4 Eylül 2016 Pazar

How to add accounts from another domain into a SCOM User Role

Normally – when you have a trust with a remote account domain, and you want to add users from the rote domain to SCOM, things go perfectly.
However, if the user account in the remote domain uses a different UPN name than the SAM account name – the SCOM UI block’s it.

For instance, I have a SCOM infrastructure in OPSMGR.NET (OPSMGR), but want to grant users in DMZ.CORP (DMZ) domain access.  This works fine, if the UPN domain name for my user is the same as the SAM account name.

In the image – I am trying to add DMZ\sqlmondmz account to my SQL Ops Team role:

image

When I check names – I can see the UPN domain is different, than the actual DNS domain name of DMZ.CORP:

image

This results in the following error:

Date: 7/19/2016 2:25:18 PM
Application: Operations Manager
Application Version: 7.1.10226.1177
Severity: Error
Message:
Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException: Unable to resolve the user sqlmondmz@zzz.com associated with the user role. Error code 1332. Check your active directory configuration.
   at Microsoft.EnterpriseManagement.Common.Internal.ServiceProxy.HandleFault(String methodName, Message message)
   at Microsoft.EnterpriseManagement.Common.Internal.SecurityConfigurationServiceProxy.UpsertUserRolesV2(ICollection`1 urUpdateResults, ICollection`1 urScopeUpdateResults, ICollection`1 urViewScopeUpdateResults, ICollection`1 urTaskScopeUpdateResults, ICollection`1 urConsoleTaskScopeUpdateResults, ICollection`1 urTemplateScopeUpdateResults, ICollection`1 urDashboardReferenceScopeUpdateResults, ICollection`1 urUserUpdateResults)
   at Microsoft.EnterpriseManagement.SecurityConfigurationManagement.UpdateUserRoles(ICollection`1 userRoles)
   at Microsoft.EnterpriseManagement.Mom.Internal.UI.Console.ConsoleJobExceptionHandler.ExecuteJob(IComponent component, EventHandler`1 job, Object sender, ConsoleJobEventArgs args)

The workaround?
A common previous workaround to this was to add these accounts a Global Group, then add the global group to the role.  This workaround did well when you needed to add a large number of users to an unscoped Operator role.  However, if you have a lot of different user roles with customized scopes, you will constantly be creating groups.  Another alternative?

Use PowerShell to add these users to the role:

$Role = Get-SCOMUserRole -Name “SQL Ops Team”
$Role | Set-SCOMUserRole -User ($Role.Users + “DMZ\sqlmondmz”)

This doesn’t have the same UI restriction:

image

Ref: Kevin Holman

Windows Server Operating System 6.0.7316.0 released

The base operating system MP’s have been updated:

Previously, there were a couple interim releases that were pulled due to issues, mostly affecting older operating system versions.  This was due to the MP focusing on changes for Windows Server 2016.  This MP update addresses those issues caused by the interim MP changes.  The previous stable MP version was 6.0.7297.0 so I will focus on changes since that MP:

  • MP used to discover physical CPU, which performance monitor instance name property was not correlated with Windows PerfMon object (expecting instance name in (socket, core) format). That affected related rules and monitors. With this release, MP discovers logical processors, rather than physical, and populates performance monitor instance name in proper format
  • Microsoft.Windows.Server.ClusterSharedVolumeMonitoring.mp and Microsoft.Windows.Server.Library.mp scripts code migration to PowerShell in scope of Windows Server 2016 Nano support (relevantly introduced in Windows Server 2016 MP version 10.0.1.0).
  • Updated Microsoft.Windows.Server.ClusterSharedVolumeMonitoring.ClusterSharedVolume.Monitoring.State monitor alert properties and description. The fix resolved property replacement failure warning been generated on monitor alert firing.

  • Several bugs located in Cluster Shared Volumes MP were fixed (see below); error handling migrated to common recommended scenario. Enabled Quorum monitoring via changing the monitoring logic. The monitoring logic is splitting for Nano Server (with usage of PowerShell) and all other operation systems.
    • Fixed bug: disk free space monitoring issue on Quorum disks in failover clusters; the monitor was displayed as healthy, but actually it did not work and no performance data was collected.
    • Fixed bug: logical disk discovery did not discover logical disk on non-clustered server with Failover Cluster Feature enabled.
    • Fixed bug: Clustered Shared Volumes were being discovered twice – as a Clustered Shared Volume and as a logical disk; now they are discovered as Clustered Shared Volumes only.
    • Fixed bug (partially): mount points were being discovered twice for cluster disks mounted to a folder – as a cluster disk and as a logical disk. See Troubleshooting and Known Issues section for details.
    • Fixed bug: Cluster Shared Volume objects were being discovered incorrectly when they had more than one partition (applied to discovery and monitoring): only one partition was discovered, while the monitoring data was discovered for all partitions available. The key field is changed, and now partitions are discovered correctly; see Troubleshooting and Known Issuessection for details.
  • Error handling was corrected. Logical disk correct discoveries on non-cluster server with Failover Clustered Server Feature is installed.
  • Created new overrides for Cluster Shared Volume MP, as long as the old ones did not work.
  • Cluster disk monitors alert messages: alert title might be disorienting and was corrected.

  • Due to incompatibility issues in monitoring logic, several Cluster Shared Volumes MP bugs remained in version 6.0.7310.0. These are now fixed in the current version (see the complete list of bugs below). To provide compatibility with the previous MP versions, all monitoring logic (structure of classes’ discovery) was reverted to the one present in version 6.0.7297.0.
    • Fixed bug: disk free space monitoring issue on Quorum disks in failover clusters; the monitor was displayed as healthy, but actually it did not work and no performance data was collected.
    • Fixed bug: logical disk discovery did not discover logical disk on non-clustered server with Failover Cluster Feature enabled.
    • Fixed bug: Clustered Shared Volumes were being discovered twice – as a Clustered Shared Volume and as a logical disk; now they are discovered as Clustered Shared Volumes only.
    • Fixed bug (partially): mount points were being discovered twice for cluster disks mounted to a folder – as a cluster disk and as a logical disk. See Troubleshooting and Known Issues section for details.
    • Fixed bug: Cluster Shared Volume objects were being discovered incorrectly when they had more than one partition (applied to discovery and monitoring): only one partition was discovered, while the monitoring data was discovered for all partitions available. The key field is changed, and now partitions are discovered correctly; see Troubleshooting and Known Issuessection for details.
    • Fixed bug: physical CPUs are now discovered on Windows Server 2008 R2 platforms; logical CPUs are no longer discovered, see Troubleshooting and Known Issues section for details.
    • Fixed bug: Windows Server 2008 Max Concurrent API Monitor did not work on Windows Server 2008 platform. Now, it is supported on Windows Server platforms starting from Windows Server 2008 R2.
    • Fixed bug: when network resource name contained more than 15 symbols, the last symbols of the name were cut off, which was resulting in cluster disks and Cluster Shared Volume discovery issues.
  • Cluster disk monitors alert messages: alert title might be disorienting and was corrected.

I have been running this version for a few weeks now, and I haven’t seen any major issues.  However, like ALL MP’s, I recommend careful testing and evaluation in your lab and test environments before moving to production.

Ref: Kevin Holman