• After you select the appropriate object you will see the override properties page. There may be as few as one rule to multiple rules that you can modify. Here you are going to need detailed knowledge about the technology that you are monitoring.
• At the bottom of this page you will need to select the management pack to save the override to. DO NOT USE THE “DEFAULT MANAGMENT PACK”!
• If you don’t have a custom management pack to save it to you can create one from this window. Just follow the dialog boxes.
• When you are done say ok and the changes will be saved.
• This article will show the basics of how to create an override
• This will not show the values to use. For this product knowledge of the technology being monitored will be required as well as some research.
• Never use the “Default Management Pack” it is selected by default, so be careful to change it to a custom management pack. This creates other potential problems later on. When installing OpsMgr service packs the “Default Management Pack” can be overwritten causing us to lose all changes.
• Never disable a monitor. This can be done as an override. When you disable a monitor it is automatically saved to the “Default Management Pack”.

how-to-move-the-operations-manager-2007-reporting-server

the two databases will be moved to a new SQL server under a new name. And the reporting services role will be moved to its own server serperate from the SQL server. I will post all three manuals that I have created out of this here.

how-to-move-the-operationsmanager-data-warehouse-database-to-a-new-sql-server

the two databases will be moved to a new SQL server under a new name. And the reporting services role will be moved to its own server serperate from the SQL server. I will post all three manuals that I have created out of this here.

how-to-move-the-operationsmanager-database-to-a-new-sql-server

here are the two variables you will be adding to the monitor

parameter name: EventDescription

Alert description: $Data/EventDescription$

1. When you are creating the Event Expression click on insert, then click on button “…: under parameter name

2. Select Use Parameter Name not specified above and enter EventDescription

$Data/EventDescription$

Select an Event Property-EventDescription

3. change your operator to Contains

4. under the Value, enter the words you want to find in the desction field.

Build Event Expresion - operator and value

THIS IS NOT DONE!!!!

5. Continue to build your rule until you arrive at the Configure Alerts page. Enter the value $Data/EventDescription$ in the Alert description window. If you do not you will receive errors.

6. Create the rule, and refresh how ever you like. When i am in a hurry i will restart the health service on the server that I am monitoring.

7. To test your rule the OpsMgr Event Creator tool is not going to work. It does not allow you to create custom descriptions. Log onto the server that you want to monitor and open a command window. Using the eventcreate command type the following

eventcreate /t error /ID 1000/d “fieldxu.exe THIS IS JUST A TEST BY Brad Hearn”

/t sets as an error

/ID is the event id

/d is what will be placed into the description field. Remeber to place quotes around your text.

The alerts will look something like this.

Hope this helps out.

Download the PDF deploying-scom-gateway-server2

Open and test ports

Put a change request into the Network group to open TCP port 5723 both ways from the Gateway server to the MS server.

To test if the ports are open. Log on to gateway server. From a command prompt type

telnet SRVNAME261 5723

If you get a cursor at the top left corner then the port is open. Any other errors indicate that the port is still closed.

Do the same from the management server back to the gateway server.

Certificates need to be deployed (2 types of certificates)

1. Root certificate

a. Import the root certificate for the management servers on the same domain as the CA server

i. Logon on the management server. Open a web Brower and navigate to http://SRVNAME342/certsrv/

ii. Click on Download a CA certificate, certificate chain, or CRL

iii. Click on Download CA Certificate chain

iv. Click on save. And save to a location of your choice. The default file name is certnew.p7b. This is fine. (you can use this cert for all your management servers and gateway server to skip the initial download on this servers if you like.

b. To import the downloaded cert open the certificate MMC

i. Open run and type MMC

ii. Click on file, add/remove snap-in

iii. Click on Add and select Certificates, and click on add again.

iv. Select computer account and say finish

v. Close the window and say ok to the add remove window.

vi. Expand certificates and right click on “Trusted Root Certification Authorities”

vii. When the wizard opens navigate to the downloaded cert is certnew.p7b . You will need to change the file type to PKCS #7

viii. Accept the defaults and finish

ix. Do this on all management servers inside the domain

c. Import the root certificate for the Gateway server that is not attached to the domain as the CA server.

i. Perform step one above to save certnew.p7b. Or use the same cert that was downloaded above. And copy to the gateway server. Then perform step 2 above.

