Event 20052 Certificate subjectname does not match local computer name
Well… One of the things which really divides the SCOM admins from the normal SCOM users is in my believe installing a gateway server. A lot of things can go wrong when installing one and even if you have done a couple of installs still it sometimes goes haywire. It’s basically a one shot or start all over again in my opinion. I’ve spoken about the Azure gateway management server install at SystemCenterUniverse 2014 in Houston and got a lot of feedback after my session that indeed this is the case.
During a recent install at a customers site I came across another great event id:
Event 20052
The full description of the alert (for search engine purposes)
“The specified certificate could not be loaded because the Subject name on the certificate does not match the local computer name
Certificate Subject name: servername.domain.local
Computer name: servername”
So the certificate was created for the full fqdn name but in fact our gateway server is not part of the domain.
Solution
By adding the DNS suffix to the computer name the certificate can be configured.
Open the computer properties of the server by right clicking ‘this pc’ and opening properties:
Selecct Change settings:
Click Change on the computer name tab:
Click the button More…
Fill in the domain FQDN which was documented in the event in the primary DNS suffix and reboot the machine.
This solved my issue and the alert did not return.
Any other suggestions are welcome of course…
SCOM Gatewayapprovaltool.exe just hangs with no error
While installing a gateway server at a high security level environment I followed my procedure carefully but bumped into a new issue I did not yet encounter. We all know it can be tricky to install a gateway server with the certificate chain and such. Kudos to everyone who does it right the first time EVERY time…
During my gateway installation processs on the targeted inside management server I used the Gatewayapprovaltool.exe to allow the gateway server access. For your reference the only and correct way to do this is in fact (source: http://technet.microsoft.com/en-us/library/hh456445.aspx):
To run the gateway Approval tool
- On the management server that was targeted during the gateway server installation, log on with the Operations Manager Administrator account.
- Open a command prompt, and navigate to the Operations Manager installation directory or to the directory that you copied the Microsoft.EnterpriseManagement.gatewayApprovalTool.exe to.
- At the command prompt, run
Microsoft.EnterpriseManagement.gatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN>
/GatewayName=<GatewayFQDN> /Action=Create
- If the approval is successful, you will see
The approval of server <GatewayFQDN> completed successfully. - If you need to remove the gateway server from the management group, run the same command, but substitute the
/Action=Deleteflag for the/Action=Createflag. - Open the Operations console to the Monitoring view. Select the Discovered Inventory view to see that the gateway server is present
But after the command prompt it just stayed there. Doing nothing. No error… Just waiting…
Well I don’t like waiting so tried it a couple of times, check the eventlog, rebooted the machine,… Nothing. On to Google then! But with no error message the search was hard but I found the solution on the blog of Marnix Wolf: http://thoughtsonopsmgr.blogspot.be/2010/02/scom-gateway-approval-tool-stalls.html
Apparently the gatewayapprovaltool is just writing some info in the SQL dbase and takes the user which is logged on to the machine to try to run this query and insert. When this is not working it just times out and sit there. No error code.
Some suggest to login or run as with a domain admin account but I prefer to use the SCOM SDK account because it is guaranteed it has rights on the SQL dbase no matter what.
After opening the command prompt as the SDK user => success!
Another little bump in the road flattened on the way to a perfect SCOM world …
Test drive Opslogix VMware management pack
System Center Operations Manager (SCOM) has been proven to be a great product to monitor your environment from end to end. It has grown version after version and has in my believe outgrown its status of monitoring only Microsoft Windows already for quite a while now. A lot of management packs are out there, some good some less good (let’s keep it diplomatic). When you are a SCOM admin you mostly come across the same management packs from the same vendors. From time to time it’s nice to see a new contender step into the arena with a management pack for a technology which can already be monitored by other management packs.
Recently Opslogix the Dutch company founded in 2009 released one of those management packs which I took for a test drive: VMware® Intelligent Management Pack.
I requested a trial to find out how well it weighs up to the competition. Opslogix is stating that this management pack is a far better choice based on cost vs monitoring. So I took it for a spin through my environment. I’m a SCOM expert but not a VMware expert so for me also the aspect of easy to install and comprehend the management pack and the overview of the environment was also a very valid point.
