SCOM 2016 + OMS Toronto Meetup!

This November, I will be hosting a SCOM 2016 and OMS meetup. The intended target audience is for SCOM and OMS User groups within the Toronto and Greater Toronto Area, however not limited to. It will be hosted at the University of Toronto, November 9th, 2016. Please see the link below for more details!

Topics will include, but not limited to:

  • New Features with SCOM 2016
  • OMS Integration/Configuration
  • OMS Solutions

Seating is limited, so RSVP your spot soon!! For more details on the Meetup, please see HERE.

 

See you all there!

Step-by-Step – SCOM 2012 R2 Update Rollup 11 (UR11) Install Procedure

My personal notes,  SCOM 2012 R2 Update Rollup 11 (UR11) has a lot of networking monitoring fixes, Linux/UNIX support and security fixes, along with more OMS integration. What is OMS, please go HERE. It is highly recommended to upgrade your lab/Dev environments first before upgrading your Production environment(s). The step by step procedures below are the steps I took and in no way shape or form do I accept responsibility for any data loss, and/or issues within your environment. It is advised to always take a backup of your SQL databases and/or snapshots of your SCOM environment(s). Please take these notes as suggestions. Always refer to Microsoft’s KB (posted above) for full documentation steps.

Here are the key updates for UR11 (source Microsoft):

Issues that are fixed in this update rollup can be found here, https://support.microsoft.com/en-us/kb/3183990

Once you are ready to begin your upgrade, it is recommend you do the following server/roles in the order below:

  1. Install the update rollup package on the following server infrastructure:
  • Management server or servers
  • Audit Collection Services
  • Gateway servers
  • Web console server role computers
  • Operations console role computers
  1. Apply SQL scripts.
  2. Manually import the management packs.
  3. Apply the agent update to manually installed agents, or push the installation from the Pending view in the Operations console.

Once you have downloaded the rollup files, I like to extract and only keep the language I need, in this case, ENU (English). You will need to install these with Administrative rights, I like to use PowerShell as Local Administrator. It really does frustrate me, as there is no indication that the rollup installed correctly, (other than looking at the file version number change via File Explorer).

1

2

3

Personally, I prefer to execute the MSP files via PowerShell (RunAs Administrator) console.

Again, the order needs to be:

  1. Management Servers
  2. Audit Collection Services
  3. Gateway Servers
  4. Web Console Role Servers
  5. Operations Console Role Servers

Once the rollups are installed, you will now need to apply the SQL scripts. First update the Data Warehouse, then followed by the OpsMgr DB.

The scripts can be found here, “%SystemDrive%\Program Files\System Center 2012 R2\Operations Manager\Server\SQL Script for Update Rollups

Please note, the user executing these scripts needs to have read and write permissions to the database(s).

4

5

6

Once you have successfully executed the SQL scripts, you will now need to import the updated Management Packs (MP). These MPs can be found here, “%SystemDrive%\Program Files\System Center 2012 R2\Operations Manager\Server\Management Packs for Update Rollups“.

You will need to import the following MPs, please see below:

7

Once the MPs have been imported, you should now go back to your Pending Management view, under the Administrations pane, and update all servers.

8

And that is that! You are now on the latest and greatest System Center release for SCOM 2012 R2.

(more…)

Creating a Site-to-Site (S2S) VPN with Azure Resource Manager (ARM) and Windows 2012R2

To begin, I am setting up a Site-to-Site VPN (Virtual Private Network) between my home-lab and Azure. The same concept(s) can be applied to an On-Premises/Data-Center environment and enterprise grade firewalls/routers.

For starters you will need to know the IP of your home network, my IP is dynamic, so it is continuously changing. If you don’t know your public IP, go HERE to get that now. Also, I will be using the Azure Resource Manager portal, and not the classic portal, and lastly working with IPv4, not IPv6. Lastly, I am going to assume you already know a few things about Azure, Windows Server 2012R2 RRAS (Routing and Remote Access Service) and the basics of Networking.

This setup consists of 2 steps — Step 1, setting up and configuring Azure, and Step 2, setting up and configuring your Windows RRAS server. Let’s begin:


Setting up/Configuring Azure:

Step 1: Create a Resource Group

1

Step 2: Create a Virtual Network

Now we need to create a Virtual Network. This virtual network will provide IPs to machines assigned within this resource group. The IP spacing can be whatever you choose, however it is best to choose an address space different from your home-network. I have chosen a 172.10.0.0/24; my home network is a 10.10.10.0/24.The resource group will always the one you created back in Step 1.

2a

Next I will add two subnets, one for the back-end and one for the gateway of my servers. Within your Virtual Network, select Subnets, and add as many subnets as needed.

2b

Step 3: Create a Virtual Network Gateway

Next we will create the Virtual Network Gateway. The virtual network gateway will be responsible for sending and receiving data. Essentially the bridge between (gateway) Azure and your RRAS server/home-network.

I have kept the defaults, VPN as the Gateway type, and Route based for the VPN type. The resource group will always the one you created back in Step 1.

Depending on your environment and requirements, you will need to decide which VPN type is best for you.

  • Route based, will support dynamic routing and support multiple VPN connections, using IKEv2.
  • Policy based, will support static routing, supporting a single VPN connection, and will use IKEv1.

3

  • The Virtual Network will be what we just created in Step 2,
  • The Public IP address will be one of Azure’s Public IPs,
  • Gateway type will be VPN,
  • VPN type will be Route based.

Once you have entered all the properties successfully, it will take about an hour for Azure to create the Virtual Network Gateway. (Good time for lunch/a break)

Step 4: Create a Local Network Gateway

Now we need to create the local network gateway, this gateway will be configured with all of your on-premises network.

  • IP address will be the IP address of your VPN endpoint, ie. Public Facing IP
  • Address space will be the address space you are using on-premises, in my case my home network is on a 10.10.10.0/24 network. (If you have multiple address spaces on-premises, then add them all here (only add if you want a machine in that space to be Azure accessible))

Keep in mind, the address space here MUST NOT overlap with the address space in Azure (this is why my Azure Local Network was provided a 172.10.0.0/24 address space to differentiate)

The resource group will always the one you created back in Step 1.

4a

Step 5: Create the VPN connection

Now that all the fun stuff is done, now we need to create the VPN connection. Within the Local Network Gateway we just created (Step 4) go within the Connections, and configure a VPN connection.

5b

  • You will need to specify the Virtual and Local LAN gateways we created in Step 3 and Step 4, for the Virtual Network Gateway and Local Network Gateway, respectively.
  • The Shared key (PSK) will need to be a string that will be used between the VPN connection and your RRAS server to encrypt and authenticate. I used a password generator with 32 characters, and only used letters and numbers (no special characters). Make sure to save this key, because you will need it in the Windows RRAS setup to complete the Site-to-Site connection!

 

Great Step 1 – Azure done! After configuring the RRAS server, we will need to come back to Azure, and connect/confirm the VPN traffic is flowing.

 



 

Setting up/Configuring Windows RRAS:

Step 1: Install the RRAS Windows Role 

Microsoft explains this pretty well and it is pretty straight-forward, so I won’t bother, see HERE.

Step 2: Configure and Enable Routing and Remote Access

Right click on the Network Interface, and select a New Demand-dial Interface

1a

Call it something meaningful…

1

Continue through the wizard, choose VPN.

2

Use IKEv2 Encryption here for the VPN Type (as we chose back in Step 5 within the VPN Connection configuration for Azure; they must match…duh)

3

Here you need to specify the Azure Public IP:

4

If you don’t know your Azure Public IP, go to your Virtual LAN Gateway, and see within the Essentials properties:

5

Leave Route IP packets on this interface enabled….

6

Since we are providing a PSK, credentials here don’t matter.. I just entered, Azure and left the rest blank…

7

Now add the Static Route for your local network, as mentioned, my network is a 10.10.10.0/24; 255.255.255.0.

10

Once complete, right-click on the interface we just created, and go to the Security settings. By default “Use machine certificates” will be enabled, select the preshared key for authentication option, and now enter that PSK we used in Step 5 of Azure….

8

Hit OK, and now let’s try to connect…..

Step 3: Test Connection on Server

11

Give this a few minutes, I gave it about 5 minutes, and it finally connected to Azure.

Step 4: Establish/Test Connection on Azure VPN

Go back to Azure, and within your VPN connection, hit Connect. For me, this took some time. Initially it connects, then fails, and repeats for a few minutes. I’d say after 5 minutes or so, it finally connected and stayed connected! YAY!

vpn_connection_success

 

vpn_connection_success_2

After all that, we now have a VPN connection established between Azure and my home network. This is evident as we can see traffic going in and out via Azure’s Gateway! Sweet!!!

