Stale/Gray objects in Operations Manager

Occasionally you'll have grayed out agents in your Monitoring view in SCOM.  This can be due to the fact that a server was decommissioned before you had a chance to properly uninstall the agent and delete it from the Administration pane.  Even after you delete it from the Administration pane the object may still appear grayed out.  For this, I turned to SQL Management Studio.

First I run this query against the OperationsManager DB:
SELECT * FROM dbo.[BasemanagedEntity] where FullName Like '%computername%'

This shows me all instances that still reside in the DB for that computer.  Scroll over the the IsManaged and IsDeleted column.  You'll often, not always, notice a mixture of 1's and 0's.  Ideally if you want this server deleted IsManaged = 0 and IsDeleted = 1.  All it takes is one of the items in the IsDeleted column to show 0 for the object to show in the console in a gray state.

Which leads us to the SQL query to remove these from the console:

USE [OperationsManager]
UPDATE dbo.[BaseManagedEntity]
SET
[IsManaged] = 0,
[IsDeleted] = 1,
[LastModified] = getutcdate()
WHERE FullName like '%computername%'

Now IsManaged = 0 and IsDeleted = 1.  Refresh your SCOM Console and...

No more gray agent :)

The query to run the data purging Stored Proc is as follows:


DECLARE @GroomingThresholdUTC datetime
SET @GroomingThresholdUTC = DATEADD(d,-2,GETUTCDATE())
UPDATE BaseManagedEntity
SET LastModified = @GroomingThresholdUTC
WHERE [IsDeleted] = 1
UPDATE Relationship
SET LastModified = @GroomingThresholdUTC
WHERE [IsDeleted] = 1
UPDATE TypedManagedEntity
SET LastModified = @GroomingThresholdUTC
WHERE [IsDeleted] = 1
EXEC p_DataPurging

I believe this runs each night but just in case you want to force it.  Should only take a few seconds.

If that doesn't fix it, follow this guide: http://blogs.technet.com/b/kevinholman/archive/2008/09/29/agent-pending-actions-can-get-out-of-synch-between-the-console-and-the-database.aspx

Failed to create process due to error '0x80070002 : The system cannot find the file specified. ', this workflow will be unloaded.

I recently was receiving this message on one of my monitored DC's....

Event Type: Error
Event Source: Health Service Modules
Event Category: None
Event ID: 21400
Date: 8/24/2011
Time: 9:08:02 AM
User: N/A
Computer: SERVERNAME
Description:
Failed to create process due to error '0x80070002 : The system cannot find the file specified.
', this workflow will be unloaded.

Command executed: "C:\WINDOWS\System32\cscript.exe" /nologo "C:\Program Files\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files 1\84\DiscoverVMMSelfService.vbs" {E68CED9E-FB3F-B856-E3D5-F3A91FCA395B} {72BEBFB5-0B16-F3BA-8B9A-281D81DBA0C3} SERVERNAME
Working Directory: C:\Program Files\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files 1\84\

One or more workflows were affected by this.

Workflow name: Microsoft.SystemCenter.VirtualMachineManager.2008.SelfService.DiscoveryRule
Instance name: SERVERNAME
Instance ID: {72BEBFB5-0B16-F3BA-8B9A-281D81DBA0C3}
Management group: SCOMManagementGroup

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

>>>

Turns out the issue was that cscript.exe was not in C:\WINDOWS\SYSTEM32.  Another issue could be that  Windows Server Support Tools are not installed to C:\Program Files\.

getting vmware components to show up in service manager

if you have quest's qmx xtensions for vmware monitoring, it's easy to get that information into service manager so you can report on those components.

once the scom ci connector is setup, you'll need to import the sealed eXcSoftware.nonWindows MP (mine is version 7.0.0.23).  once that is imported you'll need to import the Network Device Library MP.  once that is imported you can then import the unsealed QMX.VMWare MP (mine is version 7.0.0.19).  they must be done in this order.