2. Create the Custom OpsMgr Certificate

a. To create the cert. We will use two consoles to do this. Certification Authority mmc and certificate templates mmc

i. Open run and type MMC

ii. Click on file, add/remove snap-in

iii. Click on Add and select Certificate Templates and Certification Authority, and click on add again. And finish

b. Select Certificate Templates

c. In the Certificate Templates Console right click IPSec (Offline request) and then select duplicate template

i. General Tab

ii. Type a name

Request Handling

1. select Allow private key to be exported

2. Click on CSPs…

3. select Microsoft RSA SChannel Cryptographic provider for windows 2003 and Microsoft Enhanced Cryptographic provider 1.0 for windows 2000

iii. Extensions Tab

iv. select the Applications Policies and click on edit

1. remove IP security IKE intermediate

2. Click on add..

3. Select Client Authentication and Server Authentication, and clink on ok twice.

v. Security Tab

1. Users should have read

2. Say ok and close.

3. Add the new custom cert to the certificate authority

i. Open the Certification Authority mmc console

ii. Expand it and right click on certificate templates

iii. Select new, certificate template to issue

iv. Scroll through the list until you find the one you just created. Select it and say ok.

v. It should now show in the right window.

4. Deploy the Custom OpsMgr Certificate to the management servers on the same domain as the CA (need to do the full steps individually for each server)

a. Logon on the management server. Open a web Brower and navigate to http://SRVNAME342/certsrv/

b. Click on Request a certificate

c. Click on Create and submit a request to this CA

d. Select the custom Template

e. Enter a name for the template. This is the full unc name of the server that you are going to install the cert on.

f. Enter the rest of the identity info if you like.

g. Under Key options select the csp that fits your operating system. select Microsoft RSA SChannel Cryptographic provider for windows 2003 and Microsoft Enhanced Cryptographic provider 1.0 for windows 2000

h. Key size 1024

i. Mark keys as exportable

j. Check off Store cert in local computer cert store…

k. Use full unc path as friendly name.

l. Click on submit, say yes.

m. Click on Install this certificate

n. Open run and type MMC

o. Click on file, add/remove snap-in

p. Click on Add and select Certificates, and click on add again.

q. Select computer account and say finish

r. Close the window and say ok to the add remove window.

s. Expand certificates and right click on Personal certificates

t. You should see the new cert here.

5. Deploy the custom Certificate to the Gateway sever in the DMZ.

a. Because the gateway is not part of the same domain as the CA. We need to create the certificate on a different server and export it to a usb drive or other storage device. Then manually copy it to the gateway server and import it.

b. First create the cert from a server on the same domain as the CA. Follow the steps in step 4 first.

c. Next we will export the cert

i. Open run and type MMC

ii. Click on file, add/remove snap-in

iii. Click on Add and select Certificates, and click on add again.

iv. Select computer account and say finish

v. Close the window and say ok to the add remove window.

vi. Expand certificates and right click on Personal certificates

vii. You should see the new cert here.

viii. Right click on the cert and select All tasks, export

ix. The export wizard will open, say next

x. Select Yes, export private key

xi. Select enable strong protection

xii. Enter a password for the import. You will need this password when you export the cert.

xiii. Specify a location and name to save it too.

xiv. And finish

d. Import the cert.

i. Copy the cert to the gateway server. It will have a .pfx extension.

ii. Open run and type MMC

iii. Click on file, add/remove snap-in

iv. Click on Add and select Certificates, and click on add again.

v. Select computer account and say finish

vi. Close the window and say ok to the add remove window.

vii. Expand certificates and right click on Personal certificates

viii. Select All tasks, Import

ix. Browse to the cert you coppied over. You will need to change the file type to PFX to see the cert.

x. Select open, say next, enter password.

xi. Check off Mark this key as exportable.

xii. Say next, make sure the certificate store is personal , click next and finish.

