Setting Up a Single-Server SCOM Server

Update – Added link to deploying report models and my personal Chemistry wiki article on OpsMgr.

System Center Operations Manager; not for the faint of heart! Here’s a ridiculously long post on how to make this work. Enjoy :).

System Center Operations Manager 2007 R2 Deployment Guide

This guide assumes the following:

  • Windows Server 2008 R2 x64
  • System Center Operations Manager 2007R2
  • SQL Server 2008 Standard Edition R1 x64
  • Active Directory Domain Infrastructure with Enterprise Certificates Services
  • You are installing the single-server operations manager deployment scenario, with ACS.

Pre-Installation Checklist

  • In VMWare vCenter, make sure that the operating system version of your VM is listed as Windows Server 2008 R2. If it only says windows server 2008 (without the R2), you will have problems with the console locking up.
  • Turn off user account control.
  • Rename your Ethernet NIC’s according to your organization’s policies. (e.g. “eth0, LAN Network”).
  • Disable IPv6 on your NIC’s if you don’t actively use it.
  • Ensure that your VM has a correct DNS lookup. If not, then don’t even bother continuing. Operations Manager relies _heavily_ on DNS being perfect. It has no concept of NetBIOS names (for your clients too!).
  • Run all Microsoft Updates, including ones for ‘more products’, multiple times until all updates are installed (Silverlight is not specifically needed).
  • Set up 4 hard disks\volumes. The volumes should be labeled and mounted as follows:
  • Enable RDP
  • Activate windows

Provision Domain Users and Groups

First create several domain users with the following usernames \ permissions:

  • MSAA Account
    • Username: opsmgr_msaa
    • Permissions: local admin on opsmgr server and all managed servers and workstations.
  • SDK Account
    • Username: opsmgr_sdk
    • Permissions: local admin on opsmgr server.
  • DRA Account
    • Username: opsmgr_dra
    • Permissions: local admin on opsmgr server.
  • DWA Account
    • Username: opsmgr_dwa
    • Permissions: local admin on opsmgr server.

Then, create the following AD security groups:

  • ACL_opsmgr_Admins
  • ACL_opsmgr_Auditors
  • Security Log Auditors
    • Memberof: ACL_opsmgr_Auditors
  • Operations Manager Admins
    • Memberof: ACL_opsmgr_Admins
  • SQL Server Administrators (if you don’t already have one).

Make sure that you are a member of these groups!


Configuring the Windows Server Features and Roles

  1. Install the .NET 3.5 Framework server feature. Do not install WCF Activation.
  2. Install the IIS Role (Application Server) with the following options:
    1. Common HTTP Features
      1. Static Content
      2. Default Document
      3. Directory Browsing
      4. HTTP Errors
      5. HTTP Redirection
    2. Application Development
      1. ASP.Net
      2. .NET Extensibility
      3. ISAPI Extensions
      4. ISAPI Filters
    3. Health and Diagnostics
      1. HTTP Logging
      2. Request Monitor
      3. Tracing
    4. Security
      1. Windows Authentication
      2. Client Certificate Mapping Authentication
      3. IIS Client Certificate Mapping Authentication
      4. Request Filtering
    5. Performance
      1. Static Content Compression
      2. Dynamic Content Compression
    6. Management Tools
      1. IIS Management Console
      2. IIS Management Scripts and Tools
      3. IIS 6 Management Compatibility (All Sub-Features)
  3. Install AJAX Support for IIS
    1. Download Link. Don’t be afraid that it’s 1.0: ASP.NET AJAX 1.0
  4. Configure a Certificate
    1. Start -> Administrative Tools -> IIS Manager
    2. Select the IIS server in the explorer pane, then double click the ‘Server Certificates’ icon.
    3. Click ‘create domain certificate’
    4. Type the FQDN into the ‘common name’ box. If you spell this wrong, reporting services won’t work.
    5. Fill out the rest of the information, and complete the request.

