadItemLimit 50 -IgnorePolicyMatch $true


Unfortunately this results in the following error:

A bit of poking around later and I finally get a cmdlet string that does what I need it to do:


$SourceCredential = Get-Credential
$TargetCredential = Get-Credential
Move-Mailbox -TargetDatabase "Target Server\First Storage Group\Mailbox Database" -Identity UserName -GlobalCatalog GCServerName -SourceForestGlobalCatalog GCServerName -NTAccountOU "OU=OUName,DC=DomainName,DC=com" -SourceForestCredential $SourceCredential -TargetForestCredential $TargetCredential -SourceMailboxCleanupOptions DeleteSourceNTAccount

The use of get-credentials at the beginning is so there is a System.Security.SecureString object to pass to the Move-Mailbox cmdlet. I’ve set them as variables so I know exactly which popup dialog is for which server.

Unfortunately I hit another stumbling block; because of the -SourceMailboxCleanupOptions DeleteSourceNTAccount arguement the process insists on deleting all traces of the user from the source forest and replacing them with a Mail Contact so running that command will result in a nasty message:












Simply disable the user in the source Forest and run the command again.

Now the user is in the new forest along with their mailbox etc, unfortunately the user is still disabled and the users mailbox shows as a ‘linked mailbox’ rather than a user mailbox.

Because Microsoft still haven’t provided any proper Active Directory cmdlets and I hadn’t installed the Quest cmdlets I re-enabled the user via the Active Directory Users and Computers MMC so no PowerShell example I’m afraid.

Even after enabling the account I still couldn’t login. In hindsight it makes perfect sense that a cross forest move means the user no longer has a valid UPN however I have to admit I was stuck for a moment or two! Within the account tab in Active Directory Users and Computers give the user an account name and choose a domain suffix.

The user can now login and has all their mail etc. Unfortunately the mailbox shows as a ‘linked mailbox’. I expect this is linked to the UPN / SID issues. If the loss of custom rules / forwarders etc isn’t an issue then simply disconnect and reconnect the mailbox to the corrected user account:


Disable-Mailbox -Identity UserName
Connect-Mailbox -Identity UserName -Database "Mailbox Database" -User UserName


Creating SSL Certificates for use with Exchange 2007 on Windows Server 2008

The first thing to do is create the CSR but rather than using a single Common Name Exchange 2007 has some tricks up its sleeve with autodiscover etc so the CSR will need some Subject Alternative Names as well.


New-ExchangeCertificate -GenerateRequest -SubjectName "
DC=networksaremadeofstring, DC=co, DC=uk, O=NetworksAreMadeOfString, CN=
exch07.networksaremadeofstring.co.uk"
-DomainName mail.networksaremadeofstring.co.uk, smtp.networksaremadeofstring.co.uk, autodiscover.networksaremadeofstring.co.uk, networksaremadeofstring.co.uk, exchange.networksaremadeofstring.co.uk
-FriendlyName "New Exchange"
-Path c:\mail.networksaremadeofstring.co.uk.req

When this is complete the script will output something similar to the following:

Thumbprint Services Subject
---------- -------- -------
DED40CE5BD344F7FA9C76081E5412A8AF17FB8F2 ..... DC=cadogan-house, DC=ne...


Take note of the thumbprint which will be needed later to import and enable the certificate.

Send this to a Certificate Authority of choice (I use CACert.org).

Once the Authority returns the Certificate import it into the Certificate store:

Import-ExchangeCertificate -path C:\certificate.cer


Once imported its time to enable it for various services:

Enable-ExchangeCertificate -thumbprint 493C50CFFF8B65344F1FBEAF8BE6740044F1842B -services "IIS,SMTP"


At this point I got hit with another error message about the private key being missing:

It turns out that Windows Server 2008 / Exchange 2007 doesn’t import / set the Private Key for generated certificates. In the Certificate MMC certificates are usually shown with an icon depicting a certificate and ones with a corresponding Private key also show a little key icon. The self generated certificate has a little key icon but the imported one does not.

