Wednesday, September 21, 2016

PowerShell: SCOM Health Check HTML Report v2.3

Some background information & how version 2.1 came to be
Almost a year back I posted a PS script for the SCOM Health Check Report. And NO, that script wasn’t made by me, but by Jason Rydstrand for SCOM 2007x. Later on fellow MVP Scott Moss rewrote that PS script for SCOM 2012x. Back then I added some additional information to that Report and shared that with the community.

Version 2.3
From that moment on I used that Report on many occasions, adding/modifying the PS code as I got along. Many of these modifications came to be based on customer feedback. Also I fixed some issues and modified the formatting in the Report for improved reading. An overview of the most important modifications I made:

  • Added GW Server Primary & Failover MS server information;
  • Added warning when no Failover MS server for GW server is detected;
  • Added Generic Alerts Overview section;
  • Fixed issue where Unhealthy SCOM Agents table didn't show in report;
  • Fixed issue where SCOM Agents in Maintenance Mode table didn't show in report;
  • Fixed issue where SCOM Agents in Maintenance Mode table missed Maintenance Mode Comments;
  • Added report section with SCOM license information;
  • Added detection and warning when only one SCOM MS server is present;
  • Modified report formatting for improved reading experience.

How to use it
That’s pretty easy. The best way is to run it from any SCOM Management Server. Otherwise, run it from a system where the SCOM 2012x Console is installed. In the latter situation please ‘activate’ and modify lines 45 & 46.

Also adjust the customer/company name in line 65. This will personalize the report for your usage.

Some screenshots of the Report
Here are some examples of the SCOM Health Check Report v2.3.

Don’t forget to modify line 65 as mentioned earlier, otherwise the report has this default company name:
image

Say hello to the new formatting which improves the overall reading experience:
image

And:
image

Some new sections:
image

SCOM GW server section:
image

Same section, in another SCOM MG with multiple GWs, configured in failover mode:
image

Now with one GW server not configured for failover:
image

Where to get it?
I’ve uploaded it to TechNet Gallery, to be found here.

Credits
As stated earlier, the basis of this PS script isn’t written by me. Instead Jason Rydstrand wrote the PS script for SCOM 2007 and Scott Moss rewrote it for SCOM 2012x. I just added some additional stuff, that’s all. So all credits go to Jason Rydstrand and Scott Moss.

When you think you can add some useful code as well, feel free to do so. Contact me and I will update this posting accordingly.

Sharing is Caring!

Thursday, September 8, 2016

OMS Solution ‘Security & Audit’ vs SCOM ACS: And The Winner Is OMS! (Thanks To Wei Hao Lim)

Some history of ACS
In all the years SCOM has been available, ACS (Audit Collection Services) has been wrapped in it as a side solution, enabling organizations to audit their IT systems and produce audit reports. By default this solution is disabled when SCOM is installed, but it can be enabled and – after some additional configuration and installation of additional components – used.

On paper it’s awesome. But in real life ACS misses out on a lot of things, like (but not limited to):

  • No high availability. It can be achieved, but only as workarounds with the possibility of duplicate – or even worse – loss of data (I’ve done some pretty deep research when I wrote the chapter ‘Complex Configurations’ for System Center 2012 – Operations Manager Unleashed book, so I am pretty sure here);
  • Monster sized ACS databases when the retention is set higher than the default of 14 days which isn’t enough for most customers I know. I’ve seen ACS databases of 4 TB!;
  • ACS Reports timing out because of the monster sized databases;
  • No archiving solution out of the box. For some time a 3rd party delivered this solution (Secure Vantage Technologies, SVT), but they asked outrageous prices so I never ever had a customer using it. And now SVT is no more.

As such, ACS never really took off and became (sadly) an obscure feature. Funny in its own way but never functioning well enough for enterprise environments (out of the box that is). One customer I know got it working but only with many additional customizations and programming, resulting in a non-supported custom solution…

And today ACS is still available, and will be available as well when SCOM 2016 sees the light. And yes, in the past years support for UX systems was added, as well as support for Windows Server 2008/2012, which use other Event ID numbers for all their events, the security ones included.

But still, I don’t recommend it to any organization which is looking for a serious IT auditing solution. Period.

Back to the future and today
However, as we all know, Microsoft has focused itself on the cloud and hybrid workloads. Their offering of cloud based services is huge. IaaS, PaaS and SaaS alike and many other forms as well.

One of those offerings is OMS, which is growing in functionality, capability and supportability by the month. Each functionality in OMS is available as a Solution. And one of them is Security and Audit:
image

And this Solution is very good AND very fast, simply because the backend – required to run the queries – is huge, far bigger than any enterprise organization will ever have on its own.

Yes, this Solution collects a HUGE amount of data (also depending on how servers upload their data AND what kind of audit policies you’ve got in place). And the more data you upload, the more money you pay. But you know, security is key to many organizations, which should be reflected in the available budgets. And don’t underestimate the on-premise auditing solutions, requiring lots of hardware, maintenance, energy and so on. Also not very cheap.

OMS solution ‘Security & Audit’ vs SCOM ACS
So here we are. We can choose for SCOM ACS with all the limitations, or for OMS (pay as you go) with the Solution Security and Audit. Where the latter can unleash enormous calculation power, helping you to drill through a mountain of data, like it’s nothing!

But wait! How about those queries? Because in ACS there are about 20+ pre canned Reports. Just click on them, fill out some fields and you’ve got yourself a nice auditing report (when the ACS database isn’t too big that is…).

In OMS however, even with the solution Security & Audit enabled, you still need to build some challenging queries in order to get back some valid auditing information. Ouch! For sure, the same solution contains some pre canned search queries as well, but still some additional effort is required when needing more detailed information, like the pre canned SCOM ACS Reports…

This is where Wei Hao Lim comes in
Some years ago I met Wei Hao Lim. His knowledge and skills amazed me, since he’s just a beast (in a positive way that is). Soon after I met him he joined Microsoft (they recognized his skills as well I guess) in the role as Senior PFE. In that role he started blogging, where each posting is of very high quality. I’ve learned a lot from him.

In one of his latest postings he shares the OMS search queries, mapped to the pre canned SCOM ACS Reports! Which is awesome since these OMS search queries can be saved so you can use them another time far more easily.

So now all is complete!

Still using SCOM ACS? Time to move to OMS solution ‘Security & Audit’
So you’re using SCOM ACS and frustrated because of the limitations? Why not try OMS with a free data plan, enable the Security & Audit solution in order to experience the difference. And yes, visit Wei’s blog for the correct OMS search queries.

Please know this: When using OMS with the free data plan, the daily upload of data is capped to 500 MB. When the solution Security and Audit is enabled, and some servers are connected to OMS, their upload of data will exceed the 500 MB. So start small, and when adding more servers, change to a paid data plan since otherwise the collected data will have gaps, because of the dropped data, exceeding the daily limit of 500 MB based on the free data plan.

Credits
A big thanks goes out to Wei Hao Lim for sharing.

OMS IP Bug: ‘Operations Manager Failed to Access the Windows Event Log’ SCOM Alert

Issue
A customer of mine who has one of his SCOM environments connected with OMS reported to me that they saw the Alert ‘Operations Manager Failed to Access the Windows Event Log’ coming in for many SCOM managed servers, but not all of them. They noticed the Alert was all about trying to access a non-existent event log, ATA?

Time to investigate
As it turned out, this Alert about not being able to access the ATA event log, only happened on a subset of SCOM managed servers. As stated before, the particular SCOM MG is connected to OMS. And in OMS a Group of computers is managed by OMS. And for all those servers, this Alert pops up.

The non-existent event log, ATA is all about Microsoft Advanced Threat Analytics. And the specific Rule causing this Alert is Microsoft.SystemCenter.CollectATAEvents:
image
This Rule comes from the MP Microsoft System Center Advisor Advanced Threat Analytics.

What surprises me here is the targeting of the Rule. One of the basics MP authors are taught (even though I am not a MP author, I am familiar with the foundation and the rules), is NOT to use the Windows Computer Class as a target. Simply because it’s too broad! Like using buckshot instead of a well aimed bullet…

And yet, this Rule is like buckshot:
image
Ouch!

And even though this Rule is disabled by default, it’s enabled for the Group Microsoft System Center Advisor Monitoring Server Group:
image

And this Group is populated with all the SCOM managed servers that are also connected to OMS. And none of those servers has a Microsoft ATA event log, even though this Rule wants to connect to it:
image

But when looking deeper into this Rule, it looks even weirder since the Rule doesn’t contain any filters at all?
image
Wow, when an ATA log is present it basically means EVERY ATA event is uploaded to OMS. How much data is that? Consider this running for hundreds of servers….

So now we have the culprit and the cause. Time to solve it.

Workaround
Since this is a badly written Rule but we don’t have access to the source code, we need a workaround which is nothing more than an Override in order to disable it.

In this case I set an Override (Disable) for the Group Windows Server Computer Group and also ENFORCED the same Override in order to be 100% sure it’s effective:
image

Case closed.
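
The same check and workaround can be scripted with the OperationsManager PowerShell module. This is an added example, not part of the original post or of the management pack: it confirms the Rule's target class and default state, lists the Overrides already in place, and then creates the enforced Disable Override for the Group. The override management pack name `Custom.OMS.Overrides` is an assumption; substitute your own unsealed MP.

```powershell
# Added example (not from the original post). Run on a SCOM Management Server,
# or on a console system after New-SCOMManagementGroupConnection.
Import-Module OperationsManager

$ruleName       = 'Microsoft.SystemCenter.CollectATAEvents'  # Rule named in the post
$groupName      = 'Windows Server Computer Group'            # Group used in the post
$overrideMpName = 'Custom.OMS.Overrides'                     # assumption: your unsealed override MP

$rule = Get-SCOMRule -Name $ruleName
if (-not $rule) { throw "Rule '$ruleName' not found in this Management Group." }

# 1. Confirm what the screenshots show: which class the Rule targets and
#    whether it is enabled by default. A target of Microsoft.Windows.Computer
#    means every Windows computer in scope is a candidate for this workflow.
$target = Get-SCOMClass -Id $rule.Target.Id
$rule | Select-Object Name, Enabled,
    @{ Name = 'TargetClass';    Expression = { $target.Name } },
    @{ Name = 'ManagementPack'; Expression = { $rule.GetManagementPack().Name } }

# 2. List the Overrides that already exist for the Rule, so you can see which
#    Group enables it and whether a Disable Override is already present.
Get-SCOMOverride -Rule $rule |
    Select-Object Name, Property, Value, Enforced, Context, ContextInstance

# 3. Create the workaround: a Disable Override scoped to the Group, Enforced so
#    it wins over the non-enforced Override that enables the Rule.
$group = Get-SCOMGroup -DisplayName $groupName
if (-not $group) { throw "Group '$groupName' not found." }

$overrideMp = Get-SCOMManagementPack -Name $overrideMpName
if (-not $overrideMp -or $overrideMp.Sealed) {
    throw "Override MP '$overrideMpName' is missing or sealed; Overrides need an unsealed MP."
}

Disable-SCOMRule -Group $group -ManagementPack $overrideMp -Rule $rule -Enforce

# 4. Read the Overrides back and show only the enforced ones as verification.
Get-SCOMOverride -Rule $rule |
    Where-Object { $_.Enforced } |
    Select-Object Name, Property, Value, Enforced, Context
```

After the agents have received the new configuration, the ‘Operations Manager Failed to Access the Windows Event Log’ Alerts for the ATA log should stop recurring; existing Alerts from this Rule still have to be closed by hand.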

Thursday, September 1, 2016

OMS & X-Plat

OMS is an ever evolving Azure based service. New features, functionality and extensions are added on a monthly basis. The push behind it is huge and very impressive.

For a few weeks now OMS supports multiple Linux operating systems, and different versions and editions as such:

So OMS shows that Microsoft isn’t only about Microsoft anymore. Instead, other non-Microsoft based technologies are fully supported as well. Totally awesome!

Want to know more? Go here.

OM12 R2 UR#11 Released

Yesterday Microsoft released Update Rollup 11 for SCOM 2012 R2, per KB3183990.

The fixed issues are quite numerous:

  1. Network discovery fails because of monitoring host crash if no paging file is set on the operating system;
  2. Backport PuTTY 0.64 and 0.66 updates from 2016 release;
  3. Update Register-SCAdvisor cmdlet for WEU workspaces;
  4. ACS eventschema.xml has incorrect parameter mappings for multiple audit events;
  5. Memory leak when monitoring network devices by using SNMPv3;
  6. Web Console user can view datawarehouse performance or SLA widget data outside of their scoped dashboard views;
  7. Downtime duration doesn't take business hour into consideration;
  8. Cisco 3172 PQ network device certification issues;
  9. Adding SCOM assessment links in the Operations Management Suite view in the SCOM console;
  10. SQL Server Seed relationship with a server that is running Windows;
  11. Alert subscriptions are not always fired for 3 state monitors;
  12. When you connect SCOM to OMS, Availability monitors health state of some management servers changes to Warning state;
  13. RunAs Account password expiration does not work with Active directory Password Settings Objects that breaks the validation of LOCAL User Accounts;
  14. MPB Entries in Catalog database for the VersionIndependentGuid column is updated;
  15. If the first try of importing MPB failed then re-importing the MPB was not possible until the SCOM console is closed and reopened;
  16. Change of the displayname field for a group in a sealed or unsealed management pack.

Support added for Linux OS version:

  1. Ubuntu Linux 16.04 LTS (x86 and x64)

Fixed issues for the UX\Linux MPs:

  • During UNIX/Linux computer discovery, the GetOSVersion.sh script is run with sudo elevation if a sudo-enabled user is selected for Discovery;
  • Scripts executed by the ExecuteScript method in Management Packs always run from the /tmp folder;
  • UNIX or Linux computers together with sshd versions that implement the Key Exchange Algorithms described in RFC 4419, such as Ubuntu 15.10, cannot be discovered with the Discovery Wizard;
  • Network statistics collected on AIX servers are reset when another tool such as NetStat is also used;
  • Physical disks are shown incorrectly as offline if an LVM snapshot is taken.

Resources:

Warning:

As before: TEST it before rolling it out in PRODUCTION.

Monday, August 15, 2016

New Kid On The Block!

A colleague of mine, Corno Christianen, has launched a new blog, aimed at Azure, Azure Stack and Windows Server. And yes, of course his blog will cover PowerShell as well, that goes without saying.

I respect Corno highly for his deep knowledge and thorough experience. For me he is one of the company’s ‘Go-To-Guys’ when a problem needs to be fixed. Therefore I am pretty sure his blog will be good and worthwhile to keep an eye on.

His blog is titled DutchItPro.nl and certainly worth your time for a visit.

MAS TP2 Roll Out Started To Some Early Adopter Customers

Last week Microsoft started releasing MAS TP2. However, this roll out is limited for now to only a subset of interested customers, as Microsoft describes ‘…some early adopter customers…’. Hopefully TP2 will be made available to anyone, interested in this new technology.

Back to TP1 and to some ‘rumors’…
With TP1 out in the wild and available for anyone, many companies started test driving it. With it, the publicity and rumor machine started. During the last WPC Microsoft fed this rumor machine, by announcing MAS is to be revamped and delayed.

So even though MAS TP2 is out of reach for most companies yet, there is a lot of good stuff out there, all about MAS and what it will be like when finally released. For me these 4 articles shed some good light on it: