And the content is even better. Check it out your self and go here.
Tuesday, March 30, 2010
Are MVPs rock stars?
How to configure the SCOM R2 Web Console to use SSL only
For this posting I have used one of mine SCOM R2 test environments based on Windows Server 2008 R2 with an enterprise CA in place. The SCOM R2 Web Console installation uses Windows Authentication. The procedure described in the posting will also work with Web Consoles using the Forms Authentication.
Also good to know is that in this scenario the SCOM R2 Web Console is NOT going to be accessed by any external party. So no external CA is needed here for obtaining a SSL certificate, so the own enterprise CA will suffice.
01 – Test your Web Console
First and foremost, TEST your Web Console while SSL is not in place! Be sure the SCOM R2 Web Console is up & running. Also test it from a system which is NOT the server hosting that Web Console. This way you are sure all is well.
02 - Requesting a certificate
- On the server hosting the SCOM R2 Web Console, start the Internet Information Services 7.0 IIS Manager console and double click on the IIS server.
Double click on the icon Server Certificates.
- The Actions Pane will show the available options. Click Create Domain Certificate.
What? Why I do not choose Create Certificate Request? Good question! This option is at order when an external CA like VeriSign is going to be used. That would be interesting when the SCOM R2 Web Console is going to be accessible for external parties who use systems which are outside your forest where your CA reside.
- The Create Certificate wizard appears with the Distinguished Name Properties options. One of the most important fields here is the Common name field. The name being used here needs to match the name of the website. For this one needs to drop the prefix http:// and the needed port as well. So the web address http://SV01:51908/default.aspx becomes just SV01.
Click Next.
- Hit the Next button near the field Specify Online Certification Authority:
Select your CA and click OK
Give a Friendly Name and click Finish.
- The certificate is successfully created:
03 - Adjusting the Bindings of the Web Console
All these actions are done from the Internet Information Services 7.0 IIS Manager console.
- Go to the node Sites under the IIS server hosting the SCOM R2 Web Console. Select the website which is the SCOM R2 Web Console. In the Actions Pane under the header Edit Site the option Bindings is displayed. Click it.
- Click Add and select as Type: https with Port: 443. From the drop down menu for the SSL Certificate select the earlier created SSL certificate.
Click OK.
- Now two bindings are shown:
Click Close.
04 – Requiring SSL connections only to the SCOM R2 Web Console
All these actions are done from the Internet Information Services 7.0 IIS Manager console. Make sure to have the website which is the SCOM R2 Web Console selected. For this see step 1 of procedure 03.
- In the middle section of the IIS console there is an icon named SSL Settings.
Double click it.
- Change the settings to the website so SSL is required.
In the Action Pane click Apply. This message will be shown:
05 – Adjusting the settings in the SCOM R2 Console
- Open the SCOM R2 Console with SCOM Admin permissions. Go to Administration > Administration > Settings > General > Web Addresses. Double click it.
- Change the settings for the Web Console to https:// and drop the :51908 stuff. Click Apply.
- Click the button Test and check it out:
06 – Redirection from HTTP to HTTPS
HTTP will not work any more and will show a 403.4 error instead. This can be easily circumvented by using some code. This webpage describes exactly how to go about that. It is best to use the option where the custom code page is being used at server level, not at website level.
Friday, March 26, 2010
SCOM Web Console with form based authentication throws an unexpected error
The Application log of tells more about the reason of this error:
and this is what is to be found in the event description:
Exception information: Exception type: HttpException Exception message: The application is configured to issue secure cookies. These cookies require the browser to issue the request over SSL (https protocol). However, the current request is not over SSL. |
So when form based authentication is being used SSL is REQUIRED. So the above mentioned error is BY DESIGN and meant as security measure.
How ever, in order to test the website before implementing SSL (I strongly advise to implement SSL since all the passwords are send over the network in clear text as long SSL is not enabled) one has to perform these steps on the server hosting the Web Console:
- Open an elevated cmd-prompt
- Start Notepad from that cmd-prompt
- In Notepad, open the file web.config located in C:\Program Files\System Center Operations Manager 2007\Web Console
- Change this value:
<authentication mode="Forms">
<forms requireSSL="true" />
</authentication>
to:<authentication mode="Forms">
<forms requireSSL="false" />
</authentication> - Save the file.