Install SQL Server 2008

Follow the steps on my previous blog post “Optimizing SQL Server 2008 Standard Installation“, with the following tweaks:

  1. Install the following features:
    1. Database Engine Services
    2. Reporting Services
    3. Client Tools Connectivity
    4. Integration Services
    5. Client Tools Backwards Compatibility
    6. Management Tools – Complete
    7. SQL Client Connectivity SDK
  2. Use LOCAL SYSTEM for all of the accounts. Then, change SQL Server Browser’s ‘Startup Type’ to Automatic.
  3. When configuring reporting services leave the default: “Install the native mode default configuration”.
  4. Update SQL Server 2008 to the latest version; check the SQL Server Version Database. As of this update, it’s SP2 CU1.
  5. Enable TCP/IP for localhost through SQL Server Configuration Manager.

Configuring SQL Server Reporting Services

  1. Fix the config files for reporting services for FireFox.
    1. Follow the directions at this link: Fixing Sql Reporting Services for FireFox
  2. Configure SSL for Reporting Services

Install Operations Manager Operations Manager 2007 R2

WARNING! Make sure that your OpsMgr domain accounts are set up, and that they are local admins on your operations manager server. If they aren’t, installation will proceed and appear to complete successfully, but many background configuration steps won’t be completed, such as SPN creation.

WARNING! Do not install the “Operations Manager 2007 R2 Agent” on the RMS or you will break it!

  1. Mount the ISO, and run SetupOM.exe. Click Install Operations Manager 2007 R2.
  2. Install all of the features.
  3. On the screen “Management Group Configuration”, enter a name for your root management group, and use the group DOMAIN\ACL_opsmgr_Admins as the administrators group. If browsing for a group make sure ‘From this location:’ says, “Entire Directory”.
  4. Under “SQL Server Database Instance”, connect to the localhost (this should already be filled in).
  5. Under “Database and Log File Options”, place the “Data File Location” under D:\SQLData, and the “Log File Location” under E:\SQLLogs. Don’t worry about the database size; it’ll auto-grow.
  6. For the “Management Server Action Account”, use opsmgr_msaa.
  7. For the “SDK and Config Service Account”, use opsmgr_sdk.
  8. On the screen “Web Console Authentication Configuration”, choose “Use Windows Authentication”.
  9. Backup the encryption key to another system when asked.

Now, go to Start -> Run and type, “services.msc”, hit OK. Configure the following services to start ‘Automatic (Delayed Start)’. Otherwise, Operations Manager will generate errors and alerts because these services start faster then SQL Server, and attempt to access databases before SQL Server is ready.

  • System Center Data Access
  • System Center Management
  • System Center Management Configuration

Install Operations Manager R2 Reporting

  1. First, create two folders: F:\ACSDB and G:\ACSLogs.
  2. Click “Install Operations Manager 2007 R2 Reporting”
  3. Install all of the features.
  4. On the screen, “Select to the Root Management Server”, if you don’t specify the entire FQDN the server will fail once you actually try to use reporting. Setup will continue without a warning.
  5. Under “SQL Server Database Instance”, connect to the localhost (this should already be filled in).
  6. Under “Database and Log File Options”, place the “Data File Location” under D:\SQLData, and the “Log File Location” under E:\SQLLogs. Don’t worry about the database size; it’ll auto-grow.
  7. For the “Data Warehouse Write Account” use opsmgr_dwa.
  8. For the “Data Reader Account” use opsmgr_dra.
  9. Upload your report models per this link: Deploying the report models

Install ACS (Audit Collection Server)

  1. Click “Install Audit Collection Server”.
  2. Create a new database, but leave the default database name.
  3. Choose “database server running locally”.
  4. Change the folders to F:\ACSDB and G:\ACSLogs. WARNING! If those folders don’t exist, setup will continue without warning and appear to complete successfully, but will not actually install ACS or create the database.
  5. Keep the default “Windows Authentication”.

