29 October 2011

The Story of The Great Battle with the Security Hardening Policy

It’s been a while since I last posted on my blog. I am reigniting my blog posting initiative, and to kick things off I have changed the blog template to something which I hope is more refreshing. Hope you like it.

Let's get serious and back to business.

Recently, a colleague of mine and I encountered a problem with our OpsMgr installation setup. We had problems launching our Web Console, and the RMS had problems communicating with the Data Warehouse.

When you launch your Web Console, you will get an error with the following description:

This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

The workaround to resolve this was to:

  • Go to the SCOM Web Console folder
  • Edit Web.Config with a text editor
  • Locate the <system.web> section and add the following into the section
    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
  • Save the Web.Config file
  • Restart IIS

Note: Repeat the steps above with the SSRS folder on the server that hosts SQL Reporting Services.

More information is available from: http://support.microsoft.com/kb/911722
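
As an added example (not part of the original post or of the KB article), the PowerShell script below reports whether the FIPS policy is enabled and which <machineKey> settings a given Web.config carries, and with -Apply writes the element from the steps above after saving a backup copy. The Web.config path is a placeholder for your Web Console or SSRS folder, and the registry location assumes Windows Vista / Server 2008 or later.

```powershell
# Added example, not from the original post. $WebConfigPath is a placeholder.
param(
    [string]$WebConfigPath = 'C:\Path\To\WebConsole\Web.config',
    [switch]$Apply
)

# "System cryptography: Use FIPS compliant algorithms" policy
# (registry location on Windows Vista / Server 2008 and later).
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = (Get-ItemProperty -Path $fipsKey -ErrorAction SilentlyContinue).Enabled
"FIPS policy enabled: $([bool]$fips)"

# Resolve to a full path: .NET does not follow the PowerShell working directory.
$WebConfigPath = (Resolve-Path $WebConfigPath).Path
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($WebConfigPath)

# local-name() keeps the lookup working when <configuration> declares an xmlns.
$systemWeb = $xml.SelectSingleNode("/*[local-name()='configuration']/*[local-name()='system.web']")
if ($null -eq $systemWeb) { throw "No <system.web> section in $WebConfigPath" }

$machineKey = $systemWeb.SelectSingleNode("*[local-name()='machineKey']")
if ($null -ne $machineKey) {
    $v = $machineKey.GetAttribute('validation')
    $d = $machineKey.GetAttribute('decryption')
    "machineKey: validation=$v decryption=$d"
} else {
    'machineKey: not present, ASP.NET defaults apply'
}

if ($Apply) {
    Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force  # rollback copy
    if ($null -eq $machineKey) {
        $machineKey = $xml.CreateElement('machineKey', $systemWeb.NamespaceURI)
        [void]$systemWeb.AppendChild($machineKey)
    }
    # Attribute values exactly as given in the workaround above.
    $machineKey.SetAttribute('validationKey', 'AutoGenerate,IsolateApps')
    $machineKey.SetAttribute('decryptionKey', 'AutoGenerate,IsolateApps')
    $machineKey.SetAttribute('validation', '3DES')
    $machineKey.SetAttribute('decryption', '3DES')
    $xml.Save($WebConfigPath)
    'Web.config updated; restart IIS for the change to take effect.'
}
```

Run it once without -Apply against each Web.config (Web Console and SSRS) to see the current state before changing anything.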




    04 June 2011

    Announcement: SCOM 2007 R2 Admin Reskit Released

    The Administrator Resource Kit for SCOM 2007 R2 has just been released. It provides SCOM administrators with the following features:

      - Scheduled Maintenance Mode - Ability to schedule and manage maintenance mode in the management group.
      - Clean Mom - Helps remove all installed R2 components.
      - MP Event Analyzer - Designed to help a user with functional and exploratory testing and debugging of event-based management pack workflows like rules and monitors.

    This is a must-have for SCOM administrators, especially for those who want to schedule maintenance mode for their servers during scheduled maintenance windows.

    For more details about the release, please visit the SCOM Team Blog

    http://blogs.technet.com/b/momteam/archive/2011/06/03/system-center-operations-manager-2007-r2-admin-reskit-released.aspx

    16 May 2011

    Of Property Bags & Custom Performance Rules

    This might not be the best-kept secret in OpsMgr, especially for those who have experience creating custom monitors/performance rules in OpsMgr.

    Although OpsMgr provides many avenues to collect monitoring information on monitored systems (via WMI, Perfmon, etc.), at times there is still a need to collect information that is not available directly … or maybe the collected data needs a bit of manipulation before sending it to OpsMgr.

    In this example, I will share a simple scenario where we need to collect % Disk Utilization for a Logical Disk in a server. (OpsMgr already collects % Free Space, but I am going to flip things around in this scenario.)

    Let’s start by exploring how we get the necessary information to compute % Disk Utilization.

    This is where our good friend Windows Management Instrumentation (WMI) comes into the picture. Many would know that WMI is a big repository of classes that stores management information about the host system, and in this case we need to query WMI to retrieve the information related to Logical Disk utilization.

    There are many ways to achieve this (e.g. PowerShell, scripts, etc.) but being an old-school VB guy, I will resort to VBScript to do this.

    The following are excerpts from my code.

    Const HARD_DISK = 3
    Dim counter, strComputer
    strComputer = "."

    ' Connect to the WMI namespace root\cimv2 (which provides the system information that we need)
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

    ' Query WMI to retrieve all Logical Disks on the local computer
    Set colDisks = objWMIService.ExecQuery _
        ("Select * from Win32_LogicalDisk Where DriveType = " & HARD_DISK)

    ' Iterate over each Logical Disk (e.g. C:\, D:\, etc.)
    For Each objDisk In colDisks

        ' Compute Disk Utilization (%) = ((Size - Free Space) / Size) * 100
        l_pct_util = ((objDisk.Size - objDisk.FreeSpace) / objDisk.Size) * 100

    Next

    Now that we have the script to collect Disk Utilization, my next post will show how we will modify this script to submit performance data to OpsMgr using a Property Bag.

    05 May 2011

    Creating SNMP Performance Collection Rule

    Many folks out there will bump into this problem when they try to create a Performance Collection Rule and target it at a custom SNMP Device Group.

    Let me give you an example here:

    I have a group of Extreme Network switches for which I need to collect the temperature. Hence I created a Group that consists only of the Extreme Network switches.

    Then, like most people, you will go on to create an SNMP collection rule to collect the performance data and will target the rule to the SNMP device, only to encounter an error when you try to create the rule.

    How to resolve this:

    One workaround that I tried was this: when you create the rule, instead of targeting the custom Group, target the SNMP device. But DO NOT enable the rule.

    This will create a Rule that is Disabled by default. Now you just need to Override this rule, target it back at the Extreme Network Switch and set it to Enabled.

    This should get things working.

    03 May 2011

    Unable to execute .js file for Object Discovery in OpsMgr

    I noticed that one of my monitored servers was giving warnings on Health Service Modules.

    Looks like we have encountered issues with CScript execution of .JS files.

    I went on to the working folder and executed the .js script, and I got hit with the following error:

    Input Error: There is no script engine for file extension ".js".

    I then proceeded to open a command prompt and typed

              ASSOC .js

    and it looks like the .js extension is associated incorrectly.

    Go back to the command prompt and reassociate the .js extension:

               ASSOC .js=JSFile

    Restart Health Service and this should do the trick.

    12 March 2011

    The Day IT Security Policy Gave Me The Banana Skin

    Ever wondered whether one day you will be given the “warm” welcome by the IT security team because of their unique security policy?

    I was trying to deploy some OpsMgr agents to some servers which sit in the DMZ. No worries, just open the firewall and we are clear to go. Discovery Wizard got it, agent installation successful and we should expect them to show up in Monitoring soon … but hey, wait a sec … why is the agent version unknown and the health status Grey (unable to contact agent)?

    Let's take a look at the Agent Patch version. It's supposed to be CU4. Ouch, the server does not have the version detected. Not good.

    Let's go in to the monitored server and have a look at the event viewer. Wow! I get tons of event 21400. Discovery scripts kept failing because they cannot find the CScript.exe file to run the VBS scripts.

    When I look at the folder, wow, CScript.exe is missing. No wonder SCOM cannot execute the discovery scripts.

    After a quick chat with the administrator: apparently, once upon a time, their security team had this policy of not allowing system executable files to reside in the C:\Windows\System32 folder. Anyway, that policy does not apply now and we just need to copy the file back to the System32 folder.

    To be safe, I restarted the Health Service on the monitored server to kickstart discovery tasks immediately. Within a minute … it worked like a charm.
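
The two script-host failures described in the posts above (the broken .js association and the missing CScript.exe) can be checked for on a monitored server in one pass. The PowerShell script below is an added example, not part of the original posts; the event log name 'Operations Manager' is an assumption, since the post only mentions the event viewer.

```powershell
# Added example, not from the original posts.
$checks = @()

# 1. Windows Script Host binaries must be present in System32; a missing
#    CScript.exe is what made the discovery scripts fail with event 21400.
foreach ($exe in 'cscript.exe', 'wscript.exe') {
    $path  = Join-Path $env:SystemRoot "System32\$exe"
    $found = Test-Path $path
    $checks += New-Object psobject -Property @{
        Check = $path; Found = [string]$found; OK = $found }
}

# 2. Script extensions must map to their file types ("assoc" is a cmd.exe built-in).
$expected = @{ '.js' = 'JSFile'; '.vbs' = 'VBSFile' }
foreach ($ext in $expected.Keys) {
    $actual = "$(cmd /c "assoc $ext" 2>$null)".Trim()   # e.g. ".js=JSFile", empty if unset
    $checks += New-Object psobject -Property @{
        Check = "assoc $ext"; Found = $actual; OK = ($actual -eq "$ext=$($expected[$ext])") }
}

$checks | Select-Object Check, Found, OK | Format-Table -AutoSize

# 3. Recent script-execution failures logged by the agent.
#    Log name is an assumption; adjust it if your agent logs elsewhere.
Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 21400 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Any row with OK = False points at the fix from the corresponding post; restart the Health Service afterwards so discovery runs again.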
