MS-Opsmgr

Microsoft System Center Operations Manager

SCOM 2016 – Monitor Changes to the Domain Administrators Group

In this blog post I am going to take you through the steps I took to monitor changes made to the Domain Administrators group inside an Active Directory domain.

The first step is to create a management pack in which we store the WMI discovery, the monitors and the views. A manual on how to create a management pack using the System Center Operations Manager console can be found here.

  1. Start the “System Center Operations Manager Console” and navigate to “Authoring”
  2. In the “System Center Operations Manager Console” in the “Authoring” section expand “Management Pack Object” and select “Attributes”
  3. In the “System Center Operations Manager Console” in the “Attributes” section right click “Attributes” and click “Create a New Attribute”
    Attribute01
  4. In the “Create Attribute Wizard” in the “General Properties” section give the attribute the name “Running Domain Controller Service” and click “Next”
    Attribute02
  5. In the “Create Attribute Wizard” in the “Discovery Method” section, change the following settings:
    • Change the "Discovery Type" to "WMI Query"
    • Change the "Target" to "Windows Server"
    • Change the "Management Pack" to "Group Member Changes"

    In the “Create Attribute Wizard” in the “Discovery Method” section click “Next”. The result should look something like this:
    Attribute03

  6. In the “Create Attribute Wizard” in the “WMI Configuration” section change the following settings:
    • Change the "WMI Namespace" to "root\cimv2"
    • Change the "Query" to "select * from Win32_OperatingSystem where ProductType = 2"
    • Change the "Property Name" to "ProductType"
    • Change the "Frequency" to "900"

    In the “Create Attribute Wizard” in the “WMI Configuration” section click “Finish”. The result should look something like this:
    Attribute04
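Before relying on the discovery, it is worth running the attribute's WMI query yourself to see which servers it will tag. The following PowerShell is an added example, not code from the original post: it runs the same namespace and WQL query the attribute uses against a list of servers and reports which ones are returned. It assumes CIM/WinRM access to the listed computers; the computer names are constructed for the example.

```powershell
# Added example (not from the original post). Win32_OperatingSystem.ProductType is
# 1 = workstation, 2 = domain controller, 3 = member server; the attribute's query
# only returns rows where ProductType = 2, so non-DCs simply come back empty.
$ProductTypeNames = @{ 1 = 'Workstation'; 2 = 'Domain Controller'; 3 = 'Member Server' }

function Get-DomainControllerDiscovery {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName   # constructed sample names below
    )
    foreach ($computer in $ComputerName) {
        try {
            # Same namespace and query as the SCOM attribute ("Property Name" = ProductType)
            $os = Get-CimInstance -ComputerName $computer -Namespace 'root\cimv2' `
                      -Query 'select * from Win32_OperatingSystem where ProductType = 2' `
                      -ErrorAction Stop
            $productType = $null
            $role        = 'not discovered (query returned no row, so not a DC)'
            if ($os) {
                $productType = [int]$os.ProductType
                $role        = $ProductTypeNames[$productType]
            }
            [pscustomobject]@{
                ComputerName = $computer
                ProductType  = $productType
                Role         = $role
                Discovered   = [bool]$os
            }
        } catch {
            # Unreachable or access denied: the discovery would silently skip this host
            [pscustomobject]@{
                ComputerName = $computer
                ProductType  = $null
                Role         = "error: $($_.Exception.Message)"
                Discovered   = $false
            }
        }
    }
}

# Constructed sample input: one domain controller and one management server
Get-DomainControllerDiscovery -ComputerName 'DevDC01', 'DevMS02' | Format-Table -AutoSize
```

A host that errors here will not get the attribute either, so an empty group is usually a reachability or permissions problem on the agent rather than a wrong query.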

Now that we have created the attribute we need to create a group.

  1. Start the “System Center Operations Manager Console” and navigate to “Authoring”
  2. In the “System Center Operations Manager Console” in the “Authoring” section select “Groups”
  3. In the “System Center Operations Manager Console” in the “Authoring” section right click “Groups” and click “Create a New Group”
    Group01
  4. In the “Create Group Wizard” in the “General Properties” section change the following settings:
    • Change the "Name" to "Servers Running Domain Controller Service"
    • Change the "Management Pack" to "Group Member Changes"

    In the “Create Group Wizard” in the “General Properties” section click "Next". The result should look something like this:
    Group02

  5. In the “Create Group Wizard” in the “Explicit Members” section click “Next”
  6. In the “Create Group Wizard” in the “Dynamic Members” section click “Create/Edit Rules”
  7. In the “Create Group Wizard - Query Builder” wizard, set the following settings:
    • Under "Select the desired class and click the Add button to begin building the formula" choose "Windows Server_Extended" and click "Add"
    • From the pull-down list select "Running Domain Controller Service"
    • Set the Operator to "Greater"
    • Change the Value to "2" and click "OK"

    In the “Create Group Wizard” in the “Dynamic Members” section click "Next". The result should look something like this:
    Group04

  8. In the “Create Group Wizard” in the “Subgroups” section click "Next".
  9. In the “Create Group Wizard” in the “Excluded Members” section click "Create".

This is what you see when you look at which servers are contained in the group created above:

Group05

Now it is time to create a custom rule to monitor the changes made to the Domain Admins group.

  1. Start the "System Center Operations Manager Console" and navigate to “Authoring”
  2. In the “System Center Operations Manager Console” in the “Authoring” section expand “Management Pack Object” and select “Rules”
  3. In the “System Center Operations Manager Console” in the “Rules” section right click “Rules” and click “Create a New Rule”
    Rule01
  4. In the “Create Rule Wizard” in the “Rule Type” section, set the following settings:
    • In the "Select the type of rule to create" tree expand "Alert Generating Rules", "Event Based" and select "NT Event Log (Alert)"
    • In the "Management pack" section select the "Group Member Changes" management pack

    In the “Create Rule Wizard” in the “Rule Type” section click "Next". The result should look something like this:
    Rule02

  5. In the “Create Rule Wizard”, in the “General” section, set the following settings:
    • Enter the "Rule Name" "Security Group Alert – User Added to Group"
    • Change the "Rule Category" to "Alert"
    • Change the "Rule Target" to "Windows Server"
    • Uncheck "Rule is enabled"

    In the “Create Rule Wizard” in the “General” section click "Next". The result should look something like this:
    Rule03

  6. In the “Create Rule Wizard” in the “Event Log Type” section change the log name to “Security” and click “Next”
  7. In the “Create Rule Wizard” in the “Build Event Expression” section, change the Event ID value to “4782” and change the event source to “Parameter 3” with the value “Domain Admins”. Click “Next”. The result should look something like this:
    Rule04
  8. In the “Create Rule Wizard” in the “Configure Alerts” section click “Create”.
    Rule05

When you now add a user to the Domain Admins group the following alert is generated.

Warning
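The rule above matches on the event's third parameter, which for the group-membership audit events is the group's SAM account name. The PowerShell below is an added example, not code from the original post or its management pack: it pulls the same condition straight out of a domain controller's Security log, so you can test what the rule will fire on before enabling it. In Microsoft's Security audit event list, 4728 is "A member was added to a security-enabled global group" (Domain Admins is a global group), 4732 and 4756 are the domain-local and universal equivalents, and 4782 is "The password hash of an account was accessed"; whichever ID you put in the rule, compare it with a real event on your own DC first. The example assumes it runs on, or can reach, a domain controller as an account allowed to read the Security log; the group list is constructed.

```powershell
# Added example (not from the original post): list additions/removals to the
# privileged groups, using the same event parameter the SCOM rule tests ("Parameter 3").
#   4728/4729 member added/removed, security-enabled global group   (e.g. Domain Admins)
#   4732/4733 member added/removed, security-enabled local group
#   4756/4757 member added/removed, security-enabled universal group (e.g. Enterprise/Schema Admins)
$MemberAddedIds   = 4728, 4732, 4756
$MemberRemovedIds = 4729, 4733, 4757

function Get-PrivilegedGroupChange {
    param(
        [string[]] $GroupName    = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'),  # constructed
        [datetime] $StartTime    = (Get-Date).AddDays(-1),
        [string]   $ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Security'
        Id        = $MemberAddedIds + $MemberRemovedIds
        StartTime = $StartTime
    }
    # SilentlyContinue: "No events were found" is reported as an error by Get-WinEvent
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            # Properties[2] is the third event parameter: TargetUserName, the group's SAM name
            $_.Properties[2].Value -in $GroupName
        } |
        ForEach-Object {
            $action = 'Removed'
            if ($_.Id -in $MemberAddedIds) { $action = 'Added' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Action      = $action
                Group       = $_.Properties[2].Value
                Member      = $_.Properties[0].Value   # MemberName: DN of the account added/removed
                # SubjectDomainName\SubjectUserName: who made the change
                ChangedBy   = '{0}\{1}' -f $_.Properties[7].Value, $_.Properties[6].Value
            }
        }
}

Get-PrivilegedGroupChange | Format-Table -AutoSize
```

Because membership changes are logged only on the domain controller that processed them, run this against each DC (or collect the Security log centrally) to get the full picture; the SCOM rule achieves the same by targeting every server running the domain controller service.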

I created a management pack which also monitors the “Domain Admins”, “Schema Admins” and “Enterprise Admins” groups. The only differences are that a warning is generated and that the rules are enabled. You can download the management pack from here.

SCOM: Data Access SPN Not Registered

I was rebuilding my System Center Operations Manager 2012 R2 lab environment, and when I had finished installing my System Center Operations Manager environment it gave me the critical alert “Data Access Service SPN Not Registered”.

Alert Data Access Service SPN Not Registered

The reason I get this error is that I deployed my System Center Operations Manager environment using a standard domain user account for the System Center Data Access Service. By default a domain user does not have the right to update its own Service Principal Name (SPN).

When looking into the blog post of Kevin Holman you can read that it is a bug in the System Center Operations Manager 2012 R2 software. You can find the blog post here.

Before I go into the solution, let me explain what a Service Principal Name (SPN) is.

Kerberos defines two different types of accounts (principals). The two different names given to these types of accounts are User Principal Name (UPN) and Service Principal Name (SPN).

User Principal Names are defined on user accounts. When looking at the properties of a user account on the Account tab, the UPN is composed of the two fields listed under the User Logon Name.
User Principal Name
A User Principal Name (UPN) must be unique across the entire Active Directory forest; otherwise, when the Key Distribution Center (KDC) looks up a user account by its UPN it gets back more than one account, which causes authentication failures for all user accounts that share that UPN. The UPN of an Active Directory object is an attribute of the object and can only hold a single value. The attribute name is userPrincipalName and can be found by opening the properties of a user account and going to the Attribute Editor tab.

User Principal Name

Service Principal Names must also be unique across the entire Active Directory forest and can be assigned to user accounts and computer accounts. Computer accounts automatically have Service Principal Names defined. Service Principal Names define which services run under the account's security context. The SPN of an Active Directory object is an attribute of the object and can hold multiple values. The attribute name is servicePrincipalName and can be found by opening the properties of a computer account and going to the Attribute Editor tab.

Service Principal Name

If you want more information on User Principal Names and Service Principal Names, please take a look at Rob Greene's blog, which can be found here.

Now that we know a little bit more about Service Principal Names, it is time to solve the above mentioned error.

  • Start “Active Directory Users And Computers”
  • Browse to the location where the computer object is located
  • Right click the “Computer Object” and click “Properties”

    Active Directory Users And Computers

  • On the “Properties” page, select the “Attribute Editor” tab
  • Double click the attribute “servicePrincipalName”
  • In the “Multi-valued String Editor” screen enter “MSOMSdkSvc/DevMS02” and click “Add”

    Active Directory Users And Computers

  • In the “Multi-valued String Editor” screen enter “MSOMSdkSvc/DevMS02.dev.ms-opsmgr.eu”, click “Add” and then “OK”
  • On the Properties page click “Apply” and “OK”

Once the above entries have been added, the alert is resolved.
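The same registration can be done, and checked, from PowerShell. The script below is an added example, not from the original post: it adds the two MSOMSdkSvc SPNs used above, but first searches every domain in the forest for another object already holding each SPN, because a duplicate SPN breaks Kerberos for both holders (this is the uniqueness requirement explained earlier). Kerberos resolves an SPN to the account whose security context the service runs in, so the SPN belongs on the account the Data Access Service actually runs as; the post's computer object is used in the usage call, and the function takes any sAMAccountName. It assumes the ActiveDirectory (RSAT) module and write rights on the target object's servicePrincipalName attribute.

```powershell
# Added example (not from the original post): register the SDK service SPNs after a
# forest-wide duplicate check. Names below (DevMS02, dev.ms-opsmgr.eu) are the post's.
Import-Module ActiveDirectory

function Register-SdkServiceSpn {
    param(
        [Parameter(Mandatory)] [string] $ManagementServer,   # NetBIOS name, e.g. DevMS02
        [Parameter(Mandatory)] [string] $DnsDomain,          # e.g. dev.ms-opsmgr.eu
        [Parameter(Mandatory)] [string] $AccountIdentity,    # sAMAccountName of the object to hold the SPNs
        [switch] $Apply                                      # report only unless -Apply is given
    )
    $spns = @("MSOMSdkSvc/$ManagementServer", "MSOMSdkSvc/$ManagementServer.$DnsDomain")
    $target = Get-ADObject -LDAPFilter "(sAMAccountName=$AccountIdentity)" -Properties servicePrincipalName
    if (-not $target) { throw "Account '$AccountIdentity' not found in the current domain" }

    foreach ($spn in $spns) {
        # Uniqueness check across every domain of the forest
        $holders = foreach ($d in (Get-ADForest).Domains) {
            Get-ADObject -Server $d -LDAPFilter "(servicePrincipalName=$spn)"
        }
        $others = @($holders | Where-Object { $_.DistinguishedName -ne $target.DistinguishedName })
        if ($others.Count -gt 0) {
            Write-Warning "$spn is already registered on $($others.DistinguishedName -join ', '); not adding it (duplicate SPNs break Kerberos)"
            continue
        }
        if ($target.servicePrincipalName -contains $spn) {
            Write-Host "$spn is already present on $($target.DistinguishedName)"
            continue
        }
        if ($Apply) {
            # servicePrincipalName is multi-valued: -Add appends, it does not replace
            Set-ADObject -Identity $target -Add @{ servicePrincipalName = $spn }
            Write-Host "Added $spn to $($target.DistinguishedName)"
        } else {
            Write-Host "Would add $spn to $($target.DistinguishedName) (re-run with -Apply)"
        }
    }
}

# Dry run with the post's values; the computer account's sAMAccountName ends in '$'.
Register-SdkServiceSpn -ManagementServer 'DevMS02' -DnsDomain 'dev.ms-opsmgr.eu' -AccountIdentity 'DevMS02$'
```

Run it once without -Apply to see what would change, then with -Apply. If the warning about an existing holder appears, remove the stale registration from the other object before adding it here, rather than ending up with two objects claiming the same SPN.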

Active Directory Integration

When installing a System Center Operations Manager 2012 R2 environment, Active Directory Integration is not directly part of the installation process. Active Directory Integration enables agents to retrieve their management server by querying Active Directory. You can use this option if you want to deploy your agents using a GPO or System Center Configuration Manager.

In this blog post I am going to take you through the steps you need to take to deploy and configure Active Directory Integration:

  1. Connect the “System Center Operations Manager 2012 R2” installation media to your “Management Server”
  2. Start an elevated “PowerShell” console and browse to “D:\Microsoft System Center 2012 R2\Operations Manager\Server”
    Powershell
  3. At the prompt “D:\Microsoft System Center 2012 R2\Operations Manager\Server” type “momadmin.exe <ManagementGroupName> <OMAdminSecurityGroup> <RunAsAccount> <Domain>”. In my case that would be “momadmin.exe Opsmgr2012r2 “Opsmgr Administrators” dev\DevOpsmgrAction dev.ms-opsmgr.eu”. Press “Enter”
    Powershell
    When starting “Active Directory Users And Computers” the result should look something like this:
    Active Directory Users And Computers
  4. Start the “System Center Operations Manager Console”
  5. In the “System Center Operations Manager Console” click “Administration”, expand “Device Management” and click “Management Servers”
    Management Server
  6. Right click the management server that you want to configure and click “Properties”
    Management Server Properties
  7. On the “Management Server Properties” screen in the “Auto Agent Assignment” section click “Add”
  8. In the “Agent Assignment and Failover Wizard” screen on the “Introduction” page click “Next”
  9. In the “Agent Assignment and Failover Wizard” screen on the “Domain” page, select the domain that you want to use, in my case “dev.ms-opsmgr.eu”. Click “Next”
    Agent Assignment And Failover Wizard
  10. In the “Agent Assignment and Failover Wizard” screen, on the “Inclusion Criteria” page, click “Configure”
  11. In the “Find Computers” wizard, create a query that matches your needs and click “OK”
    Find Computers
  12. In the “Agent Assignment and Failover Wizard” screen, on the “Inclusion Criteria” page, click “Next”
  13. In the “Agent Assignment and Failover Wizard” screen, on the “Exclusion Criteria” page, click “Next”
  14. In the “Agent Assignment and Failover Wizard” screen, on the “Agent Failover” page, select “Automatically manage failover” and click “Create”
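Step 3 can be scripted, and the result checked in the directory rather than by eye in Active Directory Users and Computers. The PowerShell below is an added example, not from the original post: it calls the tool with the post's values (the executable on the media is MOMADAdmin.exe) and then lists what sits under the container it creates, CN=OperationsManager,CN=System in the domain, which gets a sub-container named after the management group; the service connection point objects that the agent assignment rule publishes for each management server end up under that sub-container. It assumes the ActiveDirectory module and that it runs from the management server with the media mounted on D:.

```powershell
# Added example (not from the original post): run MOMADAdmin.exe, then verify the
# Active Directory Integration container. Values are the ones used in the post.
$ManagementGroup = 'Opsmgr2012r2'
$AdminGroup      = 'Opsmgr Administrators'   # contains a space: keep it a single argument
$ActionAccount   = 'dev\DevOpsmgrAction'
$Domain          = 'dev.ms-opsmgr.eu'
$MediaPath       = 'D:\Microsoft System Center 2012 R2\Operations Manager\Server'

# Creates CN=OperationsManager,CN=System,<domain> and a sub-container for the management
# group, and sets the permissions the admin group and the action account need on it.
& (Join-Path $MediaPath 'MOMADAdmin.exe') $ManagementGroup $AdminGroup $ActionAccount $Domain

function Get-OpsMgrAdIntegration {
    param(
        [Parameter(Mandatory)] [string] $ManagementGroupName,
        [Parameter(Mandatory)] [string] $DomainName
    )
    Import-Module ActiveDirectory
    $domainDN = (Get-ADDomain -Identity $DomainName).DistinguishedName
    $base = "CN=$ManagementGroupName,CN=OperationsManager,CN=System,$domainDN"
    try {
        $container = Get-ADObject -Identity $base -Server $DomainName
    } catch {
        Write-Warning "$base not found: MOMADAdmin.exe has not run for this management group in $DomainName"
        return $null
    }
    # Everything below the management-group container; the service connection points
    # appear here once the agent assignment rule has run on the management server.
    Get-ADObject -SearchBase $container.DistinguishedName -SearchScope Subtree -Filter * `
                 -Server $DomainName -Properties serviceBindingInformation |
        Select-Object DistinguishedName, ObjectClass, serviceBindingInformation
}

Get-OpsMgrAdIntegration -ManagementGroupName $ManagementGroup -DomainName $Domain | Format-List
```

Right after MOMADAdmin.exe only the management-group container itself is listed; if the management server's entry has not shown up some time after step 14, check the assignment rule on the management server before touching the agents.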

Now that we have configured Active Directory Integration, we have to configure the Microsoft Monitoring Agent to make use of it. You can start the “Microsoft Monitoring Agent” from the “Control Panel”.

Microsoft Monitoring Agent Properties

Select the manually assigned management server, click “Remove” and click “Apply”. The Microsoft Monitoring Agent service is restarted. Now it is time to wait for the agent to pick up the Active Directory Integration configuration.

When the configuration is picked up by the client it should look something like this.

Microsoft Monitoring Agent Properties

AD Replication Monitoring – Access Denied

During the implementation of the Active Directory Management Pack I ran into the following issue.
When you want to monitor replication between domain controllers inside a forest, the Active Directory Management Pack Guide tells you to configure a domain account that will be used for replication monitoring.

1

To ensure the replication monitoring account has the rights to modify the objects under the container “OpsMgrLatencyMonitors”:

  1. Start “Adsiedit.msc” and click “Connect to”
  2. Under “Connection Point”, select “Select or type a Distinguished Name or Naming Context:” and fill in “DC=Domain,DC=Domain_Extension”
     2
  3. Locate and right click “CN=OpsMgrLatencyMonitors,DC=domain,DC=domain_extension” and click “Properties”
  4. In the “Security” tab click “Advanced”
     3
  5. Click “Advanced” and click “Add”
  6. Under “Select Users, Computers, or Groups” enter the “Active Directory Management Pack Run As” account and click “OK”
  7. Under the “Permission Entry for OpsMgrLatencyMonitors” check that “Applies to” is “This object and all descendant objects”
  8. Under permissions, allow “Read all properties”, “Write all properties” and “Create all child objects”
     4
  9. Click “OK”, “Apply” and “OK” (twice)
  10. In the ADSI Edit console click “Action”, “Connect to”
  11. Under “Connection Point”, select “Select or type a Distinguished Name or Naming Context:” and fill in “DC=DomainDNSZones,DC=Domain,DC=Domain_Extension”
     5
  12. Locate and right click “CN=OpsMgrLatencyMonitors,DC=DomainDNSZones,DC=domain,DC=domain_extension” and click “Properties”
  13. In the “Security” tab click “Advanced”
  14. Click “Add”
  15. Under “Select Users, Computers, or Groups” enter the “Active Directory Management Pack Run As” account and click “OK”
  16. Under the “Permission Entry for OpsMgrLatencyMonitors” check that “Applies to” is “This object and all descendant objects”
  17. Under permissions, allow “Read all properties”, “Write all properties” and “Create all child objects”
  18. Click “OK”, “Apply” and “OK” (twice)
  19. In the ADSI Edit console click “Action”, “Connect to”
  20. Under “Connection Point”, select “Select or type a Distinguished Name or Naming Context:” and fill in “DC=ForestDNSZones,DC=Domain,DC=Domain_Extension”
     6
  21. Locate and right click “CN=OpsMgrLatencyMonitors,DC=ForestDNSZones,DC=domain,DC=domain_extension” and click “Properties”
  22. In the “Security” tab click “Advanced”
  23. Click “Add”
  24. Under “Select Users, Computers, or Groups” enter the “Active Directory Management Pack Run As” account and click “OK”
  25. Under the “Permission Entry for OpsMgrLatencyMonitors” check that “Applies to” is “This object and all descendant objects”
  26. Under permissions, allow “Read all properties”, “Write all properties” and “Create all child objects”
  27. Click “OK”, “Apply” and “OK” (twice)
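The three passes through ADSI Edit above set the same access control entry on the OpsMgrLatencyMonitors container in the domain, DomainDnsZones and ForestDnsZones naming contexts. The PowerShell below is an added example, not from the original post or the management pack guide: it grants exactly that entry (Read all properties, Write all properties, Create all child objects, applied to this object and all descendant objects) on all three containers, skipping any where it is already present, and does nothing until -Apply is given. It assumes the ActiveDirectory module (which provides the AD: drive), that the three containers already exist, and rights to change their ACLs; the Run As account name is constructed.

```powershell
# Added example (not from the original post): grant the AD MP Run As account the
# ADSI Edit permissions from the steps above on every OpsMgrLatencyMonitors container.
Import-Module ActiveDirectory

function Grant-LatencyMonitorRights {
    param(
        [Parameter(Mandatory)] [string] $RunAsAccount,   # DOMAIN\name, constructed in the usage call
        [switch] $Apply                                  # report only unless -Apply is given
    )
    $domainDN     = (Get-ADDomain).DistinguishedName
    $forestRootDN = (Get-ADDomain (Get-ADForest).RootDomain).DistinguishedName
    $containers = @(
        "CN=OpsMgrLatencyMonitors,$domainDN",
        "CN=OpsMgrLatencyMonitors,DC=DomainDnsZones,$domainDN",
        "CN=OpsMgrLatencyMonitors,DC=ForestDnsZones,$forestRootDN"   # ForestDnsZones lives in the forest root
    )

    # Resolve once to a SID and back, so comparisons use the canonical DOMAIN\name form
    $sid       = (New-Object System.Security.Principal.NTAccount($RunAsAccount)).Translate([System.Security.Principal.SecurityIdentifier])
    $canonical = $sid.Translate([System.Security.Principal.NTAccount]).Value

    # "Read all properties", "Write all properties", "Create all child objects" ...
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty, CreateChild'
    # ... applied to "This object and all descendant objects"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    foreach ($dn in $containers) {
        $path = "AD:\$dn"
        if (-not (Test-Path $path)) { Write-Warning "$dn not found; skipping"; continue }
        $acl = Get-Acl -Path $path
        $present = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $canonical -and
            $_.InheritanceType -eq 'All' -and
            (($_.ActiveDirectoryRights -band $rights) -eq $rights)
        }
        if ($present) { Write-Host "${dn}: rights already present"; continue }
        $acl.AddAccessRule($rule)
        if ($Apply) {
            Set-Acl -Path $path -AclObject $acl
            Write-Host "${dn}: rights granted to $canonical"
        } else {
            Write-Host "${dn}: would grant rights to $canonical (re-run with -Apply)"
        }
    }
}

# Dry run with a constructed Run As account name
Grant-LatencyMonitorRights -RunAsAccount 'dev\svc-admp-runas'
```

Granting these three rights on the container, rather than making the Run As account a domain administrator, is what keeps the replication-monitoring account at the minimum it needs; re-running the function after the change shows "rights already present" for each container, which doubles as a check that the ADSI Edit steps were applied consistently in all three naming contexts.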