• Categories

  • Active Directory
  • Appletalk
  • DHCP
  • GPO
  • Microsoft windows server
  • Netapp
  • netsh
  • NTFS
  • OpsMgr
  • SCOM
  • Script
  • SQL Reporting Services
  • System Center Operations Manager

• Meta

  • Register
  • Log in
  • Entries RSS
  • Comments RSS
  • WordPress.org

• Recent Comments

  • WHRKit on How to create a Recovery task in SCOM on a windows service.
  • Brad Hearn on How to move the OperationsManager DataBase to a new SQL server
  • Brad Hearn on Deploying SCOM Gateway server
  • Chris Rundle on How to move the OperationsManager DataBase to a new SQL server
  • Krishna on Deploying SCOM Gateway server

• Recent Posts

  • SCOM – How to Create an override
  • How to move the Operations Manager 2007 Reporting Server
  • How to move the OperationsManager Data Warehouse Database to a new SQL server
  • How to move the OperationsManager DataBase to a new SQL server
  • How to create a SCOM Windows Events Monitor and alert on the Description field

• Tags

  Active Directory AD Apple Talk Appletalk asp ASP.net aspnet_regiis Computer database dependencies DHCP export File services for Macintosh GPO health service import Loopback Management Pack Microsoft Microsoft windows server Modify mom_tracing.mof move Netapp netsh NTFS operationsmanger OpsMgr Permisions tab permissions prerequisite Recovery Task SCOM Scopes Screen Saver servicePrincipalName Spilt Scopes sql System Center Operations Manager System Centre Operations Manager The OpsMgr Connector could not connect to the user authentication method required by this server Unix WMI Xcacls

• Spam Blocked

  434 spam comments

  blocked by
  Akismet

SCOM: I screwed up the OpsMgr Health Service

Have you ever seen this in Microsfts System Center Operations Manager (SCOM)?

The OpsMgr Connector could not connect to MSOMHSvc\rms01.local

haha, I have.

Using a domain account is not supported and will not allow you to start the service. But it will register a second servicePrincipalName to the domain account. If this happens the agents will no longer be able to communicate with the server. Or at least until the duplicate servicePrincipalName is removed.

I found this out during the test phase when I changed the service login account during trouble shooting the health service. (The original problem with the health service was that it would keep failing and stopping. The resolution was never found, and that was with an open Microsoft call. We reinstalled the server and that resolved it. However the servicePrincipalName was still messed up in active directory.)

The following is what I have documented and used to fix this.

Here is a clipping from another post (http://www2.wolzak.com/index.php?option=com_frontpage&Itemid=1) on this that I found.

To generate a list of accounts that the SPNs are registered to, run the following command at the command prompt.

1. From the domain controller, open a command prompt and then type the following string: ldifde -f domain.txt
2. Open the text file in Notepad and then search for the SPN that is reported in the event log. ServiceClass/host.domain.com (in this case look for MSOMHSvc/rms01.local)
3. Note the user accounts under which the SPN is located and the organizational unit the accounts reside in….the userPrincipalName should be located directly above the servicePrincipalName registration as in the example below.
userPrincipalName: useraccount@domain.com
servicePrincipalName: ServiceClass/host.domain.com

Use one of the following options to delete the account SPN registrations from the accounts that should not contain registrations to ServiceClass/host.domain.com. (i.e. Typically any accounts containing an SPN registration for SeriviceClass/host.domain.com that services are not explicitly starting with). Make sure you know which credentials you want to keep (in this case the system account or the domain administrator) and see to it that the service is running with the credentials you want to use. Delete the other one.

Using ADSIEdit

1. Add ADSIEdit to the MMC and bind to the domain using the Domain well known naming context.
2. Navigate to each user account you previously documented as having a duplicate SPN registration and right click the account and select properties.
3. Scroll through the list of attributes until you see servicePrincipalName, double click servicePrincipalName and remove the duplicate SPN registration and click on OK and exit ADSIEdit.

Using SetSPN

1. From the command prompt type the following command and hit enter.setspn -D ServiceClass/host.domain.com:Port AccountName

Make sure to test before performing this operation in a production environment.

Brad Hearn

Enterprise Server Analyst

http://bradstechblog.com/

Comments

• Search for:

• Archives

  • September 2009
  • April 2009
  • February 2009
  • November 2008
  • October 2008
  • September 2008
  • August 2008
  • July 2008

• Blogroll

  • windowsreference

• Great resources

  • Contoso
  • IT Angst
  • myITforum.com
  • System Center Operations Manager 2007 Training Videos
  • System Senter Forum

• StatPress

  Visits today: 11

• StatPress TopPosts

  • Promoting MS to RMS : USE WITH CAUTION!!
  (1238)
  • SCOM: I screwed up the OpsMgr Health Service
  (1225)
  • WMI issues that prevent SCOM Agent install
  (1179)
  (1146)
  (1140)