Archive | AUTHORING RSS feed for this section

O no I forgot my SCOM account passwords!!

25 May

 

Problem:

O no I forgot my SCOM account passwords!! I don’t know the password of the Data Access, Data Reader and Writer account anymore. Resetting it in AD will force me to do a lot of tweaking to correct the accounts in SCOM.

Don’t worry we will find them for you.

Analyse:

 

SCOM stores the account passwords in the “Run AS Configuration -> Accounts” section. This account information is linked to a “Run As profile”. This Run as Profile can be assigned to a SCOM Workflow (Rule/Monitor/Task…) so that this workflow is going to run under the account security context.

 

Nice but we still can’t see the password on the accounts.

 

Solution:

 

But we can also do other things with the Run As profile. We can just assign them as a parameter to for example a script. In the script we can readout the account information and find our lost password.

In SCOM we can use the secure script provider (vbscript) aka “Microsoft.Windows.ScriptWriteAction”. The secure script provider streams the run as information as an input stream to the VBScript. So if you read this input stream at top of your script you will get the account information. This can be tricky sometimes.

See an example below:

<WriteActions>

<WriteAction ID=”sc” TypeID=”Windows!Microsoft.Windows.ScriptWriteAction”>

<ScriptName>ScriptName.vbs</ScriptName>

<Arguments />

<ScriptBody><![CDATA[ Set oAPI = CreateObject(“MOM.ScriptAPI”)

Set oArgs = WScript.Arguments

 

password= WScript.StdIn.ReadLine()

Call oAPI.LogScriptEvent(“ScriptName.vbs”, 101, 2, “Debug password = ” & password)

]]></ScriptBody>

<SecureInput>$RunAs[Name=”RUNAS_PROFILE_1″]/UserName$ $RunAs[Name=” RUNAS_PROFILE_1″]/Password$</SecureInput>

<TimeoutSeconds>300</TimeoutSeconds>

</WriteAction>

</WriteActions>

 

Using the SecureInput parameter we can provide the Run as account information. For getting the UserName we use :

$RunAs[Name=”RUNAS_PROFILE_1“]/UserName$

And for the password we use

$RunAs[Name=”RUNAS_PROFILE_1“]/Password$

The RUNAS_PROFILE_1 is the internal name of the Run as profile in SCOM. You can use Powershell “Get-SCOMRunAsProfile” to get the internal names.

I hear you thinking, this is way too old, this is VBScript, we WANT PowerShell! And I agree completely.

So for PowerShell we can use the normal PowerShell script provider aka “Microsoft.Windows.PowerShellProbe”. We don’t have to apply a secureinput parameter but just very simple supply the RunAs as a normal parameter. And this will do the trick.

<ProbeAction ID=”Probe” TypeID=”Windows!Microsoft.Windows.PowerShellProbe”>

<ScriptName>DisplayCerdentials.ps1</ScriptName>

<ScriptBody><![CDATA[Param(

$USERNAME,

$PASSWORD

)

 

# output the input paramters

Write-Output “UserName: $USERNAME”

Write-Output “Password: $PASSWORD”

 

# end script

 

]]></ScriptBody>

<SnapIns />

<Parameters>

<Parameter>

<Name> USERNAME </Name>

<Value>$RunAs[Name=”MSDL!Microsoft.SystemCenter.DataWarehouse.ActionAccount”]/UserName$</Value>

</Parameter>

<Parameter>

<Name> PASSWORD </Name>

<Value>$RunAs[Name=”SC!Microsoft.SystemCenter.DatabaseWriteActionAccount”]/Password$</Value>

</Parameter>

 

</Parameters>

<TimeoutSeconds>300</TimeoutSeconds>

<StrictErrorHandling>true</StrictErrorHandling>

</ProbeAction>

 

Now we make a simple workflow for example a task and add use this probeaction.

Concussion

 

You see it’s very simple to get account information that’s stored in the run as accounts / profiles. If this is good is up to you.

To make it even easier I created a MP that will display the most important account information (so the usernames and passwords).

You simply import the MP and select the Managementserver target and press the special task “GetRunAsCredentials”.