once the MPs are imported, you'll need to allow those classes:
add-scsmallowlistclass -ClassName eXcSoftware.nonWindows.WindowsProxyComputer
add-scsmallowlistclass -ClassName eXcSoftware.nonWindows.nonWindowsObject
add-scsmallowlistclass -ClassName eXcSoftware.nonWindows.nonWindowsObject.AVAILABILITY
add-scsmallowlistclass -ClassName eXcSoftware.nonWindows.nonWindowsObject.CONFIGURATION
add-scsmallowlistclass -ClassName eXcSoftware.nonWindows.nonWindowsObject.CPU
add-scsmallowlistclass -ClassName eXcSoftware.nonWindows.nonWindowsObject.DISK
add-scsmallowlistclass -ClassName eXcSoftware.nonWindows.nonWindowsObject.FAN
add-scsmallowlistclass -ClassName eXcSoftware.nonWindows.nonWindowsObject.MEMORY
add-scsmallowlistclass -ClassName eXcSoftware.nonWindows.nonWindowsObject.NETWORK
add-scsmallowlistclass -ClassName eXcSoftware.nonWindows.nonWindowsObject.POWER
add-scsmallowlistclass -ClassName eXcSoftware.nonWindows.nonWindowsObject.PROCESS
add-scsmallowlistclass -ClassName eXcSoftware.nonWindows.nonWindowsObject.SECURITY
add-scsmallowlistclass -ClassName QMX_Monitor_VMWare_OpsMgrMP.Group

open the scom ci connector > click on management packs and refresh.  type in your account password for the connector and eXcSoftware.nonWindows and QMX_Monitor_VMWare_OpsMgrMP should now show up.  put a checkbox next to those and click 'ok'.

keep in mind, if you use the free version of QMX for VMware then ONLY your vCenter host will show up (not the ESX hosts or guests).  in my case i'm also monitoring some IronPort's so those show up as well.  if you want all the ESX hosts to show up then you need to get paid licenses for EACH ESX host ~ costly.

service manager 2010 MP for operations manager not monitoring workflows availability

after importing the service manager management pack, you might find that the workflows availability monitors (grooming, linking and wf) are not monitored.  this is because you haven't configured a database write action account for service manager inside scom yet.

in scom:
navigate to the administration pane > accounts
create a windows run as account.  name it something like "service manager database write action account".
the credentials will be whatever account you've configured already in service manager to be the database account.
for distribution, i always choose "more secure" and in this instance i'll target all my service manager and sql servers.

now click on profiles and find the "service manager database account" which is automatically created when you import the service manager mp.  double-click this account profile, click run as accounts on the left and click "add".  choose the account from the drop down list that you created in the previous steps and target 'all objects'.  save you changes and wait a few hours unless you feel like altering the discoveries.

if you have a clustered RMS...

You may encounter this error on the primary node of the RMS cluster:
A container for the management group MG2 either does not exist in domain demoxxx.net or the Run As Account associated with the AD based agent assignment rule does not have access to the container. Please run MomADAdmin for this Management Group before configuring assignment rules and make sure the associated Run As Account is the member of the Operations Manager Administrator role ---


Workflow name: _DEMOWMP_VCDEMON230_CAP_demowmp.net
Instance name: VCDEMON230-CAP.demowmp.net
Instance ID: {A5B7E322-E737-EA17-25C1-B52097AAD4AF}

Management group: MG2

The issue is that each node in the cluster doesn't not have permission to create a service connection point in Active Directory.

Here is the command to run to grant permissions to each node of an RMS cluster in Active Directory:


dsacls CN=MG2,CN=OperationsManager,DC=yourdomain,DC=com /G CLUSTERNODE1COMPUTERNAME$:CC;serviceConnectionPoint;
CLUSTERNODE1COMPUTERNAME$:CC;group; CLUSTERNODE1COMPUTERNAME$:RCLCRPDTLO;;


(all one line)
Run this command for each node of the cluster.

Next, open Active Directory Users and Computers. On the View menu, select "Advanced Features". Navigate to the OperationsManager -> Group Name> container. Right click on your Management Group's name (container), then point to All Tasks -> click Delegate Control. Click Next. Click Add. Click Object Types, and select Computers. Click OK. Enter the name of each RMS cluster node, and enter the RMS cluster service name as well. Click OK. Click Next. Check the box for "Modify the membership of a group", then click Next. Click Finish. Finally, use Cluster Management to restart the entire RMS cluster "service".

