Author: Ravi Yadav

Ravi Yadav is a Technical Solutions Architect, focused on Microsoft Cloud and Data Center technologies. Specializing in Azure -- ASR, OMS, Data Analytics, IaaS, PaaS, DRaaS, AAD; System Center -- SCOM, SCCM, SCVMM; and Hyper-V. Ravi is based out of Toronto, Canada, and is a Microsoft MVP in Cloud and Datacenter Management.

Creating certificates for Azure authorization

So let’s say you want to monitor your Azure environment using your on-premises SCOM. You would think all you need is an Azure environment, an Azure Management Pack and SCOM. Well, for the most part that is true, but to authenticate between Azure and SCOM you will require certificate-based authentication to bind the two environments. For starters, you will need the tools below, and can follow the steps I have outlined below.

Prerequisites

  1. Azure subscription
  2. Azure (SCOM) Management Pack
  3. Local SCOM environment (with Internet access)
  4. Windows 8.1 SDK or Visual Studio

I used my Windows 8.1 machine, therefore I needed the Windows 8 SDK. If you do not already have the SDK, it can be downloaded from HERE. Once you have installed the SDK, we will then need to create the certificate.

I used PowerShell, but you could probably use Command Prompt just as well. Please note, run as Administrator.

First browse to the SDK directory, “C:\Program Files (x86)\Windows Kits\8.1\bin\x86”

Then run the command below to create a self-signed certificate. Please note, your certificate name should match in both places.

makecert -sky exchange -r -n "CN=yourCERTnameHERE" -pe -a sha1 -len 2048 -ss My "yourCERTnameHERE.cer"


Now, I don’t know what all these switches meant so I did look it up. Also, I used the links below as reference:

If the step above worked, you should have got “Succeeded”.

Next, we will generate the PFX with a private key. Use the code below in sequence, again in Administrator mode, PowerShell or Command Prompt.

$MyPwd = ConvertTo-SecureString -String "yourPASSWORDhere" -Force -AsPlainText

$AzureCert = Get-ChildItem -Path Cert:\CurrentUser\My | where {$_.Subject -match "yourCERTnameHERE"}

Export-PfxCertificate -FilePath C:\yourCERTnameHERE.pfx -Password $MyPwd -Cert $AzureCert

 


If all went well, you can now import your PFX certificate. Go into the Certificate Store (launch MMC services, add the Certificate snap-in, run as Local Computer), and right click on Personal > Certificates > Import. Browse to your *.pfx certificate and import it. You will be prompted for the private key password to complete the import.

If all went well you should now be able to see the certificate within your Certificate Store, under Personal.


Now, Azure will want a *.cer based certificate, so we will now need to export our *.pfx certificate from the Certificate Store. This is pretty straightforward: choose export on the certificate, and save it as a *.cer file.

Once you have exported the PFX as a CER file, you can now go back to Azure, and import/upload the certificate we have just created!
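The same pair of files can be produced without the SDK, since makecert is deprecated in favor of the New-SelfSignedCertificate cmdlet. The following is an added example, not the author's commands; it assumes Windows 10 / Server 2016 or later, and the output folder is a placeholder. It signs with SHA-256 and prompts for the PFX password instead of storing it in the script.

```powershell
# Added example: certificate name and output folder are placeholders.
$name   = 'yourCERTnameHERE'
$outDir = Join-Path $env:USERPROFILE 'AzureMgmtCert'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Self-signed RSA-2048 key-exchange certificate with an exportable private key,
# created in the current user's Personal store (the store "makecert -ss My" writes to).
$cert = New-SelfSignedCertificate -Subject "CN=$name" `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeySpec KeyExchange -KeyLength 2048 -KeyExportPolicy Exportable `
    -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(1)

# Public half only: this .cer is the file that gets uploaded to Azure.
$cerPath = Join-Path $outDir "$name.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Private key: prompt for the password so it never appears in the script or history.
$pfxPwd  = Read-Host -Prompt 'PFX password' -AsSecureString
$pfxPath = Join-Path $outDir "$name.pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPwd | Out-Null

# Check the file before uploading: SHA-256 signature and no private key inside.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
[pscustomobject]@{
    Thumbprint         = $cer.Thumbprint
    SignatureAlgorithm = $cer.SignatureAlgorithm.FriendlyName
    HasPrivateKey      = $cer.HasPrivateKey   # False for a .cer export
    NotAfter           = $cer.NotAfter
}
```

Working with the `$cert` object returned by the cmdlet avoids the `-match` lookup on the subject, which can return more than one certificate when names overlap.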


Configuring Office 365 (O365) Management Pack in SCOM

For starters, I am assuming you have a valid Office 365 account, a SCOM environment (with Internet access), and the Office 365 Management Pack.

Once you have imported the MP, next within the Administrations tab, you will need to add your O365 subscription. I used the “All Management Servers Resource Pool” for my Server Pool.


Once successful, you should have your Office 365 Subscription within the Office 365 Overview:


If you go back to the Monitoring tab, you should now see the Office 365 folder along with some native views.


I went a step further and added the “Message Center” webpage, the same view you would see within a browser.

I copied the two views from the MP into My Workspace, and added a new Web Page view, with the URL here, https://portal.office.com/MessageCenter/MessageCenter.aspx.

When you launch the view the first time, you will be required to sign-in. I also check marked “stay logged in” to avoid this down the road.


And that is it! Pretty easy!

Azure Runbook Limitation

Here I am testing my Runbooks in my Azure lab, and all of a sudden I get the following alert, “The job failed. The quota for the monthly total job run time has been reached for this subscription. To get more job run time you can change to a different Automation plan or wait until next month when the quota will reset.”

Whaaaaat!!?


Well that sucks… I don’t want to wait another month! And I certainly do not want to upgrade my Azure subscription plan.

I contacted Microsoft, and they advised me the same: I will need to either wait until next month, or upgrade my subscription plan.

“…using a Free account, then it is limited to 500 job minutes per calendar month. You can change to the Basic pricing tier and get unlimited job minutes for just $0.002 / minute.”

Turns out, with the Free account, I am limited to 500 job (Runbook) minutes per calendar month. If I upgrade then I get unlimited job minutes, but at a cost of $0.002 per minute.

Well, this is certainly good to know. Also good to know: when creating Runbooks, we should code efficiently, otherwise our 500 minutes will be gone soon. =)

Thanks to Chris Sanders, Program Manager @ Microsoft for the helpful information!

Enabling SCOM 2012R2 Agent Proxy

The other day, I’m asked, “what the heck are these SCOM agent proxy alerts!?” I’m sure you fellow SCOM admins have seen these alerts before:


You could go to the computer that SCOM is complaining about and manually enable the agent proxy via Administration > Managed Computers, and modifying its properties, see below:


Or…… you could make your life easier, and do this…

The fix is easy, and both it and the explanation are below:

To resolve the “Agent proxy not enabled” alert for all machines in your current environment, run the following PowerShell code in the SCOM PowerShell Console:

get-SCOMagent | where {$_.ProxyingEnabled -match "False"} | Enable-SCOMAgentProxy


To prevent this alert in the future, run the following:

 

add-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client";
new-managementGroupConnection -ConnectionString:yourSCOMserverFQDNhere;
set-location "OperationsManagerMonitoring::";
Set-DefaultSetting -Name HealthService\ProxyingEnabled -Value True


Adding ESX/vCenter to SCVMM

Adding a Hyper-V host to SCVMM is pretty straightforward. I would only hope so, since they are both Microsoft products. Well, as quick as it is to add a Hyper-V host, adding an ESX/vCenter is just as quick. Here are the steps I took to add an ESX host and vCenter appliance to SCVMM 2012 R2.

Some prerequisites, well, I am assuming you have already deployed an ESX/ESXi server which also has a vCenter appliance installed and configured with a static IP and hostname. In my lab, I have vCenter installed on the ESX host itself. I am also assuming your SCVMM and ESX/ESXi environment(s) are able to communicate with one another.

  • Launch the SCVMM console
  • Create a Run As account, here I used the default VMware credentials (root/vmware)
  • Under the Fabric pane, and under the Servers > Infrastructure Node, right click on vCenter Servers, and add a new VMware vCenter Server


  • Input the vCenter IP address, leaving the TCP/IP port as default (443)
  • Also, specify the Run As account, select the one you created back at Step 2
  • Keep Communicate with VMware ESX host in secure mode enabled


  • Next, if the Run As account validated successfully, you should now get an Import Certificate prompt. Select Import


  • You can view the status of the new addition within the Jobs window


  • If all went smoothly, your vCenter appliance/server should now be within the vCenter Servers view!


  • Next, you will want to follow essentially the same steps as above, but this time, we will add the ESX host
  • Select, Add VMware ESX Hosts and Clusters


  • Hopefully here it should auto populate the search with the host, if not, search for it, using its IP or hostname


  • If all went well (proper Run As account, etc.), then it should soon be visible within the Server > All Hosts view. Confirm by viewing the Jobs window for any errors/messages.


Automating Start and Stop Times for Azure VMs

So you have set up an Azure lab, but you are now starting to see your billing costs are higher than you anticipated, or maybe you are getting tired of logging in to the Azure portal, every morning and every evening to start and shutdown your lab/Virtual Machine(s). Unfortunately there is no UI in the Azure portal that allows you to input a start and stop time for your Virtual Machines to be powered on and/or off, however there are some clever workarounds! Below are the steps I have taken to automate this problem.

Of course you will need an Azure environment, at least one Virtual Machine and some (very) basic PowerShell knowledge.

For starters, I have already built my VM, and I have already created an account that is a member of the domain administrators.


  • Log into the Azure portal and expand the Browse All icon, located on the left pane.


  • Select Automation Accounts and create a new Automation Account. I called mine “MachineStartStopAutomation”.


  • Next under the new account, select Assets


  • Here we will assign credentials associated to this Automation account. Within Assets, select Credentials


  • Once you have created the Credentials, next we will need to create the Runbook
  • Go back to the Automation Account, and this time select Runbooks


  • Provide some descriptive name for the Runbook. I used “Start<hostname>VM”. Also, I had some issues creating/editing the Runbook script when using the Graphical Runbook type, so I used the PowerShell Workflow. I would advise using the PowerShell Workflow option.


  • Within the script, use code similar to the one here. Note, your workflow name will be the name of your Runbook. Also, in line 5, the -Name <hostname> will be the VM you are interested in automating the PowerOn for. To be safe, I specified the FQDN.


  • Once complete, you can test and/or publish the Runbook. (You will need to Publish the Runbook in order to make use of it)
  • Next you will need to create a schedule. Go back to the Runbook, and select Schedules


  • Since I would like to start this VM daily, I set it for daily Recurrence.


You will now need to repeat all the steps above (starting at step 7) to create an automated shutdown Runbook. The PowerShell code will be almost exactly the same, but you will make use of the “Stop-VM -Name <hostname>” cmdlet.

Once complete, your new Automation Runbook should look similar to this. Hopefully this will keep your Azure billing costs down, and hopefully no more daily/manual starting and shutting down your lab/Virtual Machine(s). =)
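One way to write a single runbook that serves both the start and the stop schedule, as an added example rather than the author's script: it is a plain PowerShell runbook (not PowerShell Workflow) using the Az modules, and it signs in with the Automation account's managed identity in place of the stored credential asset. The parameter names are assumptions; each schedule passes its own values.

```powershell
# Added example: parameter names are illustrative, set per schedule.
param(
    [Parameter(Mandatory)] [ValidateSet('Start', 'Stop')] [string] $Action,
    [Parameter(Mandatory)] [string]   $ResourceGroupName,
    [Parameter(Mandatory)] [string[]] $VMName
)

$ErrorActionPreference = 'Stop'

# Sign in as the Automation account's managed identity. Assumption: the identity is
# enabled and holds only the rights needed to start/stop VMs in this resource group.
Disable-AzContextAutosave -Scope Process | Out-Null
Connect-AzAccount -Identity | Out-Null

foreach ($name in $VMName) {
    # -Status returns the instance view, including a 'PowerState/...' status code.
    $vm    = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $name -Status
    $power = ($vm.Statuses | Where-Object Code -like 'PowerState/*').Code

    if ($Action -eq 'Start' -and $power -ne 'PowerState/running') {
        Start-AzVM -ResourceGroupName $ResourceGroupName -Name $name | Out-Null
        Write-Output "Started $name (was $power)"
    }
    elseif ($Action -eq 'Stop' -and $power -ne 'PowerState/deallocated') {
        # -Force skips the confirmation prompt; Stop-AzVM deallocates by default,
        # which is what ends compute billing for the VM.
        Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $name -Force | Out-Null
        Write-Output "Stopped $name (was $power)"
    }
    else {
        # Already in the requested state: exit quickly to save job minutes.
        Write-Output "No change for $name ($power)"
    }
}
```

The job output records the previous power state of each VM, so the Jobs view doubles as a log of when the lab was actually running.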


OMS SQL Assessment Solution

First things first, what is the SQL Assessment Solution? The OMS SQL Assessment Solution does exactly what it sounds like: it assesses a given SQL environment, providing a health check and risk assessment. The solution runs on a fixed (for now) interval, monitoring and evaluating your SQL environment.

The solution provides six focus areas, which allow you and your SQL team(s) to understand where your environment may need attention either soon, or immediately. The focus areas provide recommendations based on Microsoft’s KB and on Microsoft’s engineers’ experience across multiple environments, industries and scenarios. These recommendations are suggested in order to get your environment back in good standing.

Six Focus Areas:

  1. Security and Compliance
  2. Availability and Business Continuity
  3. Performance and Scalability
  4. Upgrade, Migration and Deployment
  5. Operations and Monitoring
  6. Change and Configuration Management

Each focus area will break down its recommendations based on a weighted system. The weighted system is based on three metrics: Impact, Probability and Effort.

Each metric can be broken down as follows:

  • The Impact of the issue on your organization if it does cause a problem. A higher impact equates to a larger overall score for the recommendation.
  • The Probability that an issue identified will cause problems within the environment. A higher probability equates to a larger overall score for the recommendation.
  • The Effort required to implement the suggested recommendation. A higher effort equates to a smaller overall score for the recommendation.

For example, if “Schedule full database backups at least weekly” is weighted with 4.0, this means that implementing the recommendation and satisfying the assessment will improve our SQL assessment score from 88% to 92%, an overall increase of 4%.

Implementing the OMS Solution

To get the SQL Assessment Solution implemented, you will obviously need a SQL environment to monitor, and its Microsoft Monitoring Agent (MMA) either configured to OMS, or the agent/server made a member of the OMS server group with SCOM.

Here are the steps you will need to follow to configure the SQL Run As account in the SCOM console:

Note, the Run As account you will be using, needs to be a member of the Local Administrators group on all of the Windows Servers hosting the SQL Server Instances.

  1. In SCOM, go to the Administrations tab
  2. Under the Run As Configuration, click Accounts
  3. Create the Run As Account, following through the Wizard, creating a Windows account
    1. Under Distribution Security, select More secure
  4. Go back to the Run As Configuration and click Profiles
  5. Search for the SQL Assessment Profile
  6. Assuming you are using SCOM 2012 R2 UR7, the profile name should be “Microsoft System Center Advisor SQL Assessment Run As Profile”
  7. Right click and update its properties, and add the Run As Account we created in step 3
  8. Now you need to add the Run As account to the SQL database, and grant it the permissions it will need. Use the SQL code below, this will need to be executed on all SQL instances you are interested in incorporating into the SQL Assessment Solution. (I used this from the OMS documentation site; link can be found at the bottom of this blog)

---
    -- Replace "DOMAIN\UserName" with the actual user name being used as Run As Account (removing the quotes).
    USE master

    -- Create login for the user, comment this line if login is already created.
    CREATE LOGIN ["DOMAIN\UserName"] FROM WINDOWS

    -- Grant permissions to user.
    GRANT VIEW SERVER STATE TO ["DOMAIN\UserName"]
    GRANT VIEW ANY DEFINITION TO ["DOMAIN\UserName"]
    GRANT VIEW ANY DATABASE TO ["DOMAIN\UserName"]

    -- Add database user for all the databases on SQL Server Instance, this is required for connecting to individual databases.
    -- NOTE: This command must be run anytime new databases are added to SQL Server instances.
    EXEC sp_msforeachdb N'USE [?]; CREATE USER ["DOMAIN\UserName"] FOR LOGIN ["DOMAIN\UserName"];'

Once you have implemented the steps above, and assuming everything went successfully, soon, with OMS, you will see your SQL environment under the SQL Assessment Solution.

Hopefully there isn’t too much to fix. =)
