Archive

Archive for the ‘System Center’ Category

Awesome Azure Pack Wiki Available via OneNote

January 9, 2015 Leave a comment

So I found a link to an awesome collection of information on Azure Pack and other related technologies, well worth reviewing.

 

It is maintained by Hans Vredevoort and Marc van Eijk from http://www.hyper-v.nu

 

https://onedrive.live.com/view.aspx?resid=96BA3346350A5309!174574&app=OneNote&authkey=!AJnfwyDR0iUtOCM

SCVMM 2012 R2 Update Rollup 4 Pulled

October 30, 2014 2 comments

So another normal day at work, too much to do not enough time. But I planned to update my VMM 2012 R2 servers today to the latest update rollup package.

 

Update Rollup 4 for System Center 2012 R2 Virtual Machine Manager

 

https://support.microsoft.com/kb/2992024?wa=wsignin1.0

 

However I could not find the download for the VMM server anywhere, I could find the admin console update only. My understanding is that it was pulled late last night or early morning (depending on where you live) because of installation issues upgrading VMM servers using Windows Server 2012.

I would expect the update to be re-released next week

Categories: SCVMM, System Center

Install Untrusted SCOM Gateway Servers

November 12, 2013 Leave a comment

 

So today I needed to deploy a System Center Operations Manager Gateway in our perimeter network to support external client connections from third party locations and environments that are not part of our internal corp domain. I thought I would write up the vast majority of my steps for future reference and hopefully to help you. I used primarily two sources of information in additional to my general knowledge, both are listed at the bottom of this post.

1. Deploy Windows Server 2012 R2 standalone Server

2. Install Updates

3. Rename the server

4. Host File:

It is very important that all servers are able to resolve the FQDN of each other. Typically this is done through DNS, but if DNS is not possible you should have all the servers setup in a host file.

a. On all of the Management group servers that are unable to use DNS to resolve the FQDN of the Gateway Server edit the host file found locally in “C:\Windows\System32\drivers\etc”

b. Open file with Notepad as a admin with elevated rights

c. Enter the IP address and FQDN of the Gateway servers

d. On all of the Gateway servers enter all the Management group servers that the gateway will connect to

On the Management Server you should have something like:

192.168.0.100 managementserver1.domain1.com

192.168.0.101 managementserver2.domain1.com

On the Gateway Server you should have

99.100.99.100 gatewayserver1.domain2.com

99.100.99.101 gatewayserver2.domain2.com

Save the file and close Notepad.

5. Firewall:

Before you begin you need to make sure that if there are any firewalls between the servers that port 5723 is open.

6. Certificates:

Deploying gateway servers requires certificates on all servers in the management group and all gateway servers. These can be internal via a CA or external from a third party vendor like VeriSign. I use an internal CA which is already setup to issue SCOM Gateway Certificates, you can find more information on how to set this up from the sources link at the bottom.

7. Ensure The Management Servers has an Ops Manager Certificate install in it Personal Computer Store, if you do not have one, enrol.

8. Gateway Root Certificate Import

On the Gateway Server, install the CA root certificate.

a. Browse to https://<CA Issuing Server>/certsrv

b. Authenticate

c. Select the “Download a CA certificate, certificate chain, or CRL link on the web page.

d. Select “Base 64” as the encoding method

e. Select “Download CA certificate chain” and save the file.

f. Open MMC and add the certificate snapin for the local computer.

g. Right click the Trusted Root Certification Authorities\Certificates store and select All Tasks\Import, import the downloaded file into the store. This will ensure that any certificate issued by the internal CA will be trusted by this machine.

9. Gateway Server SCOM Certificate

a. From the Gateway server browse to https://<CA Issuing Server>/certsrv

b. Select “Request a Certificate”

c. Select “Advanced Certificate Request”

d. Select “Create and Submit a request to this CA” If you do not get a prompt check your ActiveX settings as you should get a prompt.

e. Select your Operations Manager certificate form the “Certificate Template” option (Drop Down).

f. In the name field populate with the FQDN of the Gateway Server in the server is in a domain, if it is in a workgroup use the server name..

g. Select PKCS10 as the request format

h. Provide a friendly name so you can identify the certificate at a later date.

i. Select “Submit”

j. Select yes to any popups

k. Select “Install this certificate”

10. Move the Certificate to the correct location

a. On the gateway server in the Certificate MMC for the user export the new certificate to file exporting the private key and import into the personal certificate store for the local computer.

b. Restart the health service (Microsoft Monitoring Agent)

11. Gateway Approval Tool

Now that we have our certs in place we need to run the gateway approval tool on the SCOM RMS server. In the installation media in SUPPORTTOOLS under your respective processor folder you will find two files:

Microsoft.EnterpriseManagement.GatewayApprovalTool.exe

Microsoft.EnterpriseManagement.GatewayApprovalTool.exe.config

a. Copy both of these files to the SCOM install directory under <installed Drive>Program Files\System Center 2012 R2\Operations Manager\Setup and run the following command in that folder from an elevated command prompt.