Updating System Center Operations Manager 2007 R2 to CU2

Follow the excellent guide at the following link.

  1. OpsMgr 2007 R2 CU2 rollup hotfix ships – and my experience installing it
  2. Read EVERY DETAIL, this is a non-trivial update which requires many manual steps!

Configuring Audit Collection Services

Brief Overview:

  • Uploading Audit Reports
  • Configuring Windows Firewall
  • Configuring Auditing Permissions
  • Enabling an ACS noise filter
  • Enabling forwarders
  • Verifying with AdtAdmin

Uploading Audit Reports

Use the excellent guide here: ACS Reports for Windows 2008 and Windows 2008 R2

Configuring Windows Firewall

Open port 51909 TCP for all profiles, call it “ACS Forwarding”.

Configuring Auditing Permissions

  1. Add “ACL_opsmgr_Auditors” group to “Operations Manager Report Operators” in the console’s administration tab.
  2. Give the group “ACL_opsmgr_Auditors” group the DB_Datareader permission for the OperationsManagerAC database in SQL Management Studio.

Enabling an ACS noise filter

Adtadmin is located at %systemroot%\system32\security\adtserver . Here’s a default filter that works pretty well. It excludes service start-ups and various other common events.

adtadmin /setquery /collector:"collectorFQDN" /query:"SELECT * FROM AdtsEvent WHERE NOT (((EventId=528 AND String01='5') OR (EventId=576 AND (String01='SeChangeNotifyPrivilege' OR HeaderDomain='NT Authority')) OR (EventId=538 OR EventId=566 OR EventId=672 OR EventId=680)))"

Enable Forwarding on Clients

Troubleshooting ACS Installs

ACS References

Configure AD Integration

  1. Open a command prompt.
  2. Run the following commands:
    1. cd “C:\Program Files\System Center Operations Manager 2007”
    2. MomADAdmin.exe“Root Management Group” domain\ACL_opsmgr_Admins opsmgrServerFQDN AD_Domain
  3. In the Console, do Administration -> Settings -> Security -> Review Manually Installed Agents
  4. Open the operations manager console.
  5. Navigate to administration, click, “Configure LDAP Integration”, then “add”.
  6. Type the FQDN for your domain.
  7. Use an LDAP filter which captures all of the computers that you’d like to automatically attach to this server.
    1. Example – all computers in a specific group
    2. (&(objectCategory=computer)(memberof=CN=COMP_opsmgr-ugrad_Undergrad-Computers,OU=Computer Groups,OU=Security Groups,DC=chemistry,DC=ohio-state,DC=edu))
  8. Navigate to ‘Pending Management’ and accept any computers that you would like to manage. They may take a while to show up.
  9. Only manually installed agents which are configured to ‘USEADSETTINGS=1’ will show up.

Error Reporting (CEIP \ Client Monitoring)

  1. Open the management console, and choose the ‘administration’ view.
  2. Click to select the root of the navigation tree, “Administration”.
  3. On the right pange, click “configure client monitoring”.
  4. Use SSL, Use windows authentication.
  5. Port 51907
  6. Make an empty folder on the D drive for the file share location. e.g. “D:\ErrorData”
  7. Port 51906
  8. Choose an organizational name.
  9. Save the ADM file.
  10. Open a GPO, import the ADM, and enable the settings.
  11. Make sure to target the GPO only to the computers from which you want errors to this particular RMS.

Whew, took a lot to get started! More to come — install verification, screenshots, troubleshooting, configuring alerts, etc. I have 3 working systems, so if you need help drop me a comment or email. For some random\unorganized notes, check out my wiki page on Operations Manager.


3 thoughts on “Setting Up a Single-Server SCOM Server

  1. Dude this is the hardest slowest deployment in the universe. I’ve been searching for 4 months for such an article during which I had 99% unsuccessful attempts.

  2. Pingback: Table of Contents | windowsmasher

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s