Why not to use Local System for your core SCOM accounts


Stay with me here, this is for the SCOM management group installation

 

So first, let’s research and figure out what the experts are doing, and what install guides exist.

Researching expert published documentation helps us understand the options, and we can dive into some of the reasons why.

 

SCOM Security


(KH blog )

 

 

SQL rights and roles


(KH blog here to download the XLS; applies for 2012 and 2016 as well)

 

Experts separate the various functions into dedicated IDs

 

The reason for multiple IDs is to lower the risk (less exposure if one ID is locked out, expired, or disabled)

— If you use one ID for all SCOM functions and something happens to that ID, your SCOM environment stops working.

— There is always some associated risk with either scenario, LocalSystem or dedicated IDs (see the UK blog on decrypting RunAs IDs)

If that is a concern, here is some great advice from Kevin Holman

  1. Control who has access to SCOM
  2. Control who has access to the servers using RunAs accounts, that are monitored by SCOM.

If you have lost control of local admin on a server, you are compromised, and I am not sure how gaining access to a RunAs account is no worse in some sense.

By the way – this is the entire reason “more secure” was introduced in SCOM 2007R2, to limit distribution of credentials only to servers that required it, to limit the potential for a local attack.

 

Another option (not recommended) is using Local System:

— You cannot log in to the system with it to verify access concerns (quite honestly, this is why someone might sanction this approach)

— Scripts run as Local System can be terminated, allowing a command window with Local System access

— Depending on which services use LocalSystem, and on which server (such as a Domain Controller), this can grant elevated privileges

— If ‘Local System’ was used for the core SCOM environment, a change to the Local Security Policy or to Group Policy can break the environment.
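Before changing anything, it helps to know which of the core services on a given server actually run as LocalSystem. The script below is an added example, not code from the original post; the three service names are assumptions for a standard management server or agent install, and the LocalSystem-on-a-DC case from the point above is rated higher than the rest.

```powershell
# Added example, not part of the original post: list the core SCOM services on
# this server and flag any that run as LocalSystem. Service names are
# assumptions for a standard install:
#   HealthService = Microsoft Monitoring Agent (System Center Management)
#   OMSDK         = System Center Data Access Service
#   cshost        = System Center Management Configuration
# Note: on a plain agent, HealthService running as LocalSystem is the normal
# default; the concern in the post is the management servers.
$ScomServiceNames = @('HealthService', 'OMSDK', 'cshost')

function Get-ScomServiceAccountReport {
    param([string[]]$ServiceName = $ScomServiceNames)

    # DomainRole 4 (backup DC) or 5 (primary DC): LocalSystem on this box is
    # effectively a domain-level privilege, the case called out above.
    $isDomainController = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $ServiceName -contains $_.Name } |
        ForEach-Object {
            # StartName is 'LocalSystem' for the built-in SYSTEM account,
            # 'NT AUTHORITY\...' for the other built-ins, or DOMAIN\account.
            $runsAsSystem = $_.StartName -eq 'LocalSystem'
            if (-not $runsAsSystem) { $finding = 'OK: dedicated account' }
            elseif ($isDomainController) { $finding = 'HIGH: LocalSystem on a domain controller' }
            else { $finding = 'MEDIUM: LocalSystem; consider a dedicated domain account' }

            [pscustomobject]@{
                Service     = $_.Name
                DisplayName = $_.DisplayName
                RunsAs      = $_.StartName
                State       = $_.State
                Finding     = $finding
            }
        }
}

Get-ScomServiceAccountReport | Format-Table -AutoSize
```

Run it in an elevated PowerShell on each management server; any row other than “OK” is a candidate for moving to one of the dedicated IDs from the Kevin Holman mapping above.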

Local Security Policy snapshot


Security Options


Group Policy

Locking down protocol blog here


 

 

 

Hope this helps you decide how to set up your environment

 

 

Related documentation

2019 Kevin Holman Deployment Guide

2016 Kevin Holman Deployment Guide

2012 R2 Kevin Holman Deployment Guide

Planning 2019 SCOM deployment Guide

Planning 2016 SCOM deployment Guide

2012 Technet Deployment Guide

2007R2 Technet Deployment Guide

 

 

 

Associating MPX files to Notepad++ for MP Fragment Authoring


Sometimes it’s shocking when you make a simple change that helps you do something easier.

For the UNIX guys in the house, using VIM, GVIM, VIMRC, all helped back in the day to make sure you closed your loops, true tests, etc.

If you use Notepad++ like I do, and especially if you’re creating MP fragments, the syntax color coding is a big help.

So, do you always open the .mpx file and then click on Language, XML?

Time to add the file type to the Style Configurator in Notepad++

In Notepad++

Click on Settings

Click on Style Configurator

Highlight XML in the language column

Add .mpx to the ‘User ext. :’ section

Click ‘Save and Close’


Open up your next MP fragment

Spend your time updating your XML not clicking to format the file!

Save clicks!

Channel9 MSDN site

Need an Easy button to keep your knowledge fresh?


The answer is the Channel 9 website https://channel9.msdn.com/

Subscribe to shows that interest you @ https://channel9.msdn.com/Shows

 

Corey’s channel caught my interest for Azure Network watcher

Network Watcher in Azure https://channel9.msdn.com/Shows/Tuesdays-With-Corey/Tuesdays-with-Corey-with-cool-new-functionality-of-Azure-Network-Watcher

Good to know IaaS features are included that most organizations

 

 

 

SCOM Management Pack backup


Ever wish you had a backup of your MP?

 

It’s quite easy

 

Tailor it to your requirements, but you can run this as a scheduled task, an Orchestrator job, etc.

I would recommend running the script on a server with the Operations Manager Shell (or at least add the Operations Manager snap-in on a non-SCOM server)

NOTE: Export-SCOMManagementPack writes sealed management packs out as unsealed XML

 

# Backup management packs to the C drive
# Set up your path; this example uses monadmin\backup
$date = Get-Date -UFormat "%Y-%m-%d"
New-Item -ItemType Directory -Path "C:\monadmin\backup\$date" -Force
Set-Location "C:\monadmin\backup\$date"

# Variants accepted
# Examples – begins with OR, or your company name prefix, or contains Lab
# Replace <CompanyName> with your own MP name prefix before running
Get-SCOMManagementPack -Name OR* | Export-SCOMManagementPack -Path "C:\monadmin\backup\$date"
Get-SCOMManagementPack -Name <CompanyName>* | Export-SCOMManagementPack -Path "C:\monadmin\backup\$date"
Get-SCOMManagementPack -Name *Lab* | Export-SCOMManagementPack -Path "C:\monadmin\backup\$date"

# Backup management packs to the E drive
# Set up your path; this example uses monadmin\backup
$date = Get-Date -UFormat "%Y-%m-%d"
New-Item -ItemType Directory -Path "E:\monadmin\backup\$date" -Force
Set-Location "E:\monadmin\backup\$date"

Get-SCOMManagementPack -Name OR* | Export-SCOMManagementPack -Path "E:\monadmin\backup\$date"
Get-SCOMManagementPack -Name *Lab* | Export-SCOMManagementPack -Path "E:\monadmin\backup\$date"

 

 

New Unix MP’s for 2016 and 2012R2

 

 

If you didn’t catch this (I didn’t), the 2016 Universal Linux Monitoring MP is missing, but is in the 2012R2 bundle

Until the bundle is fixed, don’t forget to grab the Universal Linux Monitoring MP from the 2012R2 bundle


Export the 2012R2 bundle, grab the MP


Import MP into SCOM


 

If that’s just a tad bit annoying, remember Microsoft wants feedback.

Feedback can be about problems, product specific feature requests, and functionality.

 

Use the UserVoice website for SCOM (System Center Operations Manager) https://systemcenterom.uservoice.com/

There are a lot of good features and feedback on the site. If you weren’t aware, the product team uses this to prioritize updates to the product.

Search, vote up feedback for what’s most near and dear to your heart


Fix 2016 Universal Linux Monitoring MP

Universal Linux MP guide needs updating

Temp DB recommendations for SCOM 201x

When someone asks you about TempDB sizing, does your jaw hit the floor?


Time to pull out my handy detective skills


 

Context & Best Practices 
SQL Server uses the tempdb database to store temporary objects. This can include temporary tables, stored procedures, work tables, and row versions. In short, most changes to user databases are routed through the tempdb database. Increasing the number of tempdb data files enables SQL Server to perform more concurrent operations, by distributing activity over multiple physical files.

Tip: Modify the properties of the tempdb data files so they have an identical initial size and growth increment.

 

Support article


 

The Risk Assessment tool (RAS) states

Increase the number of tempdb files in line with best practice guidance. As a general guideline, in an environment where tempdb is used heavily, the number of tempdb data files should be between 0.25 to 1.0 times the number of physical processor cores. On servers with more than eight physical cores, start with eight data files, and then increase or decrease the number of data files as needed.

Example – a 4 core SQL server needs at least 1 TempDB data file (0.25 × 4 cores)
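To turn the guideline into something you can check on the SQL server that hosts the SCOM databases, here is an added example (not part of the original post). It computes the recommended range from the physical core count, then reads the actual tempdb data files and flags the two things the guidance above calls out: too few files, and files that differ in size or growth. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and a local default instance; change -ServerInstance for a named instance.

```powershell
# Added example, not part of the original post: compare this server's tempdb
# data-file layout with the guidance quoted above. Assumes the SqlServer
# module (Invoke-Sqlcmd) and a local default instance.

function Get-TempdbFileRecommendation {
    param([Parameter(Mandatory)][int]$PhysicalCores)
    # Guideline: 0.25 to 1.0 x physical cores; more than 8 cores -> start with 8.
    if ($PhysicalCores -gt 8) {
        return [pscustomobject]@{ Minimum = 8; Maximum = 8; Note = 'more than 8 cores: start with 8, then tune' }
    }
    [pscustomobject]@{
        Minimum = [math]::Max(1, [math]::Ceiling($PhysicalCores * 0.25))
        Maximum = $PhysicalCores
        Note    = '0.25 to 1.0 x physical cores'
    }
}

# Physical cores (NumberOfCores), not logical processors
$cores = (Get-CimInstance -ClassName Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
$rec   = Get-TempdbFileRecommendation -PhysicalCores $cores

# Current tempdb data files: database_id 2 is always tempdb; type 0 = ROWS (data).
# size is in 8 KB pages; growth is pages or a percentage depending on is_percent_growth.
$query = @"
SELECT name, size * 8 / 1024 AS size_mb, growth, is_percent_growth
FROM sys.master_files
WHERE database_id = 2 AND type = 0
"@
$files = @(Invoke-Sqlcmd -ServerInstance 'localhost' -Query $query)

"Physical cores: $cores -> recommended tempdb data files: $($rec.Minimum)-$($rec.Maximum) ($($rec.Note))"
"Current tempdb data files: $($files.Count)"
if ($files.Count -lt $rec.Minimum) {
    "FINDING: fewer data files than the 0.25 x cores floor"
}

# The support-article tip: identical initial size and growth on every file
$distinctSizes  = @($files | Select-Object -ExpandProperty size_mb | Sort-Object -Unique).Count
$distinctGrowth = @($files | Select-Object -ExpandProperty growth  | Sort-Object -Unique).Count
if ($distinctSizes -gt 1 -or $distinctGrowth -gt 1) {
    "FINDING: tempdb data files differ in size or growth increment; make them identical"
}
$files | Format-Table -AutoSize
```

The script only reports; adding or resizing files is an ALTER DATABASE change you would schedule with your DBA, since it touches every database that routes work through tempdb.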

 

Supporting resources
2016 TempDB Database information https://msdn.microsoft.com/en-us/library/ms190768.aspx
TempDB sizing https://msdn.microsoft.com/en-us/library/ms345368.aspx
Optimizing TempDB Performance https://msdn.microsoft.com/en-us/library/ms175527.aspx

Console Errors in the new Active Directory Directory Services MP

New MP released that resolves this – v10.0.2.0 download here

 


 

At least it’s not the Security patch issue when you click on Health/State views, right?

https://support.microsoft.com/en-us/help/3200006/system-center-operations-manager-management-console-crashes-after-you

 

In the SCOM Console

Do you get an error when clicking on Authoring Tab, Management Pack Objects, Overrides?


If you are running the 2012-2016 Active Directory Directory Services v10.0.1.0 MP’s, you most likely get an error

“Microsoft.EnterpriseManagement.Common.ObjectNotFoundException: An object of class ManagementPackClass with ID <guid here>”

 

Unfortunately, the RODC group rule overrides did not reference the Discovery MP that defines the RODC group class.

It’s an awesome MP, and I’m thankful for the new AD MP.

Check out Holman’s blog for all the fun and features.

 

Figure out which management pack has the issue with the ID

To find the offending item from the console error, see this blog.

Blog summary: using the Operations Manager Shell, export the overrides

Get-SCOMOverride | Out-File d:\monadmin\overrides.txt

Search for your GUID to know the ID and what in SCOM that ID is attached to.

Property          : Enabled
XmlTag            : RulePropertyOverride
Rule              : ManagementPackElementUniqueIdentifier=78ee983f-268d-0b99-0ca6-b1ca75c46621
Context           : ManagementPackElementUniqueIdentifier=0903521d-f768-3d26-a0af-ae52f8c09a29
ContextInstance   : 
Enforced          : False
Value             : false
ManagementGroup   : SCOM2012R2
ManagementGroupId : 28b70e43-4655-edfc-6127-ff4a72642488
Identifier        : 1|Microsoft.Windows.Server.AD.2012.Monitoring/31bf3856ad364e35|1.0.0.0|Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesComp.Collection.Override.RODCGroup||
Name              : Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesComp.Collection.Override.RODCGroup

The Rule and Name lines above show an override for a rule named ‘DRA Outbound Bytes Comp’ (compressed)
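Searching the text dump works, but the shell can do the lookup directly. The following is an added example, not code from the original post: it finds every override whose Rule or Context carries the GUID from the error, extracts the management pack that owns each override from the Identifier field, and then asks the management group where the target class is actually defined, which is the MP that needs to be referenced. The GUID value is a placeholder; paste the ID from your own console error.

```powershell
# Added example, not part of the original post: resolve the GUID from the
# console error to the override, the MP carrying it, and the class it targets.
# Run in the Operations Manager Shell. $guid is a constructed placeholder.

function Find-ScomOverrideByGuid {
    param([Parameter(Mandatory)][string]$Guid)
    # Rule and Context print as "ManagementPackElementUniqueIdentifier=<guid>",
    # so compare the string form of each property. Monitor/discovery overrides
    # expose Monitor/Discovery instead of Rule; missing properties read as empty.
    Get-SCOMOverride | Where-Object {
        "$($_.Rule)$($_.Monitor)$($_.Discovery)$($_.Context)" -like "*$Guid*"
    } | Select-Object Name, XmlTag, Context, Identifier
}

function Get-ScomOverrideOwnerMp {
    param([Parameter(Mandatory)]$Override)
    # Identifier looks like: 1|<MP ID>/<public key token>|<version>|<element>||
    (($Override.Identifier -split '\|')[1] -split '/')[0]
}

$guid = '00000000-0000-0000-0000-000000000000'   # placeholder: ID from the console error
$hits = Find-ScomOverrideByGuid -Guid $guid
$hits | Format-List

# Which MP(s) carry the broken overrides and therefore need the extra reference
$hits | ForEach-Object { Get-ScomOverrideOwnerMp -Override $_ } | Sort-Object -Unique

# Where the target class is defined; that is the MP to add under Manifest/References
Get-SCOMClass -Id $guid -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, @{ n = 'DefinedIn'; e = { $_.GetManagementPack().Name } }
```

If the last command returns nothing, the class is not in the management group at all (for example the Discovery MP was never imported), which is a different problem from the missing reference described here.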

 

Now, if you’re impatient like me, and can’t wait for the new sealed MP to fix the console error, here’s how you can fix the MP.

Unseal the three monitoring MP’s

After unsealing the MP, update the RulePropertyOverride(s) for 2012, 2012R2, and 2016 Monitoring management packs, and then import into your SCOM Management group.

MP Viewer How-To, Tool Download

 

Add Referencing MP to the Rule overrides
For 2012 – AD2012Core! was missing (see the Manifest section for the AD2012Core MP info)
For 2012R2 – AD2012R2Core! was missing (see the Manifest section for the AD2012R2Core MP info)
For 2016 – AD2016Core! was missing (see the Manifest section for the AD2016Core MP info)
The RODC group is created with each version of AD Directory Services (2008, 2012, 2016)
In the 2008 MP the overrides exist in the Discovery MP
To correct the 2012, 2012R2 and 2016 MPs, the Discovery MP reference (the alias prefix) must be added to the rule overrides
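This is exactly the kind of mistake a pre-import check catches: every Context, Rule, Monitor or Discovery on an override must either carry an alias that is declared under Manifest/References, or name an element defined in the same MP. The script below is an added example, not code from the original post or from the AD MP. The embedded MP XML is constructed to show one good override and one with the missing prefix; the discovery MP ID in it is a placeholder. For a real unsealed MP, load it with [xml](Get-Content .\file.xml -Raw) instead.

```powershell
# Added example, not part of the original post: validate override references in
# an unsealed MP before import. The XML below is constructed for the demo; the
# Reference ID is a placeholder, not the real Discovery MP ID.

$sampleMp = [xml]@'
<ManagementPack>
  <Manifest>
    <Identity><ID>Sample.AD.Monitoring</ID><Version>1.0.0.0</Version></Identity>
    <References>
      <Reference Alias="AD2012Core">
        <ID>Your.AD2012.Discovery.MP.ID</ID>
      </Reference>
    </References>
  </Manifest>
  <Monitoring>
    <Rules>
      <Rule ID="Sample.DRAOutboundBytesComp.Collection" Enabled="true" Target="AD2012Core!Sample.DomainController" />
    </Rules>
    <Overrides>
      <RulePropertyOverride ID="Sample.Override.Good" Context="AD2012Core!Microsoft.Windows.Server.2012.AD.RODCGroup"
          Rule="Sample.DRAOutboundBytesComp.Collection" Property="Enabled"><Value>false</Value></RulePropertyOverride>
      <RulePropertyOverride ID="Sample.Override.Bad" Context="Microsoft.Windows.Server.2012.AD.RODCGroup"
          Rule="Sample.DRAOutboundBytesComp.Collection" Property="Enabled"><Value>false</Value></RulePropertyOverride>
    </Overrides>
  </Monitoring>
</ManagementPack>
'@

function Test-MpOverrideReferences {
    param([Parameter(Mandatory)][xml]$ManagementPack)

    # Aliases declared in the manifest, and every element ID defined locally
    $aliases  = @($ManagementPack.SelectNodes('//Manifest/References/Reference') | ForEach-Object { $_.GetAttribute('Alias') })
    $localIds = @($ManagementPack.SelectNodes('//*[@ID]') | ForEach-Object { $_.GetAttribute('ID') })

    foreach ($ov in $ManagementPack.SelectNodes('//Overrides/*')) {
        foreach ($attr in 'Context', 'Rule', 'Monitor', 'Discovery') {
            $value = $ov.GetAttribute($attr)
            if (-not $value) { continue }   # attribute not used by this override type

            if ($value -match '^(?<alias>[^!]+)!(?<id>.+)$') {
                $ok  = $aliases -contains $Matches.alias
                $why = if ($ok) { 'alias declared in Manifest/References' }
                       else { "alias '$($Matches.alias)' is not declared in Manifest/References" }
            } else {
                $ok  = $localIds -contains $value
                $why = if ($ok) { 'defined in this MP' }
                       else { "no element with ID '$value' in this MP and no alias prefix; add <Alias>! and the matching Reference" }
            }
            [pscustomobject]@{ Override = $ov.GetAttribute('ID'); Attribute = $attr; Value = $value; Ok = $ok; Detail = $why }
        }
    }
}

Test-MpOverrideReferences -ManagementPack $sampleMp | Format-Table -AutoSize
```

Against the sample, Sample.Override.Bad is reported with Ok = False on its Context, which is the 2012/2012R2/2016 defect in prose form; running the same function over the three unsealed monitoring MPs after you edit them confirms all RODC overrides resolve before you import.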

 

Verify overrides in SCOM Console

Click on Authoring Tab, Management Pack Objects, Overrides

You will see the error “Microsoft.EnterpriseManagement.Common.ObjectNotFoundException: An object of class ManagementPackClass with ID <guid here>”

Through persistence, you may be able to search for Overrides

 

In ‘Look For’ bar, type RODC

Hit enter

Verify there are 4 (fyi there are 4 rules per AD version you have installed in your management group)

 

Remove Sealed AD Monitoring MP’s

Import unsealed MP’s

 

Verify in Console that overrides show up (No Errors seen)

 

Click on Authoring Tab, Management Pack Objects, Overrides

In ‘Look For’ bar, type RODC

Hit enter

 

Verify 16 overrides (4 rules per AD version: 2008, 2012, 2012R2, 2016), or 12 if the AD 2008 packs are not installed

Sample XML for Overrides
<Overrides>
<RulePropertyOverride ID="Microsoft.Windows.Server.2012.AD.DomainController.DRAIntersiteOutBytes.Collection.Override.RODCGroup" Context="AD2012Core!Microsoft.Windows.Server.2012.AD.RODCGroup" Enforced="false" Rule="Microsoft.Windows.Server.2012.AD.DomainController.DRAIntersiteOutBytes.Collection" Property="Enabled">
<Value>false</Value>
</RulePropertyOverride>
<RulePropertyOverride ID="Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesComp.Collection.Override.RODCGroup" Context="AD2012Core!Microsoft.Windows.Server.2012.AD.RODCGroup" Enforced="false" Rule="Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesComp.Collection" Property="Enabled">
<Value>false</Value>
</RulePropertyOverride>
<RulePropertyOverride ID="Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesNotComp.Collection.Override.RODCGroup" Context="AD2012Core!Microsoft.Windows.Server.2012.AD.RODCGroup" Enforced="false" Rule="Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesNotComp.Collection" Property="Enabled">
<Value>false</Value>
</RulePropertyOverride>
<RulePropertyOverride ID="Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesTotal.Collection.Override.RODCGroup" Context="AD2012Core!Microsoft.Windows.Server.2012.AD.RODCGroup" Enforced="false" Rule="Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesTotal.Collection" Property="Enabled">
<Value>false</Value>
</RulePropertyOverride>
</Overrides>

 

Enjoy!


 

 

Supported SQL version for System Center

I’ve also been asked which versions of SQL work with System Center, so here are references for the latest supported SQL version and patch level.

Here is the System Center SQL matrix

2016 https://docs.microsoft.com/en-us/system-center/scom/plan-sqlserver-design?view=sc-om-2016#sql-server-requirements

2019 https://docs.microsoft.com/en-us/system-center/scom/plan-sqlserver-design?view=sc-om-2019#sql-server-requirements

2012R2 https://technet.microsoft.com/en-us/library/dn281933.aspx

Sizing SCOM 2012R2 and 2016

Many times, the question comes up for Microsoft sizing guidelines for Operations Manager/SCOM.  The Sizing Calculator XLS is a great resource to use to help answer some of the storage and SQL DB questions as it relates to the various features you enable in your environment.

The sizing calculator takes features beyond windows agents to help size SQL and storage needs, as well as management servers.

The SCOM Sizing Calculator XLS from TechNet helps determine capacity and storage needs for 2012 and 2016. Here is the download:

http://download.microsoft.com/download/C/A/6/CA60425C-950B-456E-986C-C5F2FCD5668D/System%20Center%202012%20Operations%20Manager%20Sizing%20Helper%20Tool%20v1.xls

Other SCOM features that change the Operations Manager environment

# of Unix Servers

Network monitoring

Application Performance Monitoring (APM)

URL monitoring (transactional and availability)

DB Data retention requirements