Tag: SCOM 2016

ADFS Monitoring with Azure, OMS, SCOM 2016

ADFS (Active Directory Federation Services) has really taken flight since the inception of Office 365 and Azure Active Directory. Getting your on-premises environment configured with online identity services such as Azure, and having the SSO (Single Sign-On) abilities makes ADFS fundamental. Implementing ADFS is one thing, but what about monitoring your ADFS environment?

The following post is intended to illustrate the differences in ADFS monitoring by comparing the following monitoring tools: Azure AD Connect Health, OMS (Operations Management Suite) and SCOM 2016 (System Center Operations Manager).

SCOM (Operations Manager) 2016

The first step is to deploy SCOM agents to your ADFS environment/servers along with the ADFS Management Pack install. Once that is complete, and discovery has run, we should start seeing data within the ADFS view(s).

Within the ADFS view, we can see some useful information such as token requests. This data is presented hourly, and we can see the number of tokens being requested per hour over the given date range.

Another good view is the Password Failed attempts. We can see how many bad password attempts were made over the date range, but information such as which user, and when, would be useful.

This information is all good; however, without doing some custom management pack work, it is impossible to get any additional data, i.e. which users are requesting the token, which users are inputting bad passwords, and which users are connecting to which site/service offered by ADFS.

OMS (Operations Management Suite)

OMS does a nice job with dashboards, but unlike SCOM, we need to not only know which Event IDs we need to capture, we also need to build our dashboards out. This is not ideal, as it does require some custom work, and some investigation with regards to ADFS related Event IDs.

The query below, "EventID=4648 OR EventID=4624 | measure count() by TargetAccount", shows us which target account/Active Directory user has requested the most ADFS tokens over the last hour. Please note, this query is based on the OMS Log Analytics language version 1.

Since OMS does require a lot of ADFS knowledge, ie Event IDs, I decided not to proceed any further and build additional queries and dashboards.
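The same per-account count can be produced in PowerShell from Security-log records, without building an OMS dashboard. This is an added example, not from the original post; the function name, the constructed sample records and the extra source-IP column are assumptions for illustration.

```powershell
# Constructed sample records in the Windows event XML layout (not real log data).
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
  '<System><EventID>{0}</EventID><TimeCreated SystemTime="{1}"/></System><EventData>' +
  '<Data Name="TargetUserName">{2}</Data><Data Name="IpAddress">{3}</Data>' +
  '</EventData></Event>'
$now = [datetime]::UtcNow
$sample = @(
    $template -f 4624, $now.AddMinutes(-5).ToString('o'),  'alice',    '192.0.2.10'
    $template -f 4648, $now.AddMinutes(-12).ToString('o'), 'alice',    '192.0.2.11'
    $template -f 4624, $now.AddMinutes(-20).ToString('o'), 'svc-adfs', '192.0.2.25'
    $template -f 4634, $now.AddMinutes(-3).ToString('o'),  'bob',      '198.51.100.7' # ID not in the query
    $template -f 4624, $now.AddHours(-3).ToString('o'),    'carol',    '192.0.2.40'   # outside the window
)

function Get-LogonCountByAccount {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,   # one XML string per event
        [int[]]    $EventId = @(4648, 4624),           # the two IDs from the OMS query
        [timespan] $Window  = [timespan]::FromHours(1) # "over the last hour"
    )
    $cutoff = [datetime]::UtcNow - $Window
    $rows = foreach ($text in $EventXml) {
        $e    = ([xml]$text).Event
        $id   = [int]$e.System['EventID'].InnerText
        $when = [datetime]::Parse($e.System.TimeCreated.SystemTime,
                    [cultureinfo]::InvariantCulture,
                    [System.Globalization.DateTimeStyles]::RoundtripKind)
        if ($EventId -notcontains $id -or $when -lt $cutoff) { continue }

        # Flatten <Data Name="...">value</Data> into a lookup table
        $data = @{}
        foreach ($d in $e.EventData.Data) { $data[$d.Name] = $d.InnerText }
        [pscustomobject]@{ Account = $data['TargetUserName']; SourceIp = $data['IpAddress'] }
    }
    # Equivalent of "measure count() by TargetAccount", plus the source IPs seen
    $rows | Group-Object Account | Sort-Object Count -Descending |
        Select-Object @{n='TargetAccount'; e={$_.Name}}, Count,
                      @{n='SourceIps'; e={($_.Group.SourceIp | Sort-Object -Unique) -join ', '}}
}

Get-LogonCountByAccount -EventXml $sample

# On an ADFS server, feed it live records instead (requires rights to read the Security log):
#   $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4648,4624;
#               StartTime=(Get-Date).AddHours(-1)} | ForEach-Object { $_.ToXml() }
#   Get-LogonCountByAccount -EventXml $live
```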

Azure AD Connect Health

Lastly, Azure AD Connect is probably the most simple, and least technical configuration.

As a prerequisite, I enabled all the event types on the ADFS logs.

After running the AD Connect agent on the ADFS server(s) and launching the Azure Resource Manager portal, we get some dashboards. Right off the bat, we can see some excellent information. Let’s take a deeper look.

If we click on the total request widget, this shows us similar data to what we see in SCOM 2016, with some exceptions. Not only can we see the number of tokens being requested, we can also see which ADFS server within the farm is distributing the tokens. Since this is a highly-available and load-balanced configuration, it is comforting to know ADFS is distributing tokens as it is designed.

Secondly, we can also see which services within ADFS are generating the most hits. This is great for seeing which sites are the busiest. This is something that is lacking in SCOM and OMS, and I was unable to generate it even after some custom MP work.

 

 

If we go into the Bad Password Attempts widget, we can see not only the number of bad password attempts, but also which user made the attempt, at what time, and the source IP it was generated from — very cool!

Overall, AD Connect Health does an excellent job and provides rich data and expands on what SCOM already does.

Verdict

After comparing SCOM 2016, OMS and Azure AD Connect Health, the clear winner is Azure AD Connect Health. Not only is the configuration straightforward, but it provides more than enough information to monitor the ADFS environment. Azure AD Connect Health provides rich and very clear dashboards with almost no effort other than some log configuration on the ADFS server(s). The data is comparable to what SCOM presents, but much richer and more detailed. OMS and SCOM are still good tools; however, they do require more technical knowledge, and building the dashboards can be laborious.

Enabling SCOM 2016 Agent Proxy

Not too much has changed when it comes to SCOM 2012R2 and SCOM 2016. This post is a similar post to SCOM 2012R2, but applicable to SCOM 2016. (See that post here).

You could go to the computer that SCOM is complaining about and manually enable the agent proxy via Administration > Managed Computers, and modifying its properties, see below:


Or…… you could make your life easier, and do this…

The fix is easy; both it and the explanation are below:

To resolve the “Agent proxy not enabled” alert for all machines in your current environment, run the following PowerShell code in the SCOM PowerShell Console:

get-SCOMagent | where {$_.ProxyingEnabled -match "False"} | Enable-SCOMAgentProxy

To prevent this alert in the future, run the following below:

add-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client"; new-managementGroupConnection -ConnectionString:yourSCOMMGMTserverFQDNhere; set-location "OperationsManagerMonitoring::"; Set-DefaultSetting -Name HealthService\ProxyingEnabled -Value True

 

Monitoring Domain Controllers in SCOM 2016 – Script Automation

Not too long ago, I wrote about how SCOM 2016 has some workarounds for monitoring domain controllers; find that post here. We learned that the HSLockdown tool needs to be configured to allow the agent to run under the Local System account.

I was in an environment where 100+ domain controllers needed this done. No way was I going to do this manually 100+ times… So, I wrote the following script. Unfortunately, due to some PowerShell switch limitations, I had to resort to using a batch command line script.

How it works. Save the list of servers affected to a text file. Using this file/script, and PSExec, we can execute the script against the servers affected. To get that script, please visit the Microsoft TechNet Gallery.

Cheers!

Migrating Notifications from SCOM 2012 R2 to 2016

When upgrading a SCOM environment from 2012R2 (or 2012) to 2016, one of the most time demanding tasks can be replicating the notifications settings. In my case, I had to do a brand new install, and needed some way to migrate the notifications configuration from the old SCOM environment to the new. Luckily there is a pretty quick way to achieve this. Let’s begin!

Log in to the 2012R2 environment, go to the Administrations pane, and locate and export the Notifications Internal Library (Microsoft.SystemCenter.Notifications.Internal). Export this MP somewhere locally.

Open the MP/XML file with some editing tool, Notepad, Notepad++, Visual Studio, etc….

As you can see, this MP version is version 7.1.10226.0.

If you quickly hop over to the SCOM 2016 environment, and locate the same MP (same name, Microsoft.SystemCenter.Notifications.Internal), you will notice it is a different version. What we will need to do here is, update the OLD MP to a version number just slightly higher than the one in the 2016 environment.

So, in my case, I will change 7.1.10226.0 to 7.2.11719.1. Save the XML file, and copy it over to the SCOM 2016 environment.

Next we have two options:

  1. we can either import the updated MP, or,
  2. alternatively we can delete the MP from SCOM 2016 (v7.2.11719.0)

Before doing that, it is recommended to export the MP, and save it for “just in case“. In my case, I deleted the MP.

Now if you go into Notifications settings, you will see an exact copy of the configurations from your SCOM 2012R2 environment. To enable all the notifications, or disable, execute the following cmdlet in the OperationsManager console.

Get-SCOMNotificationSubscription | Enable-SCOMNotificationSubscription
Get-SCOMNotificationSubscription | Disable-SCOMNotificationSubscription

As an FYI, I forgot to disable the subscriptions beforehand. This would have been ideal to do before saving the XML file before importing into SCOM 2016. You can edit this by replacing the following text. Run a Control+H (Replace), and Replace All, Enabled="true" to Enabled="false".
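The version bump and the Enabled flip described above can also be applied to the parsed XML instead of by hand. This is an added example, not part of the original post; the function name and the trimmed sample MP are constructed for illustration, and it assumes the subscriptions are stored as Rule elements carrying an Enabled attribute, as the find-and-replace above implies.

```powershell
# Constructed, heavily trimmed stand-in for an exported
# Microsoft.SystemCenter.Notifications.Internal.xml (not a real export).
$sampleMp = @'
<ManagementPack ContentReadable="true">
  <Manifest>
    <Identity>
      <ID>Microsoft.SystemCenter.Notifications.Internal</ID>
      <Version>7.1.10226.0</Version>
    </Identity>
  </Manifest>
  <Monitoring>
    <Rules>
      <Rule ID="SubscriptionExampleA" Enabled="true" />
      <Rule ID="SubscriptionExampleB" Enabled="true" />
    </Rules>
  </Monitoring>
</ManagementPack>
'@

function Convert-NotificationMp {
    param(
        [Parameter(Mandatory)] [string]  $MpXml,            # exported 2012 R2 MP as text
        [Parameter(Mandatory)] [version] $InstalledVersion, # version of the MP in SCOM 2016
        [switch] $DisableSubscriptions
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    $doc.LoadXml($MpXml)

    # Guard against editing the wrong export
    $id = $doc.SelectSingleNode('/ManagementPack/Manifest/Identity/ID').InnerText
    if ($id -ne 'Microsoft.SystemCenter.Notifications.Internal') {
        throw "Unexpected management pack '$id'; refusing to edit."
    }

    # "Just slightly higher": same major.minor.build, revision + 1
    $v   = $InstalledVersion
    $new = New-Object System.Version($v.Major, $v.Minor, $v.Build, ($v.Revision + 1))
    $doc.SelectSingleNode('/ManagementPack/Manifest/Identity/Version').InnerText = $new.ToString()

    $changed = 0
    if ($DisableSubscriptions) {
        foreach ($rule in $doc.SelectNodes('//Rule[@Enabled="true"]')) {
            $rule.SetAttribute('Enabled', 'false'); $changed++
        }
    }
    [pscustomobject]@{ Version = $new; RulesDisabled = $changed; Xml = $doc.OuterXml }
}

$result = Convert-NotificationMp -MpXml $sampleMp -InstalledVersion '7.2.11719.0' -DisableSubscriptions
$result | Select-Object Version, RulesDisabled
# For a real export: pass (Get-Content -Raw <exported file>) as -MpXml, then write $result.Xml back out.
```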

 

There you go! Notifications have been migrated from SCOM 2012R2 to SCOM 2016.

Monitoring Domain Controllers in SCOM 2016 – Event ID 1102

So you deploy a SCOM 2016 agent to a Windows 2016 Domain Controller; the only problem is, after the agent push, discovery doesn’t work. Well, the agent isn’t corrupted… Ports are open… The SCOM agent is being deployed using the Local System account… etc. etc. So, now what?

Taking a look at the Windows 2016 domain controller and its event log, the domain controller OpsMgr log is getting bombarded with Event IDs 1102….

After some investigation, it seems this has been an issue in SCOM 2012 (and 2012R2) as well. Well, here’s the fix…

Taking a look at HSLockdown, the Local System account is being denied access. Browse to the folder "%ProgramFiles%\Microsoft Monitoring Agent\Agent" and run the following command (with elevated access): "HSLockdown.exe /L".

Now that we can see the Local System account is being denied access, let’s give it access by running the following command: HSLockdown /A "NT AUTHORITY\SYSTEM". Restart the SCOM agent (net stop HealthService & net start HealthService) and you should be good to go now!

Cheers!

Step-by-Step – SCOM 2016 Update Rollup 2 (UR2) Install Procedure

My personal notes for installing SCOM 2016 Update Rollup 2, step by step. UR2 (Update Rollup 2) has a lot of improvements; please see below the many updates being provided in this UR. Two fixes I am seeing that make me happy: the Alerts view is fixed (previously, alerts within the Alerts view would still appear even after the alert was closed), and so is the Get-SCOMGroup cmdlet, which consistently failed when there was a great number of groups within an environment.

It is highly recommended to upgrade your lab/Dev environments first before upgrading your Production environment(s). The step by step procedures below are the steps I took and in no way shape or form do I accept responsibility for any data loss, and/or issues within your environment. It is advised to always take a backup of your SQL databases and/or snapshots of your SCOM environment(s). Please take these notes as suggestions. Always refer to Microsoft’s KB (posted below) for full documentation steps.


Here are the key updates for UR2 (source Microsoft):

Issues that are fixed in Operations Manager Update Rollup 2

  • When you use the Unix Process Monitoring Template wizard (adding a new template) to monitor processes on UNIX servers, the monitored data is not inserted into the database because of the following failure (Event ID 10801)
  • When a management server is removed from the All Management Servers Resource Pool, the monitoring host process does not update the TypeSpaceCache.
  • When alerts are closed from the Alerts view after you run a Search, the closed Alerts still appear in the View when the Search is cleared.
  • When you press Ctrl+C to copy an alert in Operations Manager Alert view and then press Ctrl+V to paste it to Notepad, the Created time is in UTC time, not local time.
  • Groups disappear from Group view after they are added to a Distributed Application.
  • IM notifications from Operations Manager to Skype fail when an incorrect exception causes NullReferenceException in the SipNotificationTransport.Send method.
  • When the maintenance mode option for the dependency monitor is set to “Ignore,” and the group (consisting of the server to which this dependency monitor is targeted) is put in Maintenance mode, the state of the monitor changes to critical and does not ignore maintenance mode.
  • Because of a rare scenario of incorrect computation of configuration and overrides, some managed entities may go into an unmonitored state. This behavior is accompanied by 1215 events that are written to the Operations Manager log.
  • Recovery tasks on “Computer Not Reachable” Operations Manager Monitor generate failed logons on SCOM Agents that are not part of the same domain as the management groups.
  • The ManagementGroupCollectionAlertsCountRule workflow fails and generates a “Power Shell Script failed to run” alert.
  • Get-SCOMGroup cmdlet fails when thousands of groups are created in Operations Manager.
  • Organizational unit properties for computers that are running Windows are not discovered or populated. This discovery is part of the System Center Internal Library MP. After this update, organizational unit properties will be discovered for all computers that are running Windows.
  • When the Operations Manager Health Service agent starts, and the agent is configured for AD integration, if the agent cannot contact Active Directory at all, it immediately goes dormant and stops trying to connect and obtain the policy from Active Directory.

Issues that are fixed in the UNIX and Linux management packs

  • SHA1 is deprecated, and SHA256 certificates are now supported on the management server that’s used to sign the Unix/Linux OMI certificate.
  • OMI does not work on Linux servers configured for FIPS compliance.
  • Avg. Physical disk sec/transfer performance counters are not displayed for Hewlett Packard computers.
  • OMI displays incorrect Memory information on Solaris 10 computers.
  • Network adapter performance is not displayed for SLES 12 x64 platform in the Operations Manager Console.
  • Cannot discover file systems on HPUX 11.31 IA-64 computers with more than 128 disks. Previously it supported only 128 VGs. Now support is extended to 256 VGs.
  • Deep monitoring cannot be started successfully on some JBoss applications because the discovery of the JBoss application server sets the Disk Path for the JBoss server incorrectly. Deep monitoring was not being started in JBoss stand-alone mode when a nondefault configuration was used.

 

Install Procedure

Once you are ready to begin your upgrade, it is recommended that you follow the steps below, updating the servers/roles in the order specified:

  1. Install the update rollup package on the following server infrastructure in the order below:
       • Management server(s)
       • Agents; Nano Agents
       • Web console server role computers
       • Gateway(s)
       • Operations console role computers
  2. Apply SQL script(s).
  3. Manually import the management packs.
  4. Apply the nano agent update to manually installed agents, or push the installation from the Pending view in the Operations console.

Once you have downloaded the rollup files, I like to extract and only keep the language I need, in this case, ENU (English). You will need to install these with Administrative rights, I like to use PowerShell as Local Administrator. It really does frustrate me, as there is no indication that the rollup installed correctly, (other than looking at the file version number change via File Explorer; Build Number 7.2.11719.0 (RTM) –> 7.2.11822.0 (UR2)).

 


Personally, I prefer to execute the MSP files via PowerShell (RunAs Administrator) console.

Again, the order needs to be:

  1. Management server(s)
  2. Agents; Nano Agents
  3. Web console server role computers
  4. Gateway(s)
  5. Operations console role computers

Once the Update Rollups are installed, you will now need to apply the SQL script(s). In this UR, only the Operations Manager (OpsMgr) Database is affected.

The script(s) can be found here: "%SystemDrive%\Program Files\Microsoft System Center 2016\Operations Manager\Server\SQL Script for Update Rollups\".

Please note, the user executing these scripts needs to have read and write permissions to the database(s).


Once you have successfully executed the SQL script, you will now need to import the updated Management Packs (MP). These MPs can be found here: "%SystemDrive%\Program Files\Microsoft System Center 2016\Operations Manager\Server\Management Packs for Update Rollups\".

You will need to import the following MPs, please see below:

  • Microsoft.SystemCenter.Internal.mp
  • Microsoft.SystemCenter.2007.mp
  • Microsoft.SystemCenter.Advisor.Internal.mpb
  • Microsoft.SystemCenter.OperationsManager.Library.mp
  • Microsoft.SystemCenter.Image.Library.mp
  • Microsoft.SystemCenter.Visualization.Library.mpb
  • Microsoft.SystemCenter.Advisor.mpb
  • Microsoft.Windows.InternetInformationServices.CommonLibrary.mp
  • Microsoft.SystemCenter.AlertAttachment.mpb
  • Microsoft.SystemCenter.IntelliTraceProfiling.mpb
  • Microsoft.SystemCenter.SyntheticTransactions.Library.mp
  • Microsoft.SystemCenter.OperationsManager.AM.DR.2007.mp
  • Microsoft.SystemCenter.OperationsManager.SummaryDashboard.mp
  • Microsoft.SystemCenter.Advisor.Resources.(LANGUAGECODE_3LTR).mpb


Don’t forget, once the MPs have been imported, you should now go back to your Pending Management view, under the Administrations pane, and update all servers.


And that is that! You are now on the latest and greatest System Center Operations Manager release for SCOM 2016.

Installing SCOM 2016 License Key

Launch the PowerShell console, and Run as Administrator:

Import-Module OperationsManager
Set-SCOMLicense -ProductId "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
Start-Sleep -s 10
Restart-Service healthservice, omsdk, cshost


Don’t forget, in order for the Product Key to be applied, you will need to restart all SCOM Services, (or you can run the code above (there is a 10 second delay after the key is applied before the services are restarted)):

  • Microsoft Monitoring Agent (healthservice)
  • System Center Data Access Service (OMSDK)
  • System Center Management Configuration (cshost)

 

Cheers!

System Center Operations Manager (SCOM) 2016 – Requirements for Windows Server 2016 via PowerShell

The following PowerShell code is to install all the necessary IIS components for System Center Operations Manager (SCOM) 2016 Web Console on Windows Server 2016.

Import-Module ServerManager
Add-WindowsFeature Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Health, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Performance, Web-Stat-Compression, Web-Security, Web-Filtering, Web-Windows-Auth, Web-App-Dev, Web-Net-Ext45, Web-Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Mgmt-Tools, Web-Mgmt-Console, Web-Mgmt-Compat, Web-Metabase, NET-Framework-45-Features, NET-Framework-45-Core, NET-Framework-45-ASPNET, NET-WCF-Services45, NET-WCF-HTTP-Activation45, NET-WCF-TCP-PortSharing45, WAS, WAS-Process-Model, WAS-Config-APIs, web-asp-net -restart

You can also find this in Microsoft’s TechNet Gallery, HERE.