The account information will be displayed in the task output.

 

Download link for the Management Pack:

https://onedrive.live.com/redir?resid=A6ECD6E173E79D82!137890&authkey=!AEuYWi5Z6etHxno&ithint=file%2cxml

NOTICE: Please remember that the task output is stored in the SCOM Databases so it can be traced back not very secure I think. So use this only in emergencies. Or change the PowerShell script to write it to a file!!

 

Happy SCOMMING!

Michel Kamp

Touching SCOM

https://michelkamp.wordpress.com

 

 

 

Advertisements

[FOR the MP Devs] Grooming your managed objects completely from scom

8 Feb

Hi,

I some situations when you are developing a new MP you want to be sure that your discovery’s are working correctly.

The problem

Normally you would let the discovery run and watch if the managed object is created, but after the first time discovering and un-discovering the managed object it could trick you for the next discovery.

Basically we as MP devs know that we can simply manual delete a managed object from scom by using a SQL query and set the isDeleted to true. But this can be tricky. If the discovery workflow runs again and create a managed object (the same) it will just update the isDeleted to False. So basically you are getting ‘old’ discovery data. Knowing this in some cases the configuration is not updated and the workflows under this managed object just won’t get executed. So you will be stuck in having an uninitialized managed object(s). Especially when using Managed objects that are managed by a scom resource pool can be facing this issue.

Solution

Two solution could help you out. (ALL UNSUPPORTED BY MICRSOSOFT, but yhea … no guts no glory)

  1. Wait 2 days … then the normal purge will kick in
  2. Modify the purging threshold and manual run the purge

The SQL script below provides step 2. Connect to the operational DB as admin and follow the steps.

Before you run it you will have to change ‘vcenterlab.contoso.com‘ to the first parent name you want to delete. (By not including the right % in the like) In this case it’s the parent of all VMWARE monitoring managed objects.

————————————————–
— Delete a managed object completely from scom

————————————————–

— Michel Kamp

————————————————–

————- Find the object

select
*
from dbo.BaseManagedEntity where FullName like
%:vcenterlab.contoso.com’

————- delete it (hmmm okay mark it as delete)

update dbo.BaseManagedEntity set IsDeleted=1 where FullName like
%:vcenterlab.contoso.com’

— object is still in DB but now as isdeleted = true

— it will be deleted after 2 days. but we don’t want to wait.

— we force the delete by setting the purgedate delta to 0

————- Update the purge date time function

ALTER
FUNCTION [dbo].[fn_DiscoveryDataPurgeThreshold]()

RETURNS
datetime

BEGIN

    –RETURN DATEADD(dd, -2, getutcdate())

    RETURN
DATEADD(dd, 0, getutcdate())

END

— now we call the purge stp to clean it all

————- do the real purge

exec p_DiscoveryDataPurging

— we do a check if it is gone.

————- Find the object

select
*
from dbo.BaseManagedEntity where FullName like
%vcenterlab.contoso.com’

— and there should not be any (0) result.

— End script

O don’t forget to change the DiscoveryDataPurgeThreshold back to its original when you are ready …

Happy SCOMMING PURGING

Michel Kamp

TOUCHING SCOM

https://michelkamp.wordpress.com/

xSNMP for SCOM 2012

31 Oct

Hi,

In the SCOM 2007 age we had a fantastic network management pack called xSNMP. Not only because it was free but also because it covered a lot of network devices that even now aren’t covered in SCOM 2012. But what happened ….

The Problem

SCOM 2012 was introduced and contained a brand new way to monitor network devices. This indirectly replaced the complete SNMP stack out of SCOM. Well not the complete SNMP stack but the discovery process was changed and not compatible with the old SNMP stack. I am not going into details if this is a good or bad thing but for the xSNMP mps it was RIP…. (as far as you didn’t do a SCOM 2012 upgrade)

Solution

.. or not …. I decided to take a couple of xSNMP MPs and redesign it to work in SCOM 2012.

For now I have changed the APC mp. Also the same for the Brocade MP and this one is now in the testing phase.
Since the complete xSNMP mps are community free I will share the compiled mps also for free. The source code I share later on.