Thanks to Frank for basically figuring this out.

High-Level SCOM 2007 Install

Pre-Requisities

• Determine IP addresses and server names
• server names CANNOT be changed once SCOM is installed
• From the SCOM 2007 R2 media, run SetupOM.exe and click “Check Prerequisites”.
• Choose what components will be installed on the machine (do this for each server)
• Root Role Components – Server, Console , Power Shell, Web Console
• Install .NET 2.0 and 3.0 Framework, Powershell, IIS and anything else it advises
• Register the 64-bit version of ASP.NET (if installing on 64-bit OS)
• http://support.microsoft.com/kb/894435
• Install 4 required Windows Server 2008 hot-fixes to support OpsMgr Server roles on Windows Server 2008 – 951327, 952664, 953290, 951116
• Create five (5) service accounts and one (1) security group in Active Directory
• sa_opsmgradmin
• sa_sdkconfig
• sa_mgmtsvraction
• sa_datareader
• sa_datawhwrite
• Create a Security Group - sa_opsmgradmins > add sa_opsmgradmin & any other OpsMgr admins
• On the SQL server & SCOM server(s), add the security group created above to the local administrators group

SQL Installation & Configuration

• Install SQL Server – Reporting components and Tools (Management Studio)
• Note: Reporting Services can be installed on any server if there is an issue with installing the SCOM Reporting component on the SQL Server
• Install SQL SP3 (if SQL 2005), Install SQL SP1 (if SQL 2008) *Service Packs are included in the slip stream CD.
• Take snapshot if virtual
• Run Reporting Services Configuration Wizard (steps will vary slightly between SQL 2005 and 2008)
• Wizard will create two DBs – ReportServer & ReportServerTemp and two virtual directories - http://technet.microsoft.com/en-us/library/bb432146.aspx
• Select and create a web service URL > accept defaults > click apply
• Select and create report manager URL, accept defaults, click apply
• Confirm Report Server website is up and running – http://localhost/reportserver, http://localhost/reports (navagable from the server that Reporting Services is installed to)
• Confirm Reporting services is configured correctly. Take a snapshot
• Install OperationsManager database on SQL server (click “Install Operations Manager 2007 R2” from the media and select only the Operations Manager DB – not the Management Server, Web Console or any other options)
• Set DB to autogrow – do this in the SQL Management Studio after the DB is created
• Install OperationsManagerDW on SQL server (click “Install Operations Manager 2007 R2 Reporting” from the media and select only Operations Manager Datawarehouse – not the Reporting Server option)
• Set DB to autogrow – do this in the SQL Management Studio after the DB is created
• Add login in SQL MGMT Studio for sa_opsmgradmin - set default DB to OperationsManager (or you can run install as sa_sql)
• Server Roles - public, sysadmin
• User Mapping - public, dbowner (on OperationsManager)
• From the SCOM 2007 R2 media, run SetupOM.exe and click “Check Prerequisites”.

SCOM Installation & Configuration

• Install SCOM - http://technet.microsoft.com/en-us/library/bb432146.aspx
• Install Management Server first (will become Root MS since it’s the first MS in the environment) Roles: Management Server, User Interfaces, Command Shell, Web Console
• Update mommodules kb941811 if issues
• If installing to default SQL Instance, use only server name when specifying SC Database Server Instance
• Use Windows Auth if installing the Web Console
• Confirm Health of Mgmt Group by opening the console
• Take registry backup/snapshot if virtual
• Import the Windows Server Core OS MP to get base metrics
• Adminstration Console, Right-Click, Import Mgmt Packs
• Install Reporting once it’s confirmed that the Management Group is healthy (optional)
• http://technet.microsoft.com/en-us/library/dd788945.aspx
• Allow ample time (~2 hours) for report(s) generation.
• Install Audit Collection Services once it’s confirmed that Reporting & the Management Group are healthy
• http://technet.microsoft.com/en-us/library/bb309607.aspx
• Navigate to http:// \Reports_
• Click on Audit Reports
• Click Show Details in top right corner
• Click DB Audit
• Edit Connection String to point to the correct data source and catalog
• Select “Credentials stored securely in the Report Server”
• Use SQL Service Account
• Check “use as windows credentials” when connecting to the data source”.
• Open SQL Management Studio
• Navigate to Security>Logins, Right Click Data Reader Service Account, Select Properties
• Click User Mapping
• Select “OperationsManagerAC”
• Add “DB_Owner” and “Public” mappings
• Click OK
• If errors are still occurring for remote access. Try enabling Remote Errors (http://technet.microsoft.com/en-us/library/aa337165.aspx)
• Requires a new database to be created (best practice)
• http://technet.microsoft.com/en-us/library/bb381332.aspx
• Requires ACS Reporting services to be installed
• http://technet.microsoft.com/en-us/library/bb381332.aspx

