Verifying Custom MP overrides are valid when updating sealed MPs


I will raise my hand when asked if I prefer Notepad++ for looking at XML (because I can shrink the sections I’m not concerned about).

 

Using Notepad++ (it works best here: it color-codes the XML and makes unbalanced tags or quotes stand out when a syntax error slips in while editing)

 

Open Overrides management pack (XML)

Click on the (-) for Manifest

Click on the dash (-) for RelationshipTypes

Click on the dash (-) for each Discovery (if it exists)

[Screenshot: the Overrides MP in Notepad++ with Manifest, RelationshipTypes and Discoveries collapsed]

 

Verify the targets exist in the MPs to be updated

Scroll to the right to view the Targets of your Override management pack

[Screenshot: the collapsed view scrolled right to show the override targets]

 

If the changes are overrides, look at the Monitor or Rule each one names and verify it is still in the pack to be updated

[Screenshot: override entries showing the Monitor attribute]

 

To understand which MP is being referenced, look at the alias prefix in the example – Windows3!

Scroll to the top of your MP and click on the (+) plus sign to expand manifest

[Screenshot: the Reference entries under Manifest]

 

NOTE Windows3 is the alias for the Server 2016 Monitoring MP

[Screenshot: decoding the Windows3 alias to its management pack ID]

 

Verify your monitor/rule name still exists, and your Override should still apply

In Server Overrides MP, look at the Monitor= section for the Monitor name

[Screenshot: the Monitor= attribute highlighted in the Server Overrides MP]

 

Go to the Windows Server 2008 Monitoring MP and look for that monitor

There is no monitor for 2008

[Screenshot: the monitor list of the Windows Server 2008 Monitoring MP in Notepad++]

 

Alternatively, you can check in the SCOM console as well (if the MP is installed)

There is NO 2008 Memory Pages per second monitor

[Screenshot: SCOM console monitor view confirming no 2008 Memory Pages per second monitor]

 

Now to remove the override in our MP

In Notepad++, highlight the MonitorConfigurationOverride section and delete it

[Screenshot: the MonitorConfigurationOverride element highlighted for deletion]

Rinse and Repeat

Increment the version number and import MP when finished validating overrides.
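The validation walk-through above, scripted as an added example (not code from the original post or its author): it resolves each override's Alias!ID through the Manifest references and reports any whose Monitor, Rule or Discovery, or whose Context (the target class), no longer exists in the referenced pack. It assumes the sealed packs have been exported to XML with Export-SCOMManagementPack into one folder; both paths below are placeholders.

```powershell
# Added example, not from the post. Reports overrides whose workflow (Monitor, Rule or Discovery)
# or Context (the target) no longer exists in the referenced MP. Assumed inputs: the override MP
# XML and a folder holding the sealed MPs exported as XML (Export-SCOMManagementPack, <MP ID>.xml).
param(
    [string]$OverrideMp = 'C:\MPs\Server.Overrides.xml',   # placeholder path
    [string]$ExportDir  = 'C:\MPs\Exported'                # placeholder path
)
[xml]$ovr = Get-Content -Path $OverrideMp -Raw

# Manifest references map the alias used in the overrides (e.g. Windows3) to the MP ID
$alias = @{}
foreach ($ref in $ovr.SelectNodes('/ManagementPack/Manifest/References/Reference')) {
    $alias[$ref.Alias] = $ref.ID
}
$packs = @{}   # cache: MP ID -> exported XML document ($null when the export is missing)
function Get-PackXml([string]$mpId) {
    if (-not $packs.ContainsKey($mpId)) {
        $file = Join-Path -Path $ExportDir -ChildPath "$mpId.xml"
        $packs[$mpId] = if (Test-Path -Path $file) { [xml](Get-Content -Path $file -Raw) } else { $null }
    }
    return $packs[$mpId]
}
# "Alias!ID": look the ID up in the aliased MP; an unqualified ID is defined in the override MP itself
function Test-Element([string]$qualified, [string]$xpathFormat) {
    $parts = $qualified -split '!', 2
    if ($parts.Count -lt 2) { return $true }
    if (-not $alias.ContainsKey($parts[0])) { return $false }   # alias missing from the Manifest
    $pack = Get-PackXml -mpId $alias[$parts[0]]
    if ($null -eq $pack) { return $false }                        # referenced MP was not exported
    return $null -ne $pack.SelectSingleNode(($xpathFormat -f $parts[1]))
}

$report = foreach ($o in $ovr.SelectNodes('/ManagementPack/Monitoring/Overrides/*')) {
    # Each override names one workflow attribute (Monitor, Rule or Discovery) plus its Context
    $workflow = $o.Monitor; $xpath = "//Monitors/*[@ID='{0}']"
    if ($o.Rule)      { $workflow = $o.Rule;      $xpath = "//Rules/Rule[@ID='{0}']" }
    if ($o.Discovery) { $workflow = $o.Discovery; $xpath = "//Discoveries/Discovery[@ID='{0}']" }
    [pscustomobject]@{
        Override       = $o.ID
        Type           = $o.LocalName
        Workflow       = $workflow
        WorkflowExists = Test-Element -qualified $workflow -xpathFormat $xpath
        Context        = $o.Context
        ContextExists  = Test-Element -qualified $o.Context -xpathFormat "//ClassTypes/ClassType[@ID='{0}']"
    }
}
# Anything listed here is a deletion candidate before the version bump and re-import
$report | Where-Object { -not ($_.WorkflowExists -and $_.ContextExists) } | Format-Table -AutoSize
```

Overrides whose Context is a group defined in the override MP itself are reported as existing, since only aliased references are resolved against the exports.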

 

 

Troubleshoot Office 365 SCOM MP Run As account

Run As Account

The Office 365 Run As account is used for proxy access for the HTTPS connection from the SCOM management server to the Office 365 portal endpoint.

It must be a domain account, not an Azure account (particularly if they are not the same tenant or AAD-associated).

Service accounts are recommended so that an employee leaving does not break monitoring.

 

SCOM uses a domain account (example: the scom_action ID)

Verify that the ID exists in the Azure tenant (contact your Azure administrator if you don’t have access)

[Screenshot: verifying the ID in the Azure tenant]

To follow best practice, update the Run As account with the service account

[Screenshot: the Run As account credential in the SCOM console]

 

Verify Run As account

In the SCOM console, confirm there are no Operations Manager event log 7000 events for the configured ‘run as’ ID

Remote Desktop to SCOM MS Server

Verify if the ‘run as’ ID has a valid password

Look in the Operations Manager Event Log for Event ID 7000

Click on Find

Type in the user’s ID from the ‘run as’ account in SCOM

If no entries are found, the ID is authenticating successfully against the domain

If errors are found, correct the ID/password

Create a new subscription in SCOM to use the auto credentials option

NOTE New subscription may take 5-10 minutes to populate health data

From SCOM console

Click on Administration

Click on the Office 365 wizard

Click Add Subscription

[Screenshot: Add Subscription in the Office 365 wizard]

 

Add Subscription Name

Click Next

[Screenshot: entering the subscription name]

SCOM UI will prompt for Azure login

[Screenshot: the Azure login prompt]

Enter ID and password

Click Sign in to authenticate

 

Click on Monitoring Tab

Click on Office 365 folder

Click on Office 365 Monitoring Dashboard

Verify state on the subscription in question

[Screenshot: the new subscription on the Office 365 Monitoring Dashboard]

Verify SCOM ID used in O365 Subscription in Azure Portal

In Azure Portal

Verify the Application exists (in the Azure tenant it shows as SCOM O365MP)

[Screenshot: the application’s API permissions]

NOTE In the right-hand pane, the Office 365 Management APIs have Application Permissions and cannot be selected

[Screenshot: the Request API permissions pane]

Click Back to the Settings window

Click on Owners

[Screenshot: the Owners blade with no owners listed]

NOTE NO owners show in this view

Click Add +

In the Add owner window, type the ID

Hit Select to add the user account (in this example, the SCOM service account)

[Screenshot: the SCOM ID added as an owner]

Have the user test

Office 365 subscription not monitored in SCOM


Yes, this can leave you stumped and wondering “why?”

 

There can be many parts to this, so choose carefully

Verify SCOM ID used in o365 subscription in Azure portal

Create a new subscription in SCOM to use the auto credentials option

Office 365 SCOM Run As Account

 

Verify O365 Subscription state in SCOM Console

In the SCOM console

Click on Monitoring Tab

Click on the O365 dashboard

Look at the health state

Error showed ‘endpoint not found’

Working with Azure Admin, we found the SCOM O365MP application did NOT have a service account assigned.

Verify SCOM ‘Run as’ account

Verify the ‘run as’ ID (originally an employee ID, not a service account)

Remote Desktop to SCOM MS Server

Verify if the ‘run as’ ID has a valid password

Look in the Operations Manager Event Log for Event ID 7000

Click on Find

Type in the user’s ID from the ‘run as’ account in SCOM

If no entries are found, the ID is authenticating successfully against the domain

If errors are found, correct the ID/password in the SCOM console
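The Event ID 7000 check above (the same steps appear in the Run As account post earlier on this page), scripted as an added example that is not from the original post. It assumes it runs on the SCOM management server, and the account name is a placeholder to replace with your Run As ID.

```powershell
# Added example, not from the post: find Operations Manager Event ID 7000 entries naming the
# Run As account, the same check done above with Find. Assumes it runs on the SCOM management
# server (or add -ComputerName to Get-WinEvent); the account below is a placeholder.
param(
    [string]$RunAsId = 'CONTOSO\scom_action',   # placeholder, not a real account
    [int]$Days = 7
)

# Event 7000 is logged by the Health Service when it cannot log on a Run As account
$filter = @{
    LogName   = 'Operations Manager'
    Id        = 7000
    StartTime = (Get-Date).AddDays(-$Days)
}
# Get-WinEvent raises "No events were found" for an empty result; treat that as an empty list
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($RunAsId) })

if ($events.Count -eq 0) {
    "No Event 7000 for $RunAsId in the last $Days days: the ID is authenticating against the domain."
} else {
    "$($events.Count) logon failure(s) for $RunAsId; correct the ID/password in the SCOM console:"
    $events | Select-Object TimeCreated, MachineName, Message | Format-List
}
```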

 

Verify SCOM O365 Azure account

 

In the SCOM console

Click on Administration

Click on the O365 Wizard

Highlight the subscription

Choose Edit Subscription

 

Test ID (tested the Service Account)

With the radio button selected at ‘Use auto-created Azure Service Principal’

NOTE Name here is for SCOM purposes and does not have to match Azure Portal Application Name

[Screenshot: the subscription name field with ‘Use auto-created Azure Service Principal’ selected]

Click Next

SCOM UI will prompt for Azure login

[Screenshot: the Azure login prompt]

Enter ID and password

Click Sign in to authenticate

 

If error is ‘Authentication Fails’, contact your Azure Administrator for assistance

References

Verify SCOM ID used in o365 subscription in Azure portal

Create a new subscription in SCOM to use the auto credentials option

Office 365 SCOM Run As Account

Uncommon Custom MP Fragments


Building on Kevin Holman’s MP Fragment Library are additional Uncommon Custom MP Fragments

 

This is the SCOM Management Pack Fragment Library which includes VSAE Fragments you can use to make SCOM management packs quickly and easily.

V1.0 has two event monitors (two-state, with two or three criteria)

 

Assumptions

Visual Studio and the VSAE fragments are installed

Visual Studio has a powerful plugin called VSAE (Visual Studio Authoring Extensions)
https://www.microsoft.com/en-us/download/details.aspx?id=30169

If you aren’t familiar with MP fragments for authoring, see the instructions at: https://blogs.technet.microsoft.com/kevinholman/2016/06/04/authoring-management-packs-the-fast-and-easy-way-using-visual-studio/

 

Background
A Management Pack fragment is simply a bit of XML that contains all the “working parts” for a specific workflow…

Several authors have written about the power of fragments since VSAE launched, but the biggest gap I saw can be broken up into two major issues:
• Nobody provided a good “library” of workable MP fragments
• Nobody came up with a VERY simple method to reuse fragments quickly and easily

If you can do a FIND and REPLACE in notepad, you can use this.

Kevin Holman’s MP Fragments here

Gallery download for the uncommon MP fragments https://gallery.technet.microsoft.com/Uncommon-Custom-MP-c5a12a86

How to size your SCOM environment


Additional items to consider when sizing a SCOM environment

Number of UNIX servers

Network monitoring

Application Performance Monitoring (APM)

URL monitoring (transactional and availability)

DB Data retention requirements

 

Resources

The SCOM Sizing calculator XLS on TechNet to determine capacity and storage needs (2012 and 2016) http://download.microsoft.com/download/C/A/6/CA60425C-950B-456E-986C-C5F2FCD5668D/System%20Center%202012%20Operations%20Manager%20Sizing%20Helper%20Tool%20v1.xls

 

2016 Quick Start guide https://blogs.technet.microsoft.com/kevinholman/2016/10/22/opsmgr-2016-quickstart-deployment-guide/

How To upgrade to UR1 https://blogs.technet.microsoft.com/kevinholman/2016/10/22/ur1-for-scom-2016-step-by-step/

 

Here is the 2016 System Center SQL matrix (SCOM)

https://technet.microsoft.com/en-us/system-center-docs/system-requirements/sql-server-version-compatibility

System Center 2012 R2 Matrix (SCOM)

https://technet.microsoft.com/en-us/library/dn281933.aspx

 

Not quite related, but in case SCCM is to be upgraded (SCCM does show support for all SQL versions)

https://technet.microsoft.com/en-us/library/gg682077.aspx#Configurations for the SQL Server Site Database

Why not to use Local System for your core SCOM accounts


Stay with me here; this is for the SCOM management group installation.

 

So first, let’s research and figure out what the experts are doing, and what install guides exist.

Researching expert published documentation helps us understand the options, and we can dive into some of the reasons why.

 

SCOM Security

[Screenshot: Kevin Holman’s SCOM security blog post]

(KH blog)

 

 

SQL rights and roles

[Screenshot: the SCOM SQL account rights mapping spreadsheet]

(KH blog here to download the XLS; it applies to 2012 and 2016 as well)

 

Experts separate out the various functions into dedicated IDs

 

The reason for multiple IDs is to lower the risk (less exposure if one ID is locked out, expired or disabled)

— If you use one ID for all SCOM functions and something happens to that ID, your SCOM environment stops working.

— There’s always some associated risk with either scenario, LocalSystem or IDs (see the UK blog on decrypting RunAs IDs)

If that is a concern, here is some great advice from Kevin Holman:

  1. Control who has access to SCOM
  2. Control who has access to the servers using RunAs accounts, that are monitored by SCOM.

If you have lost control of local admin on a server, you are compromised, and I am not sure how gaining access to a RunAs account is no worse in some sense.

By the way – this is the entire reason “more secure” was introduced in SCOM 2007R2, to limit distribution of credentials only to servers that required it, to limit the potential for a local attack.

 

Another option (not recommended) is using Local System

— You cannot log in to the system to verify access concerns (quite honestly, this is why someone might sanction this approach)

— Scripts run as Local System can be terminated, allowing a command window with Local System access

— Depending on which services run as LocalSystem, this could grant elevated privileges (for example on a Domain Controller)

[Screenshot: the Local System account shown on a service]

— If ‘Local System’ is used for the core SCOM environment, a change made to the Local Security Policy or to group policy can break the environment.

Local Security Policy snapshot

[Screenshot: Local Security Policy]

Security Options

[Screenshot: Security Options under Local Security Policy]

Group Policy

Locking down protocol blog here

[Screenshot: Group Policy settings from the TechNet website]

 

 

 

Hope this helps you decide how to set up your environment.

 

 

Related documentation

2019 Kevin Holman Deployment Guide

2016 Kevin Holman Deployment Guide

2012 R2 Kevin Holman Deployment Guide

Planning 2019 SCOM deployment Guide

Planning 2016 SCOM deployment Guide

2012 Technet Deployment Guide

2007R2 Technet Deployment Guide

 

 

 

Associating MPX files to Notepad++ for MP Fragment Authoring


Sometimes it’s surprising how a simple change can make something easier.

For the UNIX guys in the house, vim, gvim and a good vimrc all helped back in the day to make sure you closed your loops, your true tests, etc.

If you use Notepad++ like I do, especially if you’re creating MP fragments, the easy color coding helps.

So, do you always open the .mpx file and then click Language > XML?

Time to add the file type to the Style Configurator in Notepad++

In Notepad++

Click on Settings

Click on Style Configurator

Highlight XML in the language column

Add .mpx to the ‘User ext. :’ section

Click ‘Save and Close’

[Screenshot: adding .mpx to the User ext. field for XML in the Style Configurator]

Open up your next MP fragment

Spend your time updating your XML, not clicking to format the file!

Save clicks!

Channel9 MSDN site

Need an Easy button to keep your knowledge fresh?


The answer is the Channel 9 website https://channel9.msdn.com/

Subscribe to shows that interest you @ https://channel9.msdn.com/Shows

 

Corey’s channel caught my interest for Azure Network watcher

Network Watcher in Azure https://channel9.msdn.com/Shows/Tuesdays-With-Corey/Tuesdays-with-Corey-with-cool-new-functionality-of-Azure-Network-Watcher

Good to know IaaS features are included that most organizations