Installation:
When you install a management pack from the online catalog it is normally a straightforward process. The management pack is downloaded in the background and automatically added to your environment. That’s it. But with non Microsoft management packs this can be another story. Luckily the Opslogix management pack comes with a very detailed install manual and the installation was a breeze. The clear manual stated exactly what steps needed to be taken to install the management pack.
The management pack consists out of 4 different management pack files (Base, licensing ui, VMware and VMware reports). The import is straight forward like you would import any other management pack. Once imported there are still some extra steps that need to be taken to make sure you can connect and monitor your environment. One of the things you also need to keep in mind is the fact that you need to register your license in the SCOM console as well otherwise the discoveries will not kick off. Well documented in the management pack guide but I can fully understand your enthusiasm to get this going that you forgot to do it.
Next up is to define which management server is used to monitor your VMware environment. As all people who are using SCOM 2012 probably already know the resource pools let you divide monitoring between different management servers. In this case this is very handy and well thought of Opslogix because it could well be possible you only have 1 management server facing the internet or your VMware environment. In this case you can populate your resource pool with that server and you are good to go:
Next thing you need to do is add VMware environment to your SCOM environment. Again no hassle with certificates or whatsoever. The Opslogix management pack comes with a straight forward GUI to connect your environment. Just check out monitoring and open up the VMware IMP Configuration Dashboard. Fill in your data, check connect and when the connection was successful you now have a connection to your environment. BUT no monitoring yet.
Last thing to configure is adding the license you have received from OpsLogix to your environment. The license GUI lets you connect your environment we just added to your license. This is needed to calculate the cores which were included in your license.
So that’s it… All ready to go.
What’s in it?
One of the things I always do when a management pack is installed is browse through the views to see what can be visually shown to me but more important to the potential users of the console / environment.
Nothing surprising here actually. Nice views to check out the alerts, status of my devices and some performance views. Nothing more nothing less. Just the things I like to see to get a quick overview. Maybe a full dashboard to get a quick overview would have been nice but hey we can build that ourselves right!
Next I always browse through the rules and monitors. I’m not going over them 1 by 1 but in fact there are enough rules and monitors in the management pack to get you notified when things are wrong. Again I’m not a VMware expert but after the connection to the demo environment I instantly got alerts (probably generated on purpose) that were even for me clear to understand. The discovery process was definitely kicking in because all the different servers were discovered.
If you look through the included monitors and rules you’ll notice that all the different aspects of you VMware environment will be covered. All the rules and monitors are there to generate that desired view of your environment and warn you when things are about to go wrong. Nothing more, nothing less: Just the way I like it. Not drilling through a lot of rules and monitors to disable or enable them. Less config time is more monitoring time…
One thing I really like about a management pack and especially a third party management pack is that it comes with reports. As a SCOM admin I have a pretty good knowledge of what’s going on in my management group and with the servers but to a user / manager it is very hard to explain that there are issues or all is going well. Especially managers and application owners love reports they get in their mailbox on a regular base to keep track of things. Although it is not that hard to create your own reports it’s always nice to have some out of the box to get you going and save you some time in the process.
I looked around in the reports and noticed that indeed there were many reports targeted to an overall view of your environment. Most of the time that is exactly what you are looking for because normally the servers which are running on your virtual environment are also monitored by your rules for monitoring your OS. This is basically in a nutshell what this management pack is intended to do: monitor your infrastructure and give you a helicopter view of everything living in your virtual VMware environment.
Conclusion
The Opslogix management pack proved to be a sound experience on the field of install, config and connection. The installation was easy and not a lot of extra steps had to be taken to get it up and running. After the install it just started the discoveries and just started to… work. I have witnessed other management pack which have to be overridden en fine-tuned before they even produced any events or discover any new servers.
An added bonus that a lot of people are overlooking is the fact that a management pack discovers a lot of classes. This Opslogix management pack is no exception. You can use the discovered classes in your distributed applications and dashboards to even further extend your view on your environment. If you do not load a management pack this process can be tedious because you need to discover all the different types you want to add to your dashboard yourself.
If you are looking for a VMware management pack that’s easy to install, has more than enough monitors and rules on board to give you an essential clear view on your environment AND has the necessary reports: make sure to drop Opslogix a line for a demo license.
It’s all up to you on what exactly you want to monitor on your VMware environment. If you just want to monitor the health of your environment and like the ability to proactively react to issue this could be a great consideration!