Microsoft.EnterpriseManagement.gatewayApprovalTool.exe /ManagementServerName=<FQDN of RMS box> /GatewayName=<FQDN of Gateway Server> /Action=Create

Note: If you are installing a Gateway server in a domain then use the FQDN of the gateway server, if you are installing the gateway in a workgroup just using the server name.

Once complete the command prompt should say something like “The approval of the server <gateway server FQDN> completed successfully”

12. Install Gateway Role

Now we have everything in place to deploy the gateway role.

a. Using the Operation Manager Install media install the “Gateway Management Server” Role using the link on the install media splash screen.

b. Once installed, go back to the SCOM console, in Administration view under Management servers select the properties of the new gateway server and in the security tab enable the server proxy.

c. On the gateway server we need to tell SCOM which certificate to use for authentication, by running the MOMCERTIMPORT.exe tool. In the installation media in SUPPORTTOOLS under your respective processor folder run the MOMCERTIMPORT.exe tool from an elevated command prompt. You should see the cert that you installed previously. Select the correct certificate and Click OK

Sources:

http://jimmoldenhauer.blogspot.co.uk/2012/11/scom-2012-install-and-configure-gateway.html

http://technet.microsoft.com/en-us/library/hh456445.aspx

Categories: SCOM, System Center

SCOM 2012–Create Agent Maintenance Account to support SSH Key

December 31, 2012 1 comment

So I guess my last post for 2012, I am working on setting up monitoring of some Linux servers using SCOM 2012 SP1. One of the requirements is to setup a account for Agent Maintenance. I am going to explain how I setup the Ubuntu server to accept a user account and support a SSH as authentication. And hopefully at the end we will have a account that will work with SCOM 2012.

I am using Ubuntu version 12.04 LTE, I have deployed a standard server that is ready for me to logon with my default account I created on install.

Operations Manager contains three predefined profiles to use in monitoring UNIX and Linux computers and performing agent maintenance:

image_thumb43

The Linux Action Account is used for basic health and performance monitoring, the Linux Privileged account is used for monitoring protected resources and actions that require higher privileges and the Linux agent account is used for agent maintenance operations.

I am using Ubuntu version 12.04.1 LTS, I have deployed a standard server that is ready for me to logon with my default account I created on install.

Logon to the Server using your favourite method, I am using Virtual Machine manager 2012 console.

SNAGHTML95778c_thumb1

Create a user:

sudo adduser <username">

Follow the instructions to create a standard user account.

SNAGHTML88b07e

Next we need to configure sudo elevation for the user account we just created.

Use the vusudo program to edit the sudo configuration.

sudo visudo

Find the section root ALL=(ALL:ALL) ALL

Insert under it the same but replace root with the username you just created and add “NO PASSWRD: ALL

eg

<Username> ALL=ALL:ALL) NOPASSWD: ALL

SNAGHTMLca4c73

This is allow the user account to sudo without supplying a password which is a requirement of SCOM monitoring.

Next we need to create some authentication keys.

1.Download yourself a copy of Putty Generator and open it.

2.Select Generate and move the mouse around the blank area at the top until it has generated you a set of keys.

The text displayed at the top is the public key.

3.Copy and past that into notepad (we will need this later) but exclude the last part (rsa-key-20121229)

4.Type in a passphrase in the two available boxes

5.Select “Save Private Key” and save it to a safe place.

 

image

 

You have now generated a set of keys made up of a public and private key, the private key is protected with a Passphrase, the next step is to configure the server with this.

1.Logon to the server with the user account we created above using Putty.

2. Create a folder and file

mkdir /home/scom-agentacct/.ssh

nano /home/scom-agentacct/.ssh/authorized_keys

3. Paste in the public key you created using Putty Generator and save the file.

Next we need to set the permissions on the new folder and the file.

1. Specify exclusive owner access to the directory

cd /home/<username>

chmod 700 .ssh

2. navigate to .ssh directory

3 Give the user read and write permissions to the authorized keys file:

chmod 600 authorized_keys

 

Ones this has been completed, go back to the SCOM Console and update the Run AS accounts and the Profile and test… Smile

Categories: SCOM, System Center, Ubuntu Tags: ,

SCOM 2012–Create Linux Privileged User Account.

