Overcast » Blog Archives


Server 2003 EOS

The End is near for Windows 2003


I have written about this before, but it is always important to remember that Windows 2003 is quickly approaching end of life in July 2015. As I have stated before, it is understandable that companies may not want to migrate when an application works fine on Windows 2003. However, that is not the only thing that matters. There are many other aspects, like security, features and the possibility of better productivity, that should be considered.

Security has always been an issue with every computer system since the early days of personal computers. With modern operating systems, the role of the manufacturer has gained great importance in keeping customers safe. Even while the manufacturer was still actively researching and correcting issues, there was always room for zero-day vulnerabilities and attacks against the operating system. Can you imagine now, when Microsoft is no longer going to create new security patches?

Your company, if public or required to comply with market standards like PCI or others, will need to either mitigate this risk by upgrading your machines or formally accept it. Make sure you are really (carefully) measuring the risks of continuing to run business-critical applications on Windows 2003.

On the other hand, having just returned from Microsoft Ignite, I can see that Microsoft has been putting a great deal of effort into its OS strategy. They want to guarantee a great experience in a very secure environment.

If you have not started, there is still time! Hopefully, before Windows 2k3 goes EOL, you will at least have put some thought into how to move on to a newer Windows OS version.

Please review some resources below and happy migration:

http://www.microsoft.com/en-gb/server-cloud/products/windows-server-2003/


Also make sure to visit the links below!

Azure, MSDN and CANITPRO At The Movies

MSIgnite

MS Ignite–Journal Posts


I'm sitting right now at the airport waiting for my flight to Chicago. The largest Microsoft global event is about to begin. It has actually already begun, with the pre-sessions today. A while ago, Microsoft decided to unify several conferences that used to be focused on specific platforms, like Exchange, SharePoint and System Center. Now it is all together, except for Build (last week), which is focused on development.

As you may know, there will be a huge number of sessions (which is great) and you can only attend so many (which is bad). I'm focusing on System Center and Azure sessions and I will try to bring as much news as possible while the event develops.

Stay tuned and make sure you check it out here.

Hyper-V Powershell

Creating Hyper-V Host Virtual NICs


In a scenario where you have multiple NICs in your hosts teamed, you may not want to dedicate a full gigabit network card only to heartbeat, CSV or live migration. With Server 2012 R2 and Hyper-V, you are able to configure virtual NICs in the host (parent) partition and allow communication between the hosts over them.

In my scenario, each host has 11 NICs (which would be enough for the physical cluster network approach, but not that much fun). 8 of the NICs were teamed. On top of that team, a Hyper-V switch called Host Virtual Switch was created and bound to the team's NIC adapter.

On top of that switch, the following script creates the vEthernet NICs for Heartbeat, CSV and Live Migration, each on its own VLAN and subnet:

# Heartbeat: host vNIC on VLAN 10 with a static address
Add-VMNetworkAdapter -ManagementOS -SwitchName "Host Virtual Switch" -Name "Heartbeat"
Get-VMNetworkAdapter -ManagementOS -Name "Heartbeat" | Set-VMNetworkAdapterVlan -VlanId 10 -Access
Get-NetAdapter -Name "vEthernet (Heartbeat)" | Set-NetIPInterface -Dhcp Disabled
Get-NetAdapter -Name "vEthernet (Heartbeat)" | New-NetIPAddress -IPAddress 192.168.10.1 -PrefixLength 24

# Live Migration: host vNIC on VLAN 20
Add-VMNetworkAdapter -ManagementOS -SwitchName "Host Virtual Switch" -Name "Live"
Get-VMNetworkAdapter -ManagementOS -Name "Live" | Set-VMNetworkAdapterVlan -VlanId 20 -Access
Get-NetAdapter -Name "vEthernet (Live)" | Set-NetIPInterface -Dhcp Disabled
Get-NetAdapter -Name "vEthernet (Live)" | New-NetIPAddress -IPAddress 192.168.20.1 -PrefixLength 24

# CSV: host vNIC on VLAN 30
Add-VMNetworkAdapter -ManagementOS -SwitchName "Host Virtual Switch" -Name "CSV"
Get-VMNetworkAdapter -ManagementOS -Name "CSV" | Set-VMNetworkAdapterVlan -VlanId 30 -Access
Get-NetAdapter -Name "vEthernet (CSV)" | Set-NetIPInterface -Dhcp Disabled
Get-NetAdapter -Name "vEthernet (CSV)" | New-NetIPAddress -IPAddress 192.168.30.1 -PrefixLength 24

Easy as pie!
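The same configuration as an added example (not the post's own script), generalised to a loop over a table of vNICs: it checks that the switch exists and that no vNIC of that name is already present, waits for the vEthernet adapter to appear before addressing it, and ends by listing name, VLAN and address for review. The switch name and addresses are the ones from the post.

```powershell
# Added example: create host (parent partition) vNICs from a table with checks.
$SwitchName = 'Host Virtual Switch'   # the switch created on top of the team

$HostNics = @(
    @{ Name = 'Heartbeat'; VlanId = 10; IPAddress = '192.168.10.1' },
    @{ Name = 'Live';      VlanId = 20; IPAddress = '192.168.20.1' },
    @{ Name = 'CSV';       VlanId = 30; IPAddress = '192.168.30.1' }
)

function New-HostVirtualNic {
    param(
        [Parameter(Mandatory)][string]$Switch,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$VlanId,
        [Parameter(Mandatory)][string]$IPAddress,
        [int]$PrefixLength = 24
    )
    if (-not (Get-VMSwitch -Name $Switch -ErrorAction SilentlyContinue)) {
        throw "Virtual switch '$Switch' does not exist on $env:COMPUTERNAME"
    }
    if (Get-VMNetworkAdapter -ManagementOS -Name $Name -ErrorAction SilentlyContinue) {
        Write-Warning "Host vNIC '$Name' already exists; skipping"
        return
    }
    Add-VMNetworkAdapter -ManagementOS -SwitchName $Switch -Name $Name
    Get-VMNetworkAdapter -ManagementOS -Name $Name |
        Set-VMNetworkAdapterVlan -VlanId $VlanId -Access

    # Windows names the adapter "vEthernet (<Name>)"; it can take a moment to show up.
    $adapter = $null
    for ($i = 0; $i -lt 10 -and -not $adapter; $i++) {
        Start-Sleep -Seconds 2
        $adapter = Get-NetAdapter -Name "vEthernet ($Name)" -ErrorAction SilentlyContinue
    }
    if (-not $adapter) { throw "Adapter 'vEthernet ($Name)' did not appear" }

    $adapter | Set-NetIPInterface -Dhcp Disabled
    $adapter | New-NetIPAddress -IPAddress $IPAddress -PrefixLength $PrefixLength | Out-Null
}

foreach ($nic in $HostNics) {
    New-HostVirtualNic -Switch $SwitchName @nic   # splat Name/VlanId/IPAddress
}

# Review the result: name, access VLAN and IPv4 address of every host vNIC.
Get-VMNetworkAdapter -ManagementOS | ForEach-Object {
    $vlan = Get-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $_.Name
    $ip   = Get-NetIPAddress -InterfaceAlias "vEthernet ($($_.Name))" `
                -AddressFamily IPv4 -ErrorAction SilentlyContinue
    [pscustomobject]@{ Name = $_.Name; Vlan = $vlan.AccessVlanId; IPv4 = $ip.IPAddress }
}
```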

Hope this helps!

Azure Linux

Run a command in a Linux Azure VM


Here's my scenario: I have a Tomcat Ubuntu server that I wanted to log on to. Problem: I can't remember the password. I can't actually remember the users I created either.

There is more than one solution, but here's what I used.

I wanted to list the existing users. An old trick from my Unix days is to dump the contents of the /etc/passwd file, where you can see the usernames. Since my Azure VM has an agent, I can take advantage of the Linux extensions and compose the following PowerShell:


# Enter the VM name and service name
$vm = Get-AzureVM -ServiceName "MyServiceName" -Name "mytocam"
# Specify the command to execute (public configuration of the extension)
$PublicConfiguration = '{"commandToExecute": "cat /etc/passwd"}'

# Deploy the extension to the VM
$ExtensionName = 'CustomScriptForLinux'
$Publisher = 'Microsoft.OSTCExtensions'
$Version = '1.*'
Set-AzureVMExtension -ExtensionName $ExtensionName -VM $vm -Publisher $Publisher -Version $Version -PublicConfiguration $PublicConfiguration | Update-AzureVM

Simple enough. Now you can see the extension deployment, and then its results, in the new and gorgeous portal.

When I looked at the list, I even remembered that I had a specific user for monitoring that I used for SCOM. Done. I was in.

Any command can be run this way, with full (root) access to the VM, so anyone who can deploy extensions to the VM through the subscription effectively has that access too.

Hope this helps!

Authoring SCOM

Issue with SCOM Run As Account


I recently had an issue with my custom file share monitor, but I believe it can happen to any Run As Account/Profile. My MP has a Run As Profile used to run the PowerShell commands.

When installing this at a customer, we re-purposed an existing Run As Account by changing the account credentials. The account was then assigned to my Run As Profile.

However, the monitor wouldn't work. Bummer! I had tested it extensively in my lab, and it is a simple monitor. So I added more debug output to the script, which then shows the logged-on user while running the command.

To my (big) surprise, the account running the monitoring was the account set before the re-purposing. And yes, it had been almost four days, so this was not a case of waiting for the MPs to be updated on the agent.

So, quick solution: create a new Run As Account and assign it to the MP’s run as profile.

Fixed!

Moral of the story: you can't always trust what the Run As Account credential configuration says. There must be an issue that needs to be looked into. Maybe clearing the Health Service store would make the agent download the correct information.
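As an added example (not the post's monitor script), the kind of debug that exposes this: a SCOM PowerShell script fragment that logs the identity it actually runs under to the Operations Manager event log and compares it with the account the Run As Profile is supposed to supply. The expected account, the script name and the event ids are placeholders of my own.

```powershell
# Added example: verify which Windows identity a SCOM script really runs as.
param(
    # Assumption: the MP passes the expected account in as a script parameter;
    # "DOMAIN\svc-fileshare" is a placeholder, not a real account.
    [string]$ExpectedAccount = 'DOMAIN\svc-fileshare'
)

$api        = New-Object -ComObject 'MOM.ScriptAPI'
$ScriptName = 'FileShareMonitor.ps1'   # placeholder, shown as the event's script name

function Get-RunningIdentity {
    # The token the agent actually gave us, regardless of what the console shows.
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
}

function Test-RunAsIdentity {
    param([string]$Expected)
    $actual = Get-RunningIdentity
    # LogScriptEvent(scriptName, eventId, severity, text); severity 0 = info, 1 = error.
    if ($actual -ieq $Expected) {
        $api.LogScriptEvent($ScriptName, 100, 0, "Running as expected account $actual")
        return $true
    }
    $api.LogScriptEvent($ScriptName, 101, 1,
        "Running as '$actual' but the Run As Profile should supply '$Expected'. " +
        "The agent may still hold a stale credential for this profile.")
    return $false
}

$ok = Test-RunAsIdentity -Expected $ExpectedAccount

# Return the identity in the property bag as well, so it shows up in the
# alert context even when the rest of the monitor is healthy.
$bag = $api.CreatePropertyBag()
$bag.AddValue('RunAsIdentity', (Get-RunningIdentity))
$bag.AddValue('RunAsMatches', $ok)
$api.Return($bag)
```

Event 101 in the Operations Manager log on the agent is then the thing to alert on, or at least to look for, before trusting the Run As Account configuration in the console.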

Hope this helps!


Authoring SCOM

SCOM Distributed Application Object Location


Often enough I find myself asked where certain types of objects can be found in SCOM when creating a Distributed Application. It seems straightforward, but the location of some of them can take a few minutes to find. So here is a summary of the objects I find useful, with the path to each in the object picker:

Windows Computer:
Object -> Configuration Item -> Logical Entity -> Device -> Computer -> Windows Computer

Web Application Monitors:
Object -> Configuration Item -> Logical Entity -> Perspective -> Web Application Perspective

Web Availability Monitors:
Object -> Configuration Item -> Logical Entity -> Perspective -> Web Application Availability Monitoring Test Base

SQL Jobs:
Object -> Configuration Item -> Logical Entity -> Application Component -> Windows Application Component -> SQL Component -> SQL Agent Job

Windows Services:
Object -> Configuration Item -> Logical Entity -> Local Application -> Windows Local Application -> Windows Local Service -> Windows Service

Distributed Applications (User Created):
Object -> Configuration Item -> Logical Entity -> Service -> User Created Distributed Application

TCP Ports:
Object -> Configuration Item -> Logical Entity -> Perspective -> TCP port check Perspective

Databases (SQL):
Object -> Configuration Item -> Logical Entity -> Application Component -> Database -> SQL Database

Clusters:
Object -> Configuration Item -> Logical Entity -> Group -> Windows Cluster

Hope this helps!


Lync SCOM

Configuring an External watcher node for Lync 2013 and SCOM


Summary

Recently, I've been asked to configure an external Lync watcher node. The documentation doesn't do a good job, IMHO, of describing such a scenario in detail, and it doesn't comment on ports. If you don't want to go through all the steps below, just make sure you are using port 443 when creating the configuration. Port 5061, which is mentioned in the original doc, is only usable internally. On the Edge server, port 5061 seems to be in use for federation, so no good.

Pre-requisites

Create the test accounts and enable them for Lync with Enterprise Voice
Steps, according to the original Lync guide

To configure a computer to act as a watcher node, you must first complete the following prerequisites:

  • Install System Center Operation Manager and import the Lync Server 2013 management packs. You must also first verify that the watcher node computer meets all prerequisites for installing Lync Server 2013.
  • Install the following items on the watcher node computer:
    • The full version of .NET Framework 4.5
    • Windows Identity Foundation
    • Windows PowerShell 3.0

After the prerequisites are met, you can configure the watcher node by following these steps:

  • Install the Lync Server 2013 core files on the watcher node computer.
  • Install System Center Operations Manager agent on the watcher node computer.
  • Run the Watchernode.msi executable file.
  • Use the CsWatcherNodeConfiguration cmdlets to configure test user accounts to be employed by the watcher node.

Installing the Lync Server 2013 Core Files and the RTCLocal Database

To install the Microsoft Lync Server 2013 core files on a computer, complete the following procedure. The RTCLocal database will automatically be installed when you install the core files. Note that you do not need to install SQL Server on the watcher nodes. SQL Server Express Edition will be automatically installed.

To install the Lync Server 2013 core files and the RTCLocal database:

1. On the watcher node computer, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

2. In the console window, type the following command and press ENTER. Be sure to enter the appropriate path to your Lync Server setup files:

D:\Setup.exe /BootstrapLocalMgmt

Near the end of setup a reboot is required; after rebooting, all good.

To verify that the core Lync Server components are successfully installed, click Start, click All Programs, click Microsoft Lync Server 2013, and then click Lync Server Management Shell. In the Lync Server 2013 Management Shell, type the following Windows PowerShell command and press ENTER:

Get-CsWatcherNodeConfiguration


Note: The first time you run this command, no data will be returned because you have not yet configured any watcher node computers. If the command runs without returning an error, you can assume that the Lync Server setup completed successfully.

If you see information about your PIN policies, the core components have been successfully installed.

SCOM Agent with certificate

Your agent won't be part of the domain, so you'll need a certificate (or a gateway server) to allow for communication.

Agent ports and network flow

All you should need between your agent and the Edge server is 443.

Set as proxy

In the SCOM console, set the agent as a proxy.

Authentication Type: Credential

Step by step

If your watcher node computer lies outside the perimeter network then you must follow a slightly different procedure in order to configure that watcher node to run synthetic transactions: in particular, you should not create a trusted application pool or a trusted application. That means that you will need to complete two separate tasks:

  • Update the membership in the computer’s RTC Local Read-only Administrators Group
  • Install the watcher node configuration files

Updating Membership in the RTC Local Read-Only Administrators Group

If your watcher node lies outside the perimeter network, you must add the Network Service account to the RTC Local Read-only Administrators group on the watcher node computer by completing the following procedure on the watcher node:

1. Click Start, right-click Computer, and then click Manage.

2. In Server Manager, expand Configuration, expand Local Users and Groups, and then click Groups.

3. In the Groups pane, double-click RTC Local Read-only Administrators.

4. In the RTC Local Read-only Administrators Properties dialog box, click Add.

5. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Locations.

6. In the Locations dialog box, select the name of the watcher node computer, and then click OK.

7. In the Enter object names to select box, type Network Service, and then click OK.

8. In the RTC Local Read-only Administrators Properties dialog box, click OK, and then close Server Manager.


You must then restart the watcher node computer.

Installing the Watcher Node Configuration Files

Your next step is to run the file Watchernode.msi:

(Download from http://www.microsoft.com/en-ca/download/details.aspx?id=35842)

1. Open the Microsoft Lync Server 2013 Management Shell. Click Start, click All Programs, click Microsoft Lync Server 2013, and then click Lync Server Management Shell.

2. In Lync Server Management Shell, type the following command, and then press ENTER (be sure to specify the actual path to your copy of Watchernode.msi):

c:\Tools\Watchernode.msi Authentication=Negotiate

Note: As mentioned previously, Watchernode.msi can also be run from a command window. To open a command window, click Start, right-click Command Prompt, and then click Run as administrator. When the command window opens, type the same command shown in step 2, above.

The Negotiate mode is used any time the watcher node cannot be set up as a trusted application pool. In this mode, administrators will need to manage test user passwords on the watcher node.


Configuring Watcher Node Test Users and Configuration Settings

After configuring the computer that will act as a watcher node, you must:

1. Create the test accounts to be used by these watcher nodes. If you are using the Negotiate authentication method, you must also use the Set-CsTestUserCredential cmdlet to enable these test accounts for use on the watcher node.

2. Update the watcher node configuration settings.

This section covers the following procedures:

Configuring Test User Accounts

Configuring a Basic Watcher Node with the Default Synthetic Transactions

Configuring Extended Tests

Adding and Removing Synthetic Transactions

Viewing and Testing the Watcher Node Configuration

Configuring Test User Accounts

Test accounts do not need to represent actual people, but they must be valid Active Directory accounts. In addition, these accounts must be enabled for Microsoft Lync Server 2013, they must have valid SIP addresses, and they should be enabled for Enterprise Voice (to use the Test-CsPstnPeerToPeerCall synthetic transaction). If you are using the TrustedServer authentication method, all you need to do is to make sure that these accounts exist and configure them as noted. You should assign at least three test users for each pool that you want to test.

If you are using the Negotiate authentication method, you must also use the Set-CsTestUserCredential cmdlet and the Lync Server Management Shell in the watcher node as Administrator to enable these test accounts to work with the synthetic transactions. Do this by running a command similar to the following (these commands assume that the three Active Directory user accounts have been created and that these accounts are enabled for Lync Server 2013):

Set-CsTestUserCredential -SipAddress "sip:watcher1@domain.com" -UserName "domain\watcher1" -Password "P@ssw0rd"

Set-CsTestUserCredential -SipAddress "sip:watcher2@domain.com" -UserName "domain\watcher2" -Password "P@ssw0rd"

Set-CsTestUserCredential -SipAddress "sip:watcher3@domain.com" -UserName "domain\watcher3" -Password "P@ssw0rd"

You must include not only the SIP address, but also the user name and password. If you do not include the password, the Set-CsTestUserCredential cmdlet will prompt you to enter that information. The user name can be specified by using the domain name\user name format shown in the preceding code block, or by using this format: user name@domain name. For example:

-UserName "watcher3@domain.com"

To verify that the test user credentials were created, run these commands from the Lync Server Management Shell:

Get-CsTestUserCredential -SipAddress "sip:watcher1@domain.com"

Get-CsTestUserCredential -SipAddress "sip:watcher2@domain.com"

Get-CsTestUserCredential -SipAddress "sip:watcher3@domain.com"

Information similar to this will be returned for each user:

UserName          Password
--------          --------
domain\watcher1   System.Security.SecureString

Configuring a Basic Watcher Node with the Default Synthetic Transactions

After the test users have been created, you can create a watcher node by using a command similar to this:

New-CsWatcherNodeConfiguration -TargetFqdn "sip.domain.com" -PortNumber 443 -TestUsers @{Add="sip:watcher1@domain.com","sip:watcher2@domain.com","sip:watcher3@domain.com"}

TargetFqdn is the address of your Lync pool as reachable from the watcher node (or from the internet), which in this case is your Edge server. Note port 443! That's the important part!

This command creates a new watcher node that uses the default settings and runs the default set of synthetic transactions. The new watcher node also uses the test users watcher1@domain.com, watcher2@domain.com, and watcher3@domain.com. If the watcher node uses TrustedServer authentication, the three test accounts can be any valid user accounts enabled for Active Directory and Lync Server. If the watcher node uses the Negotiate authentication method, these user accounts must also be enabled for the watcher node by using the Set-CsTestUserCredential cmdlet.

Viewing and Testing the Watcher Node Configuration

If you want to view the tests that have been assigned to a watcher node, use a command similar to this:

Get-CsWatcherNodeConfiguration -Identity "sip.domain.com" | Select-Object -ExpandProperty Tests

Restart the SCOM agent (Microsoft Monitoring Agent, service name HealthService).

In a few minutes, the watcher node should be discovered and visible in the SCOM console.
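As an added example (not the post's own commands), the test-user and watcher-node steps above as one script to run in the Lync Server Management Shell on the watcher node: it prompts for each test user's password instead of putting it on the command line (where it would land in the shell history), checks that all three credentials are stored, creates the node against the Edge FQDN on port 443 only if it does not already exist, and restarts the agent. It assumes the placeholder names used in the post (sip.domain.com, domain\watcher1 to watcher3).

```powershell
# Added example: Negotiate-mode external watcher node setup in one pass.
$TargetFqdn = 'sip.domain.com'   # the Edge server, reachable from the watcher node
$Port       = 443                # 5061 is internal-only and used by the Edge for federation
$TestUsers  = @(
    @{ Sip = 'sip:watcher1@domain.com'; User = 'domain\watcher1' },
    @{ Sip = 'sip:watcher2@domain.com'; User = 'domain\watcher2' },
    @{ Sip = 'sip:watcher3@domain.com'; User = 'domain\watcher3' }
)

foreach ($u in $TestUsers) {
    # Get-Credential keeps the password out of the script and the history;
    # Set-CsTestUserCredential wants a plain string, so unwrap it only here.
    $cred = Get-Credential -UserName $u.User -Message "Password for $($u.Sip)"
    Set-CsTestUserCredential -SipAddress $u.Sip -UserName $u.User `
        -Password $cred.GetNetworkCredential().Password
}

# Confirm every credential is stored before the node is created.
$missing = $TestUsers | Where-Object {
    -not (Get-CsTestUserCredential -SipAddress $_.Sip -ErrorAction SilentlyContinue)
}
if ($missing) {
    throw "Test user credentials missing for: $(($missing | ForEach-Object { $_.Sip }) -join ', ')"
}

$sips = $TestUsers | ForEach-Object { $_.Sip }
if (-not (Get-CsWatcherNodeConfiguration -Identity $TargetFqdn -ErrorAction SilentlyContinue)) {
    New-CsWatcherNodeConfiguration -TargetFqdn $TargetFqdn -PortNumber $Port `
        -TestUsers @{ Add = $sips }
}

# Show the synthetic transactions assigned, then restart the agent so it
# picks up the new configuration.
Get-CsWatcherNodeConfiguration -Identity $TargetFqdn | Select-Object -ExpandProperty Tests
Restart-Service HealthService
```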

Management Pack SCOM SCSM

Configuring the SCSM 2012 Management Pack


It may sound silly, but this MP requires a bit of configuration to work properly. Let's go through the steps:

0. Make sure your SCSM server is added to SCOM. See details here. Make sure the servers have the Agent Proxy enabled.

1. Download it from here: http://www.microsoft.com/en-ca/download/details.aspx?id=41136

2. Read the whole guide!

3. Import the Library MP

4. Configure the Run As Account

As per the deployment guide, this profile needs to be populated:


This profile is used to access the Service Manager database and the data warehouse staging and configuration database (DWStagingAndConfig).

Let's add a Run As Account for this purpose. The guide lists the requirements the account has to meet; I think I could go with my SCSM service account for that.

UPDATE: after I had configured it all, I actually had to add specific rights to registry keys, as the guide states, and make my Run As Account a sysadmin in both SQL instances (management server and DW server).

I prefer the more secure distribution option, so make sure you distribute the account to all the servers.

If you want, you can create a specific account for that. Just make sure you follow the guide to configure the right permissions.

Also, make sure all firewall requirements are met, since this is an agentless management pack... yes, I know. It seems that even though the SCOM agents have no issues running on the servers, MS didn't bother to change the MP. From the guide:

  • Any firewall and routing are configured to support monitoring of the Service Manager management server from the designated proxy system. Access to the Service Manager and data warehouse databases must be possible because it is required by the proxy agent in one of the monitoring scenarios.
  • The Windows Management Instrumentation (WMI) service is running on the proxy agent and on all Service Manager management servers that you want to monitor.
  • The proxy system is able to establish a remote WMI connection to all Service Manager management servers. By default, this is possible if the service account that is used for proxy monitoring has administrative privileges on the Service Manager management servers.
  • The account that is used for the Database Run As Profile also has these same privileges; therefore, it can access registry keys remotely from the proxy agents.

5. Import the Discovery MP

After a few minutes, it seems that I have data coming in. (By the way, you won't find any views yet, since they are defined in the Monitoring MP, so go for the Discovered Inventory view.)

6. Import the Monitoring MP

And look at that! It seems I've been neglecting my DW server. Let's try starting the service! The service is up, but it seems I will get some grief for a while. It will all be good in the end!

Hope this helps!

Uncategorized

SCSM Dashboard


Since Service Manager lacks a native capability to create dashboards, as OpsMgr has, one often uses the Data Warehouse to provide relatively recent information, mainly to manager and director levels. In order to do that, a few things need to be in place:

1. A SQL view to generate information for the reports.

Connect SQL Server Management Studio to the server hosting the DW databases and create a new view (you can close the Add Table window). In the SQL pane, paste the Service Request query below:

SELECT        dbo.WorkItemDimvw.Id, dbo.ServiceRequestDimvw.Title, dbo.UserDimvw.DisplayName AS [Assigned To], UserDimvw_1.DisplayName AS [Affected User],
                         dbo.ServiceRequestSupportGroupvw.ServiceRequestSupportGroupValue AS Queue, dbo.ServiceRequestDimvw.CreatedDate, dbo.SLAInstanceStatusvw.SLAInstanceStatusValue AS SLAStatus
FROM            dbo.WorkItemDimvw LEFT OUTER JOIN
                         dbo.SLAInstanceInformationFactvw LEFT OUTER JOIN
                         dbo.SLAInstanceStatusvw ON dbo.SLAInstanceInformationFactvw.SLAInstanceStatusId = dbo.SLAInstanceStatusvw.SLAInstanceStatusId ON
                         dbo.WorkItemDimvw.WorkItemDimKey = dbo.SLAInstanceInformationFactvw.WorkItemDimKey LEFT OUTER JOIN
                         dbo.UserDimvw AS UserDimvw_1 RIGHT OUTER JOIN
                         dbo.WorkItemAffectedUserFactvw ON UserDimvw_1.UserDimKey = dbo.WorkItemAffectedUserFactvw.WorkItemAffectedUser_UserDimKey ON
                         dbo.WorkItemDimvw.WorkItemDimKey = dbo.WorkItemAffectedUserFactvw.WorkItemDimKey RIGHT OUTER JOIN
                         dbo.ServiceRequestSupportGroupvw INNER JOIN
                         dbo.ServiceRequestDimvw INNER JOIN
                         dbo.ServiceRequestStatusvw ON dbo.ServiceRequestDimvw.Status_ServiceRequestStatusId = dbo.ServiceRequestStatusvw.ServiceRequestStatusId ON
                         dbo.ServiceRequestSupportGroupvw.ServiceRequestSupportGroupId = dbo.ServiceRequestDimvw.SupportGroup_ServiceRequestSupportGroupId ON
                         dbo.WorkItemDimvw.EntityDimKey = dbo.ServiceRequestDimvw.EntityDimKey LEFT OUTER JOIN
                         dbo.UserDimvw RIGHT OUTER JOIN
                         dbo.WorkItemAssignedToUserFactvw ON dbo.UserDimvw.UserDimKey = dbo.WorkItemAssignedToUserFactvw.WorkItemAssignedToUser_UserDimKey ON
                         dbo.WorkItemDimvw.WorkItemDimKey = dbo.WorkItemAssignedToUserFactvw.WorkItemDimKey

Execute the query; you should get a result set with the service requests. Now save the view, refresh Views, and it should be listed there.

2. Create a new Report in SSRS.

Navigate to your SSRS URL, then to the Service Manager folder, and create a Dashboards folder.

In the Dashboards folder, click Report Builder (it will install if you don't have it yet) and create a new report. After some initial visual configuration, create a Data Source for the DW database.

Notice you are now using your own credentials to connect. Eventually, you'll need to store credentials so that all users can connect (since most of them won't be allowed to query the DW directly); use a dedicated account that only has read access to the view for that.

Now, let's create the dataset based on the view we created in step 1: open Query Designer, select the view, and the dataset will contain its columns. Then add a table to the report, bound to that dataset. Run it and you should get a list of service requests with title, assigned user, affected user, queue, creation date and SLA status.

(I have a funny queue entry there, but yours should look good!)

I will come back with some other queries for Incidents and Activities, to compose a complete dashboard.

Hope this helps!

Uncategorized

A Simple File Share monitoring MP


I recently had a request to implement a simple solution to monitor a path on the network. There are some MPs around, but we had issues with them, so we needed something simple to accomplish a simple task.

The first thing the MP does is discover watcher nodes and the paths to be monitored. It does this by finding a file in a certain folder (C:\FileShareMP\fileshares.txt) and reading its contents. Each server found with that file becomes a watcher node, and all the paths listed in the file become objects.

It then runs a monitor against these objects and generates an alert in case a path is not accessible.

Simple.

The discovery is disabled by default. It could, theoretically, be enabled for all machines, but that may not be necessary. Enable it only for the machines that have the file.

More details:

The discovery has parameters that can be overridden, and so does the monitor. Your alerts will name the path that could not be accessed.

I have not created a view for the objects, but it can be easily added.
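As an added example (not the MP linked below), a PowerShell probe of the kind this MP runs on a watcher node: it reads C:\FileShareMP\fileshares.txt, tests each listed path, and returns one property bag per path; a monitor's healthy/unhealthy expressions would key on the bag's State value. The function and bag property names are my own.

```powershell
# Added example: file share accessibility probe returning SCOM property bags.
$ConfigFile = 'C:\FileShareMP\fileshares.txt'   # same file the discovery looks for
$api = New-Object -ComObject 'MOM.ScriptAPI'

function Get-MonitoredPaths {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }   # not a watcher node
    Get-Content -LiteralPath $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |   # skip blanks and comments
        Select-Object -Unique
}

function Test-SharePath {
    param([string]$SharePath)
    try {
        # -LiteralPath avoids wildcard expansion in share names. Failing to
        # enumerate the directory (missing, offline, access denied) counts as
        # "not accessible"; an empty but readable directory is fine.
        $null = Get-ChildItem -LiteralPath $SharePath -Force -ErrorAction Stop |
                Select-Object -First 1
        return @{ Path = $SharePath; State = 'OK'; Detail = '' }
    } catch {
        return @{ Path = $SharePath; State = 'Failed'; Detail = $_.Exception.Message }
    }
}

foreach ($p in Get-MonitoredPaths -Path $ConfigFile) {
    $r = Test-SharePath -SharePath $p
    $bag = $api.CreatePropertyBag()
    $bag.AddValue('Path',   $r.Path)
    $bag.AddValue('State',  $r.State)    # 'OK' or 'Failed'
    $bag.AddValue('Detail', $r.Detail)   # error text for the alert description
    $api.AddItem($bag)
}
$api.ReturnItems()   # one bag per path; the monitor matches them on Path
```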


You can find the MP here.


Hope this helps!