Now you can run the SCOM Web Console with form based authentication WITHOUT SSL. But again: use this only for testing purposes. When all is working as intended, make sure to revert to the original settings so SSL is required again.
In a future posting I will describe how to implement SSL on the SCOM R2 Web Console based on IIS 7.0.
EventID 26322: A database exception was thrown in the Operations Manager SDK service.
This posting is provided "AS IS" with no warranties, and confers no rights. Use of the included sql query is at your own risk.
Got this error in one of mine SCOM R2 test environments. I tried to start the SCOM Console but all I got was an error message stating the SDK service wasn’t running. So I checked that first but all was OK. All RMS related services were up and running. Time to checkout the OpsMgr event log on the RMS.
That looks bad. Seems like some serious issues with the SCOM database:
Log Name: Operations Manager |
Time to open SQL Server Management Studio. And yes, the OperationsManager database was in suspect mode. In normal worlds one creates BACKUPS of their systems and databases. But as already stated, this is one of mine test environments WITHOUT a backup plan…
Normally databases don’t die on you like that. But that test environment hadn’t been switched off neatly by me. So I had only myself to blame…
Now what?
But it is only a test environment which is already down the drain for 80%. So I had nothing to loose. Time for some heavy stuff which I normally never ever would do in a real life situation since their is a possibility to wreck it totally. But then again, in real life there are things like working and properly tested BACKUP & RESTORE PLANS in place and servers are switched off in a neatly manner…
So after stopping all SCOM related services on the RMS and MS, I run this query against the OperationsManager database:
EXEC sp_resetstatus OperationsManager; |
It took a while to run but when finished the database was OK again. I started all SCOM related services on the RMS and MS and started the SCOM Console. It ran just fine without a glitch and the OpsMgr event log on the RMS was totally clean. No error messages what so ever.
But BEWARE. The fourth query line can really kill your database since data loss is allowed! It is a one-way street only with NO way back! Don’t run this SQL query in production environments since the changes are to end up with an unsupported configuration. Above mentioned approach is only meant for test environments and labs. But even when those environments are important, run a daily BACKUP of the databases…
Thursday, March 25, 2010
SCOM Unleashed R2 available for preorder
- For US residents, printed edition: http://www.amazon.com/System-Center-Operations-Manager-Unleashed/dp/0672333414/
- For the whole world, electronic edition (cannot be preordered): http://www.informit.com/store/product.aspx?isbn=0672331179
- For Dutch residents, printed: http://www.comcol.nl/detail/71016.htm
Also a bundle (the printed and electronic editions) for a special price will be available from March the 30th.
Expected availability
Electronic edition: March the 30th.
Printed edition: April the 26th.
Table of contents
Chapter 1 - Introduction and What's New
Chapter 2 - Unix/Linux Management: Cross Platform Extensions
Chapter 3 - Operations Manager 2007 R2 and Windows Server 2008
Chapter 4 - Using SQL Server 2008 in OpsMgr 2007 R2
Chapter 5 - PowerShell Extensions for Operations Manager 2007
Chapter 6 - Management Solutions for Small and Midsize Business
Chapter 7 - Operations Manager and Virtualization
Chapter 8 - Management Pack Authoring
Chapter 9 - Unleashing Operations Manager 2007
Appendix A - OpsMgr R2 by Example
Appendix B - Reference URLs
Appendix C - Available Online
Since I can’t wait I have preordered the printed version. Don’t mind spending the extra money since I know many of the authors and I do hope they will get a good fee for it when the sales are good :).
Tuesday, March 23, 2010
Importing MPs with the MP Catalog Web Service and dependencies
Since I do get questions from some of my customers about this I have written this blog posting. And today, when updating the Server OS MP in one of mine test environments, I also needed two runs in order to get it right. So I had the change to get some nice screenshots for this posting.
Lets take a look. First I will show what happens and then I will explain why it happens.
