Tag: Training

Have a lot of SCOM subscriptions?

You logged into SCOM because someone said they didn’t get a notification

Looked at subscriptions and it’s blank

 

Do you know if you backed up your subscriptions?

 

Hopefully, you read this and back up your management packs

Hope you read this blog, and it saved your life!

 

For those who love the Console UI

You can manually back up the MP

From the SCOM console

Click on the Administration Tab

Click on Management Packs (2012), or Installed Management Packs (2016)

Type ‘notification’ in the ‘Look for:’ bar

Hit Enter

Highlight the ‘Notifications Internal Library’ pack

Click on Export Management Pack

Name your path

Hit OK

 

For simple PowerShell

 

# Backup Management packs to C drive

# Set up your path, this example is monadmin\backup

$date = Get-Date -UFormat “%Y-%m-%d”

c:

cd monadmin\backup

new-item -itemtype directory -path c:\monadmin\backup\$date

cd $date

Get-SCOMManagementPack -Name *Notification* | Export-SCOMManagementPack -Path “C:\monadmin\backup\$date”

 

SQL Engineering Blog

hmmmm

Ever wonder when a SQL MP is published?

Wonder no longer, look for the SQL Engineering Blog!

 

New https://techcommunity.microsoft.com/t5/SQL-Server/bg-p/SQLServer/label-name/SQLReleases

Old – redirect in effect https://blogs.msdn.microsoft.com/sqlreleaseservices/

 

 

Verifying Custom MP overrides are valid when updating sealed MP’s

kidraisedhand

I will raise my hand when asked if I prefer Notepad++ for looking at XML (because I can shrink the sections I’m not concerned about).

 

Using Notepad++ (works best for color and concatenation of XML or quotes in case of syntax errors when editing)

 

Open Overrides management pack (XML)

Click on the (-) for Manifest

Click on the dash (-) for RelationshipTypes

Click on the dash (-) for each Discovery (if it exists)

simplifyingdiscoveryview

 

Verify targets exist in MP’s to be updated

Scroll to the right to view the Targets of your Override management pack

simplifyingview

 

If changes were overrides, look at the Monitor or Rule and verify this is in the pack to be updated

overridesmonitor

 

To understand which MP is being referenced, look at the example – Windows3!

Scroll to the top of your MP and click on the (+) plus sign to expand manifest

mpreference1

 

NOTE Windows3 is the server 2016 Monitoring MP

decodingmpreference

 

Verify your monitor/rule name still exists, and your Override should still apply

In Server Overrides MP, look at the Monitor= section for the Monitor name

verifyoverridemonitorhighlight

 

Go to the Windows Server 2008 Monitoring MP and look for that monitor

There is no monitor for 2008

notepadmonitortypes

 

Alternatively, you can look at the SCOM console as well (if MP is installed)

There is NO 2008 Memory Pages per second monitor

 scomconsolemonitorverify

 

Now to remove the override in our MP

In Notepad++, highlight the MonitorConfigurationOverride section, and delete

monitoroverridehighlight

Rinse and Repeat

Increment the version number and import MP when finished validating overrides.

 

 

Troubleshoot Office 365 SCOM MP Run As account

Run As Account

The Office 365 Run As account is used for Proxy access for an HTTPS connection from SCOM MS to Office 365 portal endpoint.

Must be a domain account, not an Azure account (particularly if they ‘re not the same tenant or AAD associated

Service Accounts are recommended to prevent impact should an employee leave

 

SCOM uses a domain account (example scom_action ID)

Verify that ID is in Azure tenant (contact your Azure Administrator if you don’t have access )

o365applicationazureidverify

To follow best practice, update the Run As account with the service account

o365applicationscomrunascredential

 

Verify Run As account

On SCOM console that there are no Operations Manager event log 7000 events for the ‘run as’ configured ID

Remote Desktop to SCOM MS Server

Verify if the ‘run as’ ID has a valid password

Look in the Operations Manager Event Log for Event ID 7000

Click on Find

Type in the user’s ID from the ‘run as’ account in SCOM

If no entries found, then ID is successfully authenticating against the domain

If errors found, correct ID/Password

Create a new subscription in SCOM to use the auto credentials option

NOTE New subscription may take 5-10 minutes to populate health data

From SCOM console

Click on Administration

Click on the Office 365 wizard

Click Add Subscription

o365applicationscomaddsubscription

 

Add Subscription Name

Click Next

o365applicationscomaddsubscriptionname

SCOM UI will prompt for Azure login

o365applicationscomazureauth

Enter ID and password

Click Sign in to authenticate

 

Click on Monitoring Tab

Click on Office 365 folder

Click on Office 365 Monitoring Dashboard

Verify state on the subscription in question

o365applicationscomnewsubscriptiondashboard

Verify SCOM ID used in O365 Subscription in Azure Portal

Verify SCOM ID used in O365 Subscription in Azure Portal

In Azure Portal

Verify the Application exists ( Azure tenant shows as SCOM O365MP )

o365applicationpermissions

NOTE In the right hand pane the Office 365 Management API’s has Application Permissions, and cannot be selected

o365application-requestpermissionsclean

Click Back to the Settings window

Click on Owners

o365applicationnoownersclean

NOTE NO owners show in this view

Click Add +

In the Add owner window, type the ID

Hit Select to add the user account (This example is the SCOM Service account)

o365application-scomidadded

Have user test

Office 365 subscription not monitored in SCOM

haiku-education-perplexed-bewildered-bemused-mystified-stumped-clipart

Yes this can leave you stumped, and wondering “why?”

