You are browsing the archive for Issue.

Avatar of alkin

by alkin

How to change SCOM reporting to use Kerberos instead of NTLM

12:06 pm in Uncategorized by alkin

One of the Domain admins at one of my customers was complaining about all the NTLM request generated by the scom server to the reporting server. One of the issues with NTLM is that you need to re-authenticate every time, with Kerberos you receive a ticket that is valid for a longer period of time (by default 10hours). You can find more info about NTLM VS Kerberos here: http://blogs.technet.com/b/authentication/archive/2006/04/07/ntlm-s-time-has-passed.aspx 

 

All the SQL servers at this customer are configured to use Kerberos but apparently when the SCOM reporting is being installed and modifying the RSReportServer config file it will change the authentication method as well back to NTLM!! Although Microsoft is recommending Kerberos over NTLM for almost 10 years now, new products like SCOM 2012 are still using NTLM!!

 

To change the report server authentication settings, edit the XML elements and values in the RSReportServer.config file.

You can find the file in the following location: C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer

 

clip_image002

Change the setting from RSWindowsNTLM to RSWindowsNegotiate

clip_image004

 

Important note Important

Using RSWindowsNegotiate will result in a Kerberos authentication error if you configured the Report Server service to run under a domain user account and you did not register a Service Principal Name (SPN) for the account. Make sure to create the SPN for the SQL reporting service as described here: http://blogs.technet.com/b/stefan_stranger/archive/2012/07/31/opsmgr-2012-what-should-the-spn-s-look-like-visual-representation.aspx

 

Thanks,

Alex


Avatar of alkin

by alkin

The System Center Management service terminated with service-specific error %%-2147467259

5:19 am in Uncategorized by alkin

I had the following issue on one of my servers

“The System Center Management service terminated with service-specific error %%-2147467259” when I wanted to start my Healthservice.

image

 

When searching the internet I found the following blogpost http://blogs.technet.com/b/smsandmom/archive/2008/04/30/opsmgr-2007-healthservice-service-fails-to-start-with-25362-warning.aspx  . The blogposts says that the State directory registry key can be corrupt but that was fine in my case.

But at the end of the blogpost I found my solution:

This error can be caused by the WindowsAccountLockDownSD Key in at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Group\<Management Group Name Here> being invalid or non-present.  And indeed, that was my issue: the WindowsAccountLockDownSD Key was missing on my server.

 

image

The easiest way to resolve the issue with the Windows AccountLockDownSD key is to export the registry key from a similar, working system and then import it in to the registry of the server experiencing the problem.  Once this is complete the HealthService should start successfully.

image

 

thanks,

Alexandre Verkinderen

Avatar of alkin

by alkin

Fix duplicate relationships for agents to server in Ops DB

9:34 am in Uncategorized by alkin

Sometimes it can happen that agents are ending up with multiple primary management server relationships. Of course you can only have one primary server relationship! In the rare occasions that you end up with multiple primary relationships you can now repair the issue by running the new “Fix duplicate relationships for agents to server in Ops DB” task manually

image

or there is a recovery on this monitor (disabled by default) that you can turn on so that the issue will be fixed automatically:

image

image

 

You will need the latest OpsMgr 2007 R2 management pack that you can find here http://www.microsoft.com/downloads/details.aspx?FamilyID=61365290-3c38-4004-b717-e90bb0f6c148&displaylang=en

Thanks,
Alexandre Verkinderen

Avatar of alkin

by alkin

Diagram view not working in the webconsole OpsMgr 2007 R2: “missing permissions on the server allow the creation of the RenderBase and/or ImageCache folder”

12:50 pm in Uncategorized by alkin

Today I ran into the following problem: I was unable to access diagram views from the webconsole. Every other view like a state view, performance view, alert view etc was working but not the diagram view:

 

clip_image002

Likely this is due to missing permissions on the server allow the creation of the RenderBase and/or ImageCache folder or the ability to create files in these folders. Either add the permissions for the anonymous INET user to write to the root folder, or create the RenderBase and/or ImageCache folder and in the root of the web application and add write access to these folders.

