Setting up the First SCOM Gateway

There is a lot of documentation and many posts on setting up your certificates and gateways, but after a couple of days of searching I was never able to find the below clearly written out.

The Microsoft documentation lists the two steps below. What I missed (and what seems really clear now) was that you need to use the MOMCertImport.exe tool on the Management Server to install a certificate that was specifically requested for the Management Server:

  1. Request certificates for any computer in the agent, gateway server, management server chain.
  2. Import those certificates into the target computers by using the MOMCertImport.exe tool.

Allow Proxy on Event Based Rules

I thought I ran into this before but I couldn’t find a post with any concise details.

As noted in the MSDN reference below, you can use the AllowProxying tag to let your alerting and collection rules fire on events that were not written from the local machine. These include, but are not limited to, the events you get when you specify a computer name in the PowerShell Write-EventLog cmdlet.

Just place <AllowProxying>true</AllowProxying> between the LogName and the Expression XML tags when authoring and you should be ready to rock.

<ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
  <LogName>UserLogonScripts</LogName>
  <AllowProxying>true</AllowProxying>
  <Expression>
    <And>
      <Expression>

MSDN Reference: http://msdn.microsoft.com/en-us/library/ee809339.aspx
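As an added example (my code, not from the original post), the PowerShell below reproduces the case described above, an event written into UserLogonScripts on another host with Write-EventLog -ComputerName, and then lists which machines have written into that log. The host and source names are placeholders.

```powershell
# Added example, not from the original post. Host and source names are placeholders;
# the log and source must already exist on the target (New-EventLog creates them once).
param(
    [string]$TargetHost = 'LOGHOST01',
    [string]$LogName    = 'UserLogonScripts',   # the log used in the post's XML
    [string]$Source     = 'UserLogonScripts'
)

# 1. Write an event into the remote log. The record's Computer field names the machine
#    that called Write-EventLog, not $TargetHost, so an EventProvider rule on $TargetHost
#    without <AllowProxying>true</AllowProxying> never sees it.
Write-EventLog -ComputerName $TargetHost -LogName $LogName -Source $Source -EventId 1001 `
    -EntryType Information -Message "Test event written remotely from $env:COMPUTERNAME"

# 2. Read the log back and split local records from proxied ones (short names, so a
#    FQDN in either place still compares correctly).
$records = @(Get-WinEvent -ComputerName $TargetHost -LogName $LogName -MaxEvents 500)
$proxied = @($records | Where-Object {
    $_.MachineName.Split('.')[0] -ne $TargetHost.Split('.')[0]
})

'{0} records in {1} on {2}, {3} of them written by other hosts' -f `
    $records.Count, $LogName, $TargetHost, $proxied.Count

# 3. Once AllowProxying is on, each of these writers can trigger the rule, so the list
#    should contain only the hosts you expect to be forwarding events.
$proxied | Group-Object MachineName | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```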

A security warning on Domain Controllers

I ran across a post on TechNet today with questions on what security holes could be opened to SCOM administrators; I wanted to point out one of the largest items that may not be immediately apparent.

This applies specifically to Domain Controllers, but once someone has access there it's pretty much a free-for-all to your domain.

If your SCOM agent runs as Local System on the Domain Controllers, scripts launched from the agent could potentially have Domain Administrator level access to the AD infrastructure.

More on the Local-System and Domain interaction here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/652e82f1-fdb6-46b7-b90e-c62fb37d583a/system-account-in-domain-controller?forum=winserverDS
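An added check for the exposure described above (my code, not from the original post): it queries each domain controller and reports the account under which the agent's MonitoringHost.exe worker processes, the processes that actually run rules and scripts, are executing, and flags Local System. It assumes the ActiveDirectory module on the machine running it and CIM/WinRM access to the DCs.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module locally
# and CIM/WinRM access to every domain controller.
Import-Module ActiveDirectory

$report = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        # The Health Service itself always runs as Local System; the identity that matters
        # is the one used by the MonitoringHost.exe workers that execute the workflows.
        $workers = @(Get-CimInstance -ComputerName $dc -ClassName Win32_Process `
                         -Filter "Name='MonitoringHost.exe'" -ErrorAction Stop)
        if ($workers.Count -eq 0) {
            [pscustomobject]@{ DomainController = $dc; RunsAs = '(no agent workers running)'; Finding = '' }
            continue
        }
        $owners = foreach ($p in $workers) {
            $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner
            '{0}\{1}' -f $o.Domain, $o.User
        }
        foreach ($owner in ($owners | Sort-Object -Unique)) {
            [pscustomobject]@{
                DomainController = $dc
                RunsAs           = $owner
                # Local System on a DC acts with the DC's own domain identity, which is the
                # exposure the post describes: agent scripts with Domain Admin level reach.
                Finding          = if ($owner -like '*\SYSTEM') { 'Agent workflows run as Local System on a DC' } else { '' }
            }
        }
    } catch {
        [pscustomobject]@{ DomainController = $dc; RunsAs = "query failed: $($_.Exception.Message)"; Finding = '' }
    }
}

$report | Sort-Object Finding -Descending | Format-Table -AutoSize
```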

Balance Agents across Management Servers

The primary environment that I manage is crossing the 3000 server mark, which is what Microsoft lists as the supported max on a single management server.  To keep things under control and automated I created the quick script below from bits from around the internet; I thought it might be useful to someone else, so I figured I'd share it.

Please post any questions you may have and I’ll try to answer them as soon as I can.

The script takes 3 parameters and needs to run on a server where the Operations Manager PowerShell module is installed.

  1. ManagementServer – This is the server you want the script to connect to when it runs.
  2. ServersToExclude – In my case I have a few servers set aside for Linux and SNMP monitoring; I added this to prevent those servers from being set as the Primary Management Server.  All management servers are still added to the failover list.
  3. UseServerDigits – This is a switch. I needed a way to distribute the agents that wasn't random, so that each run of the script doesn't re-shuffle the agents.  When this switch is enabled it tries to get the last digits in the server's name via regex and uses those to place the server.

The Script Code:

param([string]$ManagementServer,[string[]]$ServersToExclude,[switch]$UseServerDigits)

#Import module and connect to the management server specified
Import-Module OperationsManager
New-SCOMManagementGroupConnection $ManagementServer

#Get the agents and management servers
$Agents = Get-SCOMAgent
$ManagementServers = Get-SCOMManagementServer

#Create two lists that will be used to hold the management servers,
#one will contain all servers for the failover list and the other will contain the servers to be set as primary
$AllMSList = New-Object 'System.Collections.Generic.List[Microsoft.EnterpriseManagement.Administration.ManagementServer]'
$PrimaryMSList = New-Object 'System.Collections.Generic.List[Microsoft.EnterpriseManagement.Administration.ManagementServer]'

#Process each management server we received
ForEach($MS in $ManagementServers)
{
    #Add every management server to the failover list
    $AllMSList.Add($MS)
    If($ServersToExclude -notcontains $MS.ComputerName)
    {
        #Only add these servers if they are not in the servers to exclude list
        $PrimaryMSList.Add($MS)
    }
}

#Nothing can be assigned if every management server was excluded (and the modulus below would divide by zero)
If($PrimaryMSList.Count -eq 0)
{
    Throw "No management server is left to use as a primary; check the ServersToExclude parameter."
}

#Loop through all agents
ForEach($Agent in $Agents)
{
    If($UseServerDigits -and $Agent.DisplayName -match '(?<Digits>\d+)[^\d]*$')
    {
        #Now that we have the rightmost number, do a modulus against the count of management servers
        $ServerToAssignTo = [int]([int64]$Matches.Digits % $PrimaryMSList.Count)
    }
    Else
    {
        #The switch was not given, or this server has no numbers in its name: pick a primary at random
        $ServerToAssignTo = Get-Random -Minimum 0 -Maximum $PrimaryMSList.Count
    }

    #Save some work if the agent is already assigned here
    If($Agent.PrimaryManagementServerName -ne $PrimaryMSList[$ServerToAssignTo].DisplayName)
    {
        $Agent.SetManagementServers($PrimaryMSList[$ServerToAssignTo],$AllMSList)
    }
}
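An added variant of the script (my code, not the post's): it keeps the trailing-digits placement but goes one step further, using a stable FNV-1a hash of the name for agents that have no trailing number, so nothing is ever placed by Get-Random and repeated runs never reshuffle. It previews the resulting spread and changes nothing unless -Apply is given; the ManagementServer and ServersToExclude parameters mirror the post's, -Apply is new.

```powershell
# Added example, not the post's script. Same placement rule as -UseServerDigits, but names
# without a trailing number fall back to a stable hash instead of Get-Random, so repeated
# runs never reshuffle. Without -Apply it only reports the planned spread.
param(
    [Parameter(Mandatory)][string]$ManagementServer,
    [string[]]$ServersToExclude = @(),
    [switch]$Apply
)
function Get-StableBucket([string]$Name, [int]$BucketCount) {
    if ($Name -match '(?<Digits>\d{1,9})[^\d]*$') {      # last (up to 9) trailing digits, as in the post
        return [int]$Matches.Digits % $BucketCount
    }
    [long]$h = 2166136261                                # FNV-1a over the lower-cased name
    foreach ($b in [Text.Encoding]::UTF8.GetBytes($Name.ToLowerInvariant())) {
        $h = (($h -bxor $b) * 16777619) -band 4294967295 # keep it a 32-bit value
    }
    return [int]($h % $BucketCount)
}
Import-Module OperationsManager
New-SCOMManagementGroupConnection $ManagementServer
$allMS     = New-Object 'System.Collections.Generic.List[Microsoft.EnterpriseManagement.Administration.ManagementServer]'
$primaryMS = New-Object 'System.Collections.Generic.List[Microsoft.EnterpriseManagement.Administration.ManagementServer]'
foreach ($ms in Get-SCOMManagementServer) {
    $allMS.Add($ms)                                      # every server is a failover candidate
    if ($ServersToExclude -notcontains $ms.ComputerName) { $primaryMS.Add($ms) }
}
if ($primaryMS.Count -eq 0) { throw 'No management server left to use as a primary.' }
$plan = foreach ($agent in Get-SCOMAgent) {
    $target = $primaryMS[(Get-StableBucket $agent.DisplayName $primaryMS.Count)]
    [pscustomobject]@{
        Agent    = $agent.DisplayName
        Current  = $agent.PrimaryManagementServerName
        Planned  = $target.DisplayName
        Change   = $agent.PrimaryManagementServerName -ne $target.DisplayName
        AgentObj = $agent
        Target   = $target
    }
}
$plan | Group-Object Planned | Select-Object Name, Count | Format-Table -AutoSize
'{0} of {1} agents would move' -f @($plan | Where-Object Change).Count, @($plan).Count
if ($Apply) {
    foreach ($p in @($plan | Where-Object Change)) {
        $p.AgentObj.SetManagementServers($p.Target, $allMS)
    }
}
```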