 

This can be many parts, so choose carefully

Verify SCOM ID used in o365 subscription in Azure portal

Create a new subscription in SCOM to use the auto credentials option

Office 365 SCOM Run As Account

 

Verify O365 Subscription state in SCOM Console

In the SCOM console

Click on Monitoring Tab

Click on the O365 dashboard

Look at the health state

Error showed ‘endpoint not found’

Working with Azure Admin, we found the SCOM O365MP application did NOT have a service account assigned.

Verify SCOM ‘Run as’ account

Verify ‘run as’ ID (originally employee ID, not service account )

Remote Desktop to SCOM MS Server

Verify if the ‘run as’ ID has a valid password

Look in the Operations Manager Event Log for Event ID 7000

Click on Find

Type in the user’s ID from the ‘run as’ account in SCOM

If no entries found, then ID is successfully authenticating against the domain

If errors found, correct ID/Password in SCOM Console

 

Verify SCOM O365 Azure account

 

In the SCOM console

Click on Administration

Click on the O365 Wizard

Highlight the subscription

Choose Edit Subscription

 

Test ID (tested the Service Account)

With the radio button selected at ‘Use auto-created Azure Service Principal’

NOTE Name here is for SCOM purposes and does not have to match Azure Portal Application Name

o365applicationscomaddsubscriptionname

Click Next

SCOM UI will prompt for Azure login

o365applicationscomazureauth

Enter ID and password

Click Sign in to authenticate

 

If error is ‘Authentication Fails’, contact your Azure Administrator for assistance

References

Verify SCOM ID used in o365 subscription in Azure portal

Create a new subscription in SCOM to use the auto credentials option

Office 365 SCOM Run As Account

Why not to use Local System for your core SCOM accounts

say-what-logo1

Stay with me here, this is for the SCOM management group installation

 

So first, let’s research and figure out what the experts are doing, and what the install guides exist.

Researching expert published documentation helps us understand the options, and we can dive into some of the reasons why.

 

SCOM Security

scom-kh-securityblogcapture

(KH blog )

 

 

SQLRights and roles

scom-sql_accountrightsmapping

(KH blog here to download the XLS (applies for 2012,2016 as well)

 

Experts separate out the various functions into dedicated ID’s

 

The reason for multiple ID’s is to lower the risk (less vulnerability if one ID is locked out, expired, disabled)

— If you use one ID for all SCOM functions, and something happens to the ID, your SCOM environment stops working.

— There’s always some associated risk with either scenario for LocalSystem or ID’s (decrypt RunAs ID’s UK blog )

If that is a concern, here is some great advice from Kevin Holman

  1. Control who has access to SCOM
  2. Control who has access to the servers using RunAs accounts, that are monitored by SCOM.

If you have lost control of local admin on a server, you are compromised, and I am not sure how gaining access to a RunAs account is no worse in some sense.

By the way – this is the entire reason “more secure” was introduced in SCOM 2007R2, to limit distribution of credentials only to servers that required it, to limit the potential for a local attack.

 

Another option (not recommended) is using Local System

— Cannot login to system to verify access concerns (quite honestly is why someone might sanction this approach)

— Scripts run as local system can be terminated, allowing a command window with Local System access

— Depending on which services LocalSystem is used, this could grant elevated privileges (like a Domain Controller DC)

localsystemaccount

— If ‘Local System’ was used for the core SCOM environment, a change made to the Local Security Policy, or group policy can break the environment.

Local Security Policy snapshot

localsystem-localsecuritypolicy

Security Options

localsystem-securityoptions-localsecuritypolicy

Group Policy

Locking down protocol blog here

gpo-snapshot-technetwebsite

 

 

 

Hope this helps you decide the ‘how to’ set up your environment

 

 

Related documentation

2019 Kevin Holman Deployment Guide

2016 Kevin Holman Deployment Guide

2012 R2 Kevin Holman Deployment Guide

Planning 2019 SCOM deployment Guide

Planning 2016 SCOM deployment Guide

2012 Technet Deployment Guide

2007R2 Technet Deployment Guide

 

 

 

Associating MPX files to Notepad++ for MP Fragment Authoring

holyschnikes

Sometimes it’s shocking when you make a simple change that helps you do something easier.

For the UNIX guys in the house, using VIM, GVIM, VIMRC, all helped back in the day to make sure you closed your loops, true tests, etc.

If you use Notepad++ like I do, let alone if you’re creating MP fragments, it helps for the easy color coding.

SO, do you always open the .mpx file and then click on Language, XML?

Time to add the file type to the Style Configurator in Notepad++

In Notepad++

Click on Settings

Click on Style Configurator

Highlight XML in the language column

Add .mpx to the ‘User ext. :’ section

Click ‘Save and Close’

notepadaddmpx

Open up your next MP fragment

Spend your time updating your XML not clicking to format the file!

Save clicks!

Channel9 MSDN site

Need an Easy button to keep your knowledge fresh?

easybutton

The answer is the Channel 9 website https://channel9.msdn.com/

Subscribe to shows that interest you @ https://channel9.msdn.com/Shows

 

Corey’s channel caught my interest for Azure Network watcher

Network Watcher in Azure https://channel9.msdn.com/Shows/Tuesdays-With-Corey/Tuesdays-with-Corey-with-cool-new-functionality-of-Azure-Network-Watcher

Good to know IaaS features are included that most organizations