January, 2008

  • System Center: Operations Manager Engineering Team Blog

    Running the Web Console Server on a standalone server using Windows Authentication

    • 2 Comments

    One of the big issues we had in OpsMgr 2007 RTM was that if you installed the Database and the Root Management Server (RMS) on a standalone server with the SDK and Config services running under a domain account, users could not install the Web Console Server on a standalone machine and use Windows Authentication. The only other option was to use Forms based authentication, which required you to enter a user ID and password every time the web console was launched, something even I hated doing. What was even worse was that if your RMS was clustered you could not use Windows Authentication at all, because we did not support installing the Web Console on a cluster. The good news is that we have fixed this issue in OpsMgr SP1, but users will still need to set up constrained delegation, which basically allows a computer to be trusted for delegation; this is an AD/Kerberos limitation and not a product limitation. The attached doc has the steps to set up constrained delegation to support this scenario. I want to thank Marc, Manish and Ranga for helping get this scenario working in SP1.

    Satya Vel | Program Manager | System Center |

  • System Center: Operations Manager Engineering Team Blog

    Operations Manager Data Retention and Grooming Information

    • 1 Comments

    The attached Word 2007 file written by Daniel Savage contains information about data retention and grooming that many of you might find useful.

    Click the heading title to drill into the post and then a link to the attachment will appear.

  • System Center: Operations Manager Engineering Team Blog

    Answering some common deployment questions (Part 1)

    • 3 Comments

    What level of privileges are required to install the product?

    Someone recently asked a question regarding what level of privileges are required to install the product, and later they asked me why the accounts had to be what they were. I thought I would take some time to write this blog post and explain these accounts in a simple way.

    The account doing the install on the server where the SQL Server and Root Management Server are going to be installed needs to have local administrator privileges. To run MSI packages, users must at a minimum have local admin privileges. In addition, this account also requires system administrator privileges on the instance of SQL where the Operations Manager Database is going to be hosted. This is required so that setup can configure the necessary privileges for the SDK and Config service accounts and assign them the proper roles and rights on the Operations Manager Database, as the SDK and Config services read from and write to that database. The reason we require the installing user to be an admin is that setup creates services and files/folders, and it also creates the SQL database and SQL logins/roles, so it needs the necessary permissions to do this.

    Does the OpsMgr team support SQL 2005 database mirroring functionality?

    Database mirroring is something the OpsMgr team is not supporting at the moment (there is a slight possibility we may support it in the future). But from what we know there should not be any reason why it would not work. SQL Full recovery mode is supported in OpsMgr 2007 and therefore log shipping is also supported. MSIT has built out their OpsMgr infrastructure using log shipping for their database; you can read more about their log shipping implementation here.

    How do I know on which day the evaluation version of OpsMgr 2007 will expire?

    Unfortunately there is no easy way to do this. But the one thing you can do is check the date installed in the registry; the eval expires 180 days (6 months) after that date.

    The registry key is

    HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Setup\InstalledOn

    Note: Trying to change the registry key to extend the evaluation period or change the license key will not work; all this data is encrypted in the database.

     

    Capacity Planner for OpsMgr 2007 is currently only in Beta; how do I plan my customers' OpsMgr deployments?

    There is an internal alias called OMCAPREQ (OpsMgr 2007 Capacity Planning Requests) where internal MS employees can email information on their customer's environment, such as the number of agents they want to monitor, the kind of management packs they are planning to deploy, and whether they are planning to leverage new features like AEM and ACS, and we will give guidance on what hardware is recommended and whether we can scale to your customer's needs. If you are a customer and want to get your deployment reviewed, please get in touch with your TAM or Consultant and ask them to email this alias at Microsoft. It would be helpful if you sent a pictorial diagram of what you think your environment looks like.

     

    Is it supported to install the Gateway role onto a domain controller?

    I have tried it out in my virtual environment and it works. I can't say for sure that we officially support it, because I don't think our test team has actually tested this scenario. If a customer runs into an issue we will help debug it, but if there is no resolution to the problem then they will need to put it on a regular server. Just be aware of KB946428 and the likely need to run the HSLockdown tool.

     

    Is MSIT using a three node cluster to host the database and root management server roles? Why is it not supported?

    MSIT was at one point in time using the Active-Active-Passive scenario. However, since it is not a scenario supported by us, they redeployed their RMS and SQL systems to two separate two node clusters prior to the RTM release. One of the limitations we have is not being able to monitor SQL instances running on the same cluster. If a customer runs different databases on the same hardware, they would need to use agentless monitoring for those instances.

     

    How do I change the account the OpsMgr Services are running under?

    Follow the steps in this KB article: http://support.microsoft.com/?kbid=936220

     

    Satya Vel | Program Manager | System Center |

  • System Center: Operations Manager Engineering Team Blog

    Monitoring Password Expirations

    • 0 Comments

    The question has recently come up, what about password expiration used for Run As Account (and action account) credentials? If you are using Local System, there is no password to expire. If you specified a domain account, we have you covered (for the most part).

    When you specify a domain account, Operations Manager 2007 will monitor the expiration policy for that account. When the password for your domain account is about to expire, a monitor in the Operations Manager Management Pack changes to yellow and a warning alert is generated. Hopefully before the password expires, you change the password in the domain account and make the same password change for the Run As Account (or action account) in Operations Manager.

    So what happens in Operations Manager if the password for the domain account expires? Pretty much the same experience as when your own password expires: without the proper password, neither you nor the Run As Account or action account will be able to log in and perform any work. If the password does expire, the monitor in the Operations Manager Management Pack goes from yellow to red and an alert is generated.

    So what happens if Operations Manager is unable to monitor password expirations? There is another monitor in the Operations Manager Management Pack that checks to see if Operations Manager can check password expiration dates and if not, the monitor changes to yellow.

    So, to keep Operations Manager 2007 running smoothly, keep your passwords up to date.

  • System Center: Operations Manager Engineering Team Blog

    Looking for Connector Information?

    • 0 Comments

    We got a query through the blog email about how to get started writing connectors and I've heard of a few other requests for this type of information. For starters, take a look at this MSDN topic on creating connectors:
    http://msdn2.microsoft.com/en-us/library/bb437511.aspx

    You can also find a good quick start for connectors document over at Jakub's blog, here:
    http://blogs.msdn.com/jakuboleksy/archive/2008/01/09/scom-connector-quickstart-guide.aspx

    -Jonobie

  • System Center: Operations Manager Engineering Team Blog

    Walter Chomak's "Everything OpsMgr 2007" blog

    • 1 Comments

    Walter Chomak is a Senior Consultant with Microsoft out of the Boston area and does some really great work with our OpsMgr customers.  Check out his blog here:

    Everything OpsMgr 2007

    http://wchomak.spaces.live.com/default.aspx

     

     
  • System Center: Operations Manager Engineering Team Blog

    Versioning in OpsMgr

    • 1 Comments
     

    We got a question through the blog email about how to tell which version of Operations Manager was installed on a computer. This is easy to check, so I thought I'd throw up a quick tip about it.

     

    In the console, click Help->About and take a look at the number after version:

      Version number    Common name
      4.0.0.66          MOM 2000
      4.0.1300.0        MOM 2000 SP1
      5.0.2749          MOM 2005
      5.0.2911.0000     MOM 2005 SP1
      6.0.5000.0        OpsMgr 2007 RTM
      6.0.6246.0        OpsMgr 2007 SP1 RC

  • System Center: Operations Manager Engineering Team Blog

    Support plans for OpsMgr 2007, SCE and MOM 2005 running on Windows Server 2008

    • 10 Comments

    A lot of good stuff is going on in Seattle these days: the Seahawks have made it to the playoffs, we have actually been seeing some sunshine in the month of January, and Windows Server 2008, aka Longhorn, is picking up a lot of good buzz, at least from the few articles I have been reading. I wanted to update everyone on our plans to support Windows Server 2008 for MOM 2005, OpsMgr 2007 and SCE. Below, I refer to "all roles", which includes DB, DW, RMS, MS, Console, Gateway, Reporting Server, Web Console, ACS DB and ACS Collector. For most of the support statements below we mention 90 days after the release of Windows Server 2008; the reason for this is that in the past the OS team has made last minute changes that have broken our installs, which required us to ship a QFE. So far, I do not believe we will need any QFEs or SP to support W2K8, but we are waiting on the final build to run our full test pass. So there is a good possibility, especially for our agent, that we will support W2K8 earlier than the 90 days after they ship to which we have committed.

     

    W2K8 Server Core is a new SKU that has no UI and is a stripped down version of the OS where you can add the roles you need. The only way to install other software is to use the command prompt window. The roles that come out of the box for the Server Core SKU can be found here.

     

    Microsoft's virtualization technology, which is now integrated as part of the OS, is called Hyper-V. Hyper-V is currently scheduled to be available 180 days after the release of W2K8, and we will support it 90 days after that.

    Microsoft Operations Manager 2005 with SP1

                  Windows Server 2008       Windows Server 2008    Windows Server 2008
                  (STD, ENT, DATA, WEB)     (Server Core)          with Hyper-V
    All Roles     Not Supported             Not Supported          Not Supported
    Agent         RTM + 90 days             RTM + 90 days          RTM + 90 days

    Recommendations for MOM 2005: I would not waste my time trying to install MOM 2005 SP1 on W2K8. There are a number of architectural changes in the operating system, such as the way IIS works in W2K8, so I don't see MOM 2005 SP1 working on W2K8. That said, I haven't tried to run MOM 2005 SP1 on W2K8, so if anyone has tried and was successful please let us know. The agent currently runs on W2K8, but we are waiting on the official RTM build to run a final test pass.

     

    Operations Manager 2007 with SP1

                  Windows Server 2008       Windows Server 2008    Windows Server 2008
                  (STD, ENT, DATA, WEB)     (Server Core)          with Hyper-V
    All Roles     RTM + 90 days             Not Supported          RTM + 90 days
    Agent         RTM + 90 days             RTM + 90 days          RTM + 90 days

    Recommendations for OpsMgr 2007: I have tried this out myself and was able to install the DB, DW, RMS, Gateway and Console without any issues. I did have to use a hack for installing the Reporting Server role, which I have blogged about in one of my previous articles. Andrzej Lipka, one of our consultants, recently brought it to my notice that .NET Framework 3.0 is not a part of the Server Core SKU and cannot be added to the OS either, and therefore we cannot support our core roles on Server Core.

     

    System Center Essentials with SP1

                  Windows Server 2008       Windows Server 2008    Windows Server 2008
                  (STD, ENT, DATA, WEB)     (Server Core)          with Hyper-V
    All Roles     RTM + 90 days             Not Supported          RTM + 90 days
    Agent         RTM + 90 days             RTM + 90 days          RTM + 90 days

    Recommendations for SCE: Make sure to get a beefy box to run SCE and W2K8. I don’t recommend using anything under 4GB of RAM if you are running SCE and W2K8.

     

    Satya Vel | Program Manager | System Center |

  • System Center: Operations Manager Engineering Team Blog

    Understanding how Active Directory integration feature works in OpsMgr 2007

    • 3 Comments

    Happy New Year!!! One of my colleagues shared with me some detailed information on how Active Directory (AD) integration works (in particular how the service connection points (SCPs) are created), and I thought it would be a good blog post for this week. For those of you who have never heard about AD integration in OpsMgr, it is the ability for an OpsMgr agent to query Active Directory and learn which management server it needs to report to. AD integration is useful to customers that have larger deployments of over a thousand agents and helps reduce manageability costs. By using AD integration you can specify the primary and secondary management server for agents, something that cannot be done using push agent installation, where users can only specify the primary management server.

         The MOMADAdmin.exe command line tool does the following:

     

    1.       Creates a top level OperationsManager container in AD under the root of the specified Domain
    Under that container, it creates a management group container - whose name consists of the management group name and the suffix “Root”

    2.        Adds the machine account of the root management server to the MOM Admin security group.

    3.        Adds the MOM Admin security group to the container's ACL with WriteChild access (only with rights to create security groups and SCP objects, not other objects such as user accounts). This allows members of the MOM Administrator role and the root management server to manage the objects within the container. Only Domain Administrators have the right to remove or change the OperationsManager and <ManagementGroup> containers.

    Note: The MOM Admin Security Group is the sole member of the MOM Administrator role. The MOM AD based agent assignment feature requires it to be a domain global group or universal group.
    It can be modified in the MOM Console -> Administration space -> User Role node, right click the MOM Administrator role and select properties.

     

    4.       Creates 2 default SCPs and one security group within the container: One is HealthServiceSCP which represents the management group and the other one is SDKServiceSCP which represents the root management server. The security group is ACL’d to the HealthServiceSCP with Read permission – its membership will control which computers can “read” (hence discover) a particular management group, represented by the HealthServiceSCP. The Root MS and MOM Admins are given full rights over these objects.

    Note: SCP (service connection point) is an AD object for publishing information that client applications can use to bind to a service. MOM AD based agent assignment feature uses SCP to represent a MOM server and contain connection info to that server. MOM Agents can automatically discover MOM servers by querying for SCPs.

     

    Note: If the root management server or the MOM Admin security group is changed, the domain administrator will have to either 1) modify the container ACL, HealthServiceSCP and SDKServiceSCP manually to reflect the change, or 2) delete the container and re-run MOMADAdmin.exe with the updated parameters.

     

    After MOMADAdmin.exe has been run successfully by the Domain Administrator, a MOM Administrator can use the MOM Console to specify the set of agents they want to assign to a particular management server, in the form of an LDAP query (the query should return a list of computer accounts).

     

    The LDAP query and the other assignment settings are captured as configuration in a MOM rule.

    When the rule runs the first time, it will create an SCP (if one does not already exist) in AD for the management server and domain specified in its configuration.

    The SCP name is the management server NetBIOS name with the suffix "_SCP".

    The rule also creates 2 security groups named after the management server NetBIOS name, the first one with the suffix "_PrimarySG<random number>" and the second one with the suffix "_SecondarySG<random number>".

     

    The first security group is ACL’d to the management server SCP with Read and Read permission rights.

    This SG contains the machine account of agents that report to the management server as the primary server.

    It is also added as a member to the HealthServiceSCP’s security group.

     

    The second security group is ACL’d to the management server SCP with Read right only.

    This security group contains the machine account of agents that would failover to the management server (hence ‘secondary’) in the event that the Primary server is not responsive.

     

    The rule runs every hour to update the members of the security groups (ACL'd to the management server SCP) with the results of the specified LDAP query (the machine accounts of the agents that the administrator intends to assign to the server).

     

    When an agent starts up (and periodically thereafter) it checks AD for connection info using its machine account, looking in each management group container to find the management server (represented by the SCP) that it should connect to. It will only see SCPs where its machine account is a member of the associated security group.
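    Because group membership alone decides which machines can discover which management server, it is worth auditing these objects from time to time. The following script is an added example, not code from this post or from the OpsMgr product: it lists who may create children in the OperationsManager container, the SCPs under it, and the membership of every _PrimarySG/_SecondarySG group. It assumes Windows PowerShell 2.0 or later on a domain-joined machine, a user with read access to the container, and object names exactly as described above; it uses System.DirectoryServices only, so no AD module is needed.

```powershell
# Added audit example (not code from the blog post or the OpsMgr product).
# Enumerates the objects the post describes: the OperationsManager container,
# its SCPs and the *_PrimarySG/*_SecondarySG groups, plus who may create
# children in the container. Uses System.DirectoryServices only, so it needs no
# AD module; assumes Windows PowerShell 2.0+ on a domain-joined machine, run as
# a user with read access to the container, and object names as in the post.

$rootDse     = [ADSI]"LDAP://RootDSE"
$domainDn    = [string]$rootDse.defaultNamingContext
$containerDn = "CN=OperationsManager,$domainDn"

function Search-Container([string]$filter, [string[]]$props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://$containerDn"
    $s.Filter      = $filter
    $s.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    foreach ($p in $props) { [void]$s.PropertiesToLoad.Add($p) }
    $s.FindAll()
}

# 1. Who can create children (groups, SCPs) in the container? Per the post
#    that should be only the MOM Admin security group and Domain Admins.
Write-Host "== Principals with create/write rights on $containerDn =="
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, WriteDacl, WriteOwner, GenericAll"
foreach ($ace in ([ADSI]"LDAP://$containerDn").psbase.ObjectSecurity.Access) {
    if ($ace.AccessControlType -eq "Allow" -and
        (($ace.ActiveDirectoryRights -band $writeMask) -ne 0)) {
        Write-Host ("  {0,-45} {1}" -f $ace.IdentityReference, $ace.ActiveDirectoryRights)
    }
}

# 2. SCPs: HealthServiceSCP (management group), SDKServiceSCP (RMS) and one
#    <ManagementServer>_SCP per management server created by the assignment rule.
Write-Host "`n== Service connection points =="
$scpProps = @("name", "distinguishedname", "servicebindinginformation")
foreach ($r in Search-Container "(objectClass=serviceConnectionPoint)" $scpProps) {
    $binding = ""
    if ($r.Properties.Contains("servicebindinginformation")) {
        $binding = @($r.Properties["servicebindinginformation"]) -join "; "
    }
    Write-Host ("  {0,-30} {1}" -f $r.Properties["name"][0], $binding)
}

# 3. Group membership decides which agents can read, hence discover, each
#    management server's SCP. An empty group means the rule's LDAP query
#    matched nothing; an unexpected member is a machine that can discover
#    a management server it was never meant to report to.
Write-Host "`n== Agent assignment groups =="
$groupFilter = "(&(objectClass=group)(|(name=*_PrimarySG*)(name=*_SecondarySG*)))"
foreach ($g in Search-Container $groupFilter @("name", "member")) {
    $members = @()
    if ($g.Properties.Contains("member")) { $members = @($g.Properties["member"]) }
    Write-Host ("  {0} ({1} members)" -f $g.Properties["name"][0], $members.Count)
    if ($members.Count -eq 0) { Write-Host "    WARNING: no machine accounts assigned" }
    foreach ($m in $members) { Write-Host "    $m" }
}
```

    Compare the group members against the computer accounts the rule's LDAP query is meant to return; any difference is either a stale group (the hourly rule has not run) or a membership change made outside OpsMgr.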

     

    Satya Vel

     