First I connected from the OpsMgr R2 Console to the MP Catalog Web Service. I selected the option to check for any updates for the loaded MPs. And yes, the Server OS MP was found. This MP comes in three parts:
- Windows Server 2008 Operating System (Discovery)
- Windows Server 2008 Operating System (Monitoring)
- Windows Server Operating System Library
I selected all three parts of this MP and hit the OK > Install buttons. First the MPs were downloaded and then the import started. Oops! Something is not going well here:
The first two parts of the Server OS MP did not import. The library part of this MP imported successfully however. I started a second run. And now the two parts of this MP which failed on the first run were neatly shown:
I hit the OK > Install buttons again and now all went well:
So two runs were needed in order to update the Server OS MP properly.
But why?
In order to get to the bottom of this we need to take a deeper look into the Server OS MP itself and check out the dependencies in this MP.
During the first run the part of the Server OS MP which gets updated first is the Discovery part. Lets take a look at the dependencies of that part of the Server OS MP (double click the MP, go to the third tab Dependencies and check out the first field ‘Management Packs this Management Pack depends on’):
Hmm. It depends on the NEWEST version of the Library part of the Server OS MP. But that isn’t loaded yet…
Lets take a look at the Monitoring part which gets secondly updated during the first run:
It also depends on the NEWEST version of the Library part which isn’t loaded yet.
Lets visualize the dependencies a bit more where the blue arrows depict the dependencies:
During the first run the requirements for the first two parts of the Server OS MP aren’t completely met: the required Library part AND the required version of that MP isn’t in place. So the Discovery and Monitoring part will not load.
However during the same first run the Library part is loaded which enables a successful second run of the import of this MP.
Sometimes when updating/importing MPs by using the MP Catalog Web Service the order in which the parts of the MPs are loaded is not entirely correct. So not all the parts of the related MP aren’t loaded on the first run and some errors will be shown. Do not panic, do a second run and you will be just fine.
Updated Server OS MP available
The updated MP can be found here.
Monday, March 22, 2010
AEM: how to remove it?
First, how to disable AEM? Actually, it is this blog posting in reverse. So:
- Remove the GPO containing the AEM settings
Wait some days for this change to take effect since not all client systems will be running on the day you change the GPO. So patience is needed here. For this customer I waited a week before continuing with the next steps.
- Disable Client Monitoring on the SCOM Management Server
Go to the Administration pane > Administration > Device Management > Management Servers. Select the MS handles AEM and right click it > select Disable Client Monitoring
> Click Yes. It takes some time in order to complete. No message will be shown.
- Remove the share
Now the share from the folder containing the ErrorData can be removed. Per OS this is done in a different kind of way.
- Permissions
Adjust the permissions on the folder containing the ErrorData so the two Global Groups created by AEM (AEMAgent & AEMUsers) can be deleted from AD and the Domain Admins do have full permissions on that folder and its contents. - Removal
This last step is permanent. So think about it before proceeding. Remove the folder containing the ErrorData.
So AEM is disabled now. However, the amount of computers with an Unknown Status remains the same. So how to get this number down? As already stated, by accident I found the solution when configuring the Exchange 2007 MP.
In a nutshell this is what happened.
As you know the Exchange 2007 MP is disabled by default when imported. It only runs a Discovery process known as the ‘Discovery Helper’. With this process one can see whether the correct Exchange 2007 servers are discovered and correct it when needed.
At the customers site where AEM was removed, this MP ran the Discovery Helper process and some non-Exchange 2007 servers were discovered. So I created an override, disabling the Discovery Helper process.
Then I had to empty the group which became populated based on that discovery. For that a PS one-liner is needed: Remove-DisabledMonitoringObject.
I had run this PS cmdlet sometimes before and it always ran fast. But now it took some time to run and the RMS took a big hit. The cmdlet was finished after 15+ minutes but then I had a nice surprise: the amount of computers with the Unknown Status was reduced from a couple of thousand to less then 20! All the computers that were previously AEM Clients got groomed out!
I must add that I have experienced this only once (Until now I have removed AEM only one time) AND that there were some months of time between the date I removed/disabled AEM and imported the Exchange 2007 MP. So I do not know whether this PS cmdlet will help right after having removed/disabled AEM but is still worth sharing.