Reminder: All the credits go to the original xSNMP devOps. I only redesigned it to work with SCOM 2012. So if it breaks down your environment don’t knock on my door ;-)))

You can download the MPs here:

Happy SCOMMING !!

Michel Kamp

https://michelkamp.wordpress.com

 

 

 

 

[FIX] Part 2. Fixing the Top n by Performance Widget now the supported way

5 Sep

 

Hi,

In May this year I posted an article on how to fix the top-n widgets. https://michelkamp.wordpress.com/2014/05/27/fix-fixing-the-top-n-by-performance-widget/

This unsupported fix worked great for SCOM 2012 CU1/6 and SCOM 2012 R2 UR1/2.

I don’t know if the SCOM product team has read my blog but it seems they have listened and responded to the community! 😉 Because now, after almost a year, by applying SCOM 2012 Sp1
CU7 or SCOM 2012 R2 Update Rollup 3 it is officially FIXED !!!

Thank you Microsoft SCOM product team for this fix !!

 

Analyze:

 

To verify you open the stored procedure “[sdk].[Microsoft_SystemCenter_Visualization_Library_TopNEntitiesByPerfGet]” from the DWH database.

The part where we had to replace the = by like is now completely rewritten. By using an extra stored procedure “[sdk].[Microsoft_SystemCenter_Visualization_Library_PerformanceCounterListByMultipleManagedEntities]

Let’s look it up:


— Use existing sprocs to narrow down the perf counter instances that are valid for the contained types. Avoids duplicating that logic here.


INSERT
INTO
#ResolvedPerfInstancesTable
(ContainerManagedEntityRowId, ObjectName, CounterName, InstanceName, PerformanceRuleInstanceRowId, ManagedEntityRowId)


EXEC
[sdk].[Microsoft_SystemCenter_Visualization_Library_PerformanceCounterListByMultipleManagedEntities]


@ManagementGroup
=
@ManagementGroup,


@ObjectNamePattern= @ObjectNamePattern,


@CounterNamePattern
=
@CounterNamePattern,


@InstanceNamePattern
=
@InstanceNamePattern

 

Looking into this extra stored procedure gives me the wanted ‘Like’ statement we were waiting for:


— Populate this table with the target types of the matching rules.


INSERT
INTO
#RuleTargetTypesAndTheirBaseTypes


SELECT
RMV.TargetManagedEntityTypeRowId, PR.ObjectName, PR.CounterName, PR.RuleRowId, METMPV.AbstractInd


FROM
vPerformanceRule
PR


JOIN
RuleManagementPackVersion
RMV
ON
RMV.RuleRowId = PR.RuleRowId


AND
EXISTS
(SELECT
ManagementPackVersionRowId
FROM
dbo.ManagementGroupManagementPackVersion
M2


WHERE
M2.ManagementPackVersionRowId = RMV.ManagementPackVersionRowId


AND
M2.LatestVersionInd=1)


JOIN
ManagedEntityTypeManagementPackVersion
METMPV
ON
METMPV.ManagedEntityTypeRowId = RMV.TargetManagedEntityTypeRowId


JOIN
dbo.ManagementGroupManagementPackVersion
MGMPV
ON
MGMPV.ManagementPackVersionRowId = METMPV.ManagementPackVersionRowId


AND
MGMPV.LatestVersionInd=1


AND
MGMPV.ManagementGroupRowId=@MGRowId


WHERE ((PR.ObjectName
LIKE
@ObjectNamePattern)


AND
(PR.CounterName
LIKE
@CounterNamePattern))

 

Solution:

 

You can download the SCOM 2012 SP1 CU7 here http://support.microsoft.com/kb/2965089

And the SCOM 2012 R2 Update Rollup 3 here http://support.microsoft.com/kb/2965445

As always I have the habit to walk on the edge of supported/unsupported scenarios so in case of you are in a situation you can’t apply the complete update package you could (haven’t tested it yet) import only the updated MPs located in the directory:

C:\Program Files\System Center 2012\Operations Manager\Server\Management Packs for Update Rollups

Especially MPs Microsoft.SystemCenter.Visualization.Component.Library.mpb and Microsoft.SystemCenter.Visualization.Library.mpb because they contain the widget fix.

