Part 2. – Monitor Untrusted Agents with SCOM 2012: Configure a certificate template for SCOM


The following posts describe how to monitor SCOM clients that are not members of the Kerberos domain. Monitoring these “non-domain member” servers requires some extra steps. This is the second post in my series about monitoring.

The description is provided ‘from the ground up’. If you have already completed some of these steps, you can skip ahead to the next section.

This section explains how to make a SCOM certificate template in Windows 2012 Server.

In this series of posts we cover the following steps:
Part 1. – Monitor Untrusted Agents with SCOM 2012: Install the Enterprise CA on Windows 2012
Part 2. – Monitor Untrusted Agents with SCOM 2012: Configure a certificate template for SCOM
Part 3. – Monitor Untrusted Agents with SCOM 2012: Rollout a certificate to an untrusted server
Part 4. – Monitor Untrusted Agents with SCOM 2012: Implementation of a gateway server

1. To Configure the SCOM Certificate Template
In my lab I installed the Root CA on the Domain Controller.
1. Open Server Manager, click Tools, click Certificate Authority.

2. Select the Enterprise CA, right-click Certificate Templates and select Manage.
3. In the console, right-click IPSec (Offline request) and select Duplicate Template.
4. Leave the defaults at Windows Server 2003 and Windows XP / Server 2003. This way we are always backwards compatible.

5. Go to the General tab and type a logical Template Display name and Template Name (we used OpsMgr Certificate and OpsMgrCertificate). We changed the validity period to 5 years.

6. Go to the tab Request Handling. Check the option Allow private key to be exported.

7. Go to Cryptography and choose the minimum key size; we selected 2048. This is sufficient and takes less CPU time to process. Also check the Microsoft Enhanced Cryptographic Provider v1.0 option.

8. Go to the tab Extensions. Select the option Application Policies and click Edit. Remove IP security IKE intermediate and add the following policies: Client Authentication and Server Authentication, then click OK.

9. Go to the tab Security. Authenticated Users need to have Read access.

10. Click Apply and OK; the template is now created.

Now that we have created the template, it’s time to make it available.

11. Open Server Manager, click Tools, click Certificate Authority, right-click Certificate Templates, New, Certificate Template to Issue.

12. Choose the OpsMgr Certificate and click OK.

After these steps the OpsMgr Certificate template is displayed in the certificate templates.
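
Once a certificate has been issued from this template, it can be checked against the settings chosen in steps 7 and 8. The following PowerShell is an added example, not part of the original post; the function name Test-OpsMgrCertificate is hypothetical, and it assumes the certificate sits in the local computer's personal store.

```powershell
# Added example (not from the original post). Checks a certificate against the
# settings chosen for the OpsMgr template: both EKUs from step 8, the 2048-bit
# minimum key size from step 7, a private key and a current validity period.
function Test-OpsMgrCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        [int]$MinimumKeySize = 2048
    )
    begin {
        # Application policies (EKU OIDs) added to the template in step 8.
        $requiredEku = [ordered]@{
            '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
            '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
        }
        $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    process {
        $findings = New-Object System.Collections.Generic.List[string]

        # Collect the EKU OIDs actually present on the certificate.
        $presentEku = @($Certificate.Extensions |
            Where-Object { $_ -is $ekuType } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        foreach ($oid in $requiredEku.Keys) {
            if ($presentEku -notcontains $oid) {
                $findings.Add("Missing EKU: $($requiredEku[$oid]) ($oid)")
            }
        }

        # Key size; PublicKey.Key can throw for algorithms it does not support.
        $keySize = $null
        try { $keySize = $Certificate.PublicKey.Key.KeySize } catch { }
        if ($null -eq $keySize) {
            $findings.Add('Could not read the public key size')
        } elseif ($keySize -lt $MinimumKeySize) {
            $findings.Add("Key size $keySize is below $MinimumKeySize")
        }

        # Certificate authentication needs the private key on the machine itself.
        if (-not $Certificate.HasPrivateKey) {
            $findings.Add('No private key in this store')
        }

        $now = Get-Date
        if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
            $findings.Add("Outside validity period ($($Certificate.NotBefore) to $($Certificate.NotAfter))")
        }

        [PSCustomObject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            KeySize    = $keySize
            NotAfter   = $Certificate.NotAfter
            Compliant  = ($findings.Count -eq 0)
            Findings   = $findings -join '; '
        }
    }
}

# Check every certificate in the local computer's personal store.
Get-ChildItem -Path Cert:\LocalMachine\My | Test-OpsMgrCertificate | Format-List
```

Certificates issued for other purposes will show up as non-compliant; filter on Subject or Thumbprint to look only at the one requested from the OpsMgr template.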
Part 3. – Monitor Untrusted Agents with SCOM 2012: Rollout a certificate to an untrusted server

Part 1. Monitor Untrusted Agents with SCOM 2012: Install the Enterprise CA on Windows 2012; the complete story


The following posts describe how to monitor SCOM clients that are not members of the Kerberos domain.
Monitoring these “non-domain member” servers requires some extra steps. This is the first post in my series of blogs about monitoring untrusted clients.
The description is provided ‘from the ground up’. If you have already completed some of these steps, you can skip ahead to the next section.

NOTE: If there is already an Enterprise CA in place, continue to Part 2!

In this series of posts we cover the following steps:
Part 1. – Monitor Untrusted Agents with SCOM 2012: Install the Enterprise CA on Windows 2012
Part 2. – Monitor Untrusted Agents with SCOM 2012: Configure a certificate template for SCOM
Part 3. – Monitor Untrusted Agents with SCOM 2012: Rollout a certificate to an untrusted server
Part 4. – Monitor Untrusted Agents with SCOM 2012: Implementation of a gateway server


– Install a Root Certification Authority
For most organizations, a root certification authority (CA) certificate is the first Active Directory Certificate Services (AD CS) role service that you install.
These steps describe how to install an Enterprise Root Certificate Authority on Windows 2012.

– To install a root CA 
1. Open Server Manager, click Add Roles and Features, click Next, and click Active Directory Certificate Services. Click Next two times.
2. Select the server where you want to install the role on; click Next

3. On the Select Role Services page, click Active Directory Certification Authority. Click Next three times.
4. Choose the following Features; Certificate Authority, Certificate Enrollment Web Service and Certificate Authority Web Enrollment. Click Next three times

5. On the last page check settings and choose Install
6. After the installation finished successfully restart the machine
– To Configure the root CA 
1. Open Server Manager, click AD CS
2. On the Configuration Required for AD Certificate Services; choose More
3. Choose Configure Active Directory Certificate Service on the destination server

4. Check the credentials and click Next
5. Select Certificate Authority and Certification Authority Web Enrollment and click Next (we will cover the web enrollment later)

6. Choose Enterprise Root CA, click Next
7. On the CA Type section choose Root CA and click Next
8. Choose Create a new private key and click Next
9. Specify the Certificate Server Cryptographic options (we left it default) and click Next

10. Fill in the Common name for this CA (tip: use a logical name; we used Enterprise-CA) and click Next
11. Choose the Validity Period and choose Next two times (we left it default)
12. Check the Confirmation page and choose Configure
13. In the “Do you want to configure additional Role Services” choose Yes
14. Choose Next and now choose the Certificate Enrollment Web Service
15. Click Next three times and on the Specify the Service account section choose the service user which is member of the IIS_IUSRS group (this group is in the Active Directory) and choose Next
16. Select the Enterprise CA and click Next
17. Check the Confirmation page and choose Configure
OK, we have finished installing the Enterprise Root CA.
Now we are going to make the certificate site secure, because that is necessary for web enrolment.
18. Click on Server Certificates, Create Self-Signed Certificate

19. Give it a friendly name (in our case we used demo-dc01) and click OK

We can now continue to the second part:
Part 2. – Monitor Untrusted Agents with SCOM 2012: Configure a certificate template for SCOM

Configure the ONTAP/Netapp Management pack with SCOM

ApplianceWatch PRO is a free management pack for Microsoft System Center Operations Manager (SCOM) 2007 R2 that enables you to discover, monitor, and generate reports for your storage systems running Data ONTAP.

Note:
This application has to be installed on a management server; if possible, avoid installing it on the root management server.

Let’s start:
Prior to executing the setup, I had each of the controllers discovered as an SNMP device using the SNMP discovery wizard in SCOM. They appear under “Network Devices” in SCOM.

Step 1: Discovering the NetApp Network devices
1. Log in to the SCOM console, go to Administration, Configure Computers and devices to manage
2. Choose Network Devices

3. Specify the IP address information of the NetApp device (start and end range) and choose the community string (we used public), Next

4. Select the devices, choose next and finish.
5. Check if the devices are discovered and displayed in the network devices settings under Administration

Step 2: Configuring the NetApp Management pack
1. Download and Execute the OnCommand-PlugIn-Microsoft_3.1_x64_NetApp.exe, Next

2. We are only going to monitor the Storage and do not have Hyper-V or a Metro Cluster. Therefore we only select Storage Monitoring, click Next

3. OnCommand Plug-In 3.1 installs a Web Service which needs a local administrator account.
Create a new account or select an existing one (note that this account needs to be in the Local Admin group) and click Next

4. Check Install and Finish, after the installation check if the installation was successful.

The installation installs the Management packs automatically:

5. Next go to Authoring, Rules, change the scope to Management Server and search for Data Ontap: Discovery Rule. Right-click it and choose Overrides, Override the Rule, For all objects of class: Management Server

6. Select the rule and change the Override value to True, click Apply, OK

7. Go to Monitoring, Data ONTAP, Storage Systems, Management Server and click in the Actions pane on Data ONTAP: manage Controller Credentials

8. Insert the credentials

Note: If the Data ONTAP Manage Controller Credentials fails with the following error:

You can run “C:\Program Files\NetApp\OnCommand\MS_Plugin\OC.OM.Management.Controller.Credentials.exe”

9. Finally you get a green check mark if the authentication was successful

10. Go to the task pane and run the Data ONTAP: Run Discovery Task
If the permissions for the task are set properly, your task will end successfully. Shortly after, all the NetApp objects will be discovered.

Views
After a successful installation you will get several views as you can see in the monitoring pane
Dashboard view

Diagram Overview

Reports
The NetApp Management Pack also deploys several reports.

Building SCOM 2012 Dashboards

System Center Operations Manager 2012 has significant enhancements in the ability to display data through the use of its new dashboard technologies.
This post is the first in a series of dashboard-related posts introducing these new abilities. This post will create two dashboards:
– A VMM Host performance dashboard which contains the performance indicators of the Hyper-V hosts
– An Environment state dashboard which displays the current health of the complete environments

SCOM 2012 Dashboards
Before we get into the steps of creating a new dashboard, I will go over a bit of terminology. A dashboard is a collection of data from SCOM which gives you the right overview in a specific view, also named the Network Operations Center (NOC) display.

This shows the health of various key applications, products, or websites that are monitored by Operations Manager. Some advantages of a dashboard:
– Ability to provide custom charts and graphs beyond those available in the built-in performance view
– Network Operations Center (NOC) shows the health of various key products or applications
– Build an overview which covers the health of specific products

Let’s see how this actually all works…

Step 1 – We first start with the VMM Host Performance dashboard layout.
Note: The Virtual Machine Management pack is required for this dashboard

1. Log on to the computer with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2012 management group.
2. In the Operations console, click Administration.
3. Choose the Management Packs node, click Create Management Pack and type the name (we chose Custom Dashboards). Click Next, Create.
4. Go to Monitoring, go to the newly created MP name (Custom Dashboards), right-click, New, Dashboard view

5. Choose Grid Layout and click Next, change the name to VMM Host Performance and click Next, choose the 4 Cells option, choose Next and Create.

Step 2 – Adding Widgets to the dashboard.
1. Go to the Grid Layout and click to add widget

2. In the general properties choose the name of the Widget. We chose:
VMM Nodes – % CPU Performance
VMM Nodes – Memory Available MBytes
VMM Nodes – Logical Disk Reads/sec
VMM Nodes – Logical Disk Writes/sec

3. In the groups section choose Groups and scope it to Hosts in VMM, click next

4. Select the required Performance counters and click next

VMM Nodes – % CPU Performance
Object: HyperV Logical Processor
Counter: %Total Run Time
Instance: (All)

VMM Nodes – Memory Available MBytes
Object: Memory
Counter: Available MBytes
Instance: (All)

VMM Nodes – Logical Disk Reads/sec
Object: LogicalDisk
Counter: Disk Read Bytes/sec
Instance: (All)

VMM Nodes – Logical Disk Writes/sec
Object: LogicalDisk
Counter: Disk Write Bytes/sec
Instance: (All)

5. Click Next, set the time range to 12 Hours (or different)

6. Check the chart preferences and sort so it looks like this:
Show the legend
Target
Path
Last value
Minimum Value
Maximum Value
Average Value

7. Click Next and Finish.
8. Do this for
VMM Nodes – % CPU Performance
VMM Nodes – Memory Available MBytes
VMM Nodes – Logical Disk Reads/sec
VMM Nodes – Logical Disk Writes/sec

 
Note:
HyperV processor monitoring: why monitor HyperV Logical Processor, %Total Run Time and not the %Processor time?

Measure overall processor utilization of the Hyper-V environment using Hyper-V performance monitor counters. To measure total physical processor utilization of the host operating system and all guest operating systems, use the “\Hyper-V Hypervisor Logical Processor(_Total)\% Total Run Time” performance monitor counter. This counter measures the total percentage of time spent by the processor running both the host operating system and all guest operating systems. Use the following thresholds to evaluate overall processor utilization of the Hyper-V environment using the “\Hyper-V Hypervisor Logical Processor(_Total)\% Total Run Time” performance monitor counter:
– Less than 60% consumed = Healthy
– 60% – 89% consumed = Monitor or Caution
– 90% – 100% consumed = Critical, performance will be adversely affected

See http://technet.microsoft.com/en-us/library/cc768535(v=bts.10).aspx for more information

How to backup all SCOM management packs

A very simple PowerShell script to back up all management packs to disk.
Launch the System Center Operations Manager Command Shell:

OpsMgr 2007 R2
get-managementpack | export-managementpack -path D:\mgmt\MPBackups

OpsMgr 2012
Get-SCManagementPack | Export-SCManagementPack -path D:\mgmt\MPBackups

The difference between the OpsMgr 2012 code and the OpsMgr 2007 R2 code is that the ‘get-managementpack’ and ‘export-managementpack’ commands have been renamed in SCOM 2012 to ‘get-scmanagementpack’ and ‘export-scmanagementpack’.

SQL Agent Job Discovery in SCOM is empty

Issue:
When implementing the SQL management pack, the “SQL Agent Job state” view is empty. Therefore there is no overview of which jobs have run successfully or have failed.

Cause:
The SQL Server Management Pack includes an option to discover and monitor SQL Server Agent Jobs for SQL 2005/2008/2012.  The Discovery for this is disabled by default.

Solution:
Use an override to change the setting for automatic discovery:
1. In the Authoring pane, expand Management Pack Objects, and then click Object Discoveries.
2. On the Operations Manager toolbar, click Scope, and then filter the objects that appear in the details pane to include only SQL Server objects.
3. In the Operations Manager toolbar, use the Scope button to filter the list of objects, and then click SQL Server Agent Job.
4. On the Operations Manager toolbar, click Overrides, click Override the Object Discovery, and then click For all objects of class: SQL 20xx Agent

5. In the Override Properties dialog box, click the Override box for the Enabled parameter.
6. Under Management Pack, click New to create an unsealed version of the management pack or use an existing one, and then click OK, or select an unsealed management pack that you previously created in which to save this override. As a best practice, you should not save overrides to the Default Management Pack.

After you change the override setting, the object type is automatically discovered and appears in the Monitoring pane under SQL Server.

NOTE: The script runs every 14400 seconds, so it can take up to 4 hours before the discovery takes place. You can shorten this by changing the discovery interval to, for example, 120 seconds. Don’t forget to change it back to the default.

After the discovery the SQL Agent Job State

Why download management packs manually instead of from the catalog

When updating OpsMgr management packs, the easiest way to do this is to show “Updates available for Installed Management Packs” in the console.

When doing this, only the existing imported MPs are updated.
If the MP is updated with new additional monitoring features, it will not show up as needing an update. So if you use the console you will miss new ones.
Because of this I do not recommend using the console update feature; instead, download the MSI from the catalog on the web at http://systemcenter.pinpoint.microsoft.com and extract it. If not, you will end up missing MPs you need.

Updating the Exchange 2010 Management Pack in OpsMgr 2007 and OpsMgr 2012

This is a step by step guide on how to update the Exchange Server 2010 management pack with System Center Operations Manager 2007 and 2012.

For a fresh installation of the Exchange 2010 MP, see http://www.toolzz.com/?p=63

NOTE!
Operations Manager 2007 R2 requires a restart!
Operations Manager 2012 does not require a restart!
The Exchange Monitoring will have downtime during the upgrade of the correlation engine

This article discusses how to update the Exchange 2010 management pack the proper way.

Step 1 – Checking the current version of the Exchange 2010 MP
1. Log on to the computer with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2012 management group.
2. In the Operations console, click Administration.
3. Choose the Management Packs node.
4. Type Exchange in the search box and check if it is an older version and not already updated.

Step 2 – Updating the Exchange correlation Engine
The correlation update must run from the server where the Correlation Engine is successfully installed. Most likely (and recommended) the Correlation Engine will be installed and updated on the root management server (emulator).

Do the following steps on the RMS Emulator
1. Download the MP software from the Microsoft site http://www.microsoft.com/downloads/details.aspx?FamilyID=7150bfed-64a4-42a4-97a2-07048cca5d23&displaylang=en
2. Choose the proper version (X64)
3. Launch the MSI package and follow the installation.


4. As mentioned before:
Operations Manager 2007 R2 requires a restart; after that you can continue to Step 3.
Operations Manager 2012: continue to Step 3.

Step 3 – Import the Exchange 2010 Management Pack
1. Log on to the computer with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2012 management group.
2. In the Operations console, click Administration.
3. Right-click the Management Packs node, and then click Import Management Packs.
4. The Import Management Packs wizard opens. Click Add, and then click Add from disk.
5. If prompted to connect to the online catalog, click No.
6. The Select Management Packs to import dialog box appears. Go to the directory where your management pack file is located as extracted in Step 1. By default, the location is C:\Program Files\System Center Management Packs.
7. Select both management pack files to import from that directory, and then click Open.
8. On the Select Management Packs page, the management packs that you selected for import are listed.

9. You will receive a prompt indicating that the management pack presents a security risk. This is due to the management pack’s use of agent proxying. Click Yes to allow the import.
10. The Import Management Packs page appears and shows the progress for each management pack. Each management pack is downloaded to a temporary directory, imported to Operations Manager, and then deleted from the temporary directory. If there is a problem at any stage of the import process, select the management pack in the list to view the status details. Click Close.
11. Check the content of the C:\Program Files\Microsoft\Exchange Server\v14\Bin directory to verify that the update ran successfully.

That’s all!
Note:
Because the configuration already took place during the initial installation of the MP, the update does not require any adjustments.

Configure/open Firewall ports for MS SQL 2008 R2/Windows 2008 (R2)

By default, installing SQL Server 2008 R2 on a brand new Windows Server 2008 R2 server does not open the required Windows Firewall ports.
I always wonder why they don’t give you the option during the installation of SQL and let MS make the changes for you. Anyway, MS has a tool to “Fix It” but on my Windows Server 2008 it runs but doesn’t apply to the Windows 2008 R2 setup.

You can of course follow Microsoft’s KB articles and manually add the Windows Advanced Firewall rules. For me, a script to do this was the way to go. Don’t forget to run the script as Administrator in the CMD box.

@echo =========  SQL Server Ports  ===================
@echo Enabling SQLServer default instance port 1433
netsh firewall set portopening TCP 1433 "SQLServer" 
@echo Enabling Dedicated Admin Connection port 1434
netsh firewall set portopening TCP 1434 "SQL Admin Connection" 
@echo Enabling conventional SQL Server Service Broker port 4022  
netsh firewall set portopening TCP 4022 "SQL Service Broker" 
@echo Enabling Transact-SQL Debugger/RPC port 135 
netsh firewall set portopening TCP 135 "SQL Debugger/RPC" 
@echo =========  Analysis Services Ports  ==============
@echo Enabling SSAS Default Instance port 2383
netsh firewall set portopening TCP 2383 "Analysis Services" 
@echo Enabling SQL Server Browser Service port 2382
netsh firewall set portopening TCP 2382 "SQL Browser" 
@echo =========  Misc Applications  ==============
@echo Enabling HTTP port 80 
netsh firewall set portopening TCP 80 "HTTP" 
@echo Enabling SSL port 443
netsh firewall set portopening TCP 443 "SSL" 
@echo Enabling port for SQL Server Browser Service's 'Browse' Button
netsh firewall set portopening UDP 1434 "SQL Browser" 
@echo Allowing multicast broadcast response on UDP (Browser Service Enumerations OK)
netsh firewall set multicastbroadcastresponse ENABLE

Check if the ports are opened successfully (see the picture).
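
The batch script above passes no scope argument to netsh firewall set portopening, so each opening accepts any source address. The following PowerShell is an added example, not part of the original post: it builds netsh advfirewall rules for the same SQL Server ports, limited to one remote subnet and one firewall profile. The function names, rule names and the 10.0.10.0/24 subnet are assumptions, and the HTTP/SSL openings are left out.

```powershell
# Added example (not from the original post). Builds "netsh advfirewall" rules
# for the SQL Server ports listed above, limited to one remote subnet and one
# profile. Rule names and the sample subnet are assumptions.
function Get-SqlFirewallRuleArgs {
    param(
        [Parameter(Mandatory = $true)][string]$AllowedRemote,   # e.g. '10.0.10.0/24'
        [ValidateSet('domain', 'private', 'public', 'any')]
        [string]$FirewallProfile = 'domain'
    )
    # Same ports as the batch script; names contain no spaces to keep quoting simple.
    $rules = @(
        @{ Name = 'SQL-DefaultInstance'; Protocol = 'TCP'; Port = 1433 }
        @{ Name = 'SQL-AdminConnection'; Protocol = 'TCP'; Port = 1434 }
        @{ Name = 'SQL-ServiceBroker';   Protocol = 'TCP'; Port = 4022 }
        @{ Name = 'SQL-DebuggerRPC';     Protocol = 'TCP'; Port = 135 }
        @{ Name = 'SSAS-DefaultInstance'; Protocol = 'TCP'; Port = 2383 }
        @{ Name = 'SQL-Browser-TCP';     Protocol = 'TCP'; Port = 2382 }
        @{ Name = 'SQL-Browser-UDP';     Protocol = 'UDP'; Port = 1434 }
    )
    foreach ($rule in $rules) {
        # The leading comma emits each argument array as one pipeline object.
        , @('advfirewall', 'firewall', 'add', 'rule',
            "name=$($rule.Name)", 'dir=in', 'action=allow',
            "protocol=$($rule.Protocol)", "localport=$($rule.Port)",
            "remoteip=$AllowedRemote", "profile=$FirewallProfile")
    }
}

function Set-SqlFirewallRules {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$AllowedRemote,
        [string]$FirewallProfile = 'domain',
        [switch]$Apply
    )
    $ruleArgs = Get-SqlFirewallRuleArgs -AllowedRemote $AllowedRemote -FirewallProfile $FirewallProfile
    foreach ($netshArgs in $ruleArgs) {
        if ($Apply) {
            # Requires an elevated session.
            & netsh.exe @netshArgs
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "netsh failed: $($netshArgs -join ' ')"
            }
        } else {
            # Dry run: return the command line for review.
            "netsh $($netshArgs -join ' ')"
        }
    }
}

# Dry run: print the commands. Add -Apply to create the rules.
Set-SqlFirewallRules -AllowedRemote '10.0.10.0/24'
```

The scoped rules only narrow exposure if the unscoped openings created by the batch script are not also present on the server.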

 

 

Alerts from the HP management pack

Issue:
Regarding my blog post on HP monitoring I get a lot of questions on errors which are generated by the HP management pack / SNMP hardware logs; these errors are displayed in the Computer State not in the Active Alerts.

The description is very poor but it suggests that there are issues in the HP Hardware logs.

Context:
Date and Time: 11/11/2011 10:20:52 AM
Property Name: Property Value
Processors_SNMP.HealthState: HealthSuccess
Cooling_SNMP.HealthState: HealthSuccess
RealtimeMonitors_SNMP.HealthState: HealthSuccess
TemperatureSensors_SNMP.HealthState: HealthSuccess
Logs_SNMP.HealthState: HealthError

Logs_SNMP.FailedComponent Integrated Management Log Server Others_SNMP.HealthState HealthSuccess Health explorer

Cause:
The cause is in the computer’s local HP log which is in a bad state and has errors which are not resolved (cleared or fixed). Therefore it will stay in bad state.

Solution:
The solution is most of the time very simple. Clearing the HP log on the local server and resetting the OpsMgr health state will solve the issue. You can do this in the HP homepage on the local computer which is causing the issue.