
Since OpsMgr 2007 I have run several times into the same error from the DNS Management Pack. The “DNS 2008 External Resolution Monitor” is always in an error state even though my DNS has no problems at all resolving public names.

I solved this problem by overriding the “Query Type” parameter of the monitor for the whole DNS class, changing it from “ns” to “A”. I also tried the CNAME query type, but the monitor stayed in the error state.


Hope this helps!

Before OpsMgr ACS is able to collect token-related audit events (Event ID 299), auditing needs to be enabled on each Geneva Server in the farm. This will create a lot of audits, which you may need to filter using Noise Filtering on your assigned Audit Collector Server. I will cover how we achieved noise filtering on our platform in another post; for now, I want to share a couple of easy steps to centrally enable audits on your Geneva Servers:

1)  In Geneva Server MMC for each Geneva Server on the farm

  1. Root node
  2. Edit Service Properties
  3. Check “Success” and “Failure” Events

2) In Active Directory

  1. Create a GPO and link to the Geneva Servers OU
  2. Enable Audits
    1. Navigate to Security Settings->Local Policies->Audit Policy.
    2. Click on the  “Audit object access” Security Setting on the list view at the right side pane.
    3. On the “Local Security Setting” tab, click the “[ ] Success” and/or “[ ] Failure” check boxes according to your needs.
  3. Give Permissions to the account
    1. Click Security Settings -> Local Policies -> User Rights Assignment.
    2. Double click “Generate Security Audits” and add the account of your service to Local Security Settings (you can verify service account by opening “services.msc”, and checking the “Microsoft “Geneva” Server” log on account)
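
A check for the steps above, as an added example that is not part of the original post: it reads the effective “Audit object access” setting and the holders of “Generate security audits” on one server with `secedit /export`, and compares them with the service's log-on account. Locating the service by a display name containing “Geneva” and the temporary file name are assumptions.

```powershell
# Added example: run locally, elevated, on a Geneva Server after the GPO has applied.
# Assumption: the service is found by the display name quoted in the article.
$svc = Get-WmiObject Win32_Service |
    Where-Object { $_.DisplayName -like '*Geneva*' } | Select-Object -First 1
if (-not $svc) { throw 'No service with "Geneva" in its display name was found.' }
$account = $svc.StartName

# secedit lists rights holders as *SID, so resolve the log-on account to a SID.
if ($account -eq 'LocalSystem') {
    $sid = 'S-1-5-18'
} else {
    $name = $account -replace '^\.\\', ($env:COMPUTERNAME + '\')
    $nt   = New-Object System.Security.Principal.NTAccount($name)
    $sid  = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Export the effective audit policy and user rights to a temporary file.
$cfg = Join-Path $env:TEMP 'geneva-audit-check.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
Remove-Item $cfg

$objAccess = 0      # AuditObjectAccess: 0 = off, 1 = success, 2 = failure, 3 = both
$holders   = @()    # accounts listed under "Generate security audits"
foreach ($line in $lines) {
    if ($line -match '^AuditObjectAccess\s*=\s*(\d+)') { $objAccess = [int]$Matches[1] }
    if ($line -match '^SeAuditPrivilege\s*=\s*(.+)$') {
        $holders = $Matches[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}

# Direct listing only: rights granted through a group are not expanded here.
# LocalSystem holds the privilege by default and is never listed.
$hasRight = ($sid -eq 'S-1-5-18') -or ($holders -contains $sid) -or ($holders -contains $account)

New-Object PSObject -Property @{
    Computer                  = $env:COMPUTERNAME
    ServiceAccount            = $account
    AuditObjectAccessSuccess  = [bool]($objAccess -band 1)
    AuditObjectAccessFailure  = [bool]($objAccess -band 2)
    HasGenerateSecurityAudits = $hasRight
}
```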

Happy auditing!

Note: (2009-07-21) I added a couple of details to the article.

I just finished the deployment of OpsMgr R2 RC in a lab environment using a multiple-server architecture; the deployment was straightforward. Below I blog my experience, indicating from which VM I ran the commands:

Environment

This reference environment is based on:

  • AD: Windows Server 2008 running ADDS.
  • RMS: Single Windows Server 2008 EE with Operations Manager R2 RC
    • Management Server Node
    • Audit Collection Server
    • WebUI
  • DB: Single Windows Server 2008 EE running SQL Server 2008 (with SSRS)
    • SQL Server Enterprise Edition 2008: Database, Analysis and Reporting services.
    • Opened port 1433 on Firewall for SQL Remote Connections.
    • Operations Manager Database Server
    • Operations Manager Reporting Node
    • Operations Manager DataWarehouse Node
    • ACS DB (On different disk array than Ops Mgr DB)

Accounts

  1. (AD) In Active Directory Users and Computers, create five accounts: the Management Server Action account, the SDK and Configuration Service account, the Data Reader account, the Data Warehouse Write Action account, and an Operations Manager Administrator account (for example, OpsMgrAdmin). These can all be domain user accounts. No special privileges are required at the domain level.
    • SCOM_Action_Service
    • SCOM_DataReader_Service
    • SCOM_DW_Service
    • SCOM_SDK_Service
  2. (AD) In Active Directory Domain Services, create a Global Security group for the Operations Manager Administrators.
  3. (AD) Add the Operations Manager Administrator Account to the Operations Manager Administrators Global Security group.
  4. (RMS) On the server that you are going to install Operations Manager on, log on with an account that has local administrator rights.
  5. (RMS) In the Computer Management tool, under Local Users and Groups, open the Administrators group and add the Operations Manager Administrators Global Security group that you created in step 2 of “To prepare accounts and groups in Active Directory.” Also add the accounts that you created to use as the Management Server Action account, the SDK and Config account, the Data Reader account, and the Data Warehouse Write Action account.

Validate SQL Server Reporting Services

  1. Browse: http://<SERVER>/Reports/Pages/Folder.aspx
  2. Browse: http://<SERVER>/ReportServer

Deploy Root Management Server (RMS)

  1. (RMS) Added Web Role with ASP.NET + AJAX 1.0
  2. (RMS) Deploy Operations Manager RMS
    1. SCOM Action Account: SCOM_Action_Service
    2. SCOM SDK Account: SCOM_SDK_Service (Local administrator of RMS and DB)
  3. (RMS) Test the deployment by importing the SQL management pack and verifying that Ops Mgr successfully monitors its database layer
  4. (RMS) Installed SCOM Agent on (DB) to monitor SQL.
  5. (RMS) Problems discovering computers? http://blogs.technet.com/momteam/archive/2006/10/24/having-trouble-discovering-computers-using-the-opsmgr-2007-discovery-wizard.aspx
  6. (DB) Enable the following FW exceptions on monitored computers.
    • Port
      • 135 - TCP
      • 139 - TCP
      • 445 - TCP
      • 5723 - TCP
      • 173 - UDP
      • 138 - UDP
      • 445 - UDP
    • Exception for “File and Print Sharing” for Ops Mgr Agent deployment.

Deploy Operations Manager Reporting

(SQL) If your SSRS 2008 deployment is healthy you will not have problems during this deployment. To guarantee a least-privilege scenario, use domain-specific accounts for running this role's services, for example:

  • SCOM_DW_Service –> Warehouse write account
  • SCOM_DataReader_Service –> Reporting services reader account.

Deploy Audit Collection Services

(RMS) Deploy Audit Collector Server and specify a dedicated disk to host the AC Database on your database server. The auth between the audit collector and the database server occurs via Kerberos.

  1. (following the operations manager 2007 deployment guide)
  2. Deployed the Audit Collector role on RMS following the wizard
    1. 2 AM in the Morning to do db maintenance tasks
    2. 365 days of data retention
    3. Deployed the Audit Database to DB to a different disk array
  3. Imported ACS reports on DB following this procedure: http://blogs.technet.com/smsandmom/archive/2007/08/29/scom2007-audit-collection-services-acs-reports-installation-configuration.aspx
  4. Enabled Audit on computers. You can do this through OpsMgr Console –> Monitoring Node –> Operations Manager –> Agents; when you select an agent in the details pane, the action pane will show the “Enable Audit Collection” action
  5. Create custom reports: http://contoso.se/blog/?p=288

Troubleshooting

The Windows 7×7 campaign is already running. Do not miss this opportunity to learn hot new topics about this OS in a 10-minute screencast format; three have been published with me as a speaker :). Enter here! http://www.microsoft.com/latam/windows/7×7/


This may happen if you use volume-licensed media to deploy Windows Server 2008 SP2 (this was my case). The resolution is to set up a KMS server on your LAN or switch the product key to a MAK key; find out more here:

In my case this happened on a Geneva Server machine.

Hope it helps,