 

So community keep on SCOMMING and making great dashboards!!

Michel Kamp

https://michelkamp.wordpress.com

[FIX] Fixing the Top n by Performance Widget

27 May

Update!: Fixed the run issue on SCOM 2012 R2 installations in MP version V1.0.0.6 . Thanks community for pointing out to this R2 issue.

Challenge:

First, I really LOVE the dashboard widgets included in SCOM. When making MPs I always deliver dashboards that gives the operator a one shot overview of the monitored targets. The most used and valuable widget for this is the “Objects by performance Widget”

This works perfect EXECPT when you have more instances of a performance value. Let’s say the table space free of table spaces, or disk C: D: ect from windows servers.

The problem is that most of the time you will get the situation below “Empty Widgets”

 

The problem is the Stored Procedure “Microsoft_SystemCenter_Visualization_Library_TopNEntitiesByPerfGet“. I don’t go into details because this issue is a known fact and already reported several times on the community. For example by Cameron Fuller http://blogs.catapultsystems.com/cfuller/archive/2013/06/05/issue-with-the-objects-by-performance-widget-with-and-all-performance-instances-scom-sysctr.aspx

But a fix for this in a SCOM CU was till now never released…. Till now….

 

Analyze

As I mentioned before it’s in the Stored Procedure “Microsoft_SystemCenter_Visualization_Library_TopNEntitiesByPerfGet“. We have a code part that does an exact match on the instance name. If we want to show all instances it will not return any matches. See the yellow parts below.

  •    INSERT
    INTO
    #ResolvedSeriesTable(ManagedEntityRowId, PerformanceRuleInstanceRowId)

                  SELECT
    CET.ContainedEntityRowId, PRI.PerformanceRuleInstanceRowId

                  FROM
    PerformanceRule
    PR

                  JOIN
    PerformanceRuleInstance
    PRI
    ON (PR.RuleRowId = PRI.RuleRowId)

                  JOIN
    #ContainedEntitiesTable
    CET
    ON (1=1)

            WHERE (
    (PR.ObjectName
    =
    @ObjectNamePattern)
    AND

                    (PR.CounterName
    =
    @CounterNamePattern)
    AND

                    (PRI.InstanceName
    =
    @InstanceNamePattern))

Suggestion to fix, is to use a like match. See yellow part.

       INSERT
INTO
#ResolvedSeriesTable(ManagedEntityRowId, PerformanceRuleInstanceRowId)

              SELECT
CET.ContainedEntityRowId, PRI.PerformanceRuleInstanceRowId

              FROM
PerformanceRule
PR

              JOIN
PerformanceRuleInstance
PRI
ON (PR.RuleRowId = PRI.RuleRowId)

              JOIN
#ContainedEntitiesTable
CET
ON (1=1)

        WHERE (
(PR.ObjectName
like
@ObjectNamePattern)
AND

                (PR.CounterName
like
@CounterNamePattern)
AND

                (PRI.InstanceName
like
@InstanceNamePattern))

 

To change this you will need SQL Developer knowledge. And I realize that most of the operators know a lot of backend/frontend products but aren’t developers. So it could be a bit of a challenge to change this stored procedure yourself.

 

Solution

To solve this issue I have created a Management Pack that changes this stored procedure for you. It doesn’t do this automatically, because I want you to choose to do it. So I implemented it as a SCOM task. When you import the MP and go the ManagementServer target that has the property “Is Root Health Service Emulator = True” (you can find it in the view Operations Manager -> Management Server -> Management Servers State) you will see a Task “Task Fix TopNQuery Widget“. Now you execute the task and you will see a Task output below:


And you go to the Widget dashboard you created and what do you see ????

 


Yes a working TopN Widget page.

 

NOTICE!!!

Using this task is totally unsupported. But in my opinion the negative impact is very low compared to the positive impact because this stored procedure is only used for reading data and not changing it so it wouldn’t impact the DB with incorrect data (except for some SQL performance penalty for the use of the like statement).

