SCOM – Certificate Missing Enhanced Key Usage EventID 20050


If you want to monitor a server which does not belong to a domain, you need to use a certificate, and that certificate has special requirements. You will find many posts on the internet about handling SCOM certificates with a Microsoft PKI; one example is the detailed post by Tyson Paul. One of the essential requirements is that the certificate carries the Enhanced Key Usage properties for Client Authentication (OID 1.3.6.1.5.5.7.3.2) and Server Authentication (OID 1.3.6.1.5.5.7.3.1). If these purposes are missing, the certificate cannot be loaded and you will receive an error (Event ID 20050) in the Operations Manager event log…


A problem you could face in the real world is that some customers won’t allow you to create the certificates for SCOM yourself; instead they hand you “generic” certificates issued for other use cases. Usually YOU provide the request file and therefore the configuration of the certificate, but under certain circumstances this is not the case, and then certain properties may be missing on the certificate itself. In the case of SCOM you can add the missing purposes to the certificate: after importing it into the computer store, open the certificate, go to the Details tab, click Edit Properties and select the purposes in the dialog, like this…
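To check a certificate before handing it to the agent, here is an added example (it is not part of the original post and not SCOM’s own tooling): a PowerShell function that reads the Enhanced Key Usage extension as signed by the CA and reports which of the two required OIDs is missing, and also checks that the private key is present, which the Health Service needs as well. Note that the Edit Properties dialog described above stores a purpose override in the local certificate store of that one computer only; the signed extension is unchanged, so this function still reports the OID as missing for such a certificate, and requesting the certificate correctly from the start remains the cleaner solution. The thumbprint and store used below are placeholders.

```powershell
# Added example, not part of the original post. Checks a certificate in the
# local machine store for the EKU OIDs SCOM requires (otherwise Event ID 20050).
function Test-ScomCertificateEku {
    [CmdletBinding()]
    param(
        # Thumbprint of the certificate to check (placeholder value in the usage below)
        [Parameter(Mandatory = $true)]
        [string]$Thumbprint,
        [string]$StoreLocation = 'LocalMachine',
        [string]$StoreName = 'My'
    )

    # OIDs as listed in the post; SCOM needs both on the same certificate
    $required = [ordered]@{
        '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
        '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    }

    $cert = Get-Item -Path "Cert:\$StoreLocation\$StoreName\$Thumbprint" -ErrorAction Stop

    # Read the EKU extension straight from the signed certificate. A purpose that was
    # enabled via "Edit Properties" in the certificate MMC is a store property and
    # does not show up here.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $present = @()
    if ($ekuExt) { $present = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $missing = @($required.Keys | Where-Object { $present -notcontains $_ })

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        EkuPresent    = $present
        EkuMissing    = @($missing | ForEach-Object { "$_ ($($required[$_]))" })
        ValidForScom  = ($missing.Count -eq 0) -and $cert.HasPrivateKey -and ($cert.NotAfter -gt (Get-Date))
    }
}

# Usage: placeholder thumbprint; run in an elevated PowerShell on the monitored server
Test-ScomCertificateEku -Thumbprint 'A1B2C3D4E5F60718293A4B5C6D7E8F9011223344' | Format-List
```

If EkuMissing is not empty, the certificate is the wrong one for SCOM no matter what the store properties say; ask the PKI team for a certificate whose template includes both purposes rather than patching it on the client.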


With this option in place, you can successfully monitor the workgroup servers.

This will probably save you some headache 🙂 .

OMS – Disconnect Azure Storage Account from Workspace


In OMS you are able to collect data from a storage account. Why is this useful? Well, there are times when you want to keep data from different Azure sources for longer than Azure itself retains it, and then dig into the data using OMS. For example you can store IIS logs, Windows events, Syslog (Linux), Windows tracing logs (ETW logs) or Service Fabric events. In the past you could simply configure these settings within the OMS portal itself.


In the current OMS portal you simply see something like this…


…and the documentation link does not provide much help when it comes to connecting or removing these accounts. Therefore go to the new Azure portal, select your workspace, select “Storage account logs” and click Add…
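The same connection can be listed and removed from Azure PowerShell, which is handy when the portal blade does not show what you expect. The block below is an added example, not from the original post, and assumes the AzureRM.OperationalInsights module of that period, in which a storage account connected to a workspace is a “storage insight” resource. The resource group, workspace and storage account names are placeholders, and the property names used in the filter (Name, StorageAccountResourceId, Tables, Containers, State) and the -Force switch are assumptions about that module’s output and parameters; check them with Get-Member and Get-Help before relying on them.

```powershell
# Added example, not part of the original post. Requires the AzureRM.OperationalInsights
# module and an existing login (Login-AzureRmAccount). Names below are placeholders.
Import-Module AzureRM.OperationalInsights

$resourceGroup = 'rg-oms'            # placeholder
$workspace     = 'oms-workspace'     # placeholder
$oldAccount    = 'oldlogsstorage'    # placeholder: storage account to disconnect

# Every storage account connected to the workspace is a "storage insight" resource
$insights = @(Get-AzureRmOperationalInsightsStorageInsight -ResourceGroupName $resourceGroup `
                                                           -WorkspaceName $workspace)

# Show what is connected and which tables/containers OMS reads from each account
$insights | Select-Object Name, StorageAccountResourceId, Tables, Containers, State |
    Format-Table -AutoSize

# Pick the insight(s) pointing at the account we want to disconnect.
# StorageAccountResourceId is the ARM id ending in ".../storageAccounts/<name>".
$toRemove = @($insights | Where-Object {
    $_.StorageAccountResourceId -match "/storageAccounts/$oldAccount$"
})

if ($toRemove.Count -eq 0) {
    Write-Warning "No storage insight references storage account '$oldAccount'."
    return
}

foreach ($insight in $toRemove) {
    # Removing the insight stops OMS reading from the account; the storage account
    # and the data in it are untouched. -Force suppresses the confirmation prompt.
    Remove-AzureRmOperationalInsightsStorageInsight -ResourceGroupName $resourceGroup `
                                                    -WorkspaceName $workspace `
                                                    -Name $insight.Name -Force
    "Disconnected $($insight.Name) ($($insight.StorageAccountResourceId))"
}

# Verify that nothing still references the account
$left = @(Get-AzureRmOperationalInsightsStorageInsight -ResourceGroupName $resourceGroup -WorkspaceName $workspace |
    Where-Object { $_.StorageAccountResourceId -match "/storageAccounts/$oldAccount$" })
if ($left.Count -gt 0) { throw "Storage account '$oldAccount' is still connected to $workspace." }
```

Removing the storage insight only disconnects the workspace; if the storage account key was shared with OMS for this purpose, rotate it afterwards.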


Power BI – AAD Activity Logs App: The credentials provided for the AADData source are invalid

Power BI used to have Content Packs, which were a way to package up your dashboards, reports, Excel workbooks and datasets for Power BI. Microsoft has now changed them to so-called Apps, probably to be consistent with its Azure terminology.

There is an interesting App for Azure Active Directory to analyze the Activity Logs.


If you try to install this App you need to provide the tenant name, and on the next screen you need to authenticate against AAD, but you may receive this error…


The reason was that I had to switch my Azure Active Directory edition to Premium…


…after this upgrade the connection worked perfectly and I could analyze my data…


It seems that a Premium license is required to use this powerful Power BI App. I haven’t found anything about this on the internet, so I hope it helps you get the report up and running.

Microsoft MVP Award 2017


Yes, I got it again, awesome! Today I received an e-mail from Microsoft saying that I have been re-awarded as Most Valuable Professional (MVP) for another year. This is my 3rd year as an MVP and it still feels like WOW! I got the award in the Cloud and Datacenter Management space for my expertise and community work. Why is this so awesome?

  • Because I get the chance to raise issues directly with Microsoft program managers.
  • Invitation to the MVP summit, which takes place once a year in Redmond.
  • Connecting with other bright MVP minds and technology leaders.
  • Special opportunities to speak at conferences worldwide.
  • Access to the latest product information and releases from Microsoft.
  • and so much more…

I would like to thank my employer itnetX, which supports me in the best possible way, all the SCOM/OMS/PowerShell/System Center folks worldwide, the many Microsoft MVPs (just a great community) and of course all the Microsoft employees. If you want more information about the MVP award or want to become an MVP, visit the MVP award site here.

Quick Post – Azure Updates & Roadmap


Knowing what’s new across all Azure services is a tough job, if not almost impossible, BUT I bumped into a useful page called Azure Updates. It lets you select a service and lists all major updates month by month. In my opinion not all services are equally well maintained there, but it gives you a first pit stop to figure out whether there is any news.


…additionally there is a related page, Azure roadmap, which gives you an overview of what is planned, in preview or in development in Azure. I got the impression this page is more accurate than Azure Updates, and it is also a valuable source which you should bookmark.


I hope these two hints give you the information you need.

SCOM 2016 – Upgrade Notes from the Field


Upgrading from SCOM 2012 R2 to SCOM 2016 is theoretically not such a big deal. BUT sometimes you face issues in the customer’s infrastructure which force you to take some extra hurdles. This post gives you a high-level overview of the different migration scenarios and some of the pitfalls you could meet when upgrading to SCOM 2016.

High level upgrade path

There are 3 ways to upgrade a SCOM 2012 R2 environment.

1. Side-by-side migration (“Slow Motion”)


This is probably the path with almost no risk, but it takes a long time to finish and you lose your old data. Why is that? You install a brand new SCOM 2016 management group with brand new databases (OperationsManager / OperationsManagerDW / OperationsManagerAC). If needed you also install a separate Web Console, Reporting and the ACS role on a dedicated (management) server. I think the best option is to install all these SCOM 2016 roles on brand new Windows Server 2016 servers and the databases on SQL Server 2016. This way you have the latest and greatest technologies available and are prepared for the next couple of years. With this in place you can dual-home (multi-home) the agents, which then send data to both management groups, SCOM 2012 R2 and SCOM 2016. There is a good article on TechNet Wiki on how to configure multi-homing if you have multiple AD forests, and another one if your agents are deployed in the same AD forest. As soon as the new management group is up and running you need to migrate all management packs, channels, subscriptions, overrides, roles etc. There are ways to export and import this, but if you choose this upgrade path I recommend configuring SCOM from scratch. Especially creating new overrides and documenting them gives you the chance to end up with a well configured and documented SCOM environment. One huge advantage of this upgrade path is that you can upgrade existing management packs to new versions, implement new management packs and test them thoroughly with no impact on your production SCOM environment until you switch management groups and turn on notifications. This approach also has a few disadvantages:

  • It usually takes a long time to finish this migration.
  • There are 2 management groups to maintain.
  • The amount of work to tune the management packs should not be underestimated.
  • Dual-homing an agent puts additional load on the agent server.

2. SCOM In-place only upgrade (“Big Bang”)


If you decide to go for an in-place upgrade you take a much faster but also “riskier” path, which needs more preparation and testing and, in case of failure, a plan to revert the changes using backups and/or VM snapshots. An in-place upgrade is in theory not much of a problem and is fully supported by Microsoft. The first step is to run the SCOM 2016 setup on a management server; setup discovers the roles on that server and upgrades the server itself as well as the SCOM databases to SCOM 2016. Once the first management server / the management group is upgraded successfully, you continue with the next management server, the ACS Collector, Gateways, Console, Web Console and Reporting Server. As soon as all components are upgraded you are done. Sounds easy, but believe me, there are plenty of things that can fail. This approach also has a few disadvantages:

  • Because you upgrade SCOM only, the operating system stays the same. Of course you could theoretically in-place upgrade the operating system as well, but I really don’t encourage you to do so. If you need to upgrade SCOM and the operating system, please check the next upgrade option.
  • All your SCOM configuration, good or bad, will stay. If your management group is badly configured it stays badly configured; an upgrade won’t change anything.
  • You need to check whether your management packs work with SCOM 2016, especially third-party or community MPs. Please ask the vendor BEFORE you start the upgrade.
  • Make sure you meet the system requirements for SCOM 2016.
  • Remember there are also 3rd party connectors in SCOM which might not be supported by SCOM 2016.

3. SCOM In-place upgrade and OS upgrade (“Big Bang++”)


If you decide to go for an in-place upgrade and also want to upgrade the operating system to Windows Server 2016, this is an elegant way to achieve both. The risks are the same as for the “in-place only” upgrade, but in addition you need a good plan for switching the SCOM agents and ACS Forwarders to the new management servers. Before you start upgrading, make sure you have new Windows Server 2016 servers installed which will become the new management servers.

  • Step 1: Run the in-place upgrade on an “old” SCOM 2012 R2 management server (make sure it meets the SCOM 2016 system requirements). When this is finished, upgrade the other SCOM 2012 R2 management servers to SCOM 2016, and also the ACS Collector, Gateways, Console, Web Console and Reporting Server.
  • Step 2: Once the management group is upgraded successfully, install SCOM 2016 management servers on the freshly installed Windows Server 2016 servers. If you have ACS installed, you can also install the ACS Collector on an additional dedicated SCOM 2016 management server running on Windows Server 2016.
  • Step 3: Move the Windows / Linux agents and the ACS Forwarders to the new management servers / ACS Collector.
  • Step 4: Uninstall the “old” management servers from the management group.

If you have Web Console and/or Reporting installed, you can simply uninstall these features from the “old” SCOM servers and reinstall them on a new Windows Server 2016 server pointing to the SCOM 2016 deployment. I recommend uninstalling Reporting and Web Console BEFORE you upgrade the management group. This scenario has the same problems as the “in-place only” scenario, but additionally you have to be aware of a few more things:

  • Switching the Windows / Linux agents or ACS Forwarders to the new management servers can take some time; depending on the number of “clients”, Step 3 needs to be planned carefully.
  • If your agents are not controlled by the SCOM Console, you need to prepare PowerShell scripts to move the agents / ACS Forwarders to the new management servers.
  • Remember to install certificates for Linux or Windows agent monitoring on the new management servers.
  • Remember to set the SPNs for the new management servers.
  • If you changed settings (registry) on your old management servers, check whether you need to make these settings on the new management servers as well.
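For Step 3 and the second point above, here is an added example (not from the original post) of the two scripts you typically end up writing. Part A runs on a SCOM 2016 management server with the OperationsManager module and re-points, in batches, every console-controlled agent whose primary is still an old management server. Part B runs locally on an agent that was installed manually (Set-SCOMParentManagementServer rejects those) and uses the agent’s AgentConfigManager COM object to swap the management server of its management group. Server names and the management group name are placeholders, and the property names read from the COM objects (managementGroupName, ManagementServer, ManagementServerPort) are assumptions; check them with Get-Member on your agent.

```powershell
# Added example, not part of the original post. Placeholders: oldms01/02, newms01/02, MG_PROD.
# Part A: run on a SCOM 2016 management server.  Part B: run on a manually installed agent.

# ---------- Part A: console-controlled agents (OperationsManager module) ----------
function Move-ScomAgentsToNewManagementServers {
    param(
        [string[]]$OldManagementServers = @('oldms01.contoso.local', 'oldms02.contoso.local'),
        [string]$NewPrimary  = 'newms01.contoso.local',
        [string]$NewFailover = 'newms02.contoso.local',
        [int]$BatchSize = 50   # keep each reconfiguration wave small
    )
    Import-Module OperationsManager
    New-SCOMManagementGroupConnection -ComputerName $NewPrimary

    $primary  = Get-SCOMManagementServer -Name $NewPrimary
    $failover = Get-SCOMManagementServer -Name $NewFailover

    # Console-controlled agents still reporting to an old management server as primary.
    # Manually installed agents are skipped here; they are handled by Part B on the agent.
    $agents = @(Get-SCOMAgent | Where-Object {
        ($OldManagementServers -contains $_.PrimaryManagementServerName) -and (-not $_.ManuallyInstalled)
    })
    "{0} console-controlled agents to move" -f $agents.Count

    for ($i = 0; $i -lt $agents.Count; $i += $BatchSize) {
        $batch = $agents[$i..([Math]::Min($i + $BatchSize, $agents.Count) - 1)]
        # -PrimaryServer and -FailoverServer are separate parameter sets, hence two calls
        Set-SCOMParentManagementServer -Agent $batch -PrimaryServer $primary
        Set-SCOMParentManagementServer -Agent $batch -FailoverServer $failover
    }

    # Whatever still points at the old servers is either manual (Part B) or failed
    Get-SCOMAgent |
        Where-Object { $OldManagementServers -contains $_.PrimaryManagementServerName } |
        Select-Object DisplayName, PrimaryManagementServerName, ManuallyInstalled
}

# ---------- Part B: manually installed agent (run locally on the agent) ----------
function Switch-ManualAgentManagementServer {
    param(
        [string]$ManagementGroup = 'MG_PROD',
        [string]$NewServer = 'newms01.contoso.local',
        [int]$Port = 5723
    )
    # COM object shipped with the Microsoft Monitoring Agent
    $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'

    $current = $cfg.GetManagementGroups() | Where-Object { $_.managementGroupName -eq $ManagementGroup }
    if (-not $current) { throw "Management group '$ManagementGroup' is not configured on this agent." }
    "Currently reporting to {0}:{1}" -f $current.ManagementServer, $current.ManagementServerPort

    # There is no "set server" call: remove the management group and add it again
    $cfg.RemoveManagementGroup($ManagementGroup)
    $cfg.AddManagementGroup($ManagementGroup, $NewServer, $Port)
    $cfg.ReloadConfiguration()   # Health Service picks up the change without a service restart

    $cfg.GetManagementGroup($ManagementGroup) |
        Select-Object managementGroupName, ManagementServer, ManagementServerPort
}
```

Run Part A first and keep its output of leftovers; that list is exactly the set of servers on which Part B has to be executed (for example via your deployment tooling). Before either part, make sure the new management servers already have their SPNs and, for certificate-authenticated agents, their certificates in place, otherwise the agents will grey out immediately after the switch.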


SMA – Migrating SMA Runbooks (SMART Toolkit) Annoying Confirmation


To migrate SMA runbooks from one environment to another you probably want to use the SMA Runbook Toolkit (SMART) to export and import the runbooks and assets; you can find the download here. This toolkit is a collection of PowerShell scripts which are a few years old but still work perfectly with SMA 2016. After you have downloaded and extracted the toolkit, there is e.g. SMART\Import and Export Tool\SMART-IE-GUI.ps1 to export and import your runbooks with a PowerShell GUI…


…and the GUI looks like this…


One problem you might encounter is that you have to confirm the execution of the child script Import-SMARunbookfromXMLorPS1.ps1 for each runbook you want to import…


…to circumvent this annoying step you need to unblock the files in PowerShell. How? You simply get all files in the SMART directory and pipe them to the Unblock-File cmdlet…
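As an added example (not the screenshot from the original post), the block below first lists which files under the toolkit folder still carry the Zone.Identifier alternate data stream that Windows attaches to downloads (the “mark of the web” behind the prompt), then unblocks all files and verifies that none are left marked. The toolkit path is a placeholder. Unblocking removes the only hint that these scripts came from the internet, so do it after you have checked the download (for example by comparing its hash with the one published for the toolkit), not before.

```powershell
# Added example, not part of the original post. $toolkitRoot is a placeholder path.
function Get-MarkedDownload {
    param([string]$Path)
    # A downloaded file carries an NTFS alternate data stream named Zone.Identifier
    Get-ChildItem -Path $Path -Recurse -File | Where-Object {
        Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    }
}

$toolkitRoot = 'C:\Tools\SMART'   # placeholder: where you extracted the toolkit

$marked = @(Get-MarkedDownload -Path $toolkitRoot)
"{0} files are still marked as downloaded:" -f $marked.Count
$marked | ForEach-Object {
    # ZoneId=3 is the Internet zone, which is what triggers the confirmation prompt
    $zone = (Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier) -join ' '
    "  {0}  [{1}]" -f $_.FullName.Substring($toolkitRoot.Length + 1), $zone
}

# Remove the mark from every file in the folder (scripts and helper files alike)
Get-ChildItem -Path $toolkitRoot -Recurse -File | Unblock-File

# Verify: nothing should be marked anymore
$left = @(Get-MarkedDownload -Path $toolkitRoot)
if ($left.Count -gt 0) { throw "Still blocked: $($left.FullName -join ', ')" }
"All files under $toolkitRoot unblocked."
```

Unblock-File only deletes the Zone.Identifier stream; it does not change the execution policy, so a policy that blocks unsigned scripts altogether still blocks them afterwards.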


…after this step the import runs without interruption. This problem is not specific to the SMART tools; it can happen with any module or script you download from an external source.