To fix this do the following:

Refreshing the Certificate store will now show both certificates with Private Keys. Run the Enable-Certificate cmdlet again to import the certificates and enable SSL.

So there it is, a fully working Exchange 2007 server installed on Windows Server 2008. Now the Service Packs are rolling in and more drivers are being released I’m looking forward to seeing more Server 2008 and Exchange 2007 deployments!

Once we’ve crossed a particular hurdle then we need to go about disseminating this new found information to the other SysAdmins.

So far the best way I’ve found of doing this is to take a VM image, break it in the same way that we encountered and then make it available for deployment to the VM infrastructure (minus of course the malicious payload if it was part of a botnet). These VM’s are then made available to the teams to deploy at their will or used as part of the weekly inter-team training sessions. The VM’s are ‘tagged’ and a description of the issue with the fixes found to date are attached.

This allows people to either:

a) Simply follow what was done so they know how to go about it themselves.

b) Find new ways of fixing the issue

c) Use it as an example of a particular technologies issues and the diagnostic methods used to ascertain what is wrong and fix it in classroom style training.

There is no additional hardware cost and with the use of snapshots people can experiment with various methodologies other than the ones that we initially used. If a quicker, cleaner or better way of fixing the issue is discovered this can be put on the wiki and tagged to the VM image. This practice really starts to pay off once you’ve got the ball rolling and people are experimenting, contributing or using it as teaching material and all without any further downtime or additional hardware cost.

At the recent IIS7 for Managed Hosting seminar in London we saw Microsoft make heavy use of ‘model’ VM Machines in conjunction with projected slides and Step-by-Step walkthroughs to show us the features and improvements of IIS7 (I still prefer apache if anyone is wondering) which just goes to prove that this is an effective and cost-effective method of hands on training.

This might seem like common sense to some people and may already be in place for some companies, but if its not then why not try it out and let me know how it works out for you?

As always I use VMWare technology.

The solution consisted of two machines each with Dual Core 2.13Ghz Intel’s, 2Gb of RAM & SATA disks behind a hardware load balancer. Unfortunately the combination of having to use swap due to the volume of incoming mail coupled with BackScatter attacks [the BackScatter attacks would of course require the original mail and the NDA to be written to disk for later delivery] was killing the disks and the sheer volume of mail was overwhelming the I/O available to just two servers (in terms of Hardware and Postfix postdrop etc).

Whilst scaling out was considered, space and power consumption would have been an issue. I made the decision to go with two machines but this time one would be a virtualisation power-house and virtualise the anti-spam ‘appliances’.

The Machines:
Machine 1:
2x 2.4Ghz Quad Core XEON’s
8Gb ECC RAM
80Gb RAID5 SATA (Host OS)
300Gb RAID1 15k SCSI (Guest Stores)
Gigabit uplink to Load Balancer

Machine 2:
2.13Ghz Core2 Duo
2Gb RAM
80Gb RAID1 SATA
Gigabit uplink to Load Balancer

Machine 1 hosts 6 virtual servers which run the usual combination of Postfix, SpamAssassin & Amavis. These are Load Balanced via a hardware load balancer. Machine 2 runs the same software but with an extremely strict set of rules, the idea is that if all 6 of the Virtual Machines fail the Load Balancers fail over to Machine 2 but this will only talk to the most well behaved clients and only let the cleanest of mail into the mail queue to be processed by the Anti-Spam processes.

To ensure that these servers aren’t the source of BackScatter attacks the servers only accept truly legitimate mail (i.e it doesn’t accept mail for any destination, attempt to deliver it to the backend server and then bounce an undeliverable to the [usually faked] from address.)

