
Archive for the ‘SCOM’ Category

Install Untrusted SCOM Gateway Servers

November 12, 2013

 

So today I needed to deploy a System Center Operations Manager Gateway in our perimeter network to support external client connections from third party locations and environments that are not part of our internal corp domain. I thought I would write up the vast majority of my steps for future reference and hopefully to help you. I used primarily two sources of information in addition to my general knowledge; both are listed at the bottom of this post.

1. Deploy Windows Server 2012 R2 standalone Server

2. Install Updates

3. Rename the server

4. Hosts file:

It is very important that all servers are able to resolve the FQDN of each other. Typically this is done through DNS, but if DNS is not possible you should have all the servers set up in the hosts file.

a. On all of the management group servers that are unable to use DNS to resolve the FQDN of the gateway server, edit the hosts file found locally in “C:\Windows\System32\drivers\etc”

b. Open the file in Notepad as an administrator with elevated rights

c. Enter the IP address and FQDN of the Gateway servers

d. On all of the Gateway servers enter all the Management group servers that the gateway will connect to

On each management server the hosts file should contain the gateway entries, something like:

99.100.99.100 gatewayserver1.domain2.com

99.100.99.101 gatewayserver2.domain2.com

On each gateway server it should contain the management server entries:

192.168.0.100 managementserver1.domain1.com

192.168.0.101 managementserver2.domain1.com

Save the file and close Notepad.

5. Firewall:

Before you begin, make sure that any firewalls between the servers allow port 5723.

6. Certificates:

Deploying gateway servers requires certificates on all servers in the management group and on all gateway servers. These can be issued internally by your own CA or externally by a third party vendor such as VeriSign. I use an internal CA which is already set up to issue SCOM gateway certificates; you can find more information on how to set this up from the sources linked at the bottom.

7. Ensure each management server has an Operations Manager certificate installed in its local computer Personal store; if it does not have one, enrol for one.

8. Gateway Root Certificate Import

On the Gateway Server, install the CA root certificate.

a. Browse to https://<CA Issuing Server>/certsrv

b. Authenticate

c. Select the “Download a CA certificate, certificate chain, or CRL” link on the web page.

d. Select “Base 64” as the encoding method

e. Select “Download CA certificate chain” and save the file.

f. Open MMC and add the Certificates snap-in for the local computer.

g. Right click the Trusted Root Certification Authorities\Certificates store and select All Tasks\Import, import the downloaded file into the store. This will ensure that any certificate issued by the internal CA will be trusted by this machine.

9. Gateway Server SCOM Certificate

a. From the Gateway server browse to https://<CA Issuing Server>/certsrv

b. Select “Request a Certificate”

c. Select “Advanced Certificate Request”

d. Select “Create and submit a request to this CA”. You should get a prompt; if you do not, check your ActiveX settings.

e. Select your Operations Manager certificate from the “Certificate Template” drop-down.

f. In the Name field, enter the FQDN of the gateway server if the server is in a domain; if it is in a workgroup, use the server name.

g. Select PKCS10 as the request format

h. Provide a friendly name so you can identify the certificate at a later date.

i. Select “Submit”

j. Select yes to any popups

k. Select “Install this certificate”

10. Move the Certificate to the correct location

a. On the gateway server, in the Certificates MMC for the current user, export the new certificate to a file, including the private key, and import it into the Personal store for the local computer.

b. Restart the health service (Microsoft Monitoring Agent)

11. Gateway Approval Tool

Now that we have our certificates in place, we need to run the Gateway Approval Tool on the SCOM RMS server. In the installation media, in SUPPORTTOOLS under your respective processor folder, you will find two files:

Microsoft.EnterpriseManagement.GatewayApprovalTool.exe

Microsoft.EnterpriseManagement.GatewayApprovalTool.exe.config

a. Copy both of these files to the SCOM install directory, <installed drive>:\Program Files\System Center 2012 R2\Operations Manager\Setup, and run the following command in that folder from an elevated command prompt:

Microsoft.EnterpriseManagement.GatewayApprovalTool.exe /ManagementServerName=<FQDN of RMS box> /GatewayName=<FQDN of Gateway Server> /Action=Create

Note: If you are installing a gateway server in a domain, use the FQDN of the gateway server; if you are installing the gateway in a workgroup, just use the server name.

Once complete the command prompt should say something like “The approval of the server <gateway server FQDN> completed successfully”

12. Install Gateway Role

Now we have everything in place to deploy the gateway role.

a. Using the Operations Manager install media, install the “Gateway Management Server” role using the link on the install media splash screen.

b. Once installed, go back to the SCOM console, in Administration view under Management servers select the properties of the new gateway server and in the security tab enable the server proxy.

c. On the gateway server we need to tell SCOM which certificate to use for authentication by running the MOMCERTIMPORT.exe tool. In the installation media, in SUPPORTTOOLS under your respective processor folder, run MOMCERTIMPORT.exe from an elevated command prompt. You should see the certificate you installed previously; select it and click OK.

Sources:

http://jimmoldenhauer.blogspot.co.uk/2012/11/scom-2012-install-and-configure-gateway.html

http://technet.microsoft.com/en-us/library/hh456445.aspx

Categories: SCOM, System Center

SCOM 2012–Create Agent Maintenance Account to support SSH Key

December 31, 2012

So I guess my last post for 2012, I am working on setting up monitoring of some Linux servers using SCOM 2012 SP1. One of the requirements is to set up an account for agent maintenance. I am going to explain how I set up the Ubuntu server to accept a user account and support SSH key authentication. And hopefully at the end we will have an account that will work with SCOM 2012.

Operations Manager contains three predefined profiles to use in monitoring UNIX and Linux computers and performing agent maintenance:

The Linux Action Account is used for basic health and performance monitoring, the Linux Privileged Account is used for monitoring protected resources and actions that require higher privileges, and the Linux Agent Account is used for agent maintenance operations.

I am using Ubuntu version 12.04.1 LTS; I have deployed a standard server that is ready for me to log on with the default account I created on install.

Log on to the server using your favourite method; I am using the Virtual Machine Manager 2012 console.

Create a user:

sudo adduser <username>

Follow the instructions to create a standard user account.


Next we need to configure sudo elevation for the user account we just created.

Use the visudo program to edit the sudo configuration.

sudo visudo

Find the line root ALL=(ALL:ALL) ALL

Insert the same line under it, but replace root with the username you just created and append NOPASSWD: ALL, e.g.:

<username> ALL=(ALL:ALL) NOPASSWD: ALL

This allows the user account to sudo without supplying a password, which is a requirement of SCOM monitoring.

Next we need to create some authentication keys.

1. Download a copy of PuTTYgen (the PuTTY Key Generator) and open it.

2. Select Generate and move the mouse around the blank area at the top until it has generated a key pair.

The text displayed at the top is the public key.

3. Copy and paste that into Notepad (we will need it later), but exclude the last part, the key comment (rsa-key-20121229).

4. Type a passphrase into the two available boxes.

5. Select “Save private key” and save it to a safe place.


You have now generated a set of keys made up of a public and private key, the private key is protected with a Passphrase, the next step is to configure the server with this.

1. Log on to the server with the user account we created above using PuTTY.

2. Create the folder and file:

mkdir /home/scom-agentacct/.ssh

nano /home/scom-agentacct/.ssh/authorized_keys

3. Paste in the public key you created with PuTTYgen and save the file.

Next we need to set the permissions on the new folder and the file.

1. Give the user exclusive access to the directory:

cd /home/<username>

chmod 700 .ssh

2. Navigate to the .ssh directory.

3. Give only the user read and write permission on the authorized_keys file:

chmod 600 authorized_keys

Once this has been completed, go back to the SCOM console, update the Run As accounts and the profile, and test.
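The key-installation and permission steps above as a script, added here as an example and not taken from the original post; it assumes a Linux host with GNU stat, and the public key it installs is a constructed sample, not real key material.

```shell
#!/bin/sh
# Added example, not from the original post: install the PuTTYgen public key
# for the SCOM agent-maintenance account and verify the modes the post sets.
# Assumes a Linux host with GNU stat; the key below is constructed, not real.

# Constructed sample: the text PuTTYgen shows as the public key, including the
# trailing "rsa-key-..." comment that the post says to leave out.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAconstructedKeyMaterial rsa-key-20121229'

# Keep only "<type> <base64>": the comment is harmless to sshd, but the post
# drops it, and stripping it makes the duplicate check below exact.
strip_key_comment() {
    printf '%s\n' "$1" | awk '{ print $1 " " $2 }'
}

# Create ~/.ssh and authorized_keys with the modes the post applies: 700 on the
# directory and 600 on the file. sshd's default StrictModes rejects keys in a
# directory or file writable by anyone else, so these modes are functional.
install_agent_key() {
    home="$1"; pubkey="$2"
    key_line=$(strip_key_comment "$pubkey")
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    # Append only when absent so re-running the step does not duplicate keys.
    grep -qxF "$key_line" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$key_line" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Return 0 only when both objects carry exactly the required modes.
check_agent_key_perms() {
    home="$1"
    [ "$(stat -c '%a' "$home/.ssh")" = "700" ] || return 1
    [ "$(stat -c '%a' "$home/.ssh/authorized_keys")" = "600" ] || return 1
}

# Number of keys installed, useful for confirming the install is idempotent.
count_agent_keys() {
    grep -c '' "$1/.ssh/authorized_keys"
}
```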

Categories: SCOM, System Center, Ubuntu

SCOM 2012–Create Linux Privileged User Account.

December 31, 2012

So I guess one of my last posts for 2012, I am working on setting up monitoring of some Linux servers using SCOM 2012 SP1. One of the requirements is to set up a monitoring account that will be allowed to elevate its permissions. I am going to explain how I set up the Ubuntu server for this monitoring account.

Operations Manager contains three predefined profiles to use in monitoring UNIX and Linux computers and performing agent maintenance:

The Linux Action Account is used for basic health and performance monitoring, the Linux Privileged Account is used for monitoring protected resources and actions that require higher privileges, and the Linux Agent Account is used for agent maintenance operations.

 

I am using Ubuntu version 12.04.1 LTS; I have deployed a standard server that is ready for me to log on with the default account I created on install.

Log on to the server using your favourite method; I am using the Virtual Machine Manager 2012 console.

Create a user:

sudo adduser <username>

Follow the instructions to create a standard user account.


Next we need to configure sudo elevation for the user account we just created.

Use the visudo program to edit the sudo configuration.

sudo visudo

Find the line root ALL=(ALL:ALL) ALL

Insert the same line under it, but replace root with the username you just created and append NOPASSWD: ALL, e.g.:

<username> ALL=(ALL:ALL) NOPASSWD: ALL

This allows the user account to sudo without supplying a password, which is a requirement of SCOM monitoring.

 

Once that is complete, pop back into the SCOM console, create a Run As account for this monitoring account as per the previous article, and update the profile; in the Run As wizard, make sure you select “Elevate this account using sudo for privileged access” and set the distribution correctly.
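The sudo grant that this post and the agent-maintenance post above both add, written as a script that installs it as a drop-in under /etc/sudoers.d; this is an added example, not the author's, and it assumes Ubuntu's stock “#includedir /etc/sudoers.d” line and GNU stat.

```shell
#!/bin/sh
# Added example, not from the original posts: generate and install the sudo
# grant both the privileged-monitoring and agent-maintenance posts add, as a
# drop-in under /etc/sudoers.d rather than by hand-editing /etc/sudoers.
# Assumes Ubuntu's stock "#includedir /etc/sudoers.d" line and GNU stat.

# The grant the posts place beneath "root ALL=(ALL:ALL) ALL", with the
# original's typo ("ALL=ALL:ALL)") corrected. NOPASSWD: ALL is root without
# a password, so the account's SSH key and password deserve matching care.
sudoers_entry() {
    printf '%s ALL=(ALL:ALL) NOPASSWD: ALL\n' "$1"
}

# Accept only a conservative lower-case user name (digits, underscore and
# hyphen allowed), so a bad name cannot inject extra sudoers syntax.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]*$'
}

# True when a line has exactly the shape of the grant above and nothing else.
validate_sudoers_line() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]* ALL=\(ALL:ALL\) NOPASSWD: ALL$'
}

# Write the drop-in and print its path. sudo ignores files in sudoers.d whose
# name contains '.' or ends in '~' and refuses ones with loose permissions,
# hence the plain name and mode 0440.
write_sudoers_dropin() {
    user="$1"; dir="${2:-/etc/sudoers.d}"
    valid_username "$user" || return 1
    file="$dir/90-scom-$user"
    rm -f "$file"
    ( umask 0337; sudoers_entry "$user" > "$file" ) || return 1
    chmod 0440 "$file"
    # Syntax-check with visudo when running as root with it installed: one
    # malformed sudoers file can lock every administrator out of sudo.
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$file" >/dev/null || { rm -f "$file"; return 1; }
    fi
    printf '%s\n' "$file"
}
```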


Useful Articles:

http://technet.microsoft.com/en-us/library/hh230690.aspx

http://technet.microsoft.com/en-us/library/hh212926.aspx

http://blogs.technet.com/b/kevinholman/archive/2012/03/18/deploying-unix-linux-agents-using-opsmgr-2012.aspx

In the next article, I will be creating an account to be used for agent maintenance and enabling public, private key logon.

Categories: SCOM, System Center, Ubuntu

SCOM 2012–Create Linux Unprivileged User Account.

December 31, 2012

So I guess one of my last posts for 2012, I am working on setting up monitoring of some Linux servers using SCOM 2012 SP1. One of the requirements is to set up a monitoring account. I am going to explain how I set up the Ubuntu server for this monitoring account.

Operations Manager contains three predefined profiles to use in monitoring UNIX and Linux computers and performing agent maintenance:

The Linux Action Account is used for basic health and performance monitoring, the Linux Privileged Account is used for monitoring protected resources and actions that require higher privileges, and the Linux Agent Account is used for agent maintenance operations.

 

I am using Ubuntu version 12.04.1 LTS; I have deployed a standard server that is ready for me to log on with the default account I created on install.

Log on to the server using your favourite method; I am using the Virtual Machine Manager 2012 console.

Create a user:

sudo adduser <username>

Follow the instructions to create a standard user account.


Once the user account has been created on the Ubuntu server, you can then go to the SCOM console and start the “Create Run As Account” wizard, found on the Administration tab under Run As Configuration\Unix/Linux Accounts.

Follow the wizard, ensuring you select “Do not use elevation with this account” and that you have distributed this Run As account to all the management servers that will be monitoring your servers, then save it.


Once the Run As account has been set up, you then need to update the Unix/Linux Action Account profile, found on the Administration tab under Run As Configuration\Profiles, with the newly created account.


And that’s it for this bit; once you have an agent deployed, this is all you will need for basic monitoring.

The next blog post will cover setting up the privileged monitoring account, and a third will cover setting up the agent maintenance account so we can actually discover these machines.

 

Links of use during my journey of discovery:

http://blogs.technet.com/b/kevinholman/archive/2012/03/18/deploying-unix-linux-agents-using-opsmgr-2012.aspx

http://technet.microsoft.com/en-us/library/hh476947.aspx

Categories: SCOM, System Center, Ubuntu

Access Denied Setting System Center ACS Filter

September 26, 2012

So today I was fine-tuning my Microsoft System Center 2012 Audit Collection Services by setting a filter that would reduce the amount of noise the system generates. I need to keep this data for a few years, so it can build up quite considerably.

So the Query I am testing at the moment is:

AdtAdmin.exe /setquery /query:"SELECT * FROM AdtsEvent WHERE NOT (EventId=551 OR EventId=562 OR EventId=573 OR EventId=577 OR EventId=578 OR EventId=697 OR (EventId>=594 AND EventId<=597) OR (EventId>=768 AND EventId<=771) OR (EventId>=832 AND EventId<=841) OR EventId=538 OR EventId=672 OR EventId=680 OR EventId=571 OR (EventId=624 And TargetUser LIKE '%$%') OR (EventId=627 AND HeaderUser='System' AND ClientUser like '%$%' And TargetUser = 'TsInternetUser') OR ((EventId = 538 or EventId = 540) AND (String01 = '3') AND HeaderUser like '%$%') OR ((EventId > 671 and EventId < 678) and ClientUser LIKE '%$%') OR ((HEADERUSER LIKE '%ADM_%' OR HEADERUSER LIKE '%SYS_%') AND (EventID = 528 OR EventID = 540 OR EventID = 680)))"

I navigated to c:\Windows\System32\Security\Adtserver in an elevated command prompt and ran the query, and it errored with Access Denied.

I was lucky as I have a working ACS Collector already on the network and I am migrating to a new one. After a bit of digging around I noticed that the permissions on the registry key below are not set correctly. As you can see from the images below, Network Service needs Allow permission for “Set Value”.

HKLM\SYSTEM\CurrentControlSet\services\AdtServer\Parameters\

Entry:

DbQueueQuery

Permissions on non-working server


Permissions on working Server

To fix it, add an Allow “Set Value” permission for Network Service, close the permissions dialog and Registry Editor, and try again.

Categories: SCOM, System Center

Clean Up failed SCOM Install

December 1, 2011

Here is a nice little tool that enables you to clean up a server after a failed install.

The tool is available here for SCOM R2

The switch to use is /Cleanservers

 

I am sure there are other switches to look at!


This will then go through the registry etc and clean up the server.


Categories: SCOM, Useful Tools

SCOM 2007 R2 virtual labs

August 31, 2010

I just found a virtual lab to help master SCOM and the monitoring of an Exchange 2010 environment; you can find it at: https://cmg.vlabcenter.com/default.aspx?moduleid=85b3088b-172e-4c91-9801-3e92169b235b

I am just about to have a look myself.

Categories: Exchange 2010, SCOM