NOTICE!!!

When you reload the MP Microsoft.SystemCenter.Visualization.Library the stored procedure will be overwritten to the original version. This could happen if you implement an upcoming CU release. If the issue isn’t fixed in this release you must rerun the TASK again.

 

You can download this MP on my personal download site:

https://onedrive.live.com/redir?resid=A6ECD6E173E79D82!6314&authkey=!AE0rJkhRPXOcblI&ithint=file%2c.zip

Happy Scomming

Michel Kamp

[BUG] VSAE with a PowerShell $Data parameter

27 May

Hi,

This time for a short post on a ‘possible’ bug i detected in VSAE

Problem:

You create a PowerShell script and want to include this script using the $includeFileContent/<script_name>$ tag.

For example

<ProbeAction
ID=Probe
TypeID=Windows!Microsoft.Windows.PowerShellProbe
RunAs=SystemCenter!Microsoft.SystemCenter.DatabaseWriteActionAccount>

<ScriptName>FixTopNQuery.ps1</ScriptName>

<ScriptBody>$IncludeFileContent/FixTopNQuery.ps1$</ScriptBody>

<TimeoutSeconds>300</TimeoutSeconds>

<StrictErrorHandling>true</StrictErrorHandling>

</ProbeAction>

(Added a screenshot below)

The FixTopNQuery.ps1 is a PS script added to the project as “Embedded Resource”.

Now you compile the project and you get a compile error:

Error    1176    The configuration specified for Module Probe is not valid.

: Incorrect expression specified: $DataSet=New-Object System.Data.DataSet

. Unable to resolve this expression. Check the expression for errors. (Hints: Check for correct character casing (upper case/lower case), mismatched “$” signs, double quotes(“), square brackets “[” or “]”). Here is a sample expression: $Data/EventNumber$

(Path = OpsLogix.IMP.Oracle.Dashboards.Task.FixTopNQuery/Probe)    C:\Program Files (x86)\MSBuild\Microsoft\VSAC\Microsoft.SystemCenter.OperationsManager.targets    255    6    Dashboards

(Added a screenshot below)


Hmmm.. Why ?

 

Analyze

After a lot of error and retry I found out that the problem is in the included powershell script. And exactly in this line below:

$DataSet=New-Object System.Data.DataSet

Hmm I hear you thinking, what’s wrong with this statement? That exactly what I was thinking…. But when I change the parameter name the compile was successful…

 

Solution

Do not start a parameter name with $Data in the powershell script. It looks like it’s a reserved word in VSAE.

 

I will share this issue also with the VSAA product team.

Happy Scomming

Michel Kamp

Reading out PS NoteProperty’s

6 Nov

 

Case:

How do i read out the IsManagementServer property on the example below ??

$X= Get-SCOMClass -Name “Microsoft.SystemCenter.ManagementServer” | Get-SCOMMonitoringObject

The output is:

[Microsoft.SystemCenter.HealthService].AuthenticationName : SRV.stateview.nl

[Microsoft.SystemCenter.HealthService].MaximumQueueSize : 104857600

[Microsoft.SystemCenter.HealthService].MaximumSizeOfAllTransferredFiles : (null)

[Microsoft.SystemCenter.HealthService].RequestCompression : True

[Microsoft.SystemCenter.HealthService].CreateListener : True

[Microsoft.SystemCenter.HealthService].Port : 5723

[Microsoft.SystemCenter.HealthService].IsRHS : True

[Microsoft.SystemCenter.HealthService].IsManagementServer : True

 

Now I want to get the IsManagementServer value

$.[Microsoft.SystemCenter.HealthService].IsManagementServer

But it Fails

$.IsManagementServer

But it Fails

How do I read it out ??

Solution:

Running the command below..

$x | GM

pointed out it was a noteproperty

image  

So since its using [] i have to use ” to make a string of it

So the correct syntax would be

$x.'[Microsoft.SystemCenter.HealthService].IsManagementServer’.value

Happy Scomming

Michel Kamp