Postfix Config:

#-------------------------------------------------------------
# Additional non-standard bits
#-------------------------------------------------------------
#Max message of 15mb
message_size_limit = 15728640
#
#Transport maps - i.e where are we sending this stuff
transport_maps = hash:/etc/postfix/transport
#
#Stop people trying to farm addresses
disable_vrfy_command = yes
#
#Stop people hammering the hell out of us
smtpd_data_restrictions = reject_unauth_pipelining
#
#Pass off content checking to amavis
content_filter = smtp-amavis:[127.0.0.1]:10024
#
#Fed up of mailer-daemon fucking up my queue
#fallback_relay = xx.xx.xx.xx
#
#If the above doesn't work we can always make sure the
#mails don't live for more than one bounce
bounce_queue_lifetime = 0
#
#Spam still went crazy - lets speed up delivery at the cost of resources
maximal_backoff_time = 120s
minimal_backoff_time = 10s
#
#This might adversely affect legitimate mail
maximal_queue_lifetime = 900s
#
#-------------------------------------------------------------
# These things are the bits that can really cause us some issues
# with false positives etc etc
#
# Consult Pages 139 - 142 of postfix book for more info
#-------------------------------------------------------------
#
#Start off with some blacklisting
# Check our black / white list | RealtimeBlacklist | Realtime blacklist
smtpd_client_restrictions = permit_sasl_authenticated, check_client_access hash:/etc/postfix/client_access, reject_rbl_client sbl.spamhaus.org, reject_rbl_client dul.dnsbl.sorbs.net
#
#Make clients use EHLO / HELO verbs
smtpd_helo_required = yes
#
#If we are being REALLY strict make them conform to the RFC
#strict_rfc821_envelopes = yes
#
#Now we make them say hello politely
# Crap remote hostname remote host not FQDN
smtpd_helo_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname
#
#When a user says who they are we had better check what they are telling us
# Sender address not FQ | Might want to remove this
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
#
#Rejects crap / faked / bad recipiants - This might be overkill
# Non FQDN target email Allow inside Only relay our domains
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_non_fqdn_recipient, permit_mynetworks, reject_unauth_destination


The VM’s
With 8Gb of RAM and only 6 machines we can ‘scale out’ if more machines are needed or leverage that ‘spare’ RAM to improve I/O.

Anything that needs to be written to disk is written to a RAM disk which will prevent the disk wear and will improve I/O. The VM’s are restricted to the Physical RAM of the Host machine so there will be no swapping to the Host disk which once again improves I/O and reduces mechanical wear and tear.

The Results
As mentioned at the beginning the servers were seeing a massive spike in mail, mails were taking a week to arrive and many of them were spam. As soon as the Virtualised Solutuion went live the emails hitting the back-end servers dropped from almost 14,000 (per 5 minute MRTG interval) to around 800 and with zero false positives! Emails were making it through in less than 2 seconds despite the spam attacks becoming increasingly aggressive!

Links:
www.DNSStuff.com
http://spamlinks.net/prevent-secure-backscatter.htm
http://www.postfix.org/docs.html
http://www.vmware.com/

Feature List
Where to get it

Update – 22/11/2007
In little under 2 weeks I’ve seeded nearly 40Gb! Ubuntu 7.10 has only seeded 33Gb and has been out for twice as long. Read into that what you will!

Windows didn’t like that and hung, VMware Virtual Center disliked it even more. Once I recovered the machine (ohhh AD was in a mess!) VMVC refused to launch and spewed some messages to the console. The sole purpose for this entry is to list the event log errors and list the solution so hopefully some one else out there won’t be in the dark.

The errors always happen in batches as follows:

[2376] [VpxdMutex] Locking InvtLock (5) conflicts with InvtHostBarrier (0)

[3372] (HY000) – [Microsoft][ODBC Microsoft Access Driver] Not a valid bookmark.

[3372] [ARCHIVER] Q: SELECT COUNT(*) FROM STATS_HOST_DATA WHERE HOST_ID=? AND HIST_ID=? AND COL_ID=? AND ROW_ID=?

