System Center Operations Manager 2016 Step by Step–Part 7

After SCOM installation there will always be some hiccups to solve. Lets start with two. First one is long time friend of SCOM and second one is related to SCOM 2016 installation. If you open SCOM console most likely you will see this error:

Data Access Service SPN Not Registered

The System Center Data Access service failed to register an SPN. A domain admin needs to add MSOMSdkSvc/scom2016 and MSOMSdkSvc/scom2016.contoso.com to the servicePrincipalName of CN=SCOM2016,OU=servers,DC=contoso,DC=com

 

image

From times of SCOM 2012 management servers can run on multiple computers for redundancy and workload offload. Before there was only one management server  and usual place were SPN  (Service Principal Name) was added was its computer account. Today we use domain user account for running this service on multiple servers and SPN should be placed there. So lets list SPN for account we use. We use setspn command.

C:\Windows\system32>setspn -l contoso\scomcdas
Registered ServicePrincipalNames for CN=scomcdas,DC=contoso,DC=com:

We see there is no SPN registered for this account because this account does not have rights to do that

If you run this on computer account we get next result

C:\Windows\system32>setspn –l contoso\scom2016
Registered ServicePrincipalNames for CN=SCOM2016,OU=servers,DC=contoso,DC=com:

MSOMHSvc/SCOM2016
MSOMHSvc/scom2016.contoso.com
WSMAN/scom2016
WSMAN/scom2016.contoso.com
TERMSRV/SCOM2016
TERMSRV/scom2016.contoso.com
RestrictedKrbHost/SCOM2016
HOST/SCOM2016
RestrictedKrbHost/scom2016.contoso.com
HOST/scom2016.contoso.com

So lets add SPN for our account. You do this with commands

setspn -A  MSOMSdkSvc/SERVERNAME DOMAIN\USERNAME
setspn -A  MSOMSdkSvc/SERVERNAME.fqdn.name DOMAIN\USERNAME

C:\Windows\system32>setspn -s MSOMSdkSvc/scom2016.contoso.com contoso\scomcdas

Checking domain DC=contoso,DC=com

Registering ServicePrincipalNames for CN=scomcdas,DC=contoso,DC=com
        MSOMSdkSvc/scom2016.contoso.com
Updated object

Repeat the same with NETBIOS name  setspn -s MSOMSdkSvc/scom2016 contoso\scomcdas

If you list you SPN on domain account it should look like this:

C:\Windows\system32>setspn -l contoso\scomcdas
Registered ServicePrincipalNames for CN=scomcdas,DC=contoso,DC=com:

MSOMSdkSvc/scom2016
MSOMSdkSvc/scom2016.contoso.com

SDK will be healthy now

image

The EXECUTE permission was denied on the object ‘sp_help_jobactivity’, database ‘msdb’, schema ‘dbo’.

New features, new problems. This is second error you will receive on SCOM 2016 installation only. If you did all by the book and you click Maintenance Schedule you will get this error.

image

You will see it also in Operations Manager event log even if you didn’t try to use Meintenence schedule.

image

What to do? This is purely missing permissions of SCOM sdk account on SQL server. so to solve this one install SQL Management Studio if you didn’t already and give you SCOM SDK account next permissions on msdb database.

image

Error is fixed now and you will not see it in the future.

Advertisements