 

As you can see the temp folder is empty

 

clip_image004

you need to give the group called IIS_IUSRS read and write permissions to the root folder of the webconsole

image

once done you will see the following files being created in the temp folder:

clip_image005

and now the final test!

clip_image007

woohoo it’s working! :-)

 

And now you will see a PNG file in the temp folder for every diagram view you open. That’s why you need to modify the rights so that the group IIS_USRS can add those PNG files to the temp folder.

image

I don’t think this is very efficient. Image a NOC with 10 guys consulting the webconsole and each one of them opens 2 views and with 4 levels each then you will 80 PNG files in the temp folder!! But that’s a total different discussion :-)

 

Hope this helps,

Alexandre Verkinderen

Avatar of alkin

by alkin

Cumulative Update 2 for OpsMgr installation

12:28 pm in Uncategorized by alkin

High Level overview steps:

1. Root Management Server

2. Manual update of the Operations Manager database together with the included stored procedure file that is discussed later

3. Manual import of the Management Pack library that is discussed later

4. Secondary Management Servers

5. Gateway Servers

6. Deploy the agent update to the agents that used a discovery-based installation

7. Operations console role computers
Note Select the Run Server Update option from the Software Update dialog box.

8. Web Console server role computers

9. Audit Collection Services role computers

10. Apply the agent update to manually installed agents

Note To run this file on a computer that is running Windows Server 2008, you must use an elevated command prompt. An elevated command prompt is a command prompt that was started by using the Run as Administrator option. If you do not run this Windows-based installer file under an elevated command prompt, the System Center Operations Manager 2007 Software Update splash screen does not allow for the installation of the hotfix.

Download the corresponding CU2.MSI file http://www.microsoft.com/downloads/details.aspx?FamilyID=61714687-668a-46e4-b127-ad8519594351&displaylang=en and launch it:

clip_image001

The only thing you can do here is to accept the license agreement. Don’t forget to read it….

clip_image002

clip_image003

This is the installation folder where the files will be stored that we will need for the manual operations that must be performed after you update the RMS

clip_image004

clip_image005

clip_image007

clip_image008

It’s going to start and stop the opsmgr services. Don’t worry about it

clip_image009

clip_image010

clip_image011

Also don’t panic if you see event ID’s 29104. That’s normal during the upgrade process.

clip_image012

It can take a while but finally my RMS is updated

clip_image013

Just like with the CU1 I chose to not restart the server automatically. When you click no you allow the hotfix installation to finish all his post-processes. Check if the file versions has been updated and only then reboot the server.

clip_image015

I can see that the files have been updated

clip_image016

Manual operations that must be performed after you update the Root Management Server

Note You do not have to repeat the DiscoveryEntitySProcs.SQL installation if you have previously installed Cumulative Update 1 for System Center Operations Manager 2007 R2.

As in my environment I already applied the CU 1 I can skip this step.

Import updated management packs

This updated management pack is located in the ManagementPacks folder of the package installation.

Microsoft.SystemCenter.DatawareHouse.Report.Library.mp

Now you need to upgrade the other opsmgr components as well. I don’t have other MS servers in my lab environment so I’m going to skip this step.

Remember to upgrade one MS server at a time.

clip_image018

Last step is to approve the pending agents

clip_image020

clip_image021

Manually installed agents should be upgraded manually. Or you can easily create a SCCM package and deploy that.

If you have not already done so, create a new view that shows the agent patch list as described on Kevin Holmans blog: http://blogs.technet.com/kevinholman/archive/2008/06/24/how-do-i-know-which-hotfixes-have-been-applied-to-which-agents.aspx

That’s it!

Pretty easy upgrade

Thanks,
Alexandre Verkinderen

Avatar of alkin

by alkin

Cumulative Update 2 Released for System Center Operations Manager 2007 R2 opsmgr

8:34 am in Uncategorized by alkin

Microsoft has just released a second cumulative update for opsmgr! More information can be found here: http://support.microsoft.com/kb/979257 

Make sure to download the correct language: SystemCenterOperationsManager2007-R2CU2-KB979257-X86-X64-IA64-ENU.MSI

 

Have fun,

Alexandre Verkinderen

Avatar of alkin

by alkin

OpsMgr 2007 R2 Cumulative Update 1

7:13 am in Uncategorized by alkin

Our first cumulative update has released for OpsMgr 2007 R2! Cumulative Update 1 contains a number of fixes for the Operations Manager 2007 R2 release. More information about what has been fixed can be found here: http://support.microsoft.com/kb/974144 .

 

And as always RTFM! You will need to perform some additional steps:

  • Update the DiscoveryEntitySPRocs.sql
  • and import the Microsoft.SystemCenter.DatawareHouse.Report.Library.mp manually

 

Also notice that the issue with the SRSUpgradetool.exe, as described here, has been resolved now:

The following updated file that is located in the SupportTools folder supports the upgrade from SQL Reporting Services 2005 to SQL Reporting Services 2008:

SRSUpgradeTool.exe

Note Use the appropriate platform version of this file instead of the file that is supplied in the SupportTools folder of the Operations Manager 2008 R2 distribution media.

