Category: Automation

New Features in SCOM 2016 – Maintenance Schedules

One very common request I always get with my SCOM 2012 customers is, “how can I put machines into Maintenance Mode for a future date?”

My response is, well, with some PowerShell and the Windows Task Scheduler, you can achieve this.  But wait, looks like the System Center/SCOM 2016 team has listened and delivered! Introducing ‘Maintenance Schedules‘.

Now SCOM administrators can put a machine, or a group of machines, or a group into Maintenance Mode (MM) for a future date. Even better, it looks like a lot (if not all) of the functionality has been taken from good old Windows Task Scheduler. What that means is, you can put machines into MM, for that Friday night/Saturday morning Change Request, or even better MM for reoccurring schedule, like Patch Tuesday.

In the example below, I am going to do a quick walk-through for a group of machines for a typical patching schedule.


For this scenario, let’s assume the following:

  1. Machines are patched every 3rd Friday of the month,
  2. Blackout/maintenance window is 6 hours (360 minutes),
  3. Scheduled MM will start @11:00PM.

1

  • Right click either on Maintenance Schedules, or within the middle pane.

2

  • As a rule of thumb, always a good idea to select the second (default) option here, “selected objects and all their contained objects.

3

  • Search for the machine(s) or the group(s) you want to enter into Maintenance Mode

4

  • Once you’re happy, go ahead and hit next

5

  • Next we are presented with an array of options. As per our example, we will be putting our machines in MM every 3rd Friday of the month, starting at 11:00PM, for 6 hours.

6

  • Now we’re ready

7

  • Now we need to provide a name to our MM Schedule… By default, ‘Planned’ and ‘Enable Schedule’ are ticked off. Go ahead and hit finish!

8

  • Now we can see our new Scheduled Maintenance Mode schedule! 🙂

As you can see here, for a SCOM Administrator, you can see which user create this task and also to see if it is enabled at the current time

9

  • You can also Edit, Copy, or Disable the schedule. Looks like I just discovered a bug! Also, disabling is not provided here, but it is within the Action pane:

10

11

  • And that is it!

If the schedule was done correctly, you will see the Event ID 1215 within the SCOM Management Server.

12

I hope this helped!

Happy SCOM’ing 2016!!

Advertisements

Setting up a KMS Server – Windows Server 2012R2

What is a KMS? Microsoft’s KMS allows you to automate license activation for Windows servers and/or applications. In my case, I am using KMS for Windows 2012R2 license activation.  (Oh, KMS stands for Key Management Server) The setup is simple, it took me no more than 15 minutes. Below are the steps I took to set this up. Some pieces of information, I decided to dedicate a server for KMS. Also, when adding the Windows server key, double check and ensure you are using a valid Volume License key, and a KMS key — not MAK! (Yes, there is a difference)

For starters I am going to assume you already made note of the license key from your Microsoft Volume License Servicing Center portal.

As mentioned, I decided to stand up a server dedicated for KMS.

From the Windows Server Manager, install the “Volume Activation Services” role either via the GUI, or via PowerShell. If via PowerShell, here is that command, “Install-WindowsFeature -Name VolumeActivation -IncludeAllSubFeature

Once the role has been installed, launch the Volume Activation Tool console, and essentially next, next, finish!

  • Browse/Select the server that will be hosting the KMS (service):

1

  • Paste in your KMS Host/License Key:

2

3

  • Choose “Active online

4

5

Here, you have some options, how often would you like KMS to check-in, how often would like KMS to apply the key, etc. I left my settings at default, but (assuming) your environment is domain based, check mark Domain for KMS firewall exceptions. Also, by default, KMS listens on TCP port 1688.

6

 

And that is is! Now your existing/new Windows 2012R2 servers will have their licence automatically activated within 2 hours.

(more…)

Hyper-V Network Virtual Switches

So you’ve spun up a Windows 2012R2 machine with Hyper-V installed and ready to go. However, now you’re stuck and not sure which type of  Network Virtual Switch (vSwitch) applies to your environment(s)…

In Windows 2012R2, Hyper-V’s network virtual switch runs at Layer 2 (Data Link layer). If you are unfamiliar with this, or either terms, I suggest good old Wikipedia. 🙂 Layer 2 maintains a MAC address table contains the MAC addresses of all the virtual machines (VMs) connected to it. The switch determines where to direct/redirect the packets to based on MAC addresses. It should be noted, in Hyper-V, you can have an unlimited amount of VMs connected to this vSwitch.

