Tuesday, May 24, 2011

SCOM 2007 R2 Unable to verify the run as account

Summary

This issue occurs after an agent has been pushed to a managed machine. The alert level is a warning and can be seen by selecting the Administration view and double-clicking the Agent Managed folder just under Device Management.

Causes

Possible causes include:

An older account from a previous install of SCOM 2007 R2 was chosen by SCOM during the agent deployment process.
The assigned run as account does not have the permissions across the domain needed to be used as a universal run as account.
The account is so new that it has not yet replicated across the domain forest.
A trust relationship has not been created between the sub-domains of the forest.

Resolutions

Do one or more of the following:
1. Uninstall the agents that show this error.
2. If the account is correct and relatively new, wait ten minutes and install the agent again.
3. If the issue still persists, uninstall the agent and obtain the password needed to log into the target machine. Use the Remote Desktop Connection program in the Accessories folder of your local machine to log into it.
Any problem logging into the machine confirms a trust relationship issue.

SCOM 2007 R2 The System Center Operations Manager SDK service failed to register an SPN.

Summary

The System Center Operations Manager SDK service failed to register an SPN. A domain admin needs to add MSOMSdkSvc/rmscomputer and MSOMSdkSvc/rmscomputer.domain.com to the servicePrincipalName of DOMAIN\sdkaccount


Cause

This seems to appear in the RC1-SP1 build of OpsMgr.

Every time the SDK service starts, it tries to update the SPNs on the AD account that the SDK service runs under. It fails because, by default, a user cannot update its own SPNs, so this error is logged.


Resolution

If the SDK account is a domain admin, the registration does not fail, because a domain admin has the necessary rights. Obviously we do not want the SDK account to be a domain admin; that is not required, nor is it a best practice.

Therefore, to resolve this error, we need to grant the SDK service account the right to update its own SPN. The easiest way is to go to the user account object for the SDK account in AD and grant SELF full control.

A better, more granular way is to grant SELF only the right to modify the SPN:

  • Run ADSIEdit as a domain admin.
  • Find the SDK domain account, right click, Properties.
  • Select the Security tab, click Advanced.
  • Click Add. Type "SELF" in the object box. Click OK.
  • Select the Properties tab.
  • Scroll down and check the "Allow" box for "Read servicePrincipalName" and "Write servicePrincipalName".
  • Click OK. Click OK. Click OK.
  • Restart the SDK service. Once AD has replicated the change from the DC where you made it, the error should be resolved.
To check SPNs:
The following command lists all the HealthService SPNs in the domain (port 3268 queries the global catalog):
    ldifde -f c:\ldifde.txt -t 3268 -d DC=DOMAIN,DC=COM -r "(serviceprincipalname=MSOMHSvc/*)" -l serviceprincipalname -p subtree

To view the SPNs registered for a specific server:
    setspn -L servername

SCOM 2007 R2 SPNs Not registering on Cluster

Summary

In System Center Operations Manager 2007, a node in an RMS cluster registers the servicePrincipalName (SPN) for the Health Service with the physical node's computer account. This is a problem because the SPN must be registered with the account of the RMS cluster computer. When the SPN registration is duplicated or the registration is with the wrong computer account, mutual authentication fails. This causes the RMS and agents to go into gray state.
Additionally, when the RMS cluster group is active on the affected node, the service state folders for the Config Service, SDK Service and Health Service are on the node's local drive instead of the shared cluster drive.

Cause

This can occur when the ManagementServerConfigTool.exe has not been run successfully on an RMS cluster node.

When you run ManagementServerConfigTool.exe with the InstallCluster or AddRMSNode argument, the tool creates a registry value named HealthServiceVirtualHost in the following registry sub-key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0

When the Health Service starts, it tries to read the HealthServiceVirtualHost registry value. If that value exists, Health Service skips SPN registration and logs the following Information event in the Native trace log:

0              00000000             [0]7592.8548::10/15/2008-15:32:47.019 [MOMConnector]  Information CConnectorSolutionSharedState::TryRegisterServiceSpn(ConnectorSolutionSharedState_cpp2788)Received value for GetHealthServiceVirtualHostName.  Assuming that this is clustered RHS so not trying to register SPN.

ManagementServerConfigTool.exe creates the HealthServiceVirtualHost registry value using the name specified in the /vs argument. It also changes the service state path for the OpsMgr services to the drive specified in the /Disk argument. That way, the service state folders will be on the shared cluster drive instead of the local installation directory.

For more information about installing an RMS cluster and using ManagementServerConfigTool.exe, refer to the following topic in the OpsMgr 2007 Deployment Guide:

Deploying a Root Management Server on a Windows Cluster in Operations Manager 2007
http://technet.microsoft.com/en-us/library/bb432140.aspx

Resolution

Run ManagementServerConfigTool.exe on the affected cluster node with the AddRMSNode argument. This will configure the HealthServiceVirtualHost registry value and prevent the incorrect SPN registration. It will also configure the clustered OpsMgr services to use the shared cluster drive for service state storage instead of a local drive. To do this, use the following steps:

1. Using Cluster Administrator, move the RMS cluster group to the affected node.
2. Take the Config Service, SDK Service and Health Service resources offline.
3. Copy the latest version of ManagementServerConfigTool.exe from the OpsMgr source media (in the SupportTools folder) to the System Center Operations Manager 2007 installation folder.
4. From a command prompt, run the following command:

ManagementServerConfigTool.exe AddRMSNode /vs:<VirtualServerNetbiosName> /Disk:<VirtualServer Disk Resource>

In the above command, VirtualServerNetbiosName is the Network Name resource in the RMS cluster group. The value you enter for VirtualServerNetbiosName must be the value that appears in the Name text box on the Parameters tab of the Properties dialog box for the Network Name cluster resource. VirtualServerDiskResource is the disk resource allocated to the RMS cluster group. The disk location can be found on the Parameters tab of the Properties dialog box for the Disk resource.

5. After this command completes, verify that the HealthServiceVirtualHost registry value exists in the following registry sub-key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0

6. Use adsiedit.msc or setspn.exe to remove the Health Service SPN from the computer account for the physical node. Make sure that the SPN is registered correctly with the account of the RMS cluster computer.

7. Bring the OpsMgr services online and verify that the invalid Health Service SPN registration does not recur.
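As an added example (not part of the original post), the following Python script audits an ldifde export like the one produced by the command in the SDK SPN section above: it parses the LDIF, flags SPNs registered on more than one account, and flags SPNs held by an account whose name is not the SPN's host, which is the cluster-node mis-registration described in this section. The account and host names in the sample are constructed; run it against a real export by passing the file contents to parse_ldif.

```python
import base64
import re
from collections import defaultdict

# Constructed sample of an ldifde export: the RMS virtual computer account holds its
# own SPNs, but physical node NODE1 has also registered the virtual server's SPN.
SAMPLE_LDIF = """\
dn: CN=RMSVIRT,OU=Servers,DC=CONTOSO,DC=COM
changetype: add
servicePrincipalName: MSOMHSvc/RMSVIRT
servicePrincipalName: MSOMHSvc/RMSVIRT.contoso.com

dn: CN=NODE1,OU=Servers,DC=CONTOSO,DC=COM
changetype: add
servicePrincipalName: MSOMHSvc/NODE1
servicePrincipalName: MSOMHSvc/NODE1.contoso.com
servicePrincipalName: MSOMHSvc/RMSVIRT.contoso.com
"""

def parse_ldif(text):
    """Return {dn: [spn, ...]}; handles folded lines and base64 ('::') values."""
    text = re.sub(r"\r?\n ", "", text)  # LDIF folds long values onto a space-led line
    records, dn = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
            records.setdefault(dn, [])
        elif attr == "serviceprincipalname" and dn is not None:
            records[dn].append(value)
    return records

def rdn_cn(dn):
    """Leading RDN value of a DN: 'CN=NODE1,OU=...' -> 'node1'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip().lower()

def spn_host(spn):
    """Host of 'class/host[.domain][:port]', lower-cased, without suffix or port."""
    return (spn.partition("/")[2] or spn).split(":", 1)[0].split(".", 1)[0].lower()

def find_duplicates(records):
    """SPNs registered on more than one account (the KDC cannot choose a key)."""
    owners = defaultdict(list)
    for dn, spns in records.items():
        for spn in spns:
            owners[spn.lower()].append(dn)
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}

def find_misplaced(records):
    """SPNs whose host is not the holder's CN, e.g. a node holding the virtual server's SPN."""
    return [(dn, spn) for dn, spns in records.items()
            for spn in spns if spn_host(spn) != rdn_cn(dn)]
```

Both findings on the sample point at NODE1 holding MSOMHSvc/RMSVIRT.contoso.com, which is the SPN step 6 above tells you to remove from the physical node.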

SCOM 2007 R2 Agent Proxy Issues and Concerns

Summary

Critical Error:  Agent proxying needs to be enabled for a health service to submit discovery data about other computers.
Details:       Health service (xyy) should not generate data about this managed object (xyy).

Nearly every management pack coming in the future will not function adequately, or at all, if proxy is not enabled.


Causes

Possible causes include:

Agent proxy must be enabled when a health service discovers an instance of a managed entity type and the management context does not indicate that this same health service will also monitor that instance.


Concerns

Concerns include:

1.     Enabling proxy can potentially expose the company's internal network to the intranet if both exist and both are essentially on the same system.
2.     Enabling proxy is a concern because of the agent's ability to discover agentless machines such as cluster servers.
3.     Since a proxy-enabled attack is most likely to come from inside your company, you may want to put a process in place to design-check every management pack before it is used in production environments.
4.     This error may be bogus and merely a symptom of the run as account lacking credentials on the agent generating the error.

Resolution

Do one or more of the following:
1. Open the Operations Manager Console.
2. Click on the Administration view near the bottom left of the console.
3. Go to Agent Managed under Device Management.
4. Select the agent that requires proxy to be enabled and right click on it.
5. Select Properties. When the tabbed dialog window is displayed, click on the Security tab.
6. Check the checkbox that enables proxy.

SCOM 2007 R2 Inside Disable and Override functions

The purpose of this article is to focus on SCOM 2007 R2's ability to disable or override objects in SCOM. Rules will be used as the example.
There is a concept known as noise: the data produced when an action such as a rule runs and sends what it has collected to SCOM for processing.
So, every once in a while, you may be tasked to modify or disable a rule. This can sound like a formidable task until you realize that the functionality to perform these tasks is built into SCOM.
You can disable a rule, re-enable it and change the rule's settings. Each primary action offers the same four options:
DISABLE FUNCTIONS:
·         For all objects of Class: Windows Server 2008 Operating System
·         For a Group
·         For a specific object of Class: Windows Server 2008 Operating System
·         For all objects of another Class.
OVERRIDE FUNCTIONS:
·         For all objects of Class: Windows Server 2008 Operating System
·         For a Group
·         For a specific object of Class: Windows Server 2008 Operating System
·         For all objects of another Class.
Okay, so what is an object? Simply put, the object is the target of the class being discovered. It could be a role, a group, or the computer.
In the case of the first option for both disable and override, it is all the objects the class targets, meaning every machine where the class is being discovered will be affected.
In the case of the second, the group of computers would be affected.
In the case of the third option for both disable and override, it is a single machine the class targets.
The last implies that another management pack may have a similar rule that needs to be disabled or overridden, because the intention here is to shut off all rules that perform the same function.

How to add A Management Pack To SCOM 2007 R2

Situation:
Your boss has just asked you to import a ManagementPack into SCOM 2007 R2 and has provided you with the ManagementPack to import.  But you have never done it before. How do you install a ManagementPack?
 
Resolution:
1.       Go to Start -> All Programs -> System Center Operations Manager 2007 R2. Expand the view.
2.       Move down to Operations Console and double click on it to start the program.
3.       After the console is up, move the cursor to the Administration view on the left of the console window and double click on it.
4.       Move down the options on the left until you find Management Packs and double click it.
5.       Once the management packs are listed in the middle window, you can either right click on the Management Packs option on the left and click Import Management Packs, or go to the right side of the console and click on the Import Management Packs option.
6.       A new dialog window will appear. Move across the top of the dialog window as the picture above shows. Select the Add From Disk option and click it.

How To Enable A Rule

SITUATION:
You have been asked to disable a rule contained within a ManagementPack that has been imported into the SCOM Console.
RESOLUTION:
1.       Go to Start -> All Programs -> System Center Operations Manager 2007 R2. Expand the view.
2.       Move down to Operations Console and double click on it to start the program.
3.       After the console is up, move the cursor to the Authoring view on the left of the console window and double click on it.
4.       Expand Management Pack Objects.
5.       Select Rules.
6.       Either click on the Scope toolbar button just to the left and above the Rules caption, or click the link titled Change Scope. You can use this tool to narrow down your search. If you don't know what you're looking at, this may not be the best way to filter your search.
7.       After you've limited your search, use the search option and type in the exact name of the rule you want to override.
8.       This document will use the "Duplicate IP Address has been detected" rule as an example.
9.       There are three matching rules. You will need to do all three if you want the rule completely disabled.
10.    Click on the top one if it isn't already highlighted.
11.    Right click on it. Click on Override Summary. If no one else has performed any overrides, this should be empty.
12.    Right click on the rule, go to Overrides and click on Disable the Rule. You will see:
13.    For All Objects of Class: Windows Server 2008 R2 Core Operating System. Select it.
14.    A window prompt will pop up and ask you if you're sure this is what you want to do. Click Yes.
15.    Again, right click on the rule. Go to Override Summary and select it. Your new override should now be listed in the summary.
16.    Repeat the process for the remaining two rules.

How to create an Operations Manager Database

Summary

If you have chosen to use SQL Server R2, SCOM 2007 R2 will not install correctly. You must create the Operations Manager database first.  This document will help you create that database.


Causes

Causes include:
o   Assuming you've installed everything correctly up to this point, the SCOM installer will guide you up to here:
o   At this point, you would normally not have the red X on the database. When you click Next, an error stops you from continuing. The SCOM 2007 R2 installation wizard was not designed to support SQL Server R2.
Resolution
Do one or more of the following:
1. Go to the directory where you have your SCOM install files and open the Support Tools folder. There are three folders under it, each holding programs for a specific OS architecture; in the case of 64-bit, this is the AMD64 folder. Double click the appropriate folder. Once open, you will find DBCreateWizard.exe almost at the very top. Double click on it. After the program is up and running, click Next.

At this point, add 1433 for SQL Server and change the directory paths for the database.
WARNING:  The ownership of the database by default will be the logged on user at the time it was created. You can change ownership later.
Click Next to continue.
If successful, the program will bring up a message box to that effect or, if it fails, it will tell you why.
When you’re done and you’re back into the install, click on the database and select: This component will not be available.
The setup program should continue running without an issue.

How to create an Operations Manager Data Warehouse Database

Summary

If you have chosen to use SQL Server R2, SCOM 2007 R2 will not create the Operations Manager DW database through the Operations Manager 2007 R2 Reporting Wizard. Instead, you have to create it yourself.


Causes

Causes include:
o   Assuming you've installed everything correctly up to this point, the SCOM installer will guide you up to here:
o   At this point, you would normally not have the red X on the database. The wizard would fail. The SCOM 2007 R2 installation wizard was not designed to support SQL Server R2.
Resolution
Do one or more of the following:
1. Go to the directory where you have your SCOM install files and open the Support Tools folder. There are three folders under it, each holding programs for a specific OS architecture; in the case of 64-bit, this is the AMD64 folder. Double click the appropriate folder. Once open, you will find DBCreateWizard.exe almost at the very top. Double click on it. After the program is up and running, click Next.

At this point, change the database type from Operations Manager Database to Operations Manager Data Warehouse Database. You can add 1433 for SQL Server and change the directory paths for the database.
WARNING:  The ownership of the database by default will be the logged on user at the time it was created. You can change ownership later.
Click Next to continue.
If successful, the program will bring up a message box to that effect or, if it fails, it will tell you why.
When you’re done and you’re back into the install, click on the database and select: This component will not be available.
The setup program should continue running and may have some installation errors involving reporting.

How To Convert a ManagementPack to an Excel document.

Situation:
Your boss wants you to provide him/her with an Excel spreadsheet view of the rules inside a ManagementPack. There are hundreds of them in this ManagementPack and it will take you a solid week to do by hand.
Solution:
Inside the tools folder are two programs that address this issue. One produces the Excel information through automation.  It opens the ManagementPack, converts it to an XML file, opens Excel and populates the sheet with all the details of each area or group.
The other opens the ManagementPack, converts it to an XML file, creates an Excel spreadsheet file and populates it with all the details of each area or group.

How does computer discovery work in OpsMgr 2007

Summary

After you have discovered the machine successfully, the agent install fails with the above error.

This is a visual diagram of how computer discovery works in OpsMgr 2007. The prerequisites required to discover servers and install agents are listed below as well:

Description: RPC endpoint mapper
Port number: 135
Protocol: TCP/UDP

Description: NetBIOS name service
Port number: 137
Protocol: TCP/UDP

Description: NetBIOS session service
Port number: 139
Protocol: TCP/UDP

Description: SMB over IP
Port number: 445
Protocol: TCP

Display Name: Netlogon
Started: True
State: Running

Description: MOM Channel
Port number: 5723
Protocol: TCP/UDP

Display Name: Windows Installer
Started: True
State: Running

Enable: File and Print Sharing

Enable: Remote Administration Exception
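As an added example (not part of the original post), this Python check probes the TCP ports from the prerequisite list above on a target computer and reports which are not reachable from the management server; the probe is injectable so the logic can be exercised offline, and the target host name is a constructed placeholder.

```python
import socket

# TCP ports from the prerequisite list above that the management server must reach
# on the target to discover it and push an agent. NetBIOS name service (137) is
# normally UDP and has no handshake to test, and the MOM channel (5723) is opened
# from the agent towards the management server, so neither is probed here.
PUSH_INSTALL_TCP_PORTS = {
    135: "RPC endpoint mapper",
    139: "NetBIOS session service",
    445: "SMB over IP",
}

def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def missing_prereqs(target, probe=tcp_open):
    """Return [(port, description), ...] for required ports not reachable on target.
    `probe` is injectable so the check can be exercised without a network."""
    return [(port, desc) for port, desc in sorted(PUSH_INSTALL_TCP_PORTS.items())
            if not probe(target, port)]

if __name__ == "__main__":
    TARGET = "server01.contoso.com"  # constructed placeholder, not a real host
    for port, desc in missing_prereqs(TARGET):
        print(f"{TARGET}: {desc} (TCP {port}) not reachable")
```

A port that the check reports as unreachable usually means the File and Print Sharing or Remote Administration exceptions listed above are not enabled on the target's firewall.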