 


(more…)

OMS – SCOM Assessment Solution

It’s been a few days since I last logged into OMS. Earlier today, as I was browsing through the Solutions Gallery, I had to do a double-check, as I saw a coming soon, SCOM Assessment Solution. Yes, that is right, OMS will soon be releasing a SCOM Assessment Solution!

As a SCOM/System Center consultant, I can’t even count the number of SCOM Health Checks I have done in my past — this is very exciting as maybe I can rely on OMS to do this for me… hmmm.

From the solution description, it will assess “the risk and health of your SCOM environment on a regular basis. It will provide a prioritized list of recommendations tailored to your deployments”….

As it appears today the solution is still, “coming” so hopefully Microsoft/OMS team can roll this out soon!

capture

What’s new with Hyper-V 2016? (PowerShell Direct)

In Windows Server 2016, Hyper-V 2016, Microsoft has created PowerShell Direct. PowerShell Direct allows us Hyper-V administrators to communicate with a VM from the Hyper-V host regardless of the network configuration, firewall settings, security policies,  and/or remote management settings. Provided the VM meets the basic criteria (see below), we can communicate with the VM with simple PowerShell! (Sweet)

*Yes, you could always log in to the VM as well…….<lame>*

PowerShell Direct Requirements:

In order to make use of PowerShell Direct, the following conditions need to be met:

  1. Hypervisor must be either Windows 10, or Windows Server 2016
  2. Virtual Machine must be either Windows 10, or Windows Server 2016
  3. Must have valid user credentials for the VM
  4. The VM must reside on the same Hypervisor
  5. The admin logged into the Hypervisor must be a Hyper-V administrator

Example:

In my example, my Hypervisor is Windows 10, and my guest VM is also a Windows 10 machine. (Sorry too lazy to get my server up =) )

Here are some cmdlets you will need to know:

  • Get-VM will provide a list of all the VMs on your Hyper-V host
    • Get-VM
  • This will establish the connection between you (the host) and the guest VM:
    • Enter-PSSession -VMName <VMName>
  • If you want to run a block of code, rather than single line:
    • Invoke-Command -VMName <VMName> -ScriptBlock { commands }

PowerShell

I got that error as I shutdown the VM too quickly…

As you can see, there was no Network Adapter on my VM. Also in the screenshot above, no information was provided when I queried an IPCONFIG.

VM vNIC Settings

Also, I was able to shutdown the VM from my host.🙂

shutdown VM shutdown VM(2)

 

I hope you’re excited as I am! Cheers!

For more information on Hyper-V 2016 and/or PowerShell Direct, see HERE.

What’s new with Hyper-V 2016? (Shielded VMs)

Not too long ago, I was fortunate enough to attend the MMS 2016 (Midwest Management Summit). During one of the presentations, I learned some pretty neat things about Windows Server 2016 especially around Hyper-V. One cool feature, “Shielded Virtual Machines“.

What shielded VMs ensures that Hyper-V administrators do not have the ability to alter and/or view the VM settings/data/contents, unless specified. This is great for environments, ie. Banks/Financial Institutions, Governments, Education, etc. environments to ensure their data is protected, even from the ones that administer their environments.

There are a few catches:

  • VM must be a Gen-2 (Generation 2)
  • VM must be Windows Server 2012 or higher, or
  • VM must be Windows 8 or higher

When creating the VM, the shielded VM has a virtual TPM (Trusted Platform Module) assigned and BitLocker encryption is applied to only allow designated owners to access the VM. The shielded VM will not run unless the Hyper-V host is on the Host Guardian Server. All of the VMs data and state information is encrypted, and cannot be accessed.

For more information on Shielded VMs, please visit Microsoft’s post HERE.

Azure Automation PowerShell ISE Add-On

Not too long ago, Microsoft released a new PowerShell module add-on for Azure Automation. This is great as it allows us to work locally and connects directly to Azure, connecting us to our existing Runbooks, gather subscription and account information, etc. This is great for anyone that is interested in OMS Hybrid-Runbooks, DSC (Desired State Configuration) and the future!🙂

Here’s a link to Microsoft’s blog post, HERE.

Cheers!