Let me know about your experiences so I can update this posting accordingly.
Tuesday, March 16, 2010
AEM and SCOM: where do all these computers with Unknown Status come from?
Even though it might seem strange at first hand, there is a logical explanation for it.
The A of AEM comes into play here why SCOM notices these clients as computers with an Unknown Status. The A means Agentless. And that is exactly what any AEM client is from SCOMs perspective. Since no SCOM Agent is in place, SCOM only knows about the clients existence but has no clue what so ever about its status. Therefore the AEM client will be looked upon as a computer with an Unknown Status.
When AEM is in place there is nothing which can be done about it. It is as designed. Period. However, in larger environments with AEM in place this is not something nice to look at. First it seems alarming and later on it gets ignored. Since SCOM is a product that Microsoft takes very seriously, input based on field experiences is very welcome. This input will be used in future editions/releases of SCOM to come.
Therefore I have posted a suggestion on Microsoft Connect where I propose to approach AEM clients in future editions/releases of SCOM in a different kind of way. However, your help is needed here. Simply because only ONE person making this suggestion will not have a huge impact. But when many more people say ‘Yeah! That would be a good idea!’ Microsoft will pay more attention to it.
So when you want to make the difference go here and pump it up!
In a future posting I will describe an approach when AEM is phased out and one wants to get rid of the computers with an unknown status which got there because of being AEM clients. I bumped into this solution by accident some time ago but still it is nice to know how to resolve this issue.
Monday, March 15, 2010
Exchange 2010 MP guide and a typo…
This is what the guide states:
(Taken directly from the guide, page 6.)
However, this is not the case. As stated by Microsoft:
The Exchange 2010 MP supports any virtualized environment supported by both Exchange 2010 and Operations Manager 2007/2007 R2.
For every MP Guide a template is used. The template contains the high lighted ‘statement’. Somehow it slipped through. Still, the MP is very good :).
SCOM R2 Unleashed: also as a printed version!
The SCOM R2 Unleashed book will not only be available in electronic format, but printed as well!
Based on the current information the printed edition will be available sometime in April (2010 I hope…) and be available through Amazone.com and other electronic resellers.
Bang for the Buck…
As I have been told by my Russian peer (Alexey Zhuralev) a bundle (printed version AND EBook) will be available on the publishers site (www.sams.com). Nice! I know what I am going to buy within some weeks…
Friday, March 12, 2010
Running a Customized Report, showing detailed information about the DCs
How? it goes without saying that the latest version of the AD MP must be loaded, configured and in working order.
- Display Name
- AD Site
- DNS Domain Name
- DNS Forest Name
- IP Address
- Infrastructure Master
- Global Catalog Server
- DC Hostname
- PDC Emulator
- RID Master
- Schema Master
- RODC
(Beware: the list of Report Fields isn’t set in alphabetical order..)
This Report can be Published as well. As start date select an offset like –7 days. Give the Report a Logical Name AND a good explanation and publish it. This way this Report is always available and runs when double clicked, without the need to add/adjust any parameters.
Monday, March 8, 2010
SCOM R2 Unleashed: Availability Date is known…
The PDF will available only on Pearson's InformIT site. Want to know more about the printed version: Go here.
Even though there is much to be found in this book it is a SUPPLEMENT to System Center Operations Manager 2007 Unleashed. All I can say is that when you don’t have that book and you are in to SCOM: buy it! This book answered tons of questions I had about SCOM.
Want to know more? Visit the SCOM Unleashed Blog and this thread on Microsoft TechNet Forum.
New AEM Reports for SCOM R2 to be released soon…
Just blogged about AEM and soon Microsoft will release some new AEM Reports. These Reports – in Beta format - can be tested now when you want to test drive them. Feedback is much appreciated. The new AEM Reports are:
Reports can be downloaded from here.