For more info check out the Opslogix website: http://www.opslogix.com/products/vmware-intelligent-management-pack
SCOM: System Center Data Access Service stops (event 26380 , 33333)
When I started to review a SCOM 2012 R2 environment recently I came across an interesting issue I didn’t witness before… Time to blog the solution!
Problem
The System Center Data Access Service started successfully but stopped within the minute. After investigating I found out that there were at least 2 events logged during the time when the service crashes that could give us a clue on what is going on.
Event 26380: The System Center Data Access Service failed due to an unhandled exception… Cannot be added to the container…
Event 33333: Data access layer rejected: An entity of type service cannot be owned by a role, a group, or by principals mapped to certificates or asymmetric keys.
Strange… This worked the day before. What was going on?
After my search on the web I found this article of Travis Wright who had a similar problem with SCSM (which share the same code base so a nice entry point to start my troubleshoot).
By now I could pinpoint that there was an issue on the SQL side.
After heading over to the SQL admin with the article we continued our troubleshoot together. Turned out that the issue was not exact what Travis had experienced. In fact the SQL admin had made a review of the SA accounts and removed the SA role from the scom SDK user. No problem so far… But the SDK user was not defined in SQL as a SQL user but just as a member of a group.
Solution
Turned out that the SQL user had no rights to create an instance when executing the stored procedure: [p_TypeSpaceSetupBrokerService]
Original
SET @Query = N’CREATE SERVICE [‘ + @ServiceName + N’] ON QUEUE [‘ + @QueueName + N’] ([http://schemas.microsoft.com/SQL/Notifications/PostQueryNotification]);’;
This was changed by the followin stored procedure to authorize the DBO to execute and after that the issue was resolved.
SET @Query = N’CREATE SERVICE [‘ + @ServiceName + N’] AUTHORIZATION [dbo] ON QUEUE [‘ + @QueueName + N’] ([http://schemas.microsoft.com/SQL/Notifications/PostQueryNotification]);’;
Hopefully when you have stumbled on this page it has saved you some extra troubleshooting…
SCU_Jedi Finalist
System Center Universe is back in full force on the 30th of January to bring you for the 3th year in a row top notch System Center content. This event is held in Houston Texas but spread through the entire galaxy via a high quality live stream reaching out to all the System Center astronauts throughout the world.
To give a chance to someone to share his System Center force the SCU_Jedi contest was held. This epic journey to find the true SCU_Jedi is now in it’s final stage…
After the first stage the SCU_Jedi council elected a top 3 of the applications to enter the final round.
I was selected with my “Combine the force of the cloud and SCOM” session. As the only not American contestant I’m up against 2 other great candidates. In this final round it is however no longer in our hands but I call upon you…
He who has the most votes by 15/12 on his YouTube video posted in the SystemCenterUniverse channel wins the right to participate in person on this awesome event…
Therefore I would be so grateful if you could like my video on YouTube to get me there one like at a time:
http://www.youtube.com/watch?v=L81cv1bbogo
Please give me the opportunity to share my knowledge by giving this session . Every like counts so spread the word and get more SCOM content on this great event which is growing every year!
It would be a privilege to participate…
and remember…
Keep monitoring the force!
Scom: Batch reset monitors through PowerShell
Monitors are a very useful addition to SCOM since SCOM 2007 came out back in the days. However for a lot of fresh SCOM administrators the alerts generated by monitors sometimes can create headaches.
An alert is raised when a state is changed and closed when the state changes back to the health condition. This is the really short version…
If you speak to advanced SCOM admins they can all agree that the management of the monitor generated alerts can be tricky from time to time if you work with operators.
If at one point they close an alert in the console which was generated by a monitor but the condition is not changed for the monitor it will remain in unhealthy state until a force reset is done on the monitor itself.
We all know how many monitors are floating around in our environment so it’s just a disaster waiting to happen. Therefore it is wise to reset the unhealthy monitors for your core business services regularly until everybody is aware about the fact that they can not close alerts from a monitor…
However I use this setup also for another annoying thing that can have great impact on your environment. Again this is a scenario to rule out a human error.
- IF an alert is raised by a monitor going into a unhealthy state, a notification is successfully triggered and a ticket is created… So far so good.
- BUT if someone closes the ticket or the alert without looking at it the condition remains and no warning will be raised again.