[3372] [ARCHIVER] Failed to count stats. ODBC error=-1

[3372] [Vpxd] Initiating shutting down

[3352] [Vpxd] Shutting down…

[3352] [Vpxd] Shutting down now

The description for Event ID ( 1 ) in Source ( VMware Virtual Mount Service Extended ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: vmount2 service stopped 1.5.2 build-32167.
Then the VMVC process hangs, it shows as ‘Started’ in the Services MMC but any connection attempts are met with an active refusal.

Taking the hint that a database was corrupted I made a copy of the Template / Uploads directory and bit the bullet; initiated the dreaded MSI Repair mode.

Answering ‘Yes’ to keeping the existing database followed by a swift reboot and all was working again.

One of the VMWare servers had hung (it was deploying from a template when this happened!) and had to be kill -9′d but after that all came up fine again.

Fun eh?

As part of my drive to monitor as much as possible of my systems I realised that creating an intermediate daemon for WMI would allow me to access some of the WMI properties that wouldn’t normally be exposed via SNMP and graph them with MRTG.

I’m not going to cover WMI in any great detail so if you’d like to do a bit more reading I would recommend reading through the Microsoft Knowledge Base article on WMI.

As the title suggests the Windows Daemon has been written in C# and the basic idea behind it is that it will sit on the server listening on an specified UDP port waiting for a particular type of packet to arrive. That packet will contain the originating IP, the UDP port it will be waiting for a reply on, the WMI Class from which we will be extracting a property and the property itself.


//Receive DataGram
byte[] recData = server.Receive(ref ServerReceivePoint);
System.Text.ASCIIEncoding encode = new System.Text.ASCIIEncoding();
//Split it up [IP/Port/WMIClass/WMIQueryItem]
string[] temp = encode.GetString(recData).Split(new Char[] { '/' });
string Class = temp[2].ToString();
string Query = temp[3].ToString();
string WMIResult = "";
WMIResult = DoWMIQuery(Class, Query);


So far the code just sits waiting to receive some data, when it does it writes a nice little entry to a log and then throws the packet data into a string array named temp split on the / character (this shouldn’t appear in either a WMI Class or a Method / Property). The 3rd entry is the WMI Class and the 4th entry is the property we are asking for. These values are then passed to a function named DoWMIQuery (can you guess what that does?).

First we have to set up the options for connecting to WMI:

ConnectionOptions ConOpt = new ConnectionOptions();
string strNameSpace = @"\\";
strNameSpace += ".";
strNameSpace += @"\root\cimv2";


With that done a new Management Scope and Object Query can be created:

 System.Management.ManagementScope oMs =
  new System.Management.ManagementScope(strNameSpace, ConOpt);
 System.Management.ObjectQuery oQuery = oQuery =
  new System.Management.ObjectQuery("select " + QUERYITEM + " from " + CLASS);

‘Executing’ the query requires the utilisation of a Management Object Searcher (its searches for objects!!) and returns a nice array of objects (assuming of course there are more than one otherwise it’ll only return the one). By looping through the array I can grab all the requested data and then it can be returned.


 ManagementObjectSearcher oSearcher = new ManagementObjectSearcher(oMs, oQuery);

 try
 {
  //Get the results
  ManagementObjectCollection oReturnCollection = oSearcher.Get();

  //loop through and return what was asked for!
  foreach (ManagementObject oReturn in oReturnCollection)
  {
   ReturnValue = oReturn[QUERYITEM].ToString();
  }
  return ReturnValue;


There is no checking to make sure that ‘hostile’ WQL isn’t being passed mainly because I couldn’t be bothered but mostly because the inter-vlan firewalls don’t let clients send to these ports. Anyhow, basically all that happens is that the WMI property requested is extracted from the WMI class that was defined. If there are several instances (say for example free space on x amount of disk drives) then they get added together and then returned.


