OpsMgr 1801 All in One – Quick Start Deployment Guide

Maybe you want to play with the new SCOM version like me?

Following Kevin Holman’s Quick Start Deployment Guide for SCOM 2016, build out an All in One server (management server, SQL, and consoles on a single box).

High Level Deployment Process:

1.  In AD, note the IDs and groups used for Operations Manager for the technical preview

2.  Install Windows Server 2016 to all server role servers

3.  Install Prerequisites and SQL 2016.

4.  Install the Management Server and Database Components

5.  Deploy Agents

6.  Import Management packs

7.  Set up security (roles and run-as accounts)

Prerequisites:

1.  Install Windows Server 2016 on Server

2.  Join server to domain.

3.  Install the Report Viewer controls from https://www.microsoft.com/en-us/download/details.aspx?id=45496

          NOTE: If SQL is installed on the MS (remember, this is an All in One server), “Microsoft System CLR Types for SQL Server 2014” (ENU\x64\SQLSysClrTypes.msi) is not needed. SQL SysClrTypes are available here: https://www.microsoft.com/en-us/download/details.aspx?id=42295

4.  Install all available Windows Updates.

5.  Add the “OMAdmins” domain global group to the Local Administrators group on each server.

6. Install IIS on any management server that will also host a web console:

Open PowerShell (as an administrator) and run the following:

Add-WindowsFeature NET-WCF-HTTP-Activation45,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Request-Monitor,Web-Filtering,Web-Stat-Compression,Web-Mgmt-Console,Web-Metabase,Web-Asp-Net,Web-Windows-Auth -Restart

Note:  The server needs to be restarted at this point, even if you are not prompted to do so.  If you do not reboot, you will get false failures about prerequisites missing for ISAPI/CGI/ASP.NET registration.

7. Install SQL 2016 to the server

  • Setup is fairly straightforward. This document will not go into details and best practices for SQL configuration. Consult your DBA team to ensure your SQL deployment is configured for best practices according to your corporate standards.
  • Run setup, choose Installation > New SQL Server stand-alone installation…

 

When prompted for feature selection, install ALL of the following:

  • Database Engine Services
  • Full-Text and Semantic Extractions for Search

Then continue through the setup wizard:

  • On the Instance configuration, choose a default instance, or a named instance. Default instances are fine for testing, labs, and production deployments. Production clustered instances of SQL will generally be a named instance. For the purposes of the POC, choose default instance to keep things simple.
  • On the Server configuration screen, set SQL Server Agent to Automatic.  You can accept the defaults for the service accounts, but I recommend using a Domain account for the service account.  Input the DOMAIN\sqlsvc account and password for Agent, Engine, and Reporting.
  • On the Collation tab – accept the default, which is SQL_Latin1_General_CP1_CI_AS
  • On the Account provisioning tab – add your personal domain user account and/or a group you already have set up for SQL admins. Alternatively, you can use the OMAdmins global group here. This will grant more rights than is required to all OMAdmin accounts, but is fine for testing purposes of the POC.
  • On the Data Directories tab – set your drive letters correctly for your SQL databases, logs, TempDB, and backup.
  • Choose Install, and setup will complete.
  • You will need to disable Windows Firewall on the SQL server, or make the necessary modifications to the firewall to allow all SQL traffic.  See http://msdn.microsoft.com/en-us/library/ms175043.aspx
  • When you complete the installation – you might consider also downloading and installing SQL Server Management Studio Tools from the installation setup page, or https://msdn.microsoft.com/en-us/library/mt238290.aspx

SCOM Step by step deployment guide:

 

1.  Install the Management Server role on SCOM1.

  • Log on using your personal domain user account that is a member of the OMAdmins group, and has System Administrator (SA) rights over the SQL instances.
  • Run Setup.exe

  • Click Install

 

  • Select the following, and then click Next:
    • Management Server
    • Operations Console
    • Web Console

  • Accept or change the default install path and click Next.

 

  • You might see an error from the Prerequisites here. If so – read each error and try to resolve it.

 

  • On the Proceed with Setup screen – click Next.

 

  • On the Specify an installation option screen – choose to create the first management server in a new management group.
  • Give your management group a name. Don’t use any special or Unicode characters, just simple text.
  • KEEP YOUR MANAGEMENT GROUP NAME SIMPLE, and don’t put version info in there.
  • Click Next.

  • Accept the license.  Click Next.

  • On the Configure the Operational Database screen, enter the name of your SQL server and instance.
  • In my case this is “18MSB01”.
  • Leave the port at default unless you are using a special custom fixed port.
  • If necessary, change the database locations for the DB and log files.
  • I changed the default size to 5000 MB for now.
  • Click Next.

 

  • On the Configure the Data Warehouse Database screen, enter the name of your SQL server and instance.
  • In my case this is “18MS01”.
  • Leave the port at default unless you are using a special custom fixed port.
  • If necessary, change the database locations for the DB and log files.
  • I changed the default size to 5000 MB. Click Next.

  • On the Web Console screen, choose the Default Web Site, and leave SSL unchecked. If you have already set up SSL for your default website with a certificate, you can choose SSL.  Without SSL the web console session, including any forms-based logon under Mixed authentication, crosses the network in the clear, so leaving it unchecked is a lab-only choice.  Click Next.

  • On the Web Console authentication screen, choose Mixed authentication and click Next.

  • On the accounts screen, change the accounts to Domain Account for ALL services.
  • Enter the unique DOMAIN\OMAA, DOMAIN\OMDAS, DOMAIN\OMREAD, and DOMAIN\OMWRITE accounts we created previously.
  • It is a best practice to use separate accounts for distinct roles in OpsMgr, although you can also just use the DOMAIN\OMDAS account for all SQL Database access roles (Data Access, Reader, and Writer accounts) to simplify your installation.
  • Click Next.

  • On the Diagnostic and Usage Data screen, click Next.

 

  • Microsoft Update screen – choose to use updates or not.  Click Next
  • Click Install

 

  • Watch Installation progress.

  • After a few minutes, when installation completes, click Close.

  • The Management Server will be very busy (CPU) for several minutes after the installation completes. Before continuing it is best to give the Management Server time to complete all post install processes, complete discoveries, database sync and configuration, etc. 10 minutes is typically sufficient.

Verify Console

Login to Management Group

Import Management Packs

Import your preferred management packs

Continue with Optional Activities

Verify any errors in the Operations Manager Event logs

Note that the Maintenance permissions issue is still present

Operations Manager Event logs

SCOM 1801 dashboards (previously 1711)

Here dashboard, dashboard…

Come out, come out wherever you are!

Looking at SCOM dashboards in the new Technical Preview had me wondering.

I was totally excited after Ignite for System Center v.Next…

Start at 16:34 in the video – BRK1023 https://myignite.microsoft.com/videos/54778

Found the documents before I found the actual widgets

HTML5 overview https://docs.microsoft.com/en-us/system-center/scom/manage-overview-html5-webconsole?view=sc-om-1801

What’s new in 1801 https://docs.microsoft.com/en-us/system-center/scom/what-is-new-1801?view=sc-om-1801

Release Notes https://docs.microsoft.com/en-us/system-center/scom/release-notes-1801?view=sc-om-1801

 

What’s new in 1711 https://docs.microsoft.com/en-us/system-center/scom/what-is-new-1711?view=sc-om-1711

Release notes https://docs.microsoft.com/en-us/system-center/scom/release-notes-tp1711?view=sc-om-1711

 

We have lots of widgets to choose from

 

Unfortunately, the SQL MP visualizations are not yet HTML5 🙁

Web Console, well, okay, I can play

Alert Widget

Scope – Setup for a group or class (my example is All Windows Computers group, could be SQL Servers, SharePoint Servers, etc.)

Criteria – Selected Severity = Warning or Critical, changed Alert age to 1 day (default was 7)

Display – No changes made

Select Columns to display – looks like all the console options when you click on ‘Personalize view’

Group by – Last modified was selected

Completion – Click on Save Widget

Saving widget

Alert Widget

State Widget

Scope – Setup for a group AND class (my example is All Windows Computers group, could be SQL Servers, SharePoint Servers, etc.)

Criteria – Selected Severity = Warning or Critical

Display

Selected 4 columns  (Health, Display Name, Path, Principal Name )

Group by – Health

Completion – Named widget and added Description

Click on Save Widget

Saved State Widget (NOTE no unhealthy Windows computers)

Performance Widget

Scope – Setup for a group AND class (my example is SQL Server Computers, could be All Windows Computers, or SharePoint Servers, etc.)

Metrics – Use filter by keyword

Search string = Memory

Selected = Stolen Server Memory

Criteria – Time Range default is 24 hours

Recommend dropping time to 1-4 hours to display less data

Display – Left Default

Note the difference: the visualizations checkbox is counterintuitive (unchecking it gives the visual graph)

Completion – Named widget and added Description

Click on Save Widget

Performance Widget (visualizations check box checked, NOTE NO visual)

Performance Widget (visualizations check box UN-checked)

Tile Widget

Simple, can setup for a group or class

Click on Save Widget

Topology Widget

Gotta have a little fun, right!?

Click on Save Widget

Tile and Topology Dashboards

Now let’s continue this further next week!

SCOM 1711 – Technical Preview for upcoming 1801

If you’re not aware, System Center will start doing 6 month releases, named YYMM (two-digit year, two-digit month)

Example: SCOM released in Jan 2018 is 1801, then 180x, 190x, etc.

Technical previews will also exist prior (currently 1711 – the technical preview for 1801).

Register for Technical Preview

Evaluate and download https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-release

Save appropriate product(s)

 

Extract the ISO files

Go to the path where the files were saved

Double click on the file to extract

Click on Run to run the file

Answer Yes to the UAC prompt

Click ‘I accept’ for the EULA

Click Next to begin the setup wizard

Select Path to save file

Click Next

 

File extract completes

Click Finish

Looks like SCOM ISO

Now it’s time to grab Holman’s quick start guide and set up new servers for 1801 management group (if you don’t already have the steps down pat!)

 

Logical Disks Dynamic Group

So what do you do when a team comes to you and asks for different values for logical disk alerts?

 

Work smarter vs. harder!

 

Harder

Use Explicit groups

As an Admin, someone should not have to update groups every time a server or app changes in the environment.

 

Smarter

Use Dynamic groups

One better, use regular expressions (see Kevin Holman’s blog if you need a refresher)

Great background information

Holman had a great article to make groups of logical disks

TechNet had some good example references in this wiki

Forum article where John Joyner (MVP) listed a way to make a dynamic group

Groups can consist of objects in a primary class and can also include Windows Computer attributes

How can this apply to your environment?

Is there a unique attribute for the class you’ve chosen, or possibly to include Windows Computer class properties?

In my experience, the Windows Computer class can be utilized to better specify the criteria, using Principal Name, NetBIOS name, etc.

Let’s walk through the Logical Disk class attributes, and understand that we can look at both the class itself and the Windows Computer class.

From the SCOM Console

Click on the Monitoring Tab

Click on Discovered Inventory

On the Tasks pane (right hand pane), click on change target type

I chose Windows Server 2016 Logical Disk (corresponding classes exist for the 2008 and 2012 class structures)

Are there any unique class/object properties where we can differentiate?

Path stands out, possibly size

Display Name/Device Identifier/Device Name are of course the drive letter

 

Create a Dynamic group

From the SCOM Console

Click on the Authoring Tab

Click on Groups

On Task pane, click on ‘Create New group’

 

Name the group

Recommend naming convention – my example is TEAM Logical Disk group (where TEAM could be SQL, SharePoint, Exchange, Skype, etc.)

Don’t forget to add description comments to help the next guy who’s tracking down details!

Create Management pack, or add to the Team’s overrides or customizations management pack.

 

Click Next twice (to get to Dynamic Members tab)

Click Create/Edit Rules

 

Choose class

Our example was ‘Windows Server 2016 Logical Disk’

Click Add

 

Click the Property Drop down

 

Note the options – and refer back to your notes in the Discovered Inventory from the Monitoring Tab

The three D’s in the middle – Device Identifier, Device Name, and Device Description were all the drive letter

I chose Device Name as it seemed the logical choice

 

Click Insert + to add another property

Click again on the Class properties

Select the bottom choice – (Host=Windows Computer)

Select Principal name

In my case, the servers met a specific naming convention for the server name

 

In the Operator Column, choose ‘Matches regular expression’

In the Value field, enter your regular expression

 

My example is (?i)16[md]

Go back to my Discovered inventory output

Dissect the regular expression

(?i) case insensitive (don’t care upper or lower case – back to Unix roots!)

16m or 16d is in the server name

Click OK

Click Next twice to create group (and bypass Sub Groups, Excluded Members)

Click Create Group

Click Close

Verify expression

From the Authoring pane

Click on the Group and either right click ‘View Group members’, or in the task pane, click ‘View Group members’

Practice using regular expressions to get the desired results!
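One way to practice is to dry-run the group rule outside the console. The PowerShell below is an added example, not code from the original post: it evaluates the post's expression (?i)16[md] against a constructed copy of the Discovered Inventory rows (hypothetical server names, not real inventory). SCOM's "Matches regular expression" operator and PowerShell's -match both use the .NET regex engine, so the pattern behaves the same in both places. The Device Name pattern is an assumption standing in for whatever you chose in the first rule row.

```powershell
# Added example, not from the original post: dry-run the dynamic group
# criteria against a constructed copy of the Discovered Inventory output
# before saving the group. SCOM evaluates "Matches regular expression"
# with the .NET regex engine, and PowerShell's -match uses the same engine,
# so the pattern behaves identically here and in the console.

# Constructed sample rows (hypothetical servers; not real inventory)
$inventory = @(
    [pscustomobject]@{ DeviceName = 'C:'; PrincipalName = '16MS01.testlab.net' },
    [pscustomobject]@{ DeviceName = 'D:'; PrincipalName = '16ms01.testlab.net' },
    [pscustomobject]@{ DeviceName = 'C:'; PrincipalName = '16DB02.testlab.net' },
    [pscustomobject]@{ DeviceName = 'C:'; PrincipalName = '16WEB03.testlab.net' },
    [pscustomobject]@{ DeviceName = 'E:'; PrincipalName = 'SQL16M01.testlab.net' }
)

function Test-DynamicGroupRule {
    param(
        [Parameter(Mandatory)] [object[]] $Disks,
        # Assumption: the Device Name criterion accepts any drive letter
        [string] $DeviceNamePattern    = '^[A-Z]:$',
        # The expression from the post
        [string] $PrincipalNamePattern = '(?i)16[md]'
    )
    foreach ($disk in $Disks) {
        # Both rows of the group rule must be true (AND), as in the console
        $inGroup = ($disk.DeviceName -match $DeviceNamePattern) -and
                   ($disk.PrincipalName -match $PrincipalNamePattern)
        [pscustomobject]@{
            PrincipalName = $disk.PrincipalName
            DeviceName    = $disk.DeviceName
            InGroup       = $inGroup
        }
    }
}

'Unanchored pattern (?i)16[md], as written in the post:'
Test-DynamicGroupRule -Disks $inventory | Format-Table -AutoSize

# The unanchored pattern also matches SQL16M01, because "16M" appears
# anywhere in the name. Anchoring to the start of the Principal Name
# keeps only hosts whose names begin with 16m or 16d.
'Anchored pattern (?i)^16[md]:'
Test-DynamicGroupRule -Disks $inventory -PrincipalNamePattern '(?i)^16[md]' | Format-Table -AutoSize
```

The second run shows why it pays to look at the group membership after saving: a substring match pulls in any host with 16m or 16d anywhere in its name, while the ^ anchor restricts the group to the naming convention you actually intended.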

 

 

Now it’s time to go off and override the monitor for the newly created group!

 

OMS/Advisor Event ID 55002

 

This article is written for the GatewayCommunicationSecurityException event

At first I thought maybe this was TLS1.2 enabling, but after I backed off the change, the events kept pouring in every 5 minutes.

Tried to reconfigure the OMS/Advisor environment, and voila! Error resolved

Let’s go through the steps to re-configure the Operations Management Suite (OMS) in SCOM

Reconfigure OMS

  1. From the SCOM Console, click on Administration tab
  2. Expand Operations Management Suite (Advisor on 2012R2)
  3. Click on the Connection
  4. On the center pane, click on Re-configure Operations Management Suite

 

5. Add any trusted sites to IE if there are pop-ups

I had 2 missing websites

Secure.aadcdn.microsoftonline-p.com

az416426.vo.msecnd.net

(I hit Previous and Next to verify the wizard would pass, with the hope that the attempt would retry)

6. Exit the Reconfigure wizard to get a retry (then the second website popped up as an untrusted site)

7. Enter credentials to your OMS environment

 

Connection to OMS successful

 

Click Next twice

Reconfigure success

Click Close

 

Verify Event Log

Verify Operations Manager Event Log has no new events (this check runs every 5 minutes by default)

Get-EventLog -LogName "Operations Manager" | Where-Object { $_.EventID -eq 55002 } | Select-Object -Last 2

Event ID 55002 from Operations Manager Event Log

Log Name:      Operations Manager
Source:        Advisor
Date:          12/11/2017 2:15:20 PM
Event ID:      55002
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      16MS01.testlab.net
Description:
Failed to synchronize the latest Management Package information from Advisor Cloud service. Wait for the next cycle to retry. Reason: Microsoft.SystemCenter.Advisor.Common.WebService.GatewayCommunicationSecurityException: Message security was invalid for the connection with web service when performing Get Intelligence Packs with client specified versions ---> System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.
--- End of inner exception stack trace ---

Server stack trace:
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Request(Message message, TimeSpan timeout)

Exception rethrown at [0]:
at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
at System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetTokenCore(TimeSpan timeout)
at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
at System.ServiceModel.Security.Tokens.IssuedSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
at System.ServiceModel.Security.SecurityProtocol.TryGetSupportingTokens(SecurityProtocolFactory factory, EndpointAddress target, Uri via, Message message, TimeSpan timeout, Boolean isBlockingCall, IList`1& supportingTokens)
at System.ServiceModel.Security.TransportSecurityProtocol.SecureOutgoingMessageAtInitiator(Message& message, String actor, TimeSpan timeout)
at System.ServiceModel.Security.TransportSecurityProtocol.SecureOutgoingMessage(Message& message, TimeSpan timeout)
at System.ServiceModel.Security.SecurityProtocol.SecureOutgoingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [1]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.AttachedServices.WebService.IIntelligenceService.GetIntelligencePacksInfo(ClientProperties clientProperties)
at Microsoft.SystemCenter.Advisor.Core.WebService.WebServiceCallHelper.CallWebService[T](Func`1 webServiceCall, String webServiceDescription)
--- End of inner exception stack trace ---
at Microsoft.SystemCenter.Advisor.Core.WebService.IntelligenceServiceClient.CallWebServiceWithRetry[T](Func`2 function)
at Microsoft.SystemCenter.Advisor.Core.WebService.IntelligenceServiceClient.GetIntelligencePacksInfo(ClientProperties clientProperties)
at Microsoft.SystemCenter.Advisor.Core.IntelligencePackWriteAction.UpdateIntelligencePacks()
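
Because the sync retries every 5 minutes, a recurring check that tells "still failing token authentication" apart from any other reason is worth having. The PowerShell below is an added example, not code from the original post or from Microsoft: it parses the Description of a 55002 event into its chain of exception types and the ID-style fault code (ID3242 in the event above), and a second function applies the parser to live events from the Operations Manager log. The sample text is constructed from the event shown above.

```powershell
# Added example, not from the original post: parse the Description of an
# Advisor/OMS event 55002 into its exception chain and fault code, so a
# scheduled check can tell "token auth still failing" from other causes.
# The sample text below is constructed from the event shown in the post.

$sampleDescription = @'
Failed to synchronize the latest Management Package information from Advisor Cloud service. Wait for the next cycle to retry. Reason: Microsoft.SystemCenter.Advisor.Common.WebService.GatewayCommunicationSecurityException: Message security was invalid for the connection with web service when performing Get Intelligence Packs with client specified versions ---> System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.
'@

function ConvertFrom-AdvisorSyncFailure {
    param([Parameter(Mandatory)] [string] $Description)
    # Exception type names in the chain are fully qualified and end in "Exception:"
    $chain = [regex]::Matches($Description, '([A-Za-z0-9_.]+Exception):') |
        ForEach-Object { $_.Groups[1].Value }
    # Fault identifiers in these messages look like ID3242
    $faultMatch = [regex]::Match($Description, '\bID\d{4}\b')
    $faultCode  = if ($faultMatch.Success) { $faultMatch.Value } else { $null }
    [pscustomobject]@{
        Outer            = $chain | Select-Object -First 1
        Innermost        = $chain | Select-Object -Last 1
        FaultCode        = $faultCode
        TokenAuthFailure = ($faultCode -eq 'ID3242')
    }
}

function Get-RecentAdvisorSyncFailures {
    # Live check: the most recent 55002 events (the sync cycle is 5 minutes)
    param([int] $MaxEvents = 5)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 55002 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($evt in $events) {
        $parsed = ConvertFrom-AdvisorSyncFailure -Description $evt.Message
        $parsed | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $evt.TimeCreated -PassThru
    }
}

# Offline demonstration on the constructed sample
ConvertFrom-AdvisorSyncFailure -Description $sampleDescription | Format-List
```

On the sample, Outer is the GatewayCommunicationSecurityException, Innermost is System.ServiceModel.FaultException, and TokenAuthFailure is True. If a reconfigure clears the error, Get-RecentAdvisorSyncFailures should return nothing new after the next 5 minute cycle.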

VSAE support for 2017

VSAE support for VS2017 has been released!

https://systemcenterom.uservoice.com/forums/293064-general-operations-manager-feedback/suggestions/18560653-updated-vsae-to-support-visual-studio-2017

VSAE download https://www.microsoft.com/en-us/download/details.aspx?id=30169

MomTeam Blog https://techcommunity.microsoft.com/t5/System-Center-Blog/System-Center-Visual-Studio-Authoring-Extension-VSAE-support-for/ba-p/351872

Ruling out SCOM as the cause of SCHANNEL events

Ruling out SCOM notifications as the cause of SCHANNEL events

Still getting SCHANNEL error events and want to rule out SCOM?

Management pack SQL events https://kevinjustin.com/blog/2017/11/08/sql-native-client-for-tls1-2/

SCHANNEL ciphers debugged https://kevinjustin.com/blog/2017/11/08/schannel-event-logging/

What command Channels are set up for notifications?

Validate Subscriptions aren’t the cause for email/text

Exchange 2013 and above typically use S/MIME to digitally sign/encrypt messages

 

Email communication can cause System 36871 events https://support.microsoft.com/en-us/help/305088/schannel-error-message-36871-when-receiving-an-ehlo-smtp-command

Do the events correlate with emailed alerts?

Tracing Notifications http://blog.scomskills.com/enable-tracing-of-the-notification-component-om07/
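The correlation question above can be answered with timestamps before reaching for tracing. The PowerShell below is an added example, not code from the original post: for each System log 36871 event it finds the nearest notification delivery time and flags the event as correlated when the gap is inside a window (30 seconds is an assumption; tune it to your channel's latency). The event and notification times are constructed; the commented line at the end shows where live Get-WinEvent output would go.

```powershell
# Added example, not from the original post: check whether System log 36871
# SCHANNEL events line up in time with SCOM notification deliveries.
# The two collections below are constructed; in a live check replace them
# with Get-WinEvent output and the send times from your notification
# tracing or the Operations Manager log.

$schannelEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2017-11-08 09:00:05'; Id = 36871 },
    [pscustomobject]@{ TimeCreated = [datetime]'2017-11-08 13:30:00'; Id = 36871 },
    [pscustomobject]@{ TimeCreated = [datetime]'2017-11-09 09:00:12'; Id = 36871 }
)
$notificationTimes = @(
    [datetime]'2017-11-08 09:00:00',
    [datetime]'2017-11-09 09:00:00'
)

function Find-CorrelatedSchannelEvents {
    param(
        [Parameter(Mandatory)] [object[]]   $Events,
        [Parameter(Mandatory)] [datetime[]] $NotificationTimes,
        # Assumption: a notification and the SCHANNEL error it triggers
        # land within half a minute of each other
        [int] $WindowSeconds = 30
    )
    foreach ($evt in $Events) {
        # Nearest notification by absolute time difference
        $nearest = $NotificationTimes |
            Sort-Object { [math]::Abs(($_ - $evt.TimeCreated).TotalSeconds) } |
            Select-Object -First 1
        $delta = ($evt.TimeCreated - $nearest).TotalSeconds
        [pscustomobject]@{
            EventTime      = $evt.TimeCreated
            Id             = $evt.Id
            NearestNotify  = $nearest
            DeltaSeconds   = [math]::Round($delta, 1)
            Correlated     = ([math]::Abs($delta) -le $WindowSeconds)
        }
    }
}

$report = Find-CorrelatedSchannelEvents -Events $schannelEvents -NotificationTimes $notificationTimes
$report | Format-Table -AutoSize

$uncorrelated = @($report | Where-Object { -not $_.Correlated }).Count
"Events not explained by a notification: $uncorrelated"

# Live variant on a management server (uncomment to use):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 36871 } -MaxEvents 200
# Find-CorrelatedSchannelEvents -Events $live -NotificationTimes $notificationTimes
```

In the constructed data two of the three 36871 events sit a few seconds after a notification and one does not; an uncorrelated remainder is the hint to move on to the cipher suite and management pack checks in the later sections rather than the notification channel.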

 

SCOM ETL traces

Run traces on the suspect MS

2012R2 MS (adjust drive letter according to the drive where SCOM is installed)
cd "D:\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server\Tools"
2012R2 GW (adjust drive letter according to the drive where SCOM is installed)
cd "C:\Program Files\System Center Operations Manager\Gateway\Tools"
2016 MS
cd 'C:\Program Files\Microsoft System Center 2016\Operations Manager\Server\Tools\'

# Stop Tracing
.\StopTracing.cmd
# Clean up old files
Remove-Item C:\Windows\Logs\OpsMgrTrace\* -ErrorAction SilentlyContinue

# Start Traces
.\StartTracing.cmd VER
.\TraceLogSM.exe -stop TracingGuidsNative
.\TraceLogSM.exe -stop TracingGuidsUI

# Wait until a notification fires and validate whether the 36871 SCHANNEL event ID is logged

# Stop and format the trace
.\StopTracing.cmd
.\FormatTracing.cmd

# Review the txt files in C:\Windows\Logs\OpsMgrTrace

SCHANNEL event logging

First, my thanks to Bhuvnesh Kumar for his help!

Time to figure out what’s going on behind the curtain!

Are you seeing System Event Log, Event ID 36871 events?

Why does this matter?

Depending on OS versions and patches, the TLS Cipher Suites may not match on the various SCOM servers.

  1. If you’re setting up TLS1.2, you need the SCOM servers to talk
  2. The bad part is that these events aren’t logged much on the GW but are logged more often on the MS
  3. Sometimes the 36871 events come with 36874, but in my experience they occur after Event Logging is enabled.

The unanswered question is “why are we seeing the 36871 events?”

In my example, the events only happened once a day, roughly 24 hours apart

Event Viewer

Are the events related to the Cipher Suite, or is it a MP trying to run the old SQLOLEDB method?

This article will focus on verifying the Cipher Suite on a server

See this article for MP analysis for SQL methods

SCHANNEL event logging setup

From Holman’s blog (the value is a bitmask: 1 = errors, 2 = warnings, 4 = informational and success events, and the other rows are sums of those):

Decimal   Description
0         Do not log
1         Log Error messages
2         Log Warnings
3         Log Error and Warning messages
4         Log Informational and Success events
5         Log Error, Informational and Success events
6         Log Warnings, Informational and Success events
7         Log Everything (Warnings, Errors, Informational and Success events)

I’d recommend setting it to 3 to see errors and warnings, or 7 to see everything.

Remember to set this back to 1 when done resolving any issues.

Add

From Command Prompt or PowerShell (as administrator):

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "EventLogging" /t REG_DWORD /d 7 /f

Disable

reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "EventLogging"

Verification

reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "EventLogging"

PowerShell verification
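The PowerShell verification, as an added example that is not part of the original post: it decodes any EventLogging value into the wording of the table above using the bit meanings (1 = errors, 2 = warnings, 4 = informational/success), reads the live value from the key path the post uses (reporting when the value is absent), and wraps the reg add from above in a function that takes the level as a parameter. Set-SchannelEventLogging needs an elevated prompt, and the reboot the post calls for still applies after a change.

```powershell
# Added example, not from the original post: decode and verify the SCHANNEL
# EventLogging DWORD. Bit meanings behind Holman's table: 1 = errors,
# 2 = warnings, 4 = informational/success; 3, 5, 6 and 7 are combinations.
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function ConvertFrom-SchannelEventLogging {
    param([Parameter(Mandatory)] [ValidateRange(0, 7)] [int] $Value)
    if ($Value -eq 0) { return 'Do not log' }
    $parts = @()
    if ($Value -band 1) { $parts += 'Error' }
    if ($Value -band 2) { $parts += 'Warning' }
    if ($Value -band 4) { $parts += 'Informational and Success' }
    return 'Log ' + ($parts -join ', ') + ' events'
}

function Get-SchannelEventLogging {
    # Returns the current DWORD, or $null when the value has not been set
    $item = Get-ItemProperty -Path $schannelKey -Name EventLogging -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int] $item.EventLogging
}

function Set-SchannelEventLogging {
    # Same effect as the reg add command above; requires an elevated prompt
    param([Parameter(Mandatory)] [ValidateRange(0, 7)] [int] $Level)
    New-ItemProperty -Path $schannelKey -Name EventLogging -PropertyType DWord -Value $Level -Force | Out-Null
}

# Walk the table to confirm the decoding matches Holman's descriptions
0..7 | ForEach-Object { '{0}  {1}' -f $_, (ConvertFrom-SchannelEventLogging -Value $_) }

# Report the live setting on this server
$current = Get-SchannelEventLogging
if ($null -eq $current) {
    'EventLogging value not present; SCHANNEL is logging at the OS default'
} else {
    'Current EventLogging = {0} ({1})' -f $current, (ConvertFrom-SchannelEventLogging -Value $current)
}

# When troubleshooting is finished, drop back to errors only (post's advice):
# Set-SchannelEventLogging -Level 1
```

Keeping the decode function separate from the registry read makes it easy to check a value pasted from another server's reg query output without touching that server.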

RegEdit Verification

Time to reboot!

Verify SCHANNEL events

Look at the System Event log, and filter for 36880 and 36874 events for clues

36880 provides Cipher Suite details

Event ID 36874 definitely describes the scenario

The easy answer to solve the cipher suite is to ask – is this server patched with the latest security and .NET patches?

After all this, in my example, we confirmed that this simple step had been assumed, and the assumption was inaccurate.

References

36871 event and SCHANNEL events https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786445(v=ws.11)

SChannel error codes https://docs.microsoft.com/en-us/windows/win32/secauthn/schannel-error-codes-for-tls-and-ssl-alerts

SSL errors https://www.experts-exchange.com/questions/28996780/event-id-36871-Schannel.html

Troubleshooting https://docs.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-ssl-related-issues-server-certificate

SQL native client for TLS1.2

Ever try to talk to someone when language is a barrier?

 

Sure, we can run an app, or search our phrase to pronounce, but it’s so much better when we can communicate seamlessly.

 

Post TLS1.2 for SCOM

Let’s talk SQL

Part of TLS1.2 is updating SQL Native Client to talk using a secure client that uses TLS1.2

That means a different executable should be called.

 

Why is that important in SCOM?

Maybe you have management packs that connect to SQL or run external commands.

On the MS, there are multiple clues for various errors on management packs that use SSL or talk to SQL via a non-TLS method.  NOTE this may mean that the SQL DB the management pack is connecting to may need the same pre-req SQL updates to a TLS 1.2 enabled version.

  1. Do you have custom SQL queries being run, CMDB gets, OLE DB Data Source checks?
  2. Any Event ID 1401 or 11854 events in the Operations Manager Event log?
    1. These events identify management pack scripts creating SCHANNEL events
      a. Event ID 1401 event example

Cause

SQLOLEDB connection strings will cause 36871 System Log events

Example (TLS1.0)
sConnectString = "PROVIDER=SQLOLEDB;DATA SOURCE=<databaseServerFQDN>;DATABASE=MSSQLSERVER;trusted_connection=yes"

Use the SQLNCLI11 driver for TLS1.2 connection strings

Example (TLS1.2)
sConnectString = "Provider=SQLNCLI11;DATA SOURCE=<databaseServerFQDN>;DATABASE=MSSQLSERVER;trusted_connection=yes"

Identify
Look for management packs with SQLOLEDB as the connect string to reduce 36871 SCHANNEL events

In Windows Explorer, use the Advanced Options dropdown to select File Contents
In the Search bar (top right), enter SQLOLEDB (example shows SQLNCLI11)
NOTE the SQL Discovery group pack IS compliant

In Windows Explorer, use the Advanced Options dropdown to select File Contents
In the Search bar (top right), enter SQLNCLI11

Additional offenders
HP Topology MP
SQL 2005 discovery MP (discontinued)
SQL Addendum MP’s (will work to update these with Holman)
SharePoint Foundation server (v15.0.4557.1000)
PRE TLS Microsoft.SystemCenter.2007

 

Resolution
Unseal (if necessary), update connection string, and reimport management packs
If Sealed vendor MP, request new MP via support Incident (and/or UserVoice if Microsoft sourced pack)
If Vendor will not release MP’s, accept risk with the logged errors, update MP, or remove from SCOM
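The Identify and Resolution steps can be scripted for a folder of unsealed management pack XML. The PowerShell below is an added example, not code from the original post or any vendor: it searches for connection strings still using the SQLOLEDB provider and prints the SQLNCLI11 form of each line, without modifying the files. The two management pack fragments it scans are constructed sample files written to a temp folder so the scan runs offline; their names, the server name, and the temp folder are all assumptions.

```powershell
# Added example, not from the original post: find management pack XML whose
# connection strings still use the SQLOLEDB provider and show the SQLNCLI11
# replacement for each match. The sample files below are constructed.

# Constructed sample files (hypothetical MP names and server name)
$sampleDir = Join-Path ([System.IO.Path]::GetTempPath()) 'mp-provider-scan'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@'
<Script>
sConnectString = "PROVIDER=SQLOLEDB;DATA SOURCE=sqlhost.example.net;DATABASE=MSSQLSERVER;trusted_connection=yes"
</Script>
'@ | Set-Content -Path (Join-Path $sampleDir 'Contoso.Legacy.MP.xml')
@'
<Script>
sConnectString = "Provider=SQLNCLI11;DATA SOURCE=sqlhost.example.net;DATABASE=MSSQLSERVER;trusted_connection=yes"
</Script>
'@ | Set-Content -Path (Join-Path $sampleDir 'Contoso.Current.MP.xml')

function ConvertTo-Sqlncli11ConnectionString {
    param([Parameter(Mandatory)] [string] $Text)
    # Replace only the provider token; the rest of the connection string is untouched
    return [regex]::Replace($Text, 'Provider\s*=\s*SQLOLEDB\b', 'Provider=SQLNCLI11', 'IgnoreCase')
}

function Find-SqlOleDbProvider {
    param([Parameter(Mandatory)] [string] $Path)
    # Select-String is case-insensitive by default, so PROVIDER= and Provider= both match.
    # Only unsealed XML is scanned; sealed .mp files must be unsealed first (see Resolution).
    Get-ChildItem -Path $Path -Recurse -Include *.xml -File |
        Select-String -Pattern 'Provider\s*=\s*SQLOLEDB\b' |
        ForEach-Object {
            [pscustomobject]@{
                File      = $_.Path
                Line      = $_.LineNumber
                Original  = $_.Line.Trim()
                Suggested = (ConvertTo-Sqlncli11ConnectionString -Text $_.Line).Trim()
            }
        }
}

# Report: one row per offending line (the Contoso.Current file produces none)
Find-SqlOleDbProvider -Path $sampleDir | Format-List
```

Point Find-SqlOleDbProvider at the folder where you keep exported or unsealed management packs; it only reports, so the actual edit, re-seal and reimport stay a deliberate step, and the SQL Native Client 11 update still has to be present on the agents and management servers that run the script.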

 

 

 

Getting started with OMS Update Compliance

Do you already have Upgrade Readiness or Device Health deployed in OMS?

If not, read this blog

 

Need to know more about Windows 10 patch compliance and don’t want to access Config Man (SCCM)?

Update Compliance is the answer!

It’s just as simple as adding the OMS Update Compliance Solution

Click on the Shopping bag (on left hand pane)

Scroll right to Update Compliance

 

Click Add (this will be Add not View, if you don’t already have the solution loaded)

 

Voila! (time elapsed as the solution gathers data every 12 hours)