- As a lot of my customers are using scom as a monitoring tool in the backend and monitor the tickets it generates they will not be alerted again.
Therefore I created this small PowerShell script in combination with a bat file. It will just reset the health of the unhealthy monitors of a specific monitor you specify. Only thing left to do is create a scheduled task for the bat file and you are good to go.
The script can be downloaded at the Gallery together with the bat file.
Example: Fragmentation level is high and we want to be alerted everyday again as long as the condition remains:
Check the monitor properties to retrieve the monitor display name:
In this case “Logical Disk Fragmentation Level” Copy paste the name.
Fill in the name in the batch file and run it.
The unhealthy monitors will be reset and their alerts are automatically closed in the console.
If we check the monitor again it is now forced to reset state and will fire again the next time it checks the unhealthy condition when this is still true.
This way you will receive a new alert every time this script runs. You could also schedule this during shift change of the helpdesk to get a clear view of the current situation on your environment that they start with a clean sheet.
Livemeeting: 11th of June: So you’ve installed SCOM… now what.
So you are quietly working in your office on a cloudy morning when all of a sudden the IT manager walks in and drops a bomb:
“Hey we are going to use System Center Operations Manager to monitor our systems from now on so throw away all your little monitoring tools and get at it…”
This actually happend to me once and I would have prayed for a livemeeting like this. The installation is in some cases already a hassle but then you are looking at a pristine console ready to start monitoring the systems and save the day… Now what?
This livemeeting will start right after you have survived the installation procedure and will provide you a roadmap to get up quickly. Expect a demo packed session spiced with a lot of tips and tricks from my personal experience installing SCOM in different environments.
Let’s get you from scom zero to scom hero….
Register here (cape not included 
): https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032549855&Culture=en-us&community=0
Community management pack: SCOM check update mp’s
Every once in a while a great management pack hits the community that could really make the SCOM admins out there their lives a little bit easier.
Some are very complex and solve very complex problems others are very simple and add just another functionality to SCOM. Sometimes a community management pack fills a gap that has been left in the product.
This is a nice example of the last category: Let SCOM check for updated management packs.
OK it’s possible to do this periodically by opening up the Management pack catalog in scom and do a search on updated management packs but this management pack gives you proactively an alert when there’s a new management pack available!
How convenient!
So head over to Michaels blog and grab the management pack to free up the time you spend with management pack update checking and let scom do it for you:
http://michelkamp.wordpress.com/2013/04/21/let-scom-check-for-updated-management-packs/
This management pack is also added to my new list of cool community management packs which can be found here: http://scug.be/dieter/2012/12/30/scom-2012-overview-link-blog/
Techdays 2013 session Scugbe now online
The past edition of Techdays 2013 Belgium was one of the best so far with a great outcome and a real buzzz in the community for all different new products and evolutions that were showcased.
Scugbe was also present with a System Center 2012 SP1 overview session giving you a quick drilldown of all the different new features in SP1.
8 members of the Scug went through almost all the different products of System Center and highlighted the improvements in SP1.
If you could not make it to Techdays this valuable info is now available online on the Technet site. Believe me all this info in one place will save you a lot of research on what’s new in System Center 2012 SP1.
View the video here: http://technet.microsoft.com/en-us/video/tdbe13-what-s-new-and-improved-in-service-pack-1-for-the-system-center-2012-suite
View the slidedeck here: http://www.slideshare.net/technetbelux
Overview of ALL the session of Techdays: http://technet.microsoft.com/en-us/video/ff832960?Category=TechDays+Belgium+2013&page=2
System Center 2012 SP1 UR1 released
This morning the System Center community is once more buzzing with excitement.
System Center 2012 Service Pack 1 is live since a couple of weeks and already Microsoft has released the first Update Rollup (UR1) for it.
This show great dedication of Microsoft to keep this product up to date and regularly release updates. The good thing these Update Rollups are all cumulative so no need to perform a series of updates.
Although you need to install SP1 first to install the UR1 of course.
More info on the updates is found here: http://support.microsoft.com/kb/2785682
Note: Pay special attention to the “how to install” section as the correct version of the file needed according to your CPU architecture and local is identified:
Example for SCOM:
So if you have an agent on X86 machine you will need to run the file with F2 at the end and not the 5A.