December 31, 2012 Leave a comment

So I guess one of my last posts for 2012, I am working on setting up monitoring of some Linux servers using SCOM 2012 SP1. One of the requirements is to setup a account monitoring that will be allowed to elevate it’s permissions. I am going to explain how I setup the Ubuntu server for this monitoring account

Operations Manager contains three predefined profiles to use in monitoring UNIX and Linux computers and performing agent maintenance:

image_thumb43

The Linux Action Account is used for basic health and performance monitoring, the Linux Privileged account is used for monitoring protected resources and actions that require higher privileges and the Linux agent account is used for agent maintenance operations.

 

I am using Ubuntu version 12.04.1 LTS, I have deployed a standard server that is ready for me to logon with my default account I created on install.

Logon to the Server using your favourite method, I am using Virtual Machine manager 2012 console.

SNAGHTML95778c_thumb1

Create a user:

sudo adduser <username">

Follow the instructions to create a standard user account.

SNAGHTML88b07e

 

Next we need to configure sudo elevation for the user account we just created.

Use the vusudo program to edit the sudo configuration.

sudo visudo

Find the section root ALL=(ALL:ALL) ALL

Insert under it the same but replace root with the username you just created and add “NO PASSWRD: ALL

eg

<Username> ALL=ALL:ALL) NOPASSWD: ALL

 

SNAGHTMLca4c73

This is allow the user account to sudo without supplying a password which is a requirement of SCOM monitoring.

 

Once that is complete, pop back into the SCOM Console, create a Run As account for this monitoring account as per the previous article, and update the profile, ensure on the Run As wizard you select “Elevate this account using sudo for privileged access” and you correctly set the distribution.

 

SNAGHTMLcdba61

 

image

 

Useful Articles:

http://technet.microsoft.com/en-us/library/hh230690.aspx

http://technet.microsoft.com/en-us/library/hh212926.aspx

http://blogs.technet.com/b/kevinholman/archive/2012/03/18/deploying-unix-linux-agents-using-opsmgr-2012.aspx

In the next article, I will be creating an account to be used for agent maintenance and enabling public, private key logon.

Categories: SCOM, System Center, Ubuntu Tags: ,

SCOM 2012–Create Linux Unprivileged User Account.

December 31, 2012 Leave a comment

So I guess one of my last posts for 2012, I am working on setting up monitoring of some Linux servers using SCOM 2012 SP1. One of the requirements is to setup a account monitoring. I am going to explain how I setup the Ubuntu server for this monitoring account

Operations Manager contains three predefined profiles to use in monitoring UNIX and Linux computers and performing agent maintenance:

image

The Linux Action Account is used for basic health and performance monitoring, the Linux Privileged account is used for monitoring protected resources and actions that require higher privileges and the Linux agent account is used for agent maintenance operations.

 

I am using Ubuntu version 12.04.1 LTS, I have deployed a standard server that is ready for me to logon with my default account I created on install.

Logon to the Server using your favourite method, I am using Virtual Machine manager 2012 console.

SNAGHTML95778c

Create a user:

sudo adduser <username">

Follow the instructions to create a standard user account.

SNAGHTML88b07e

 

Once the user account has been created on the Ubuntu server you can the goto the SCOM Console and start the “Create Run As Account” wizard found under the Administration tab under Run As Configuration\Unix/Linux Accounts.

Follow the wizard ensuring you select Do not use elevation with this account, you have distributed these RunAs accounts to all the management servers that will be monitoring your servers and then save it.

 

SNAGHTML8c627a

 

SNAGHTML8ce48a

Once the Run As profile has been setup you then need to update the Unix/Linux Action Account profile, found on the Administration tab under Run As Configuration\Profiles with the newly created account.

 

image

 

image

And that’s it for this bit, once you have an agent deployed this is all you will need for basic monitoring.

The next blog post will cover setting up the privileged monitoring account and a third blog post will cover the setting up of the agent maintenance account so we can actually discover these machines Smile

 

Links of use during my journey of discovery:

http://blogs.technet.com/b/kevinholman/archive/2012/03/18/deploying-unix-linux-agents-using-opsmgr-2012.aspx

http://technet.microsoft.com/en-us/library/hh476947.aspx

Categories: SCOM, System Center, Ubuntu Tags: ,

MMS Dates Announced

October 9, 2012 Leave a comment

MMS Dates announced will you be going?

 

April 8-12 2013

http://www.mms-2012.com/headlines/details/34ddda43-7b11-e211-84a1-001ec953730b

Categories: System Center