Event 10154, The WinRM service failed to create the following SPNs: WSMAN/dcname.domain.tld; WSMAN/dcname.

Sometimes, after you promote a new domain controller, this error shows up in the System event log. It means that the WinRM service, which runs as NT AUTHORITY\NETWORK SERVICE, could not register its WSMAN SPNs on the DC's computer object in Active Directory with the credentials it has. You can create the SPNs manually with setspn, but WinRM retries the registration every time the domain controller starts and logs the event again. The proper fix is to grant NETWORK SERVICE the one permission it is missing on the DC's computer object: "Validated write to service principal name". Grant only that validated write, not a plain write to the servicePrincipalName attribute: a validated write lets the account register only SPNs that match the computer's own host name, so it cannot register an SPN for some other host and hijack that host's Kerberos authentication.

image

For this to work, open the ADSI Edit console (ADSIEDIT.msc), find the DC's computer object under OU=Domain Controllers, and give NETWORK SERVICE the following permission on it:

image

If you list the SPNs registered for the DC before the change, you will see the following list (note that there are no WSMAN entries):

C:\Windows\system32>setspn -l dc1
Registered ServicePrincipalNames for CN=DC1,OU=Domain Controllers,DC=test,DC=ba:
         TERMSRV/DC1
         TERMSRV/DC1.test.ba
         Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC1.test.ba
         ldap/DC1.test.ba/ForestDnsZones.test.ba
         ldap/DC1.test.ba/DomainDnsZones.test.ba
         DNS/DC1.test.ba
         GC/DC1.test.ba/test.ba
         RestrictedKrbHost/DC1.test.ba
         RestrictedKrbHost/DC1
         RPC/a90510ff-a822-4109-8123-de4e338205ba._msdcs.test.ba
         HOST/DC1/TEST
         HOST/DC1.test.ba/TEST
         HOST/DC1
         HOST/DC1.test.ba
         HOST/DC1.test.ba/test.ba
         E3514235-4B06-11D1-AB04-00C04FC2DCD2/a90510ff-a822-4109-8123-de4e338205ba/test.ba
         ldap/DC1/TEST
         ldap/a90510ff-a822-4109-8123-de4e338205ba._msdcs.test.ba
         ldap/DC1.test.ba/TEST
         ldap/DC1
         ldap/DC1.test.ba
         ldap/DC1.test.ba/test.ba

After you apply the permission to NETWORK SERVICE and restart the WinRM service (or the DC), the WSMAN SPNs are there:

C:\Windows\system32>setspn -l dc1
Registered ServicePrincipalNames for CN=DC1,OU=Domain Controllers,DC=test,DC=ba:
         WSMAN/DC1
         WSMAN/DC1.test.ba

         TERMSRV/DC1
         TERMSRV/DC1.test.ba
         Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC1.test.ba
         ldap/DC1.test.ba/ForestDnsZones.test.ba
         ldap/DC1.test.ba/DomainDnsZones.test.ba
         DNS/DC1.test.ba
         GC/DC1.test.ba/test.ba
         RestrictedKrbHost/DC1.test.ba
         RestrictedKrbHost/DC1
         RPC/a90510ff-a822-4109-8123-de4e338205ba._msdcs.test.ba
         HOST/DC1/TEST
         HOST/DC1.test.ba/TEST
         HOST/DC1
         HOST/DC1.test.ba
         HOST/DC1.test.ba/test.ba
         E3514235-4B06-11D1-AB04-00C04FC2DCD2/a90510ff-a822-4109-8123-de4e338205ba/test.ba
         ldap/DC1/TEST
         ldap/a90510ff-a822-4109-8123-de4e338205ba._msdcs.test.ba
         ldap/DC1.test.ba/TEST
         ldap/DC1
         ldap/DC1.test.ba
         ldap/DC1.test.ba/test.ba
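The same check and fix, scripted, as an added example that is not code from the original post. It reads the ACL of the DC's computer object, grants NETWORK SERVICE the "Validated write to service principal name" right only if it is missing, restarts WinRM and lists the WSMAN SPNs. It assumes the ActiveDirectory PowerShell module (RSAT) and Domain Admin rights; the DC name DC1 is the one from the post.

```powershell
# Added example (not from the original post): audit and, if needed, grant the
# "Validated write to service principal name" right that WinRM (running as
# NETWORK SERVICE) needs on a DC's computer object, then confirm the WSMAN SPNs.
# Assumes the ActiveDirectory module and Domain Admin rights; run it on the DC.
Import-Module ActiveDirectory

$DcName = 'DC1'                                   # DC name from the post
$Dc     = Get-ADComputer -Identity $DcName
$AdPath = "AD:\$($Dc.DistinguishedName)"

# Well-known SID of NT AUTHORITY\NETWORK SERVICE and the rightsGuid of the
# Validated-SPN validated write. Both are fixed values from the AD schema.
$NetworkService = [System.Security.Principal.SecurityIdentifier]'S-1-5-20'
$ValidatedSpn   = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'

$Acl = Get-Acl -Path $AdPath
$Existing = $Acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $ValidatedSpn -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::Self)
}

if ($Existing) {
    "NETWORK SERVICE already holds the validated SPN write on $($Dc.DistinguishedName)"
} else {
    # "Self" is the ActiveDirectoryRights value for a validated write. Scoped to
    # the Validated-SPN GUID it only allows SPNs that match this computer's own
    # name, unlike WriteProperty on servicePrincipalName, which allows any SPN.
    $Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $NetworkService,
        [System.DirectoryServices.ActiveDirectoryRights]::Self,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ValidatedSpn)
    $Acl.AddAccessRule($Rule)
    Set-Acl -Path $AdPath -AclObject $Acl
    "Granted validated SPN write to NETWORK SERVICE on $($Dc.DistinguishedName)"
}

# WinRM retries the SPN registration when it starts.
Restart-Service -Name WinRM

# Same information as "setspn -l DC1", filtered to the entries this post is about.
$Spns = (Get-ADComputer -Identity $DcName -Properties servicePrincipalName).servicePrincipalName
$Spns | Where-Object { $_ -like 'WSMAN/*' }
```

If the last line prints nothing right after the restart, give AD replication a moment and check Event ID 10154 is no longer logged on the next WinRM start; the script is safe to rerun because it only adds the ACE when it is absent.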


Domain network is not recognized on domain controller

How many times has your domain controller failed to recognize its network and registered the Private (or Public) profile on its network connection instead of the Domain profile? Once you know it is happening, restarting the Network Location Awareness (NLA) service brings the domain profile back. It happens for a number of reasons. With physical servers it is often the network itself: PortFast is not enabled on the switch port, and the server boots much faster than the port comes up. In test environments with a single DC, the NLA service starts before the Active Directory Domain Services and DNS Server services are up, so it cannot find a domain controller and falls back to a non-domain profile. This matters because Windows Firewall applies the rules of whichever profile NLA picked: with the Private or Public profile active, the rules written for the Domain profile (for example the ones that allow AD and DNS traffic) are not in effect, and the DC can be unreachable until the service is restarted. Some people set the NLA service to Automatic (Delayed Start), but the better solution is to make it depend on the DNS Server and Active Directory Domain Services services.

 

image

image

If you open the NLA service properties you will see which services it depends on.

image

How do you add AD DS and DNS to the dependency list? Run the command below from an elevated prompt. Two things to know before you do: sc config depend= replaces the whole dependency list rather than appending to it, so run sc qc nlasvc first and carry every existing dependency over into the new list (the ones below are the defaults on this DC); and sc.exe requires a space between depend= and the value. Only do this on a DC that also runs the DNS Server role: a dependency on a service that does not exist on the host stops NLA from starting at all. After the change the dependency list includes the AD DS and DNS Server services, and your DC will no longer hide behind the wrong firewall profile after a restart.

sc config nlasvc depend= NSI/RpcSs/TcpIp/Dhcp/Eventlog/DNS/NTDS

image
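The same change done safely, as an added example that is not from the original post: it reads the current dependency list instead of hard-coding it, refuses to run on a host that lacks the DNS or NTDS services (which would leave NLA unable to start), appends the two services, and then shows the resulting list and the network profile the DC currently sits in. It assumes an elevated PowerShell session on the DC.

```powershell
# Added example (not from the original post): make NlaSvc depend on the AD DS
# (NTDS) and DNS Server (DNS) services without dropping its existing
# dependencies. "sc config ... depend=" replaces the whole list, so the current
# list is read first. Run elevated on the DC; reboot afterwards to see the effect.
$Service = 'NlaSvc'
$Wanted  = @('DNS', 'NTDS')

# A dependency on a service that is not installed prevents NlaSvc from starting,
# so bail out unless both roles are present on this host.
$Missing = $Wanted | Where-Object { -not (Get-Service -Name $_ -ErrorAction SilentlyContinue) }
if ($Missing) {
    throw "This host is not a DC with the DNS Server role; missing service(s): $($Missing -join ', ')"
}

# Existing dependencies (NSI, RpcSs, TcpIp, Dhcp, Eventlog on the DC in the post).
$Current = @((Get-Service -Name $Service).ServicesDependedOn | Select-Object -ExpandProperty Name)
$New     = $Current + @($Wanted | Where-Object { $_ -notin $Current })

# sc.exe wants the space after "depend=" and a "/"-separated list.
sc.exe config $Service depend= ($New -join '/')

# Verify the dependency list and the profile the DC's connections are in.
# After a reboot NetworkCategory should read DomainAuthenticated.
(Get-Service -Name $Service).ServicesDependedOn | Select-Object -ExpandProperty Name
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
```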

EVENT 10016, DistributedCOM CLSID {8D8F4F83-3594-4F07-8369-FC3C3CAE4919} and APPID {F72671A9-012C-4725-9D2F-2A4D32D65169} error

Hi

Long time no see, but let's cut to the chase. I am trying to build a gold image of Windows Server 2016 and this error keeps haunting me. I know this should not be done unless you know what you are doing, but it is for my test environment, and it is good to explore sometimes. There are a lot of posts about this problem; let's say this one is a mix of all of them, and it works. It applies to this case only: Windows Server 2016 updated to the latest CU as of February 2019. Maybe it applies elsewhere too? Leave a comment if it helped you. One caveat before you start: Microsoft documents DCOM 10016 events raised by its own components as expected behaviour that can be safely ignored, so on a production system the right move is usually to leave the event alone rather than change the ownership and ACLs of TrustedInstaller-protected registry keys. The error in question is:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
and APPID {F72671A9-012C-4725-9D2F-2A4D32D65169}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable).

image

Let's start by working out what these GUIDs are.

From the above we know that the computer attempted an action involving a Microsoft Windows DistributedCOM server, but the application-specific permission settings did not grant Local Activation to the caller. The Security Identifier (SID) named is NT AUTHORITY\SYSTEM (S-1-5-18), the most privileged account on the local machine, which is what makes the error surprising: DCOM launch and activation permissions are an ACL stored per AppID, and they apply even to SYSTEM.
We are also given a Class ID (CLSID) and an Application ID (APPID). Both are recorded as keys in the Windows registry, and with those two keys we can work out which component the computer was trying to activate when the error occurred.

If you search the registry for these GUIDs with Registry Editor, you will find the following paths (there is an additional one for the 32-bit view on 64-bit Windows):

The CLSID {8D8F4F83-3594-4F07-8369-FC3C3CAE4919} key will be located here:
HKEY_CLASSES_ROOT\CLSID\{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}

The APPID {F72671A9-012C-4725-9D2F-2A4D32D65169} we are interested in will be located here:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F72671A9-012C-4725-9D2F-2A4D32D65169}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\AppID\{F72671A9-012C-4725-9D2F-2A4D32D65169}

Run these commands to read the default value of each key:

reg query "HKEY_CLASSES_ROOT\CLSID\{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}" /ve
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F72671A9-012C-4725-9D2F-2A4D32D65169}" /ve
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\AppID\{F72671A9-012C-4725-9D2F-2A4D32D65169}" /ve

 

image

We can see that the DCOM component we are looking for is CDP Activity Store.

So the DistributedCOM component is CDP Activity Store, and the APPID key has no default value set. If you go to DCOM Config under the Component Services MMC, you will see that you cannot change the security settings of this component: the Customize options are greyed out. The reason is that the registry keys holding its configuration are owned by SYSTEM and by TrustedInstaller, and Administrators only have read access to them.

image

What we need to do is take ownership of the registry keys, give ourselves write access, and then grant Local Activation to the right account. To be clear about the starting point, so that you can put it back afterwards:

CLSID {8D8F4F83-3594-4F07-8369-FC3C3CAE4919}: original owner is SYSTEM. APPID {F72671A9-012C-4725-9D2F-2A4D32D65169}: original owner is TrustedInstaller (NT SERVICE\TrustedInstaller).

Now open the registry keys recorded earlier and take ownership of them as Administrators.

image

image

Also give Administrators Full Control on that registry key.

image

Do the same for all of these registry keys:

HKEY_CLASSES_ROOT\CLSID\{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\AppID\{F72671A9-012C-4725-9D2F-2A4D32D65169}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F72671A9-012C-4725-9D2F-2A4D32D65169}

Now open Component Services and look for {F72671A9-012C-4725-9D2F-2A4D32D65169} under DCOM Config. Open its properties and click the Security tab; you will see that Customize is no longer greyed out.

image

If you click Edit you will see, or rather not see, the account the error message complains about. In our case it is the SYSTEM account. Add SYSTEM and grant it Local Activation.

imageimage

After that, restart the computer and the error should be gone. But that is not all. To tidy up, give ownership of HKEY_CLASSES_ROOT\CLSID\{8D8F4F83-3594-4F07-8369-FC3C3CAE4919} back to SYSTEM, give ownership of HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F72671A9-012C-4725-9D2F-2A4D32D65169} and HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\AppID\{F72671A9-012C-4725-9D2F-2A4D32D65169} back to NT SERVICE\TrustedInstaller, and remove the Full Control entry you added for Administrators. Only then are the keys back to their original protection. Restoring the owner alone while leaving Administrators with Full Control means that anything running as a local administrator can still rewrite which binary this COM server points to and who may launch it.
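A read-only helper for the procedure above, as an added example that is not code from the original post. It pulls the newest DCOM 10016 event from the System log, extracts the CLSID and APPID from the message, resolves both to a component name through the same registry keys as the reg query commands, and reports who owns each key and whether Administrators currently hold Full Control on it. Run it before you start to record the original owners, and again after the clean-up to confirm the keys are back with SYSTEM and TrustedInstaller. It changes nothing; the only assumption is an elevated PowerShell session on the affected machine.

```powershell
# Added example (not from the original post): resolve the newest DCOM 10016
# event to its component and report the ownership/ACL state of the related
# registry keys. Read-only; intended for before/after comparison.
$Event = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10016 } -MaxEvents 1
if (-not $Event) { throw 'No DistributedCOM 10016 event found in the System log.' }

# The message text carries the CLSID first and the APPID second.
$Guids = [regex]::Matches($Event.Message, '\{[0-9A-Fa-f-]{36}\}') | ForEach-Object { $_.Value }
if ($Guids.Count -lt 2) { throw 'Could not find both GUIDs in the event message.' }
$Clsid, $AppId = $Guids[0], $Guids[1]
"Event $($Event.TimeCreated): CLSID $Clsid  APPID $AppId"

$Paths = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\$AppId"
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\AppID\$AppId"
)

foreach ($Path in $Paths) {
    if (-not (Test-Path -Path $Path)) { Write-Warning "$Path is not present"; continue }

    $Name = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'(default)'
    $Acl  = Get-Acl -Path $Path

    # The fix in the post adds Full Control for Administrators; after the
    # clean-up this should be $false again and the owner should be the original.
    $AdminFull = $Acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.RegistryRights -eq [System.Security.AccessControl.RegistryRights]::FullControl
    }

    [pscustomobject]@{
        Key                = $Path
        Component          = $Name
        Owner              = $Acl.Owner
        AdminsFullControl  = [bool]$AdminFull
    }
}
```

On the machine in the post the first run should show CDP Activity Store as the component, SYSTEM as owner of the CLSID key and NT SERVICE\TrustedInstaller as owner of the two AppID keys, with AdminsFullControl false everywhere; a final run after the clean-up should show the same.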

Takeaway

The same procedure works for any similar 10016 event: resolve the CLSID and APPID to the component, take ownership, grant the permission the message names, then restore ownership and the ACL. Check first whether Microsoft already documents that particular event as benign.

SCOM 2016 Step by Step– Part 18 – Operations Manager Shell PowerShell Error When Launched as Administrator

You will probably get this error when you start the Operations Manager Shell with "Run as administrator":

“.\OperationsManager\Functions.ps1 : The term ‘.\OperationsManager\Functions.ps1’ is not recognized as the name of a
cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify
that the path is correct and try again.
At line:1 char:34
+ … t-Module OperationsManager; .\OperationsManager\Functions.ps1; .\Oper …
+                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : ObjectNotFound: (.\OperationsManager\Functions.ps1:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

.\OperationsManager\Startup.ps1 : The term ‘.\OperationsManager\Startup.ps1’ is not recognized as the name of a
cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify
that the path is correct and try again.
At line:1 char:69
+ … r; .\OperationsManager\Functions.ps1; .\OperationsManager\Startup.ps1
+                                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : ObjectNotFound: (.\OperationsManager\Startup.ps1:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

PS C:\Windows\system32>

The cause is visible at the bottom of the error: the shell's shortcut calls Functions.ps1 and Startup.ps1 with paths relative to the current directory, and an elevated session starts in C:\Windows\system32 instead of the SCOM PowerShell folder. To resolve it once and for all, run this code once from an elevated PowerShell prompt on the management server. It adds a Set-Location to the all-users, all-hosts profile, so be aware that every PowerShell session on that server (every user, every host, scheduled tasks included) will from now on start in the SCOM PowerShell folder; anything that relies on relative paths will be affected.

 

$CMD = '$SCOMInstallPath = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup" -Name "InstallDirectory").InstallDirectory; Set-Location $SCOMInstallPath\..\PowerShell'
# Append once only: re-running the snippet must not add a duplicate line to the profile
if (-not (Test-Path $profile.AllUsersAllHosts) -or -not (Select-String -Path $profile.AllUsersAllHosts -SimpleMatch $CMD -Quiet)) { Add-Content -Path $profile.AllUsersAllHosts -Value $CMD -Verbose -Force }

If you don't believe me, the reference is here.

And now it is fine:

image

Install SCOM Reporting role again on the same SSRS server aka FileNotFoundException: Could not load file or assembly ‘Microsoft.EnterpriseManagement.Reporting.Security’

SCOM Reporting and I are lately on the war path. Yesterday I decided to remove the SCOM 1711 technical preview and install the SCOM 1801 final release. When I started to install the Reporting role I got this error screen:

image

I checked everything and everything looked fine. Next stop: the logs. The error in the SSRS log was: ERROR: Exception caught instantiating Windows report server extension: Microsoft.ReportingServices.Diagnostics.Utilities.ServerConfigurationErrorException: The report server has encountered a configuration error. See the report server log files for more information. —> System.IO.FileNotFoundException: Could not load file or assembly ‘Microsoft.EnterpriseManagement.Reporting.Security’ or one of its dependencies. The system cannot find the file specified.

What is the problem? When SCOM Reporting is installed it modifies the configuration files of SQL Server Reporting Services, registering its own security extension (the Microsoft.EnterpriseManagement.Reporting.Security assembly named in the error). It keeps copies of the original files as RSReportServer.config.0, RSReportServer.config.1 and web.config.0. After SCOM Reporting is uninstalled the modified configuration still references that assembly, which is no longer on disk, so SSRS cannot load its security extension and the new installation cannot talk to the report server.

image

So what do you do when you want to reinstall?

Method 1

Back up the current RSReportServer.config and web.config, then rename the saved originals back to RSReportServer.config and web.config and restart the Reporting Services Windows service. SSRS has hosted its own HTTP listener since SQL Server 2008, so there is no IIS to restart for it.
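Method 1 scripted, as an added example that is not from the original post. It stops the SSRS service, keeps a timestamped copy of the SCOM-modified files, puts the ".0" originals back in place and starts the service again; it refuses to run if a saved original is missing, rather than leaving SSRS half-restored. The report server directory and service name below are assumptions for a default SSRS 2016 instance (SSRS 2017 and later use the service name SQLServerReportingServices and a different path); adjust both to your installation.

```powershell
# Added example (not from the original post): restore the SSRS configuration
# files that SCOM Reporting replaced, from the ".0" copies it left behind.
# Path and service name are assumptions for a default SSRS 2016 instance.
$ReportServerDir = 'C:\Program Files\Microsoft SQL Server\MSRS13.MSSQLSERVER\Reporting Services\ReportServer'
$ServiceName     = 'ReportServer'           # 'SQLServerReportingServices' on SSRS 2017+

$Files = 'RSReportServer.config', 'web.config'
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Check everything before touching anything, so a missing original does not
# leave the report server with one restored and one modified file.
foreach ($File in $Files) {
    $Original = Join-Path -Path $ReportServerDir -ChildPath "$File.0"
    if (-not (Test-Path -Path $Original)) { throw "No saved original for $File at $Original" }
}

Stop-Service -Name $ServiceName -Force

foreach ($File in $Files) {
    $Live     = Join-Path -Path $ReportServerDir -ChildPath $File
    $Original = Join-Path -Path $ReportServerDir -ChildPath "$File.0"

    # Keep the SCOM-modified file too, in case the reinstall has to be compared against it.
    Copy-Item -Path $Live -Destination "$Live.scom-$Stamp" -Force
    Copy-Item -Path $Original -Destination $Live -Force
    "Restored $File from $File.0 (previous version saved as $File.scom-$Stamp)"
}

Start-Service -Name $ServiceName
Get-Service -Name $ServiceName | Select-Object -Property Name, Status
```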

Method 2

Run the ResetSRS.exe tool from the Support Tools folder on the SCOM installation media. It resets the SSRS configuration to its defaults. After running it, restart the SSRS service. The tool is run from a command prompt like this: c:\resetSRS.exe <SQLINSTANCENAME>

image

image

I constantly forget things. I hope this helps somebody not to scratch their head for a day trying different things.

System Center Operations Manager 2016 Step by Step– Part 17 – Cannot create a connection to data source “DB_Audit”

Let's assume that you installed Audit Collection Services (ACS) and gave some users the Report Operator role. When they run reports from the Audit Reports folder they get this error:

An error has occurred during report processing. (rsProcessingAborted).
Cannot create a connection to data source ‘DB_Audit’. (rsErrorOpeningConnection)

image

What is the problem? When you run the other (non-ACS) reports from the SCOM console, they run in the context of the Operations Manager Data Reader account you created. ACS is not part of the SCOM Reporting role, so it does not share that security context: the DB_Audit data source is opened with the report user's own Windows identity, and that account has no rights to read the ACS database. The best explanation (old but good) I have read is written on this blog.

To solve this we need to give the account access to the OperationsManagerAC database. Log in to your SQL instance and grant it db_datareader. Best practice is to create a group, for example "ACReports users", grant the group db_datareader, and manage access through its membership. The group takes care of the database side; the SSRS side is still governed by the SCOM Report Operator role, as the documentation quoted below states, so a user needs both. Keep in mind what you are granting: the ACS database holds the collected Security event logs of every forwarder, so db_datareader on it is read access to all of those events, not just to the reports.

image
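The grant done the least-privilege way described above, as an added example that is not from the original post: one Windows login for the group, a database user mapped to it, membership in db_datareader only, and a query at the end to confirm the result. Every step is guarded so the script can be rerun. It assumes the SqlServer PowerShell module; the instance name SQL01 and the group TEST\ACReports Users are placeholders.

```powershell
# Added example (not from the original post): give a domain group db_datareader
# on the ACS database (OperationsManagerAC) and nothing else, then verify.
# Assumes the SqlServer module; instance and group names are placeholders.
Import-Module SqlServer

$Instance = 'SQL01'
$Group    = 'TEST\ACReports Users'
$Database = 'OperationsManagerAC'

$Tsql = @"
USE [master];
-- Server-level: a Windows login for the group, no server roles.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Group')
    CREATE LOGIN [$Group] FROM WINDOWS;

USE [$Database];
-- Database-level: a user mapped to that login, member of db_datareader only.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Group')
    CREATE USER [$Group] FOR LOGIN [$Group];
IF IS_ROLEMEMBER(N'db_datareader', N'$Group') <> 1
    ALTER ROLE [db_datareader] ADD MEMBER [$Group];

-- Verify: the group should show up exactly once, as a member of db_datareader.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$Group';
"@

Invoke-Sqlcmd -ServerInstance $Instance -Query $Tsql
```

Add and remove report users by changing the group's membership in Active Directory; nothing in SQL Server needs to change afterwards, and the verification query is a quick way to prove in an audit that the group holds db_datareader and no other database role.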

This is also spelled out in the SCOM 2016 documentation:

The installation procedures for ACS Reporting do not differ, but the application of access control is different. By deploying ACS Reporting on the same SQL Server Reporting Services instance as your Operations Manager Reporting, the same role-based security applies to all reports. This means that ACS Reporting users need to be assigned to the Operations Manager Report Operator Role to access the ACS reports.

In addition to membership in the Operations Manager Reporting Role, ACS report users must also be assigned db_datareader role on the ACS database (OperationsManagerAC) to run ACS reports. This requirement is independent of the presence of Operations Manager Reporting

I hope this helped you get your reports working, because they are a very important part of SCOM.

System Center Operations Manager 2016 Step by Step– Part 16 – Installing Reporting role on remote SQL installation? Missing SQL instance!?

The other day I was setting up a test SCOM 1801 environment, and when I got to the Reporting role installation I was stuck at this page: the SQL Server instance list for Reporting Services was empty. I scratched my head a little, but finally came to a solution that is very obvious yet somehow hidden and not well enough explained. That is why some people don't like SCOM: they cannot get answers when they need them. If you have a blog post or Microsoft article that explains this, please leave a comment (I would like to have a reference). The closest one is an article from Cameron Fuller, and even he hit the same problem there.

 

image

 

So let me explain. When people start with SCOM or build test environments, they take one big server and put everything on it: the SCOM installation, the SQL database, SSRS and everything else SCOM needs. It works fine if you have enough resources. In production you usually take one server for the SCOM roles and another for the SQL workloads. You start the installation, reach this screen, and there is no SQL Server instance available, even though you know everything is set up correctly on the SQL Server; you can even reach http://server/reports and http://server/reportserver remotely. So what is the catch?

YOU INSTALL THE SCOM REPORTING ROLE ON THE SERVER WHERE THE SSRS SERVICE IS INSTALLED!

There is no other way. You can try, but it doesn't work and you will always hit the same problem. You can use a remote SQL Server for the Reporting databases, for example, but the SSRS service and the SCOM Reporting role installation must be on the same computer. There is also a catch for using reporting in the web console, which you can read about in another of my posts: https://igorpuhalo.wordpress.com/2017/03/16/system-center-operations-manager-2016-step-by-step-part-6/

In any case, to repeat:

YOU INSTALL THE SCOM REPORTING ROLE ON THE SERVER WHERE THE SSRS SERVICE IS INSTALLED!

As an addition, here is a link to the short reporting book from the Savision team, “SCOM Reporting Guide – Tips and best practices”.

HP ILO2 2.31 released?! :-)

Hi

Yesterday I needed to do an update and was trying to get iLO running on one server (a DL360 G5). I checked the latest firmware version I had in my repository and saw it had not been updated. OK, I said, let's check whether there is something newer on the HP (sorry, HPE) site. I was surprised: at the end of 2017 they released new firmware for iLO 2, which is deprecated. It addresses some Java and SSL issues that probably everybody has these days. So update your repository and download the latest firmware for your old hardware:

https://support.hpe.com/hpsc/swd/public/detail?swItemId=MTX_7b812185e8e84018a53456c209#tab-history

System Center Operations Manager Ignite Announcements

 

Ignite is behind us, and lots of new things are happening in and around Microsoft. Things change, and SCOM with them. If you are a SCOM user and follow the SCOM team blog, you will have seen that they announced a survey regarding the changes they are implementing in the System Center products. One of them is a new release cadence that resembles Windows: System Center updates will be aligned with Windows updates. On November 8th Microsoft will release the preview version of System Center 1801. If the version number puzzles you: the first two digits are the year of release and the last two are the month. System Center will be released semi-annually, with each release addressing issues and adding new features, and you will be able to upgrade if you have eligible Software Assurance for the product.

systemcentercadence

When we talk about what is coming for SCOM 2016, here it is:

  • System Center 1801 preview in early November; release in Q1 2018
  • Service Map integration is now in public preview but will probably be released with the new version; you can download the MP here
  • Windows Server 2016 SDDC monitoring

Improved Unix/Linux support

    • “setup improvements”, hopefully a better way to deploy agents “manually”
    • Kerberos support
    • Log file monitoring with FluentD. Essentially this lets us create monitors and rules based on log files, as we already can on Windows (this is huge)

image

SCOM 2016 HTML5 console

  • Improved diagnostics and drill-down; this is huge for those who haven't invested in third-party software
  • Custom widget support: display other charts on your dashboard

image

  • MP updates and recommendations (introduced in 2016) now support third-party MPs; 56 partners with certified MPs are available
  • Visual Studio Authoring Extension for VS 2017

If you want more details about all of this, watch the Ignite session “System Center for the modern datacenter: First look at advancements coming this year”.

System Center Operations Manager 2016 Step by Step– Part 15 – Installing inbox MP hotfix for WMI health monitor issue and more

After almost two months I remembered that I have a blog to write. A lot happened in between, but a couple of days ago Microsoft released a fix for the WMI health monitoring issue. I will not go into much detail about what happened, but the symptoms look like the picture below and the alert you see is “WMI is unhealthy”. The alert can be genuine in some cases! But if you have installed this fix and the alert is still there, something really is wrong. There was already a discussion about this on the TechNet forum, and a colleague from SquaredUp wrote a management pack you could download that suppressed the issue until Microsoft released a fix. If you don't know SquaredUp, they have a nice community page where you can find a post about it and a lot of other SCOM-related things.

image

Microsoft released the fixed MPs and announced it on the SCOM team blog here. A new feature in SCOM 2016 for Nano servers caused the trouble. The fix is called “Microsoft System Center Operations Manager 2016 inbox MP hotfix for WMI health monitor issue” and you can download it here. It is simply a new version of two management packs. Let's deploy it.

Run the installer you downloaded:

image

 

image

image

image

In Windows Explorer you will see two new MPs:

image

Go to Import Management Packs and navigate to the folder you “installed” the MPs to. Choose them and you should see the following window. The currently installed version of the System Center Core Monitoring MP is 7.2.11878.0 (fixed: 7.2.11907.0) and the version of the System Center Internal Library is 7.0.8437.7 (fixed: 7.0.8437.10).

image

Click Yes on the security risk question, and that is it. You fixed the problem your boss was nagging you about. Easy :-)

image
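A quick way to confirm the hotfix landed on every management group you look after, as an added example that is not from the original post: it compares the installed versions of the two management packs with the fixed versions given above. It assumes the OperationsManager module (an Operations Manager Shell session) and that the display names in the text correspond to the system names Microsoft.SystemCenter.2007 (System Center Core Monitoring) and Microsoft.SystemCenter.Internal (System Center Internal Library); verify that mapping in your own console if your inbox MPs differ.

```powershell
# Added example (not from the original post): compare installed inbox MP
# versions with the fixed versions from the hotfix. Assumes the
# OperationsManager module; the system names below are assumed to match the
# display names "System Center Core Monitoring" and "System Center Internal Library".
Import-Module OperationsManager

$Fixed = [ordered]@{
    'Microsoft.SystemCenter.2007'     = [version]'7.2.11907.0'   # System Center Core Monitoring
    'Microsoft.SystemCenter.Internal' = [version]'7.0.8437.10'   # System Center Internal Library
}

foreach ($Name in $Fixed.Keys) {
    $Mp = Get-SCOMManagementPack -Name $Name
    if (-not $Mp) { Write-Warning "Management pack $Name not found in this management group"; continue }

    # [version] compares component-wise, so 7.2.11907.0 -ge 7.2.11878.0 as expected.
    [pscustomobject]@{
        ManagementPack = $Mp.DisplayName
        SystemName     = $Name
        Installed      = $Mp.Version
        Fixed          = $Fixed[$Name]
        Status         = if ($Mp.Version -ge $Fixed[$Name]) { 'OK' } else { 'needs hotfix' }
    }
}
```

Anything reporting “needs hotfix” still carries the pre-fix monitor, so a “WMI is unhealthy” alert from those management groups cannot yet be trusted.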