6. Run the momcertimport utility

a. In this step we are going to use the same pfx certificate (the custom personal cert) that we created in step 4. This tool writes the certificate serial number to the registry. This will help OpsMgr components find the the proper certificate for authenticatin easily.

b. You will find the momcertimport utility on the install cd under supporttools\i386.

c. Copy momcertimport.exe and the pfs certificate into the same folder.

d. Open a command prompt, navigate to the folder with both files and type the following command

i. C:\>MOMCertImport.exe certfilename.pfx

ii. There is NO response after the command is successfully initiated.

e. So this on all SCOM management servers. RMS, MS, and Gateway

7. Approve the Gateway Server

a. We will use the gateway approval tool to achieve this. This will setup the gateway server as a management server in SCOM. Once done you can confirm this by looking in the SCOM console under administration, Device Management, Management Servers.

b. The tool has to be run from c:\program Files\System Center Operations Manager 2007

c. Copy Microsoft.EnterpriseManagement.GatewayApprovalTool.exe from the support tools directory to c:\program Files\System Center Operations Manager 2007

d. Open the command prompt and type the following command

i. microsoft.enterprisemanagement.gatewayapprovaltool.exe /managementservername=SRVNAME261.domainName.com /gatewayname=domainNamedmz22.domainNamedmz.com /action=create

8. Next you now ready to manually install the agents on the servers in the DMZ

9. Approve the agents in the SCOM console.

Follow the following steps to monitor a service and have it restarted automatically by SCOM if it fails.

Steps

Create a management pack to store the monitor in

Create a group that the monitor will be applied against

Create a monitor that watches the service

Create overrides (apply to group)

Create the recovery task

Step 1: Create the Management Pack

In the managment console under Administration right click on Management Packs and select “Create Management Pack”. Give this new MP a meaningfull name and continue.

Step 2: Create the Group

• In the Authoring Pane right click on “create new group” Give this new group a meaningful name. A description. And select the management pack that you created.

Important: Do not use the default management pack. You can do it. But this will create problems when trying to remove MP in the future. Always use Custom MP’s.

• Say next. Click on Add/remove objects on the Explicit Group Members. Enter a server name and search. Select your computer object and say ok. You can now add dynamic and exclusions. I am not going into that on this post so except all defaults.

Step 3: Create the Monitor

• In the Authoring Pane right click on monitors and select Create a monitor, then Unit Monitor.

• Expand Windows Services, and select “Basic Service Monitor”. Select the custom management pack.

• Provide a name for the monitor. I am going to create this monitor to watch Windows Update services. Select the monitor target as windows Server Operating System. Select the Parent Monitor as Availability.

• Next Browse to the server, or any server with the service running. and select the service.

• The next window shows how the monitor sees the health state. Accept the default.

• The last window is how the alerts are configured.

• uncheck the “Generate alerts for this monitor:” for now. This will prevent any unwanted alerts until we are ready.

Step 4: Apply to group

Lets apply this MP against the group that we created earlier and disable it for all other servers.

Fist disable the rule for all servers

• Find the new rule under Authoring\monitors. The easiest way to do this is to change your scope. Click on the Change scope in the top right corner
• Look for windows server operating System and select it and say ok.

• Expand the monitor, right click on it and select properties.

• Select Disable and “For all objects of type: windows Server Operating System”

• Next Right click on the same monitor and select override, Override the Monitor, for a group

• Start to type the name of the group you created and select it.
  
• Place a check beside “Parameter name”. Change the override setting to True. This will enable the rule for the group.

• Say OK to save.

STEP 5: Create Recovery Task

• In the Authoring Pane right click on monitors and select the monitor you created by right clicking on it and select properties.
• Click on the Diagnostic and Recovery Tab
• Under the configure recovery Tasks select Add… and choose “Recovery for Critical Health State”
  
• Select Run command
• Provide a meaningful name and description
• Select the recovery target as Windows server operating system
• Check run recovery automatically and recalculate monitor state.

• Next, for the full path to the file type C:\WINDOWS\system32\net.exe This will spawn the net command
• for the parameters type start service name. We are starting windows update service. Here is the best way to find the service name. Open services by opening the run box and type services.msc

• now that you have the actual service name lets enter it in the parameters field. so you would type “Start wuauserv”

• Once you have clicked on create you are done.

But if you did not like all the rest of have done at least once, then here is how you can remove the dependencies. But first please backup you management packs.

1. Download and install Microsoft’s XML Notepad
2. Export the Default management pack to any folder you like. This will export it into an XML file. Back this file up before making changes to it.
3. Open the XML file in XML Notepad
4. Expand the management pack in the left window to \\managmentPack\Manifest\References 

1. Look in each sub-folder named Reference for the Management pack that you are trying to remove. Once you find it Delete the Reference folder.
2. Import the Default XML file back into the console.
3. Try to delete the management pack again.

Symptom 1: During the pre-requisite check you receive notification that ASP.net is not started but the service is running.

Symptom 2: During setup you receive the “srs server validation” error  

To fix this

• Of course confirm that ASP is installed. If it is then do the following.
• Open the command prompt go to

C:\windows\Microsoft.NET\Framework\v2.0.50727

• Run the following command

aspnet_regiis /i

After I implementing Microsoft’s System Center Operation’s Manager 2007 (SCOM) into our environment I wanted to test the disaster recovery process. Our design is using an RMS and one MS. The test was meant to be simple and I of course didn’t think to create another test environment for this. *what an idiot*

To prove that the steps provided by Microsoft worked I unplugged the RMS and prompted the MS server. Hey this worked like a charm. It was the next step that really got ugly, the next step of course was when I brought the RMS back on-line. Because that is the goal in the end right. To restore the original server. Somewhere I missed a step. And before you know it I was rebuilding the entire environment. I was fairly sure that I hadn’t really missed anything. But I screw up so often who really knows for sure? I then created that test environment that ignored the first time and tried it again. Hey what do you know I had the same results. Then for the third test I opened up a Microsoft support call and had them help me do it right, and again the same results. The Microsoft support tech confessed to me that in there training they only test the promotion . They didn’t actually try to go back to the original solid state.

After a couple of days he for-wards me an internal email from Microsoft that talks about the process and how to avoid this issue.

Read on to see the risk assessment and the detailed steps of how to demote and promote

Risk assessment of promotion

The Root management server (RMS) is the primary SCOM server that is responsible for sending alerts out to a pager. It is also the server that needs to be running in order to access the alerts window within SCOM.

If the RMS fails, the Management Server (MS) will continue to accept the alerts from the agents (client servers that are being monitored). However, the MS will only collect alerts. It will not provide access to the Console to view alerts, nor will it send alerts to pager or email. The result of this is that all alerting will stop until there is a RMS in the environment again.

Options

In our environment, we have three options to handle the RMS to MS fail-over.

1. Don’t promote the MS server. Fix the RMS and bring it back on-line.

During the outage of the RMS server there will be no indication of other service failures in the environment. We would be relying on the business to notify us through the Service Desk.

1. Promote the MS to RMS

Benefit: This will provide Alerting and console access.

I have documented and tested the promotion and demotion of RMS servers in our environment. If the steps are followed exact then there should not be an issue.

However, if the procedure is not followed exactly it would mean a complete loss of the SCOM environment. The database may need to be rebuilt and the agents would need to be redeployed to all servers. The SCOM servers would need to be rebuilt from scratch.

The following note is from an internal Microsoft memo that was provided to us during Microsoft support call. This is not included in the official MS documentation. There is the risk that an analyst that responds to this type of incident might consult the official documentation and not complete the fail-over properly.

NOTE: You do NOT want the previous RMS to still be an RMS when it comes back up or becomes reachable again (network back up), as both RMS’s will compete for the DB’s attention, which is not a healthy state. If you do get in this state (old RMS not demoted, back in contact with DB), the correct fix is to demote that old/previous RMS first, as indicated above.

Do not try to demote the new RMS, as you will end up with no RMS indicated in the DB, and would likely have no way to recover the Management Group. If you want to set the previous RMS back to the current RMS, demote it first, then re-promote it, which will then automatically demote the existing RMS.

The promotion should be used only as the last resort and only in the case where there is no other way to restore the original RMS.

1. Upgrade the SCOM environment to a Cluster. (The best option but the most costly)

Clustered SCOM environment would ascertain stability of the SCOM environment and eliminate its single point of failure. It would also eliminate the need for the shaky promoting procedure described in item 2.

How to demote the Root Management Server so that you can promote it again later.

The following 3 steps need to happen to promote the Management server.

1. Backup the key on the current RMS to a file share using SecureStorageBackup tool

2. import the key to the MS to be promoted to RMS from the file share

3. Run the management server config tool on the new RMS to promote it

1. Backup the key on the current RMS to a file share

To run the SecureStorageBackup.exe Tool

On the current Root Management Server

a. Copy

SecureStorageBackup.exe and ManagementServerConfigTool.exe from

\ Ops_SP1Rc1\SupportTools.

To

C:\Program Files\System Center Operations Manager 2007

b. Open a command line and navigate to

C:\Program Files\System Center Operations Manager 2007

c. Run the following command:

SecureStorageBackup Backup “Network Path\SCOM_Key_backup\SCOMKEY.bin”

This key must be available to the machine you want to promote.

d. Provide a password

to secure the key and retype the password. The password must be eight characters long. Once the key is exported, you will see a success message.

2. Import Key to the current MS

On the Management Server you want to promote to become the Root Management Server

a. Copy SecureStorageBackup.exe and ManagementServerConfigTool.exe from

Ops_SP1Rc1\SupportTools.

To

C:\Program Files\System Center Operations Manager 2007

b. Open a command line and navigate to

C:\Program Files\System Center Operations Manager 2007

c. Run the following command:

SecureStorageBackup Restore “Network Parch\SCOM_Key_backup\SCOMKEY.bin”

d. Provide password used to access the key and retype the password again. Once the key is exported, you see a success message.

3. On the Management Server you want to promote to become the Root Management Server

a. Copy SecureStorageBackup.exe and ManagementServerConfigTool.exe from

\Ops_SP1Rc1\SupportTools.

To

C:\Program Files\System Center Operations Manager 2007

b. Open a command line and navigate to

C:\Program Files\System Center Operations Manager 2007

c. Run the following command:

ManagementServerConfigTool.exe PromoteRMS

If the Current RMS is currently on-line and reachable you are done. This will automatically update and demote the RMS to a MS. If not it is critical to complete ALL the following steps.

d. Go to the promoted Root Management Server, open the services and stop the Ops HealthService.

a. Go to the installation directory (default: %ProgramFiles%\System Center Operations Manager 2007) and delete the Health Service State folder.

e. Start the MOM Health Service.

f. When you open the Operations Console the first time, specify the name of the new Root Management Server to connect to.

4. Demote the Original RMS server when it is back on-line. This needs to be done before it can be promoted back to RMS.

a. Copy SecureStorageBackup.exe and ManagementServerConfigTool.exe from

\ Ops_SP1Rc1\SupportTools.

To

C:\Program Files\System Center Operations Manager 2007

b. Open a command line and navigate to

C:\Program Files\System Center Operations Manager 2007

c. Run the following command:

ManagementServerConfigTool.exe UpdateDemotedRMS

After the Original RMS is back online you will need to promote it again

5. On the Management Server you want to promote to become the Root Management Server

a. Copy SecureStorageBackup.exe and ManagementServerConfigTool.exe from

\ Ops_SP1Rc1\SupportTools.

To

C:\Program Files\System Center Operations Manager 2007

b. Open a command line and navigate to

C:\Program Files\System Center Operations Manager 2007

c. Run the following command:

ManagementServerConfigTool.exe PromoteRMS

Final Steps

Go to the promoted Root Management Server, open the services and stop the Ops HealthService.

1. Go to the installation directory (default: %ProgramFiles%\System Center Operations Manager 2007) and delete the Health Service State folder.
2. Start the MOM Health Service.
3. When you open the Operations Console the first time, specify the name of the new Root  Management Server to connect to.

If the Current RMS is currently on-line and reachable you are done. This will automatically update and demote the RMS to a MS.