 

Hope this helps,

Alexandre Verkinderen

Avatar of alkin

by alkin

OpsMgr : Certificate for this system is not valid when installing Linux agent

3:15 pm in Uncategorized by alkin

Today I ran into some Linux agent deployment issues. I needed to monitor about 20 Redhat Machines . In such an environment environment, Kerberos authentication is not possible. Therefore, certificates are used between the management server and the UNIX-based or Linux-based computers.

windows-to-linux

First if you have some Cross-platform agent deployment issues please have a look at the following blog posts:

 

Ok, let’s start!

So after making sure I had all the pre-requisites needed to deploy an Linux agent I launched the discovery wizard

image

But my agent installation failed because the certificate could not be signed.

image

The certificate signing process does the following:

Operations Manager retrieves the certificate from the agent, signs the certificate, deploys the certificate back to the agent, and then restarts the agent.

image

For an unknow reason my certifcate was not signed and trusted.

 I also got the following error in my event log:

Unexpected ScxCertLibException: Unable to open root store
; input data is: —–BEGIN CERTIFICATE—–
MIIDHjCCAgYCAQEwDQYJKoZIhvcNAQEFBQAwZjEYMBYGA1UEAxMPU0NYLUNlcnRp
ZmljYXRlMTAwLgYDVQQMEydTQ1g2MzMzNzZEMi1FM0UyLTRmMzEtODQ2MS1EMDky

image

 

To solve this problem you need to sign the certificate on your OpsMgr server following this procedure:

 Download and install Winscp on your OpsMgr server.

 Start Winscp and connect to your Linux machine

image

Click yes

image

Browse to /etc/opt/microsoft/scx/ssl

image

Copy the key scx-host-<hostname>.pem  to your opsmgr server.

image

Open the command prompt on your OpsMgr server and change directories to the location where you copied the certificate. Type the command

“scxcertconfig -sign scx-host-<hostname>.pem scx_new.pem”

and then press ENTER. This command will self-sign your certificate (scx-host-<hostname>.pem) and then save the new certificate.

image

Rename your scx_new.pem file with scx-host-<hostname>.ad.pem and replace the original file on your linux server with this file.

image

Connect to your Linux server with putty

image

and type scxadmin –restart

image

This step is very important! If you don’t restart the scxadmin the discovery wizard will still complain about the certificate not being signed!!

 

Now close your discovery wizard and re launch it.

image

The Discovery Wizard discovers the computer and tests to see that the certificate is valid. If the Discovery Wizard verifies that the computer can be discovered and that the certificate is valid, the Discovery Wizard adds the newly discovered computer to the Operations Manager database.Almost immediately you will get a message saying the agent is successfully signed and installed:

image

 

Hope this helps,

Alexandre Verkinderen

Avatar of alkin

by alkin

OpsMgr bug : console crashing when creating an override on cluster resource group monitor

12:59 pm in Uncategorized by alkin

Be aware that there is a bug when you want to create an override on the resource group rollup monitor to change the maintenance mode behavior!

big_ugly_bug

Let’s see:

In my example I have one cluster with 2 cluster nodes. I needed to do some maintenance on my nodes and they needed to be rebooted. So I put one node in maintenance mode so that my NOC team will not get alerted, do what I had to do and finally restarted my node and do the same for the other node.

 

Suddenly I had someone of the NOC team yelling at me that they did receive an alert saying that there was a problem with the cluster resource group!!

 

I opened the cluster resource group health explorer and indeed:

image

The underlying resources were in maintenance mode but not the availability rollup monitor! So I had a look at the monitor and apparently the monitor is configured to rollup maintenance mode as an error:

 

image

So I wanted to change the maintenance mode parameter so that when I put a node into maintenance mode the monitor will rollup the maintenance mode as maintenance  mode and not rollup the maintenance mode as an error:

image

And here is the catch:

image

 

When you want to save your override you will get this nice red error! So it’s impossible to change how the behavior of the rollup resource group monitor!

 

So now, when we need to put a cluster node in maintenance mode we also put the resource groups in maintenance mode.

 

Have fun,

Alexandre Verkinderen

Avatar of alkin

by alkin

OpsMgr Webconsole Runtime error “Server Error in ‘/’ Application”

8:07 pm in Uncategorized by alkin

Just a little reminder that if you install the OpsMgr web console after the UI console has already been installed you will need to Copy the following files from the %Program Files%\System Center Operations Manager 2007 directory to the %Program Files%\System Center Operations Manager 2007\Web Console\Bin directory:

 

  • Corgent.Diagramming.CommandResources.dll
  • Corgent.Diagramming.CustomElements.dll
  • Microsoft.ReportViewer.Common.dll
  • Microsoft.ReportViewer.Webforms.dll

 

Otherwise you will get the following error when launching the webconsole:

clip_image001[4]

 

Hope this helps,

Alexandre Verkinderen

Visit Us On TwitterVisit Us On Linkedin