Thursday, November 11, 2010

if you have a clustered RMS...

You may encounter this error on the primary node of the RMS cluster:
A container for the management group MG2 either does not exist in domain demoxxx.net or the Run As Account associated with the AD based agent assignment rule does not have access to the container. Please run MomADAdmin for this Management Group before configuring assignment rules and make sure the associated Run As Account is the member of the Operations Manager Administrator role ---


Workflow name: _DEMOWMP_VCDEMON230_CAP_demowmp.net
Instance name: VCDEMON230-CAP.demowmp.net
Instance ID: {A5B7E322-E737-EA17-25C1-B52097AAD4AF}

Management group: MG2

The issue is that each node in the cluster does not have permission to create a service connection point in Active Directory.

Here is the command to run to grant permissions to each node of an RMS cluster in Active Directory:


dsacls CN=MG2,CN=OperationsManager,DC=yourdomain,DC=com /G CLUSTERNODE1COMPUTERNAME$:CC;serviceConnectionPoint; CLUSTERNODE1COMPUTERNAME$:CC;group; CLUSTERNODE1COMPUTERNAME$:RCLCRPDTLO;;


(all one line)
Run this command for each node of the cluster, substituting that node's computer account name.

Next, open Active Directory Users and Computers and, on the View menu, select "Advanced Features". Navigate to the OperationsManager -> <Management Group Name> container. Right-click your Management Group's container, point to All Tasks and click Delegate Control. Click Next, then click Add. Click Object Types, select Computers and click OK. Enter the name of each RMS cluster node, and enter the RMS cluster service name as well, then click OK and Next. Check the box for "Modify the membership of a group", click Next, then click Finish. Finally, use Cluster Management to restart the entire RMS cluster "service".
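The dsacls grant and the group-membership delegation above done from PowerShell for every node at once, followed by a read-back of the container ACL so a node that was skipped shows up before the cluster fails over to it. This is an added example, not code from the original post: the DN, node and cluster account names are placeholders, and the `/I:S ... WP;member;group` ACE is assumed to be the dsacls equivalent of the wizard's "Modify the membership of a group" choice.

```powershell
# Placeholders (assumed values): management group container DN, the computer
# accounts of the RMS cluster nodes, and the RMS cluster network name account.
$mgDn    = 'CN=MG2,CN=OperationsManager,DC=yourdomain,DC=com'
$nodes   = 'CLUSTERNODE1COMPUTERNAME$', 'CLUSTERNODE2COMPUTERNAME$'
$cluster = 'RMSCLUSTERNAME$'

function Grant-MgContainerRights {
    param([string]$Dn, [string[]]$Nodes, [string]$ClusterAccount)
    foreach ($acct in $Nodes) {
        # Same rights as the dsacls line in the post: create serviceConnectionPoint
        # and group children, plus read/list/delete-tree on the container itself.
        & dsacls $Dn /G "${acct}:CC;serviceConnectionPoint;" "${acct}:CC;group;" "${acct}:RCLCRPDTLO;;" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls grant failed for $acct" }
    }
    foreach ($acct in ($Nodes + $ClusterAccount)) {
        # Assumed dsacls equivalent of the ADUC "Modify the membership of a group"
        # delegation: write the member attribute on group objects below the
        # container (/I:S = apply to sub-objects only).
        & dsacls $Dn /I:S /G "${acct}:WP;member;group" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls delegation failed for $acct" }
    }
}

function Test-MgContainerAcl {
    param([string]$Dn, [string[]]$Accounts)
    $acl = & dsacls $Dn   # with no switches dsacls prints the current ACL
    foreach ($acct in $Accounts) {
        New-Object PSObject -Property @{
            Account = $acct
            InAcl   = [bool]($acl -match [regex]::Escape($acct))
        }
    }
}

Grant-MgContainerRights -Dn $mgDn -Nodes $nodes -ClusterAccount $cluster
# Any account reported as InAcl = False is a node that will log the error
# quoted above as soon as the RMS resource group fails over to it.
Test-MgContainerAcl -Dn $mgDn -Accounts ($nodes + $cluster) | Format-Table Account, InAcl -AutoSize
```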

Thanks to Frank for basically figuring this out.

Monday, November 1, 2010

High-Level SCOM 2007 Install

Prerequisites
  • Determine IP addresses and server names
    • server names CANNOT be changed once SCOM is installed
  • From the SCOM 2007 R2 media, run SetupOM.exe and click “Check Prerequisites”.
  • Choose what components will be installed on the machine (do this for each server)
  • Root Role Components – Server, Console, PowerShell, Web Console
  • Install .NET 2.0 and 3.0 Framework, Powershell, IIS and anything else it advises
  • Register the 64-bit version of ASP.NET (if installing on 64-bit OS)
  • Install 4 required Windows Server 2008 hot-fixes to support OpsMgr Server roles on Windows Server 2008 – 951327, 952664, 953290, 951116
  • Create five (5) service accounts and one (1) security group in Active Directory
    • sa_opsmgradmin
    • sa_sdkconfig
    • sa_mgmtsvraction
    • sa_datareader
    • sa_datawhwrite
  • Create a security group, sa_opsmgradmins, and add sa_opsmgradmin and any other OpsMgr admins to it
  • On the SQL server & SCOM server(s), add the security group created above to the local administrators group
SQL Installation & Configuration

  • Install SQL Server – Reporting components and Tools (Management Studio)
    • Note: Reporting Services can be installed on any server if there is an issue with installing the SCOM Reporting component on the SQL Server
  • Install SQL SP3 (if SQL 2005) or SQL SP1 (if SQL 2008). *Service Packs are included in the slipstream CD.
  • Take snapshot if virtual
  • Run Reporting Services Configuration Wizard (steps will vary slightly between SQL 2005 and 2008)
    • Wizard will create two DBs – ReportServer & ReportServerTemp and two virtual directories - http://technet.microsoft.com/en-us/library/bb432146.aspx
    • Select and create a web service URL > accept defaults > click apply
    • Select and create report manager URL, accept defaults, click apply
    • Confirm the Report Server website is up and running – http://localhost/reportserver, http://localhost/reports (navigable from the server that Reporting Services is installed on)
    • Confirm Reporting services is configured correctly. Take a snapshot
  • Install OperationsManager database on SQL server (click “Install Operations Manager 2007 R2” from the media and select only the Operations Manager DB – not the Management Server, Web Console or any other options)
  • Set DB to autogrow – do this in the SQL Management Studio after the DB is created
  • Install OperationsManagerDW on SQL server (click “Install Operations Manager 2007 R2 Reporting” from the media and select only Operations Manager Datawarehouse – not the Reporting Server option)
  • Set DB to autogrow – do this in the SQL Management Studio after the DB is created
  • Add login in SQL MGMT Studio for sa_opsmgradmin - set default DB to OperationsManager (or you can run install as sa_sql)
    • Server Roles - public, sysadmin
    • User Mapping - public, dbowner (on OperationsManager)
  • From the SCOM 2007 R2 media, run SetupOM.exe and click “Check Prerequisites”.
SCOM Installation & Configuration

  • Install SCOM - http://technet.microsoft.com/en-us/library/bb432146.aspx
  • Install Management Server first (will become Root MS since it’s the first MS in the environment) Roles: Management Server, User Interfaces, Command Shell, Web Console
    • Update mommodules kb941811 if issues
  • If installing to default SQL Instance, use only server name when specifying SC Database Server Instance
  • Use Windows Auth if installing the Web Console
  • Confirm Health of Mgmt Group by opening the console
  • Take registry backup/snapshot if virtual
  • Import the Windows Server Core OS MP to get base metrics
    • Administration Console, right-click, Import Mgmt Packs
  • Install Reporting once it’s confirmed that the Management Group is healthy (optional)
  • Install Audit Collection Services once it’s confirmed that Reporting & the Management Group are healthy
  • Navigate to http:// \Reports_
  • Click on Audit Reports
  • Click Show Details in top right corner
  • Click DB Audit
  • Edit Connection String to point to the correct data source and catalog
  • Select “Credentials stored securely in the Report Server”
  • Use SQL Service Account
  • Check “use as windows credentials when connecting to the data source”.
  • Open SQL Management Studio
  • Navigate to Security>Logins, Right Click Data Reader Service Account, Select Properties
  • Click User Mapping
  • Select “OperationsManagerAC”
  • Add “DB_Owner” and “Public” mappings
  • Click OK
  • If errors still occur for remote access, try enabling Remote Errors (http://technet.microsoft.com/en-us/library/aa337165.aspx)
  • Requires a new database to be created (best practice)
  • Requires ACS Reporting services to be installed
Best Practices
  • Enable Network Adapter monitoring (include an Override Mgmt Pack)
Service Level Dashboard (Dundas Gauges)
  • Ensure sa_opsmgradmins group has local admin access

SCOM 2007 R2 Active Directory Integration

SCOM Active Directory Integration is used to publish the Service Connection Points (SCP) in Active Directory. This allows manually installed agents to query AD to determine which management group they belong to, so they are managed automatically when they come ‘online’.
  • Ensure the domain functional level is at least 2003
  • On the RMS, log in as a DOMAIN ADMIN, open a command prompt and navigate to c:\program files\system center operations manager 2007
    • MOMADAdmin.exe syntax is MomADAdmin ManagementGroupName MOMAdminSecurityGroup PrincipalManagementServerComputerName Domain
      • ManagementGroupName is the name of the OM Management Group. For each management group to be integrated, you need to run this tool so that a separate container is created.
      • MOMAdminSecurityGroup is the name of your OM Admin Security Group
      • PrincipalManagementServerComputerName is the name of the primary management server for this group.
      • Domain is the domain name of the domain being prepared.
  • When you run the tool, the following occurs:
    • Creates an Operations Manager container under the root of the domain specified.
    • Creates a container under the Operations Manager container the tool just created with the name of the management group specified.
    • Within the management group container, the tool creates two service connection points (SCP) and one security group
  • To verify:
    • Open Active Directory Users and Computers (DSA.msc)
    • Select View\Advanced Features from the toolbar and expand the domain
    • Expand OperationsManager and select the management group name to verify the HealthServiceSCP point was created successfully for the management group.
      • Note the addition of the RMS machine account (Root Management Server) to the management group name container. (Right-click, Properties, Security tab).
  • Open the “Administration” and click the top-level Administration container in the Operations Console.
  • Click the “Configure Active Directory (AD) Integration” link under “Optional Configuration”.
  • On the “Configure Active Directory (AD) Integration” screen select “Add” and then “Next” to continue.
  • Leave "domain name" selected as the domain name. Select “Next” to continue.
  • Create inclusion criteria by selecting “Configure”.
  • For example, to create an inclusion rule for all machines whose names start with EXCH (Exchange servers), enter the following:
  • Computer name: EXCH*
  • Role: Exchange Server
  • Select “OK” to continue. Run through the rest of the screens.
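The "To verify" steps above done with System.DirectoryServices instead of clicking through ADUC, as an added example that is not part of the original post. The domain DN, management group name and RMS machine account are placeholders; the expected counts (two SCPs, one security group) and the RMS account on the container's security tab are what the post says MomADAdmin creates.

```powershell
# Placeholders (assumed values): domain DN, management group name and the RMS
# machine account that MomADAdmin adds to the container's ACL.
$domainDn = 'DC=yourdomain,DC=com'
$mgName   = 'MG2'
$rmsAcct  = 'RMSCOMPUTERNAME$'

function Get-AdChildNames {
    # One-level LDAP search below $ParentDn, returning the names that match.
    param([string]$ParentDn, [string]$Filter)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://$ParentDn"
    $s.SearchScope = 'OneLevel'
    $s.Filter      = $Filter
    $s.FindAll() | ForEach-Object { $_.Properties['name'][0] }
}

function Test-MomAdAdminResult {
    param([string]$DomainDn, [string]$MgName, [string]$RmsAccount)
    $mgDn = "CN=$MgName,CN=OperationsManager,$DomainDn"
    $r = New-Object PSObject -Property @{
        Container = $mgDn; ContainerExists = $false
        ScpCount = 0; GroupCount = 0; RmsInAcl = $false
    }
    $r.ContainerExists = [ADSI]::Exists("LDAP://$mgDn")
    if (-not $r.ContainerExists) { return $r }
    $r.ScpCount   = @(Get-AdChildNames $mgDn '(objectClass=serviceConnectionPoint)').Count
    $r.GroupCount = @(Get-AdChildNames $mgDn '(objectClass=group)').Count
    # The RMS account is granted rights on the container (Security tab), so
    # look for it among the explicit ACEs of the container's DACL.
    $aces = ([ADSI]"LDAP://$mgDn").ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
    $r.RmsInAcl = [bool]($aces | Where-Object { $_.IdentityReference.Value -like "*\$RmsAccount" })
    return $r
}

$result = Test-MomAdAdminResult -DomainDn $domainDn -MgName $mgName -RmsAccount $rmsAcct
$result | Format-List Container, ContainerExists, ScpCount, GroupCount, RmsInAcl
# The post says MomADAdmin creates two SCPs and one security group and adds
# the RMS machine account to the container; anything else means it did not
# finish, or was run for a different management group or domain.
$complete = $result.ContainerExists -and $result.ScpCount -eq 2 -and
            $result.GroupCount -eq 1 -and $result.RmsInAcl
if ($complete) { "AD integration objects for $mgName are in place" }
else           { "AD integration objects for $mgName are incomplete; rerun MomADAdmin" }
```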