Friday, March 5, 2010
CEIP, ODR and the lot. What are they and why should I use them? Part IV: AEM explained, how to configure it
Postings in the same series:
Part I: ODR explained
Part II: CEIP explained
Part III: AEM explained, its origin
---------------------------------------------------------------------------------
This is the last posting in this series. It will be about how to configure AEM. Also some ‘Need-To-Knows’ will be shared since without it, AEM might end up in a bad working way. Besides that, it is good to know what AEM can do and can NOT do. So lets start.
Need-To-Knows
- AEM works only for clients residing in the same fully trusted environment where the related SCOM Management Group resides. So it will NOT work for clients residing behind a SCOM Gateway for instance. There needs to be a full trust in place.
- AEM needs planning AND sizing. So it is not just ‘Set-and-Forget’ but it needs RTFM and the lot. Where to get that information? The OpsMgr R2 Sizing Helper will help you out for sizing questions. Taken directly from that tool:
Also the help file of SCOM (R2) will tell you more about it, the online guides of Microsoft and last but not least, SCOM Unleashed.
- AEM also creates Alerts within SCOM (R2). You get Alerts like: ‘Application X stopped on Computer Y while User Z was using it’ and the like. You must ask yourself the question whether your organization wants this since every Alert needs at least some attention. So additional time is needed for the operators which has to be taken into account as well.
- Even though AEM gives an opportunity to get a deeper insight of the crashes and application errors, it is not a total solution. Meaning that when for a given application error a solution is known and shown, it still has to be applied in some kind of way. AEM won’t take care of that part.
- Make sure you got the AD (Active Directory) engineers involved since deploying AEM means that a GPO has to be created in order to configure the Clients. So get the AD guys/girls in to the loop as well. Even better, do this in an earlier stage and not at the moment when the GPO needs to be created. Somehow AD people do not like that….. :)
- There is much more to AEM then this blog posting will reveal. So when you start using AEM and you don’t have the book SCOM Unleashed already NOW it is the time to buy it. This book takes a real deep dive into many aspects of SCOM and AEM is covered in all detail.
How to configure AEM? (*)
(*: This procedure is based on SCOM R2, so when you are running SCOM SP1, there might be some differences.)
- Design and build a relevant AEM environment, based on the OpsMgr R2 Sizing Tool and the SCOM R2 Design Guide
- Start the SCOM (R2) Console with an account that has SCOM Admin permissions. Also when running the Console from a W2K08 based server, run it with elevated permissions.
- Go to the Administration pane > Administration > Device Management > Management Servers. Select the MS that will handle AEM and right click this server. Select the option Configure Client Monitoring:
- Now the wizard Client Monitoring Configuration Wizard will start. As the Introduction screen tells you, you will not only configure AEM but you also have the change to configure how CEIP data is treated:
Do not just click Next like a robot. You are a human being after all with the capabilities to READ and to UNDERSTAND. So when this is the first time you see this Wizard, do take your time, and READ it since much valuable information is shown. It can save you many hours of trouble shooting so it is worthwhile the time taken…
- The next screen is about CEIP Forwarding. Do you want it send it directly to Microsoft or not? Or do you want to use a MS as a collection point which sends it to Microsoft? SSL can be chosen as well here.
Since this posting is all about AEM, I leave it at the default option, RTFM the screen and click Next.
- Before doing anything in this screen (Error Collection) I have created on the MS which is going to be used for AEM a folder with the name ErrorData on the D drive:
Besides that, I have NOT changed anything. Only created the folder. Now it is time to RTFM the screen and to enter the needed information. Now I have screen like this:
One does not have to enter a File Share Path. A local drive path will do as well since the Wizard will create a File Share later on. Also security will be set as well. SSL can be chosen here as well. For the convenience of this posting I have deselected it. Default the Organization Name is set to Microsoft. This can be changed as needed. This name will be shown on the local computer by the error reporting client. Click Next.
- The screen Error Forwarding shows what options are available for Error Forwarding. By default nothing is selected. When you choose to leave like that you are missing out on a huge advantage since whenever a solution is available it will not be shown. Not because Microsoft wants to punish you for not forwarding the Error Reports, but simply because Microsoft does NOT KNOW what is going on in your environment…
When you choose to forward all collected errors, you will receive the link to the solution. And you have the possibility to choose what kind of reports are forwarded to Microsoft: Basic or Detailed. So to a certain level you can control what goes out. Click Next.
- Now the File Share will be created. Here it is important, when running the Console from a W2K08 based server, to use elevated permissions when starting the Console, as stated in step 2. Otherwise the changes are likely that an error message will pop up while the share is being created.
Even though one might RFTM this screen, something important will happen in the back ground as well: two AD accounts will be created. So be sure that the user being used does have that permission as well. Click Next.
- Now the task status of the File Share creation process (and the creation of the two AD Global Groups and setting permissions on the File Share) is being shown. After a short while this message appears:
Lets take a look at what has been done by the Wizard. In AD two additional Global Groups have been added:
The earlier mentioned folder has been shared:
Security has been set, Share Permissions:
and NTFS Permissions:
- Click Next. Now the needed template for the GPO will be created. One can choose where this template must be saved. Best practice is to use a separate folder for this.
Click Finish.
Whoa! That’s a lot of work! But now we’re done? AEM is running now? No. Not just jet. The GPO Template must be added to a GPO AND set as well. So lets start.
Adding the template to a new GPO (*)
(*: This procedure is based on W2K08 R2, so when you are running older versions of Windows, there might be some differences.)
- Go to Start > type GPMC.msc <enter>. In this example there is Organizational Unit named Client Systems. All client systems reside just here (How convenient :) ).
- Right-click this OU and choose Create a GPO in this Domain and Link it here. Give it a logical name. This is the name I gave it: ‘C_SCOM_AEM_Policy’. The first character tells me it is a GPO targeted at the Computer Configuration node. And the rest is clear I guess… Click OK.
- Right-click this new GPO and select Edit. Expand Computer Configuration > right-click Administrative Templates and select Add/Remove Templates…
Click Add, browse to the location where the GPO Template has been saved, select it and click Open.
Now you are back in the Add/Remove Templates screen. The template has been selected. Click Close.
- A new node has been added (or was there before when other Templates have been previously added), the Classic Administrative Templates (ADM).
- Expand that node > Microsoft Applications > System Center Operations Manager (SCOM) and this will be shown:
In total 11 settings are to be found. By default these are all disabled. Enable each setting as needed. For most settings when enabled the answers given when the Client Monitoring Configuration Wizard was run, will be shown. Like this:
Not Configured (default setting):
Enabled:
as you can see it matches the earlier mentioned Wizard (Step 6, How to Configure AEM?):
- In my days being a Systems Engineer I always created GPO’s per subject. So not one GPO containing settings for multiple subjects. Also when I created a GPO it was targeted at the Computer Configuration or User Configuration. Never both. This way it was much easier to differentiate between the GPOs. Made life much easier.
Another good practice was to disable the part not being used. So for a GPO targeted solely at the Computer Configuration, I disabled by default the User Configuration Settings. This way the GPO gets processed way much faster. Don’t get me wrong here. I am a SCOM specialist and not a AD/GPO specialist. I am sure there are other good practices as well which I do not know about. So feel free to comment.
Go to the top level in the GPO Editor and right click the GPO. Select Properties and select Disable User Configuration settings. When you click OK a warning is shown. Read it, understand it and click Yes and then OK.
- Now you must tell the WER (Windows Error Reporting) client not to send the Error Reports to Microsoft directly. For this the same GPO is being used. Go to Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings.
The setting you need is: Turn off Windows Error Reporting.
This setting is set to Not Configured by default. You need to set it to Disabled (thanks to Jon Sykes pointing this out to me).
- Close the GPO Editor. Now you are back in GPMC.msc. Select the correct OU and the linked GPO. Go to the Settings tab of this GPO and check it out:
- A final check: In the SCOM Console go to the Monitoring pane > Monitoring > Agentless Exception Monitoring > Crash Listener View. When all is well something like this is being shown:
And now (finally?) AEM is running. Yeeha!
Used resources
Besides my own personal experience I have used the good and detailed guides which Microsoft provides and last, but not least, SCOM Unleashed the BEST book on SCOM. as I have been told, the R2 edition of this book will available on the 25th of March 2010…