In Hyper-V you have three types of Network Virtual Switches: External, Internal and Private. All have similar functions but are disgustingly different.

  1. External vSwitch allows communication between the VMs running within the Hyper-V hosts, the Hyper-V parent partition, and between all VMs on the remote host server. The External vSwitch does require a network adapter on the host (that is not mapped to any other Hyper-V External vSwitch). You can also tag to a VLAN ID.
  2. Internal vSwitch allows communication between all VMs that are connected to the vSwitch and also allows communication between the Hyper-V parent partition. You can also tag to a VLAN ID.
  3. Private vSwitch allows communication between all VMs that are connected to the vSwitch, and that is it. (Note, no communication between the VMs and its Hyper-V parent partition. Also no VLAN ID tagging can occur on the vSwitch)

Without the use of SCVMM (System Center Virtual Machine Manager), I have found there are two ways to go about creating a vSwitch, one via Hyper-V GUI and second via PowerShell.

Let’s start with the GUI:

Launch the Hyper-V console, and right-click on the Hypervisor’s Virtual Switch Manager. Now selecting New virtual network switch, you can specify your properties here. Name your vSwitch, associate to the correct vNIC, tag to the appropriate VLAN ID, etc.

1 vSwitch HyperV Host

You can now specify which vSwitch for your guest VM to use. Within the VMs properties, you will have the option to chose within the Virtual Switch (you will need to create a Network Adapter if not already done). Once selected you can specify your VLAN ID here. (I am finding you cannot specify the VLAN within the Management vSwitch, but it must be done on the client VM’s end) *Again, this is without the use of SCVMM..yet*

2 vSwitch client OS

 

The same process above can be automated via PowerShell. If you’re like me and need to provision a few dozen Hyper-V hosts, creating vSwitches via the GUI is rather tedious. This can be automated with PowerShell (and SCVMM). Please see the code below:

First you will need to get a list of all the Network Adapters your Hyper-V host has to offer. Hopefully you have named them, if you have not, I highly suggest doing this, and considering this best practice and keeping your sanity.

3 Get Adapter names via PS

Once you have the list of vNICs and their names, you can go ahead and start creating vSwitches.

4 Create vSwitch via PS Code 5 Output Create vSwitch via PS

If the code below worked (note only Line 6 is needed to create the External vSwitch) your Hyper-V host should have the vSwitch, or something similar:

1 vSwitch HyperV Host

 

(more…)

Load Balancing SCOM Agents

So you have multiple SCOM Management Servers, yet you just happen to have all of your SCOM agents reporting to one server, or maybe two if you half tried to load balance your agents. There are several reasons why you would want to have multiple Management Servers, ie. off-load workflows, reduce stress on servers, etc., etc. Well what is the point of having multiple Management Servers yet nearly all of your agents are reporting to one, or maybe two at best Management Servers, while the others are collecting dust. Load balance those agents! You could manually move an agent by right clicking and moving to a new server, or you could let our friend PowerShell automate this for you.

In my experience I have seen many SCOM environments where load balancing is either done manually, or not done at all. And usually manually implies the SCOM administrator takes a look which of the servers has the least agents, and deploys away. That works, but why not deploy to any server then let PowerShell load balance for you.

In the solution below, I am using PowerShell along with Orchestrator 2012R2. The runbook can be setup to run ad-hoc, or run regularly, ie. monthly, weekly, etc. Of course if you do not Orchestrator deployed in your environment, you could very well take the script and schedule it to run via Windows Scheduled tasks.

ce63742c-85d7-402e-b114-c3979b7ce32b

Here I have created a Runbook to execute the script, and then send back a warning notification if the Runbook failed, or an informational notification that the Runbook executed successfully.

See below for the PowerShell script. Please note, you will need to change the Line 5 with a SCOM Management server applicable to your environment, duh. This script can also be modified, and you can load balance between two gateway servers.

The script can be found HERE!

Happy SCOM’ing!