//Re-send the DataGram
byte[] sendData = encode.GetBytes(WMIResult);


//We use the IP and Port sent by the user to send the DataGram back
server.Send(sendData, sendData.Length, temp[0], Int32.Parse(temp[1]));


If anyone noticed the potential for foul play (Hint: Smurf stylee) then yes I was indeed too lazy to work out where the connection came from and send it back to that host.

Once the host is happily sitting there doing what it needs to do (listening for packets that is) we need to send it something. Whilst I love scripting in Bash I felt that PHP would be a better avenue to explore (mainly because I could create a few intranet pages with ‘on demand’ stats generation!).

First I grab the command line arguements that were passed and add a couple of my own:

$ScriptName = $argv[0]; // Script name
$TargetIP = $argv[1]; // Target IP
$Class1 = $argv[2]; // WMI Class1
$Prop1 = $argv[3]; // WMI Property1
$Class2 = $argv[4]; // WMI Class2
$Prop2 = $argv[5]; // WMI Property2
$UptimeClass = "Win32_PerfFormattedData_PerfOS_System";
$UptimeProperty = "SystemUpTime";


Then it calls the DoQuery function a couple of times and does a reverse DNS lookup of the host. This is because MRTG expects Input, Output, Uptime and System name as the 4 variables returned to it from an external script!

DoQuery($TargetIP,$Class1,$Prop1);
DoQuery($TargetIP,$Class2,$Prop2);
DoQuery($TargetIP,$UptimeClass,$UptimeProperty);
print(gethostbyaddr($TargetIP));


Create the SourcePort (a bit of randomisation as there could be 10′s of these triggering at the same time!) and the socket:

$SourcePort = rand(2200, 4500);
$socket = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);

With that done its time to create the packet:

$packet = "172.16.0.2/".$SourcePort."/".$WMIClass."/".$WMIProperty;


Sending the UDP request packet is painfully simple:

socket_sendto($socket, $packet, strlen($packet), 0x100, '172.16.0.3', 6868);


With that done we need to create the listening socket and then wait for a reply:

 $sock2 = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);

 if(!socket_bind($sock2, '172.16.0.2', $SourcePort))
 {
  socket_close($sock2);
  die( 'socket_bind failed: '.socket_strerror(socket_last_error()));
 }


 //Set up a nonblocking socket
 socket_set_nonblock($sock2);


I’ve decided on 2 seconds as an acceptable time out:

//Initiate the timeout
$timeout = time() + (2); // 2 seconds timeout


//While the time is less than 2 seconds from when we started this
while (time() <= $timeout)
{
while (@socket_recv($sock2, $data, $SourcePort, 0)) //8192
{
print($data);
print("\n");
}
usleep(100000); // 100ms wait
}
//Close the socket
socket_close($sock2);
?>


With all that done you can simply add something like the following to your MRTG scripts:

Directory[S411-1-cpu]: cpu
Target[S411-1-cpu]: `php /etc/mrtg/scripts/WMIUDPMRTG.php 172.16.0.3 Win32_PerfFormattedData_PerfOS_Processor PercentProcessorTime Win32_PerfFormattedData_PerfOS_Processor PercentUserTime`
MaxBytes[S411-1-cpu]: 10000
Options[S411-1-cpu]: gauge,growright,nopercent,absolute
ShortLegend[S411-1-cpu]: CPU
#LegendI[S411-1-cpu]:CPU Usage
WithPeak[S411-1-cpu]: wmy
LegendI[S411-1-cpu]:CPU Time
LegendO[S411-1-cpu]:User Time
YLegend[S411-1-cpu]:CPU Usage
Title[S411-1-cpu]: CPU Usage
PageTop[S411-1-cpu]: CPU Usage


And you’ll be able to graph previously unreachable data:

Win32_PerfFormattedData_PerfOS_Processor:

Win32_PerfFormattedData_ASP_ActiveServerPages:

Win32_PerfFormattedData_RemoteAccess_RASTotal:

The full source code (if you dare) is here. (edit: fixed link)

ToDo: