Configuring Run As Accounts and Profiles in OpsMgr – A SQL Management Pack Example

re: Configuring Run As Accounts and Profiles in OpsMgr – A SQL Management Pack Example

Keithk — Fri, 19 Apr 2013 22:08:20 GMT

Kevin,

Thanks for your work here. I am having a problem recently where a SQL instance was recently encrypted and as a result the SCOM agent is not able to query the MSCluster namespace via WMI. I am getting repeating event 5605 in the app log of the cluster node. Here is an article that appears to describe the problem I am having.

support.microsoft.com/.../2590230

As a nice bonus for me, this seemed to cause all SQL and cluster monitors on that SQLcluster to thrash offline and online causing an impressive state storm filling up our Ops DB and taking the RMS offline. Temporarily placing the SQL/cluster objects in maintenanace mode addressed the state storm and allowed me to free space and make sure the RMS was back online again. However now I am not monitoring the SQL or clustered objects on that cluster so I need to find a way to address the root cause.

I am not sure, but could perhaps you could confirm if setting up a Run as account with higher level permissions to execute the SCOM SQL/Cluster workloads on these encrypted instances would address this issue?

I am concerned that it won't because the eventid suggests that the resolution has to do with changing the authentication level to Pkt_Privacy.

Any thoughts?

Thanks,

Keith

re: Configuring Run As Accounts and Profiles in OpsMgr – A SQL Management Pack Example

Aaron — Wed, 20 Feb 2013 01:45:15 GMT

Hi Kevin, thanks for this information. My concern is if you are using the Local System account for the “Default Agent Action Account”, what would stop someone from making the agent run scripts that could potentally do damage to the system?

re: Configuring Run As Accounts and Profiles in R2–A SQL Management Pack Example

Chris — Wed, 28 Mar 2012 08:47:46 GMT

You wrote: "Our goal is to make the initial discoveries – which target the “Windows Server” class, run under the default agent action account. THEN – ALL subsequent discoveries should run under the SQL Discovery Profile/Run As account. Therefore – we should add the “SQL DB Engine” class."

Most of my sql servers can be monitored using the default action account (local system), but I have some sql servers that need to be monitored using another account (domain account). How do I target this runas account? I can not use the SQL DB Engine class because then all sql servers will use this run as account.

Regards,

Chris

re: Configuring Run As Accounts and Profiles in R2–A SQL Management Pack Example

JohnB — Mon, 12 Dec 2011 13:49:12 GMT

And how do I distribute it?

re: Configuring Run As Accounts and Profiles in R2–A SQL Management Pack Example

Kevin Holman — Fri, 09 Dec 2011 16:36:53 GMT

Cannot be resolved generally means you did not distribute the run-as account to that particular health service.

re: Configuring Run As Accounts and Profiles in R2–A SQL Management Pack Example

JohnB — Fri, 09 Dec 2011 16:24:13 GMT

I went through your directions.. Now I just got dozens of alerts saying "An account specified in the Run As profile "Microsoft.SQLServer.SQLDefaultAccount" cannot be resolved."

What is causing that?

re: Configuring Run As Accounts and Profiles in R2–A SQL Management Pack Example

Matthew Cater — Thu, 12 May 2011 14:25:30 GMT

Hi Kevin - I have maybe a little bit different problem. I would like to configure a custom RunAs profile for agent installation, and use a RunAs account associated with it. The reason for this is I'm an admin for SCOM, but not domain admin, and our domain security policy has things pretty tightly locked down. There is an installation account configured with Local Admin rights on the servers, and we are using a domain user service account for the agent action account. All the documentation I've found says the agent installation is only able to be performed by the Managemnt Server action account, or an optional account that doesn't save credentials. Is there any way around this that you know of?

re: Configuring Run As Accounts and Profiles in R2–A SQL Management Pack Example

Kevin Holman — Mon, 07 Mar 2011 18:05:03 GMT

Hi Graham -

I didnt. I started to... got some SDK code in C#, but what I really want is for this to be included in the product, or it to be portable to PS script.

re: Configuring Run As Accounts and Profiles in R2–A SQL Management Pack Example

Graham — Fri, 25 Feb 2011 10:23:19 GMT

Hi Kevin

Did you ever get a chance to look at this in more depth?

"Yes - that will be a soon to come post - I am going to get some assistance and figure out a good way to handle dynamic run as account distribution using the SDK - since the UI leaves a lot to be desired. Stay tuned. "

Cheers

Graham

re: Configuring Run As Accounts and Profiles in R2–A SQL Management Pack Example

Kevin Holman — Mon, 07 Feb 2011 19:38:17 GMT

@Vivak -

Since your SQL server is ON the RMS.... this wont use Local System. This will use the Management Server Action Account as the default action account for all monitoring workflows.

Therefore - your MSAA needs the rights to SQL.... OR you need to set up the Run-As account and profile to be used by the SQL MP for the RMS.