SCOM Servers not “Remotely Manageable”? – Automation

Few posts ago, I blogged on how you can change your manually installed SCOM agents to actually appear as console-deployed. Although this solution is essentially a one time work-around, the solution below is intended for on-going manual installs. The solution below using the same SQL query and creating an automated SQL tasks that runs on a user-defined interval. Following the steps below, you can set this to run every month (or week, or quarter, etc.) and any manually installed will back their “Change Primary Management Server” enabled again.

In my solution below, I was working with SQL Server 2012SP1. This should work for previous iterations of SQL Server as well, 2012, 2008R2, etc.

Following the steps below, and using the SQL query used in a previous POST, you can automate this as well!

 

image001

image002

image003

 

image004

SCOM 2012R2 IIS Prerequisites

If you’re like me, a System Center Operations Manager consultant, then I am sure you have already ‘googled’ this a few times by now. I constantly find myself looking this up, so I figured I would write my very own blog post on this.

It should be noted, the following code below was found on various sites, and I have now pieced it together to suite my own needs.

For starters, when installing SCOM 2012R2 and its Web Console, you are required to meet certain IIS prerequisites. You can either do Option 1, the manual way, or Option 2, the PowerShell way.

If you go with Option 1, you will need to install the following IIS features:

  • Static Content
  • Default Document
  • Directory Browsing
  • HTTP Errors
  • HTTP Logging
  • Request Monitor
  • Request Filtering
  • Static Content Compression
  • Web Server (IIS) Support
  • IIS 6 Metabase Compatibility
  • ASP.NET
  • Windows Authentication

Or, Option 2, you can use PowerShell to automate this for you…. (Note, you will need to launch PowerShell console as an Administrator)

Import-Module ServerManager
Add-WindowsFeature NET-Framework-Core,AS-HTTP-Activation,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Request-Monitor,Web-Filtering,Web-Stat-Compression,AS-Web-Support,Web-Metabase,Web-Asp-Net,Web-Windows-Auth –restart

scom preq PS capture RT

Creating certificates for Azure authorization

So let’s say you want monitor your Azure environment using your on-premises SCOM, you would think all you need is an Azure environment and an Azure Management Pack and SCOM. Well for the most part that is true, but to authenticate Azure and SCOM, you will require a certificated based authentication to bind the two environments. For starters, you will need the tools below, and can follow the steps I have outlined below.

Prerequisites

  1. Azure subscription
  2. Azure (SCOM) Management Pack
  3. Local SCOM environment (with Internet access)
  4. Windows 8.1 SDK or Visual Studio

I used my Windows 8.1 machine, therefore I needed the Windows 8 SDK. If you do not already have the SDK, it can be downloaded from HERE. Once you have installed the SDK, we will then need to create the certificate.

I used PowerShell, but you could probably use Command Prompt just as well. Please note, run as Administrator.

First browse to the SDK directory, “C:\Program Files (x86)\Windows Kits\8.1\bin\x86

1

Then, using the following code below, this will create a self-signed certificate. Please note, your certificate name should match in both places here.

makecert -sky exchange -r -n "CN=yourCERTnameHERE" -pe -a sha1 -len 2048 -ss My "yourCERTnameHERE.cer"

2

Now, I don’t know what all these switches meant so I did look it up. Also, I used the links below as reference:

If the step above, you should have got “Succeeded”.

Next, we will generate the PFX with a private key. Use the code below in squence, again in Administrator mode, PowerShell or Command Prompt.

$MyPwd = ConvertTo-SecureString -String "yourPASSWORDhere" -Force –AsPlainText

$AzureCert = Get-ChildItem -Path Cert:\CurrentUser\My | where {$_.Subject -match "yourCERTnameHERE”}

Export-PfxCertificate -FilePath C:\yourCERTnameHERE.pfx -Password $MyPwd -Cert $AzureCert

 

3

If all went well, you can now import your PFX certificate. Go into the Certificate Store (launch MMC services, add the Certificate snap-in, run as Local Computer), and right click on Personal > Certificates > Import. Browse to your *.pfx certificate and import. You will be required for the Private Key (password to complete).

If all went well you should now be able to see the certificate within your Certificate Store, under Personal.

6

Now, Azure will want a *.cer based certificate, so we will now need to export our *.pfx certificate from the Certificate Store. This is pretty straight forward, export on the certificate, and save as a *.cer file.

Once you have export the PFX as a CER file, you can now go back to Azure, and import/upload the certificate we have just created!

7