SCOM 2012 Cross forest deployment

Hi all,
Is a two-way trust mandatory to deploy cross-forest SCOM 2012 if we also use certificates?
Thanks,
Sengottuvel M

Monitoring across non-trust domain
1) two way trust between domains OR
2) using certificate
Roger

Similar Messages

  • SCCM 2012 & SCOM 2012 - Cross Forest

    My current environment is running Operations Manager and Configuration Manager 2007, and I am planning to upgrade them to the 2012 version.
    I need to know whether my upgrade to 2012 will have cross forest support?
    Cheers

    And, there is no 'upgrade' of Configuration Manager 2007 to Configuration Manager 2012 (if you mean Configuration Manager 2007 instead of "SCCM 2008"). You would need to do a side-by-side migration. There are docs, webcasts, webinars (in fact I just did
    one a couple of weeks ago), and TechNet virtual labs on migration to help you gain understanding on how it would work.
    However, yes, Configuration Manager (both 2007 and 2012) do support cross forest environments.
    Wally Mead

  • SCOM 2012 R2 Agent Deployment - Uninstall Old and Install New

    By chance anyone come up with a scripted method for removing an existing SCOM 2012 SP1 agent and installing a new 2012 R2 agent? While I've come across a few scripts I'm trying to kill a few birds with one stone. This is a cross-domain attempt where the
    SCOM servers sit in one domain and the member servers are scattered across multiple domains. Member servers range from Windows Server 2003, 2008, and 2012. In most cases the servers have the 2012 SP1 agent installed and in some cases there are multiple management
    groups from previous SCOM standups. In addition there's a separate DEV SCOM 2012 R2 environment to manage DEV/QA servers. Active Directory Integration is configured and I have the necessary security groups created. There is a group policy created which is
    filtered to just that security group. So the plan is to simply drop the servers into the correct group and have the agent installed via group policy start up script. ADI should have DEV servers appear in DEV SCOM and PROD in PROD SCOM.
    Although there are ways to facilitate agent deployment via the console I need to perform a staged migration against a ton of servers so as to not impact the existing production environment. So I'd rather do this remotely to pre-selected servers. This process
    should involve removing the existing agent, installing the new one, and if possible removing any existing management groups. So far I've come up with the following:
    Uninstall SCOM Agent:
    %WinDir%\System32\msiexec.exe /x <path>\MOMAgent.msi /qb
    Install SCOM Agent:
    msiexec.exe /i \\path\Directory\MOMAgent.msi /qn /l*v \logs\MOMAgent_install.log USE_SETTINGS_FROM_AD=0 MANAGEMENT_GROUP=<MG_Name> MANAGEMENT_SERVER_DNS=<MSDNSName> ACTIONS_USE_COMPUTER_ACCOUNT=0 ACTIONSUSER=<AccountUser> ACTIONSDOMAIN=<AccountDomain>
    ACTIONSPASSWORD=<AccountPassword>
    Remove Management Group via Script
    http://gallery.technet.microsoft.com/Remove-a-Management-group-336c849a/view/Discussions#content
    I'm guessing this wheel has already been invented or maybe there's a better way. So I'm open to ideas or suggestions.
    Any responses appreciated.

    Wow! 4 days and no responses, not good Microsoft SCOM Community. So here's a status on this issue.
    As stated I have Active Directory Integration configured which means:
    I see the OperationsManager container in AD: dev_scom
    I see the HealthService SCP and separate OU's for each of my management servers.
    I have an ADI security group containing my management servers and scom action account.
    I have an Agent security group which will contain servers the scom agent will be deployed via group policy.
    I also have an AD LDAP query set to target the SCOM agent group.
    (&(objectCategory=group)(name=DSCOM_ADI))
    I finally get the script to install via the following steps:
    Reference:
    http://technet.microsoft.com/en-us/library/cc754995.aspx
    http://technet.microsoft.com/en-us/library/cc770556.aspx
    http://blog.coretech.dk/msk/install-a-scom-2012-agent-silent/
    1. Launch Notepad ++ and enter the following:
    msiexec /i
    \\server.yourdomain.com\opsmgragent\%Processor_Architecture%\MOMAgent.msi USE_SETTINGS_FROM_AD=1 MANAGEMENT_GROUP=DEV_SCOM MANAGEMENT_SERVER_DNS=YourSCOMsrvr1.yourdomain.com ACTIONS_USE_COMPUTER_ACCOUNT=0 USE_MANUALLY_SPECIFIED_SETTINGS=0 ACTIONSUSER=svc_dscom
    ACTIONSDOMAIN=yourdomain ACTIONSPASSWORD=YourPassword! AcceptEndUserLicenseAgreement=1 /qn /l*v c:\scom2012r2mmainstall.log
    2. Save the script to a name of your choice. For me it's installdopsmgragent.cmd. Watch the extensions as you may end up saving it as installdopsmgragent.cmd.txt.
    Note: Make note of this step in the reference articles listed above:
    "In the Add a Script dialog box, do the following:
    In the Script Name box, type the path to the script, or click Browse to search for the script file in the Netlogon shared folder on the domain controller."
    It's been a while since having to use a startup script so it took me a minute to figure this out. "getting too old 'fer this..."
    3. Copy the script to the Netlogon folder which is located in the following directory on my Windows 2012 server: E:\SYSVOL\sysvol\yourdomain.com\scripts
    4. Launch the group policy management console, create a new policy, edit it, and navigate to the following location:
    Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown)
    5. Double-click Startup to open the Startup Properties window.
    6. Click Add and browse to the location of the script which you copied to the Netlogon share.
    7. Click OK to close the Startup Properties window.
    8. Close the Group Policy Management Editor.
    9. Link the policy to an OU containing the servers.
    10. Add the SCOM Agent group to the Security Filtering area of the group policy. I also remove Authenticated Users.
    Note: make sure you have a few test servers in your Agent security group.
    11. Drop to a command line and run gpupdate /force. You can also use gpupdate /force /sync but you will have to reboot the box you're running this from.
    12. Log into one of the servers you have slated to deploy the agent to, drop to a command line, and run the same gpupdate command.
    13. Follow this with a gpresult /r command to ensure that you see the policy applied in the Computer Settings area.
    14. Reboot the server and you should see the startup script run.
    15. Log into the server and launch the Control Panel.
    16. If all went well you'll see the "Microsoft Monitoring Agent" icon.
    17. Launch Event Viewer, navigate to the Operations Manager events node located under Applications and Services Logs and validate the logs.
    18. If all didn't go well check the error log located, for me, at C:\scom2012r2mmainstall.log
    My issue: I don't see the management info in the Agent properties.
    I installed this last night and waited until the next day still no changes. Event logs show the following:
    Event ID: 2011 The Health Service did not find any policy in Active Directory
    Event ID: 2003 No management groups were started.  This may either be because no management groups are currently configured or a configured management group failed to start.  The Health Service will wait for policy from Active Directory configuring
    a management group to run.
    I see the HealthService is Running in Task Manager on this server and of course I don't see anything listed in the Management Groups registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\
    I don't want to manually add the management group info. Checking as I may have missed something in one of the switches. 
    Any responses appreciated.
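
The startup script in the post above is stored in the Netlogon share, which domain members can read, and passes ACTIONSPASSWORD on the msiexec command line. The PowerShell below is an added example, not part of the original post or of any Microsoft tooling: it audits script files for that property and reports each hit with the value redacted. The function names and the sample lines (server, account and password values) are constructed for illustration.

```powershell
# Added example: audit startup/logon scripts for MOMAgent.msi installs that
# carry the action-account password as a cleartext MSI property.

function Find-AgentInstallSecret {
    param(
        [string[]] $Lines  = @(),
        [string]   $Source = '<inline>'
    )
    # PROPERTY=value, where the value is quoted or runs to the next whitespace.
    $pattern = '(?i)\b(ACTIONSPASSWORD)\s*=\s*("[^"]*"|\S+)'
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]
        foreach ($m in [regex]::Matches($line, $pattern)) {
            $value = $m.Groups[2].Value.Trim('"')
            [pscustomobject]@{
                Source        = $Source
                Line          = $i + 1
                Property      = $m.Groups[1].Value.ToUpperInvariant()
                # Template text such as <AccountPassword> is flagged separately
                IsPlaceholder = ($value -match '^<[^>]*>$')
                ValueLength   = $value.Length
                # Never echo the secret itself into audit output
                Redacted      = [regex]::Replace($line, $pattern, '$1=<redacted>')
            }
        }
    }
}

function Find-AgentInstallSecretInFolder {
    param([Parameter(Mandatory)] [string] $Path)
    # Script types that Group Policy startup scripts commonly use
    Get-ChildItem -Path $Path -Recurse -File -Include *.cmd, *.bat, *.ps1, *.vbs |
        ForEach-Object {
            Find-AgentInstallSecret -Lines @(Get-Content -LiteralPath $_.FullName) -Source $_.FullName
        }
}

# Constructed sample, modeled on the install line in the post.
# Line 2 embeds a password; line 3 uses ACTIONS_USE_COMPUTER_ACCOUNT=1
# (action account runs as Local System), so it needs no password property.
$sample = @(
    'REM constructed sample startup script',
    'msiexec /i \\server.example\opsmgragent\amd64\MOMAgent.msi USE_SETTINGS_FROM_AD=1 USE_MANUALLY_SPECIFIED_SETTINGS=0 ACTIONS_USE_COMPUTER_ACCOUNT=0 ACTIONSUSER=svc_example ACTIONSDOMAIN=EXAMPLE ACTIONSPASSWORD=NotARealSecret1 AcceptEndUserLicenseAgreement=1 /qn',
    'msiexec /i \\server.example\opsmgragent\amd64\MOMAgent.msi USE_SETTINGS_FROM_AD=1 USE_MANUALLY_SPECIFIED_SETTINGS=0 ACTIONS_USE_COMPUTER_ACCOUNT=1 AcceptEndUserLicenseAgreement=1 /qn'
)

Find-AgentInstallSecret -Lines $sample -Source 'constructed-sample.cmd' | Format-List

# To audit a real scripts folder, point the folder function at it, for example
# the Netlogon path given in the post:
# Find-AgentInstallSecretInFolder -Path 'E:\SYSVOL\sysvol\yourdomain.com\scripts'
```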

  • SCOM 2007 cross-forest clients migration

       Hello to all. I'm preparing a cross-forest migration from source domain domain1.a.com to target domain domain2.b.com . 
       Source domain has hundreds of servers (windows 2003 and windows 2008). All source DCs are Windows 2003. Source domain already has SCOM 2007 R2 deployed on its member servers and on others located on another source domains.
       As cross-forest migration will run just for domain1.a.com I need to know:
       1- Is it possible to migrate member servers from source-->target and keep source SCOM 2007 R3 monitoring the already migrated member server? 
       2-If positive, what needs to be done in advance (before any member server migration) and after each member server migration?
       3-If target forest already has a SCOM 2007 R2 environment, what would need to be done so migrated member servers would be monitored on this target SCOM 2007 R2 (that has nothing to do with the source one) ?
       Thanks in advance, EEOC.

    1. It is possible.
    2. You will have to install certificates in the environment and either manage the agents through a gateway (minimal number of certs) or by installing certs on the agents directly.
    3. Just uninstall the agents and reinstall by the target SCOM 2007 R2 console.
    Juke Chou
    TechNet Community Support

  • Roll Back SCOM 2012 R2 after deploying Cumulative Updates

    Hi,
    I updated my SCOM 2012 R2 Environment into CU2 and I need to roll back this CU2 into the previous version CU1.
    Is there any way to do the roll back to any previous version of CU?
    Thanks,
    Khaled

    You should refer to http://support.microsoft.com/kb/2929891/en-us, which provides uninstall information.
    To uninstall an update, run the following command:
    msiexec /uninstall PatchCodeGuid /package RTMProductCodeGuid
    Note: In this command, PatchCodeGuid is a placeholder that represents one of the following GUIDs.

    Patch Code GUID                           Component   Architecture  Language
    {D6943F32-41C0-4252-B216-4EE6867F74FB}    Server      AMD64         EN
    {1D38FCF3-DDB1-4810-B747-898E7FCCC57B}    Gateway     AMD64         EN
    {3FF0B1F5-9A92-4544-A311-6CCFE552BD0F}    WebConsole  AMD64         EN
    {033805E7-9FBA-45A8-B9E0-DEF1395D0E63}    Console     AMD64         EN
    {4A2BA6B7-9A24-46FA-A379-1ABD74E576AB}    Console     x86           EN

    Additionally, RTMProductCodeGuid is a placeholder that represents one of the following GUIDs.

    Component            RTMProductCodeGuid
    Server               {C92727BE-BD12-4140-96A6-276BA4F60AC1}
    Console (AMD64)      {041C3416-87CE-4B02-918E-6FDC95F241D3}
    Console (x86)        {175B7A24-E94B-46E5-A0FD-06B78AC82D17}
    WebConsole (AMD64)   {B9853D74-E2A7-446C-851D-5B5374671D0B}
    Gateway              {1D02271D-B7F5-48E8-9050-7F28D2B254BB}
    SCX-ACS (AMD64)      {46B40E96-9631-11E2-8D42-2CE76188709B}
    SCX-ACS (x86)        {46B40E96-9631-11E2-8D42-2CE76188709B}
    Roger

  • NOT RESOLVED - SCOM 2012 R2 - App Advisor and App Diagnostics Issue

    Hi there!
    Here is our scenario: SCOM 2012 R2 is deployed in the environment
    SCOM - Management Server and SCOM Management Console.
    SQLOD - SQL 2012 Operational Database
    SQLDW - SQL 2012 Data Warehouse Database, SQL Reporting Services, SCOM Reporting, SCOM Web Console.
    Problem: SCOM Administrator is able to open SCOM Application Advisor,  SCOM Application Diagnostics and SCOM Web Console from any computer only after the SCOM Application Advisor,  SCOM Application Diagnostics and SCOM Web Console are opened
    from SQLDW (i.e. after opening them from the place where they were originally installed). The error message prompts to retry after adding the user to the proper groups for SCOM Application Advisor and SCOM Application Diagnostics. SCOM Web Console prompts
    the user to login.
    Workaround: Open SCOM Application Advisor,  SCOM Application Diagnostics and SCOM Web Console on SQLDW (i.e. after opening them from the place where they were originally installed) and everything works fine.
    Question: What is causing the issue and how to fix it?
    Many thanks, in advance!

    I followed the article and it did not fix the issue.
    Here are additional details:
    There is only one user who does not experience the issue and it is a user under whose credentials the SCOM was installed AND that user has to login from the local network. If this user tries to connect over VPN he receives the same error.
    Here are errors when Test1 user logs in:
    Application Advisor (Enabled authentication: Windows Authentication, Forms Authentication, ASP.NET Impersonation):
    Authentication error
    User account: DOMAINNAME\Test1
    This user account does not have sufficient rights to use Application Advisor.
    Ask your administrator to add this user account to the Operations Manager Report Operators role, and then try again. 
    Application Diagnostics (Enabled authentication: Windows Authentication, Forms Authentication):
    Access denied 
    User account: DOMAINNAME\Test1
    This user account does not have sufficient rights to use Application Diagnostics.
    Ask your administrator to add this user account to the Operations Manager Application Monitoring Operators role, and then try again.
    Operations Manager Web Console (Enabled authentication: Windows Authentication):
    Prompted for credentials with error:
    The user credentials are invalid or user does not have permissions to access the application.
    Please provide the following information to the support engineer if you have to contact Microsoft Help and Support :
    Microsoft.EnterpriseManagement.Presentation.Security.ConnectionSessionAccessDeniedException: The user access is denied.
    This error reappears no matter whose credentials are entered. Even the SCOM Installer's credentials generate Error 3 when entered at the time when Test1 user is logged on.
    App Pools:
    OperationsManager - 4.0; Integrated; ApplicationPoolIdentity; 1 application
    OperationsManagerAppMonitoring - 4.0; Classic; NetworkService; 2 applications
    OperationsManagerMonitoring View - 2.0; Classic; NetworkService; 1 application
    Added *://*.domain.local zone to the trusted zone in the Internet Explorer.
    Please help!!!!

  • Deploying SCOM 2012 Agents to untrusted Forests/Domain

    Can we deploy SCOM 2012 agents to untrusted forest/domain? I don't want to use SCCM 2012 for installing agents via package deployment. Pls suggest.
    Regards,
    Ravi

    Yes, You can deploy SCOM Agent to untrusted domain manually and using Certificate.
    For deployment scom Agent, you can refer below links
    http://www.toolzz.com/?p=279
    http://jimmoldenhauer.blogspot.com/2012/11/scom-2012-deploying-agents-to-untrusted.html
    Mai Ali

  • SCCM 2012 - Network requirements for Client communication to primary in a Cross Forest Environment

    Hello, I have been trying to get some definitive answers on what network traffic is required between a client and a primary site versus a secondary in a cross forest scenario.
    Here is the scenario:
    Company A has an existing SCCM 2012 primary Site. Company B (Separate Forest) has now been brought in. One subnet on each side can route to each other and using that one subnet a two way forest
    trust has been setup. But the remote offices have IP address overlaps between companies. At some point in the future all assets on company B will be re-IP and brought over to Company A domain. But in the interim it would be nice to get SCCM cross forest clients
    working. Upgrading to a CAS model with two Primaries would not be preferred here as this is a temporary solution. 
    My questions are as follows.
    If a secondary site is deployed into Company B Forest/Network. I have seen people online allude that clients will still need to communicate to the Primary located at Company A, even though they
    are assigned to a secondary on Company B’s network. Is this true? Are there any workarounds for this? Is a NAT back to the primary acceptable, or is reverse lookup required?
    Will the Primary need to communicate directly to the clients in Company B? If this is in fact a requirement, then this would be a show stopper. But if it's only needed for things like client pushes,
    then we could work around it.
    Thanks

    "But the remote offices have IP address overlaps between companies"
    Technically, this is unsupported because clients, depending upon your boundaries, will not be able to find a local DP since they use IP addresses for this. The only way to work around this is to use AD Site boundaries.
    "though they are assigned to a secondary"
    Clients are *never* assigned to a secondary site -- that's not what secondary sites are for. Yes, clients require communication with an MP in the primary site where they are assigned. There is no way to change this or work-around this except to put
    an MP from the primary site closer to those clients and use the new MP affinity option in R2 CU3.
    Reverse lookups are only used to verify names by applications that wish to have this type of functionality (which are very few in number) and have nothing to do with true network traffic. NATing is an issue for the reason I gave above -- DP location.
    Remote control, client push, and WoL won't work either because there is no way for the traffic to reach the destination behind the NAT.
    All client *agent* communication in ConfigMgr is client initiated in ConfigMgr (remote control, client push, and WoL -- as just mentioned -- are sort of exceptions to this but they don't really involve the client *agent*.)
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • SCCM 2012 R2 cross forest with one-way trust feasible?

    We are planning to replace our existing SMS 2003 server with SCCM 2012 R2 (running on Windows server 2012 R2).
    Our requirements are to support our Windows 7 client PCs in Domain A and also support Xen Desktop clients in a separate domain (Domain B) and forest. We have a one way trust established (Domain B trusts Domain A). The SCCM 2012 R2 server will be
    in Domain A the same as our current SMS 2003 server.
    What we want to do, at a minimum, using SCCM is:
    Client inventory (hardware, software, user) and package distribution.
    Is this doable or a no go? If not directly, is there any work-around for this? Appreciate any helpful advice or feedback.
    I have made the below diagram to better illustrate the scenario:
    Note: Domain B does not have WINS implemented (Domain A does). Both domains are running DNS of course.

    Hi,
    The following blog describes the technical requirements that have been put in place for the support of cross forest communication. You could have a look.
    Quote:
    Inner-site Communication (site to site communication) exists in the form of both File Based Replication (SMB Port 445) and Database Replication (TCP/IP port 4022 by default).
    In order to install and configure a child site (primary or secondary), the child site server must be located in the same forest as the parent site or reside in a forest that contains a
    two way trust with the forest of the parent (CAS or primary).
    Site System Roles (MP, DP, etc.) with the exception of the Out of Band Service Point and the Application Catalog Web Service Point can be deployed in an untrusted forest.
    The SLP functionality as known in ConfigMgr 2007 is now performed by a Management Point. In this blog I will refer to this as the Lookup Management Point.
    Most of these items were taken from this TechNet article – please refer to the article for more information -
    Planning for Communications in Configuration Manager .
    For more information:
    http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
    Best Regards,
    Joyce
    Thank you for your reply. The below appears to make it seem as though this can be accomplished without requiring a trust:
    http://blog.coretech.dk/kea/multi-forest-support-in-configmgr-2012-part-i-managing-clients-in-an-untrusted-forest/#comment-284522
    Not sure which is correct...

  • Is it possible to deploy 2 SCOM 2012 R2 reporting in a SQL server which already has SCOM reporting of a different management group but with 2 different reporting instance.

    Hi Experts,
    I have a typical situation in the LAB environment. Hope some one helps. I have Installed a SCOM 2012 R2 with SQL 2012 SP1 in a single server (Management group 1). I have installed another management group on another server using this SQL server for its database
    so i have everything going fine.
    The first management group has its reporting installed in the SQL server. For the second i created a new named instance for that. But i cannot run the SCOM setup in the SQL server (Also holding the Management group 1 MS) as 1 st reporting is already there.
    When i run the setup it is asking me to repair it. I don't get the install option so i can install the reporting for management group 2 in the named instance.
    Default instance is being used by the 1st management group.
    Can any one figure a possibility for installing 2 SCOM reporting services for different management groups in a same SQL 2012 server please.
    Gautam.75801

    Hi Yan Li,
    Thank you for the reply. So as you are aware, if I need to install reporting, I need to run the SCOM 2012 R2 setup in the SQL server and select reporting and select the
    instance and then mention the management server there right. I am not getting that option there it is asking me to remove or repair the existing installation as there is already a SCOM entire setup including reporting there. As it is a lab there is no problem
    in testing. I have 2 reporting instances. Any suggestions for me on how to overcome this issue and deploy the second reporting in the new named instance ?
    Below is the screenshot of the error what i am talking about when i run SCOM 2012 R2 setup to install reporting in the SQL server
    When i click on add feature reporting is greyed out (As already 1st management groups reporting is installed)
    When i click on remove or repair it
    uninstalls the existing one. But i want both SCOM 2012 r2 reporting to be there(For both Management group). Is it possible ? If yes What is the trick to run the setup ?
    Gautam.75801

  • SCOM 2012 Installation fails while deploying Datawarehouse

    Hi All,
    I have a strange issue, My SCOM 2012 installation fails during Datawarehouse deployment. (This setup is not SCOM 2012 SP1 OR 2012 R2 it is just SCOM 2012)
    When i check the SCOM installation logs it says it tried to connect to my Management server and it could not open Port 5724.
    During the installation I checked that the SDK Service was stopping frequently and a Visual Studio debugger popup also occurred. Can anyone assist in solving the issue?
    Screenshots:
    Error logs
    Microsoft.EnterpriseManagement.OperationsManager.Setup.ReportingComponent.GetExistingManagementServerFromOMDB(String omSQLServer, Nullable`1 omSqlPort, String omDatabaseName, String& firstWorkingManagementServer)
    [01:08:57]: Error:
    :Inner Exception.Type: System.ServiceModel.EndpointNotFoundException, Exception Error Code: 0x80131500, Exception.Message: Could not connect to net.tcp://My management server:5724/DispatcherService. The connection attempt lasted for a time span of 00:00:03.0079280.
    TCP error code 10061: No connection could be made because the target machine actively refused it 172.17.221.45:5724. 
    [01:08:57]: Error:
    :InnerException.StackTrace:
    Server stack trace: 
       at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
       at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
       at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
       at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
       at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
    Exception rethrown at [0]: 
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at Microsoft.EnterpriseManagement.Common.Internal.IDispatcherService.Connect(SdkClientConnectionOptions connectionOptions)
       at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.Initialize(EnterpriseManagementConnectionSettings connectionSettings, SdkChannelObject`1 channelObjectDispatcherService)
       at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.CreateEndpoint[T](EnterpriseManagementConnectionSettings connectionSettings, SdkChannelObject`1 channelObjectDispatcherService)
    [01:08:57]: Error:
    :Inner Exception.Type: System.Net.Sockets.SocketException, Exception Error Code: 0x80131500, Exception.Message: No connection could be made because the target machine actively refused it 172.17.221.45:5724
    [01:08:57]: Error:
    :InnerException.StackTrace:   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
       at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
       at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
    [01:08:57]: Always:
    :Management Server My management server failed to connect, now trying another one.
    [01:08:57]: Warn:
    :Failed to connect to any SDK in the management group, trying again
    [01:09:17]: Info:
    :Info:trying to connect with server My management server
    [01:09:26]: Info:
    :Info:Error while connecting to management server: The Data Access service is either not running or not yet initialized. Check the event log for more information.
    [01:09:26]: Error:
    :Couldn't connect to mgt server stack: : Threw Exception.Type: Microsoft.EnterpriseManagement.Common.ServiceNotRunningException, Exception Error Code: 0x80131500, Exception.Message: The Data Access service is either not running or not yet initialized.
    Check the event log for more information.
    [01:09:26]: Error:
    :StackTrace:   at Microsoft.EnterpriseManagement.Common.Internal.ExceptionHandlers.HandleChannelExceptions(Exception ex)
       at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.CreateEndpoint[T](EnterpriseManagementConnectionSettings connectionSettings, SdkChannelObject`1 channelObjectDispatcherService)
       at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.ConstructEnterpriseManagementGroupInternal[T,P](EnterpriseManagementConnectionSettings connectionSettings, ClientDataAccessCore clientCallback)
       at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.RetrieveEnterpriseManagementGroupInternal[T,P](EnterpriseManagementConnectionSettings connectionSettings, ClientDataAccessCore callbackDispatcherService)
       at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.Connect[T,P](EnterpriseManagementConnectionSettings connectionSettings, ClientDataAccessCore callbackDispatcherService)
       at Microsoft.EnterpriseManagement.ManagementGroup.InternalInitialize(EnterpriseManagementConnectionSettings connectionSettings, ManagementGroupInternal internals)
       at Microsoft.EnterpriseManagement.OperationsManager.Setup.ReportingComponent.GetExistingManagementServerFromOMDB(String omSQLServer, Nullable`1 omSqlPort, String omDatabaseName, String& firstWorkingManagementServer)
    [01:09:26]: Error:
    :Inner Exception.Type: System.ServiceModel.EndpointNotFoundException, Exception Error Code: 0x80131500, Exception.Message: Could not connect to net.tcp://My management server:5724/DispatcherService. The connection attempt lasted for a time span of 00:00:03.0040216.
    TCP error code 10061: No connection could be made because the target machine actively refused it 172.17.221.45:5724. 
    [01:09:26]: Error:
    :InnerException.StackTrace:
    Server stack trace: 
       at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
       at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
       at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
       at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
       at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
    Exception rethrown at [0]: 
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at Microsoft.EnterpriseManagement.Common.Internal.IDispatcherService.Connect(SdkClientConnectionOptions connectionOptions)
       at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.Initialize(EnterpriseManagementConnectionSettings connectionSettings, SdkChannelObject`1 channelObjectDispatcherService)
       at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.CreateEndpoint[T](EnterpriseManagementConnectionSettings connectionSettings, SdkChannelObject`1 channelObjectDispatcherService)
    [01:09:26]: Error:
    :Inner Exception.Type: System.Net.Sockets.SocketException, Exception Error Code: 0x80131500, Exception.Message: No connection could be made because the target machine actively refused it 172.17.221.45:5724
    [01:09:26]: Error:
    :InnerException.StackTrace:   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
       at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
       at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
    [01:09:26]: Always:
    :Management Server My management server failed to connect, now trying another one.
    [01:09:26]: Warn:
    :Failed to connect to any SDK in the management group, trying again
    [01:09:46]: Error:
    :Error:Could not connect to management group. Can not continue with DW upgrade...
    [01:09:46]: Info:
    :Info:got MG connection
    [01:09:46]: Error:
    :Error:Could not connect to management group. Cannot continue with current action...
    [01:09:46]: Error:
    :FATAL ACTION: GetManagementGroup
    [01:09:46]: Error:
    :FATAL ACTION: DWInstallActionsPostProcessor
    [01:09:46]: Error:
    :ProcessInstalls: Running the PostProcessDelegate returned false.
    [01:09:46]: Always:
    :SetErrorType: Setting VitalFailure. currentInstallItem: Data Warehouse Configuration
    [01:09:46]: Error:
    :ProcessInstalls: Running the PostProcessDelegate for OMDATAWAREHOUSE failed.... This is a fatal item.  Setting rollback.
    [01:09:46]: Info:
    :SetProgressScreen: FinishMinorStep.
    [01:09:46]: Always:
    :!***** Installing: OMCONSOLE ***
    [01:09:46]: Info:
    :ProcessInstalls: Rollback is set and we are not doing an uninstall so we will stop processing installs
    [01:09:46]: Always:
    [01:09:46]: Always:
    :****Starting*RollBack*******************************************
    [01:09:46]: Always:
    [01:09:46]: Info:
    :SetProgressScreen: StartMinorStep.
    [01:09:46]: Info:
    :SetProgressScreen: StartMinorStep.
    [01:09:46]: Debug:
    :ProcessInstalls: Install Item Data Warehouse Configuration has a Preprocessing delegate of RunXamlPreProcessor.  Launching it now.
    [01:09:46]: Always:
    :Determining actions to be run.
    [01:09:46]: Always:
    :Done validating action list; now running individual actions.
    [01:09:46]: Always:
    :Current Action: UninstallPrePreprocessor
    [01:09:46]: Info:
    :UninstallPrePreprocessor completed.
    [01:09:46]: Always:
    :Current Action: UpgradePreprocessor
    [01:09:46]: Info:
    :UpgradePreprocessor completed.
    [01:09:46]: Always:
    :LaunchExeSetup: Launching E:\SCOM setups\SCOM 2012\Setup\AMD64\SetupInstallItem.exe with arguments:  
    [01:09:46]: Info:
    :SetProgressScreen: Init Exe Install progress.
    [01:09:47]: Always:
    :LaunchExeSetup: Install return value was: 0
    [01:09:47]: Info:
    :CheckPointPassed is removing the Rollback property as this is an uninstall.
    [01:09:47]: Always:
    :SetErrorType: Setting VitalFailure. currentInstallItem: Data Warehouse
    Gautam.75801

    Hi All,
    So I got the actual commands to register the SPN. So the above were wrong. Hope the below is useful for someone if they face the above issue.
    In Windows Server 2008R2 – the command is SETSPN –A. In WS2012, it changed to SETSPN –S which checks for duplicates before it allows you to create them.
    Legend: SCOM Server - SCOMSVR.Contoso.com
    DNS Domain: Contoso.com
    SDK Account: SDKSVC
    To add SPN for the SDK Service:
    ===================================
    In Win2k 12
    setspn -S MSOMSdkSvc/SCOM Server FQDN Domain\SDK Account name
    setspn -S MSOMSdkSvc/SCOM Server name without FQDN Domain\SDK Account name
    Ex: setspn -S MSOMSdkSvc/SCOMSVR.Contoso.com Contoso\SDKSVC
    setspn -S MSOMSdkSvc/SCOMSVR Contoso\SDKSVC
    In Win2k8
    setspn -A MSOMSdkSvc/SCOM Server FQDN Domain\SDK Account name
    setspn -A MSOMSdkSvc/SCOM Server name without FQDN Domain\SDK Account name
    Ex: setspn -A MSOMSdkSvc/SCOMSVR.Contoso.com Contoso\SDKSVC
    setspn -A MSOMSdkSvc/SCOMSVR Contoso\SDKSVC
    To verify the SPN's
    ============================
    1. setspn -L MS Host name without FQDN
    Ex: setspn -L SCOMSVR
    2. setspn -L Domain\SDK Action account
    Ex: setspn -L Contoso\SDKSVC
    Post entering the above commands you should see the entries of the Healthservice and not the entries of the SDK Service.
    1. If you are using a Domain account for SDK / DAS then that entry should not appear when you execute the command “setspn -L SCOMSVR”, where SCOMSVR is the name of the MS and it should be without FQDN.
    Example: The below entry should not appear when you enter setspn -L SCOMSVR
    MSOMSdkSvc/SCOMSVR
    MSOMSdkSvc/SCOMSVR.contoso.com
    If you get the above entries for "setspn -L SCOMSVR" then you need to delete and re add the SPN again and re check.
    If you get duplicate entries like the below post entering "setspn -L Contoso\SDKSVC" then you need to delete the duplicate entries and re add the SPN again and re check.
    Ex: MSOMSdkSvc/SCOMSVR
    MSOMSdkSvc/SCOMSVR.contoso.com
    MSOMSdkSvc/SCOMSVR.contoso.com
    MSOMSdkSvc/SCOMSVR
    To delete a SPN if required:
    ===============================
    setspn -D MSOMSdkSvc/SCOM MS FQDN Hostname without FQDN Hostname
    setspn -D MSOMSdkSvc/Hostname without FQDN Hostname without FQDN again
    Ex: setspn -D MSOMSdkSvc/SCOMSVR.Contoso.com SCOMSVR
    setspn -D MSOMSdkSvc/SCOMSVR SCOMSVR
    Reference used : http://blogs.technet.com/b/kevinholman/archive/2011/08/08/opsmgr-2012-what-should-the-spn-s-look-like.aspx
    Gautam.75801
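
The checks listed in the post above can be run mechanically over saved `setspn -L` output. This is an added example, not part of the original post; the function names and the sample output (including the `MSOMHSvc` and `HOST` lines) are constructed for illustration, and the duplicate check follows the post's own description of the account listing.

```python
from collections import Counter

SDK_PREFIX = "msomsdksvc/"  # service class of the SDK service SPN, lower-cased

def parse_setspn_list(text):
    """Return the SPN lines from `setspn -L` output, skipping the header."""
    spns = []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("registered serviceprincipalnames"):
            continue
        if "/" in line:
            spns.append(line)
    return spns

def audit_sdk_spns(computer_out, account_out, short_name, fqdn):
    """Apply the post's checks for an SDK service running as a domain account."""
    def sdk(text):
        return [s.lower() for s in parse_setspn_list(text)
                if s.lower().startswith(SDK_PREFIX)]
    findings = []
    # 1. No MSOMSdkSvc SPN may sit on the management server's computer account.
    for spn in sdk(computer_out):
        findings.append(("on-computer-account", spn))
    # 2. The SDK account must not list the same SPN twice.
    on_account = sdk(account_out)
    for spn, count in Counter(on_account).items():
        if count > 1:
            findings.append(("duplicate", spn))
    # 3. Both the short-name and the FQDN form must be on the SDK account.
    for host in (short_name, fqdn):
        wanted = SDK_PREFIX + host.lower()
        if wanted not in on_account:
            findings.append(("missing", wanted))
    return findings

# Constructed sample output (not captured from a real server).
COMPUTER_OUT = """Registered ServicePrincipalNames for CN=SCOMSVR,OU=Servers,DC=contoso,DC=com:
        MSOMHSvc/SCOMSVR
        MSOMHSvc/SCOMSVR.contoso.com
        MSOMSdkSvc/SCOMSVR
        HOST/SCOMSVR"""
ACCOUNT_OUT = """Registered ServicePrincipalNames for CN=SDKSVC,CN=Users,DC=contoso,DC=com:
        MSOMSdkSvc/SCOMSVR.contoso.com
        MSOMSdkSvc/SCOMSVR.contoso.com"""

if __name__ == "__main__":
    for kind, spn in audit_sdk_spns(COMPUTER_OUT, ACCOUNT_OUT,
                                    "SCOMSVR", "SCOMSVR.contoso.com"):
        print(f"{kind}: {spn}")
```

An empty result means the layout matches what the post describes: SDK SPNs only on the SDK account, once each, in both name forms.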

  • Deploy scom 2012 r2 on server 2012 r2

    Going to deploy scom 2012 r2 on server 2012 r2 with sql 2012 sp1. a few questions before starting:
    1. roles placement: server1 - management server, operation console;
                                 server2: database server, reporting server;
                                 Not sure where to place web console - server1 or server2?
    2. what are the least privileges to have for the installation account - domain user with local administrators?
        should the servers' system account need to be member of local administrators?
    3. what about other SCOM specific accounts? what least privileges they need?
    Thanks in advance.

    1. You can place it on the 1st server. do note however the downside doing all in one box SCOM components.
    2. It would be best to use a domain user account with local admin rights on the box
    3. It's all in the SCOM deployment docs.
    You might want to check this link
    http://blogs.technet.com/b/kevinholman/archive/2013/10/18/opsmgr-2012-r2-quickstart-deployment-guide.aspx (same as Blake Mengotto)
    Hope this helps.
    Thanks,

  • Active Directory cross forest trust which are deployed in separate subscription

    Hi All,
    I know that this is not Azure forum, but I have a question related to Active Directory, Appreciate your understanding and letting me know your concerns about AD cross forest between two subscriptions of Azure.
    We have two separate subscriptions of Windows Azure under one Global Account. Previously these two subscriptions were treated as separate companies, each with a separate forest and separate domain. These two companies do not have any site to site VPN with each other over the WAN, but they each have a site to site connection with Azure for their own subscription.
    Additional domain controllers for both subscriptions are deployed in Azure in order to authenticate those servers which are already deployed in Azure.
    Due to some reasons these companies are merging together and they want to have cross forest trusts between the two companies. As we do not have any WAN connection between these two companies, the question has been raised: can we do a cross forest trust between the two Active Directories, given that both companies' Active Directories are deployed in Azure?
    Can we achieve this and how we can achieve this, I know that we can expose servers in Azure over the internet by creating endpoints and allow ACL in order to get connection from specific public IPs.
    My question is can we achieve this, does it supported from Microsoft. if yes then is there any thing we have to consider before deploying it.
    Thanks
    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    No, i am not using Windows Azure Active Directory at all, i have deployed additional domain controllers from each forest on each subscription.
    For example in subscription 1 we have additional domain controller of forest 1 and in subscription 2 we have additional domain controller of forest 2.
    Thanks
    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

  • AD Integration: 1 Forest containing 2 Domains - Run Accounts/Profiles (SCOM 2012)

    I know there are plenty of threads on AD integration & Run As accounts\Profiles, but none quite answering my scenario...so here goes.
    1 Forest containing 2 domains - abc.com and def.com.
    abc.com contains SCOM 2012 infrastructure (Mgmt Servers (MS1, MS2), Ops DB, Reporting DWDB).
    abc.com
    1. Created SCOM Admins Global Security group
    2. Created SCOM_MS_Action domain user account (used during SCOM setup & also Local Admin on all abc.com machines via Action Account AD group/GPO)
    3. Ran MomADAdmin.exe DEV-OPSMGR12 "abc\SCOM Admins" abc\SCOM_MS_Action abc.com (SCOM_MS_Action added to SCOM Admins group as a result)
    4. Created Auto Agent Assign rule for abc.com against MS1 for "servers", Run As Profile left as default setting.
    RESULT: All servers in abc.com populated MS_PrimarySG_xxx group as expected.
    def.com
    5. Created SCOM Admins Global Security group
    6. Created SCOM_AD_Assign domain user account
    7. Ran MomADAdmin.exe DEV-OPSMGR12 "def\SCOM Admins" def\SCOM_AD_Assign def.com (SCOM_AD_Assign added to SCOM Admins group as a result)
    8. Created Run As Account (Windows) "def\SCOM_AD_Assign"
    Do I need to create this?
    9. Set "def\SCOM_AD_Assign" Run As account to "More Secure"
    Is "More Secure" correct, otherwise "Less Secure" causes errors on abc.com clients?
    10. Created Run As Profile "def AD Agent Discovery" & assigned to Default Management Pack
    Do I need to create a new Run As Profile?
    Was this the correct MP as when creating a new MP I got errors about it being unsealed when assigning to new Auto Agent Assign rule? I was under the impression never to use the Default MP?
    11. Associated "def\SCOM_AD_Assign" Run As account to "def AD Agent Discovery" Run As Profile, targeting "All Objects"
    Is this correct?
    12. Created Auto Agent Assign rule for def.com against MS1 for "servers", Run As Profile changed to "def AD Agent Discovery."
    RESULT: def.com contains OperationsManagement\DEV-OPSMGR12 container but no MS_PrimarySG_xxx group exists?
    Do I need to add my Run As account to the "Active Directory Based Agent Assignment Account" Run As Profile as well as/instead of creating a Run As Profile? - and if so, do I target All Objects, Class, Group, Object?
    Thanks in advance - I find these Run As accounts very confusing when it comes to multiple domains!

    OK, solved this one myself. To answer my own questions :) this is what needed to be done (whether it's entirely correct or not is up for debate, however I ended up with the result I was after, so I am happy for now):
    def.com
    5. Created SCOM Admins Global Security group
    6. Created SCOM_AD_Assign domain user account
    7. Ran MomADAdmin.exe DEV-OPSMGR12 "def\SCOM Admins" def\SCOM_AD_Assign def.com (SCOM_AD_Assign added to SCOM Admins group as a result)
    8. Created Run As Account (Windows) "def\SCOM_AD_Assign"
    Do I need to create this?
    YES
    9. Set "def\SCOM_AD_Assign" Run As account to "More Secure"
    Is "More Secure" correct, otherwise "Less Secure" causes errors on abc.com clients?
    YES, and added the Management Servers as "...the computers to which the credentials will be distributed"
    10. Created Run As Profile "def AD Agent Discovery" & assigned to Default Management Pack
    Do I need to create a new Run As Profile?
    YES
    Was this the correct MP as when creating a new MP I got errors about it being unsealed when assigning to new Auto Agent Assign rule? I was under the impression never to use the Default MP?
    Questionable, I did select the Default MP, otherwise the unsealed error occurred when creating the Auto Agent Assign rule
    11. Associated "def\SCOM_AD_Assign" Run As account to "def AD Agent Discovery" Run As Profile, targeting "All Objects"
    Is this correct?
    NO, instead I targeted the Class "AD Assignment Resource Pool"
    12. Created Auto Agent Assign rule for def.com against MS1 for "servers", Run As Profile changed to "def AD Agent Discovery."
    Do I need to add my Run As account to the "Active Directory Based Agent Assignment Account" Run As Profile as well as/instead of creating a Run As Profile? - and if so, do I target All Objects, Class, Group, Object?
    NO, otherwise alerts appear in regards to abc.com discovery rules breaking. Looks like for additional domains this rule should not be touched.
    RESULT: All servers in def.com populated MS_PrimarySG_xxx group as expected
    Note: Domain Controllers should not be included in the Auto Assign rules supposedly (makes sense) so I altered the query to ensure they didn't populate in the MS_PrimarySG_xxx group:
    (&(sAMAccountType=805306369)(objectCategory=computer)(objectClass=computer)(operatingSystem=*Server*)(!(primaryGroupID=516)))
    (!(primaryGroupID=516)) equates to exclude DCs.
    Hope this helps others
    Steve
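
To see what the post's LDAP query selects, the filter can be evaluated offline against a few directory objects, with the DC exclusion written inside the AND group. This is an added example, not part of the original post; the small evaluator, the helper names and the three computer objects are constructed for illustration and cover only the `&`, `|`, `!` and `attr=value` forms the query uses.

```python
import fnmatch

def _parse(s, i):
    """Parse one parenthesised filter at s[i]; return (node, next index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")" or not kids:
            raise ValueError(f"malformed '{op}' group at offset {i}")
        return (op, kids), i + 1
    end = s.index(")", i)  # simple item: attr=value, '*' is a wildcard
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value.lower()), end + 1

def compile_filter(text):
    """Parse a filter; text left over after the first expression is an error."""
    text = text.strip()
    try:
        node, end = _parse(text, 0)
    except IndexError:
        raise ValueError("unbalanced parentheses") from None
    if end != len(text):
        raise ValueError("text outside the filter: " + text[end:].strip())
    return node

def matches(node, obj):
    """Evaluate a parsed filter against {attribute: [values]}."""
    if node[0] in "&|":
        results = [matches(k, obj) for k in node[1]]
        return all(results) if node[0] == "&" else any(results)
    if node[0] == "!":
        return not matches(node[1][0], obj)
    _, attr, pattern = node
    return any(fnmatch.fnmatchcase(str(v).lower(), pattern) for v in obj.get(attr, []))

FILTER = ("(&(sAMAccountType=805306369)(objectCategory=computer)"
          "(objectClass=computer)(operatingSystem=*Server*)(!(primaryGroupID=516)))")

def computer(name, os_name, primary_group):  # constructed, simplified object
    return {"cn": [name], "samaccounttype": [805306369], "objectcategory": ["computer"],
            "objectclass": ["top", "person", "user", "computer"],
            "operatingsystem": [os_name], "primarygroupid": [primary_group]}

OBJECTS = [computer("APP01", "Windows Server 2012 R2 Standard", 515),
           computer("DC01", "Windows Server 2012 R2 Datacenter", 516),
           computer("WS01", "Windows 7 Professional", 515)]

def selected(filter_text):
    node = compile_filter(filter_text)
    return [o["cn"][0] for o in OBJECTS if matches(node, o)]
```

`selected(FILTER)` keeps only the member server: the workstation fails the `*Server*` match and the DC is dropped by the `primaryGroupID=516` clause. This evaluator raises `ValueError` when a clause is left outside the outer parentheses.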

  • SCOM 2012 Agent Deployment query

    Hello,
    I have tried to deploy the agent remotely to a Windows Storage Server Standard - SP1 server but it failed,
    I have checked the compatible OS list and it makes reference to Server 2008 SP2 but not Storage Server.
    If I upgrade to SP2 will the agent install on the OS or will it fail anyway.
    Thanks
    Nick

    I had raised a ticket with Microsoft as this was quite unclear no matter where we looked.
    This was their response,
    I can confirm SCOM 2012 SP1 agent can be installed on the server “Windows Storage Server Standard – SP2” as per the below technet link.
    http://technet.microsoft.com/en-us/library/jj656654.aspx#BKMK_RBF_WindowsAgents
    Operating Systems: Windows Server 2003 SP2, Windows Server 2008 SP2, Windows Server 2008 R2, Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2, Windows XP Professional x64 Edition SP2, Windows XP Professional SP3, Windows Vista SP2, Windows 7, POSReady, Windows XP Embedded Standard, Windows XP Embedded Enterprise, Windows XP Embedded POSReady, Windows 7 Professional for Embedded Systems, Windows 7 Ultimate for Embedded Systems, Windows 8 Pro, Windows 8 Enterprise, Windows 8.1 Pro, or Windows Embedded 8.1 Industry.
    Hope this answers your question. Kindly let me know if you have any queries regarding this case further if not I will proceed with the case closure.