Best Practices

• Enabled Network Adapter monitoring state (include Override Mgmt Pack)

Service Level Dashboard (Dundas Gauges)

• Ensure sa_opsmgradmins group has local admin access

SCOM 2007 R2 Active Directory Integration

SCOM Active Direcotry Integration is used to publish the Service Connection Points (SCP) in Active Directory. This will allow manually installed agents to query AD to determine which management group they belong to for automatic management when they come ‘online’.

• Ensure the domain functional level is at least 2003
• On the RMS, login as a DOMAIN ADMIN and open a command prompt and navigate to c:\program files\system center operations manager 2007
• MOMADAdmin.exe syntax is MomADAdmin ManagementGroupName MOMAdminSecurityGroup PrincipalManagementServerComputerName Domain
• ManagementGroupName is the name of the OM Management Group. For each management group to be integrated, you need to run this tool so that a separate container is created.
• MOMAdminSecurityGroup is the name of your OM Admin Security Group
• PrincipalManagementServerComputerName is the name of the primary management server for this group.
• Domain is the domain name of the domain being prepared.
• When you run the tool, the following occurs:
• Creates an Operations Manager container under the root of the domain specified.
• Creates a container under the Operations Manager container the tool just created with the name of the management group specified.
• Within the management group container, the tool creates two service connection points (SCP) and one security group
• To verify:
• Open Active Directory Users and Computers (DSA.msc)
• Select View\Advanced Features from the toolbar and expand the domain
• Expand OperationsManager and select the management group name to verify the HealthServiceSCP point was created successfully for the management group.
• Note the addition of the RMS machine account (Root Management Server) to the management group name container. (Right-click, Properties, Security tab).
• Open the “Administration” and click the top-level Administration container in the Operations Console.
• Click the “Configure Active Directory (AD) Integration” link under “Optional Configuration”.
• On the “Configure Active Directory (AD) Integration” screen select “Add” and then “Next” to continue.
• Leave "domain name" selected as the domain name. Select “Next” to continue.
• Create inclusion criteria by selecting “Configure”.
• If we wanted to, for example create an inclusion rule for all machines that started with EXCH (for Exchange) we would create an inclusion rule similar to the following (Enter the following ):
• Computer name: EXCH*
• Role: Exchange Server
• Select “OK” to continue. Run through the rest of the screens.

scom doesn't detect exchange 2007 servers

this is by design in scom 2007 r2. a few simple steps will get you there though.

verify discovery helpers
-don't scope your views and click on "discovered inventory" in the monitoring pane
-right-click and click "choose target type"
-type "Exchange 2007 Discovery Helper" in the look for field
-exchange 2007 servers should appear w/ "not monitored" status

enable the discoveries (see note2 and image below for more info)- http://blogs.technet.com/momteam/archive/2010/02/23/exchange-2007-management-packs-do-not-automatically-monitor-exchange-servers.aspx

note1: discoveries only run every 24 hours (86400 seconds), so i'd recommend changing that override as well when enabling the discovery for each exchange 2007 role. change it something like 120 or 180 seconds, wait for the discovery and verify in the monitoring pane, then remember to change it back to the default (86400 seconds).

note2: hub transport and client-access are easy to find in the list of object discoveries. mailbox role is under the rule named "Exchange 2007 Standalone CCR Node Discovery". everything else is pretty self-explanatory.