Tuesday, April 3, 2018

SCOM SDK service crashes with exception: The service certificate is not provided. Specify a service certificate in ServiceCredentials. at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider()

We see the following events in the Operations Manager log on the problematic SCOM management server.



Log Name:      Operations Manager
Source:        OpsMgr SDK Service
Event ID:      26380
Description:
The System Center Data Access service failed due to an unhandled exception.
The service will attempt to restart.
Exception:

System.InvalidOperationException: The service certificate is not provided. Specify a service certificate in ServiceCredentials.
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider()
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
   at System.ServiceModel.Channels.SslStreamSecurityUpgradeProvider.CreateServerProvider(SslStreamSecurityBindingElement bindingElement, BindingContext context)
   at System.ServiceModel.Channels.SslStreamSecurityBindingElement.BuildServerStreamUpgradeProvider(BindingContext context)
   at System.ServiceModel.Channels.ConnectionOrientedTransportChannelListener..ctor(ConnectionOrientedTransportBindingElement bindingElement, BindingContext context)
   at System.ServiceModel.Channels.TcpChannelListener..ctor(TcpTransportBindingElement bindingElement, BindingContext context)
   at System.ServiceModel.Channels.TcpTransportBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.SessionChannelDemuxer`2..ctor(BindingContext context, TimeSpan peekTimeout, Int32 maxPendingSessions)
   at System.ServiceModel.Channels.ChannelDemuxer.CreateTypedDemuxer(Type channelType, BindingContext context)
   at System.ServiceModel.Channels.ChannelDemuxer.GetTypedDemuxer(Type channelType, BindingContext context)
   at System.ServiceModel.Channels.ChannelDemuxer.BuildChannelListener[TChannel](BindingContext context, ChannelDemuxerFilter filter)
   at System.ServiceModel.Channels.ChannelBuilder.BuildChannelListener[TChannel]()
   at System.ServiceModel.Channels.SecurityChannelListener`1.InitializeListener(ChannelBuilder channelBuilder)
   at System.ServiceModel.Channels.TransportSecurityBindingElement.BuildChannelListenerCore[TChannel](BindingContext context)
   at System.ServiceModel.Channels.SecurityBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.TransactionFlowBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.Binding.BuildChannelListener[TChannel](Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, BindingParameterCollection parameters)
   at System.ServiceModel.Description.DispatcherBuilder.MaybeCreateListener(Boolean actuallyCreate, Type[] supportedChannels, Binding binding, BindingParameterCollection parameters, Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, ServiceThrottle throttle, IChannelListener& result, Boolean supportContextSession)
   at System.ServiceModel.Description.DispatcherBuilder.BuildChannelListener(StuffPerListenUriInfo stuff, ServiceHostBase serviceHost, Uri listenUri, ListenUriMode listenUriMode, Boolean supportContextSession, IChannelListener& result)
   at System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription description, ServiceHostBase serviceHost)
   at System.ServiceModel.ServiceHostBase.InitializeRuntime()
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at Microsoft.EnterpriseManagement.Common.BackCompat.BackcompatChannel.InitializeRunner()
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean ignoreSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.ThreadHelper.ThreadStart()




Resolution :
===========
The SDK service starts, remains in the started state for some time, then stops automatically and logs the following errors in the Operations Manager event log.


Log Name:      Operations Manager
Source:        OpsMgr SDK Service
Task Category: None
Level:         Information
Description:
The System Center Data Access service failed to create a self-signed certificate. Clients will not be able to connect over NTLM/SSL.
So, please assist to fix this issue as soon as possible.




Resolution :
===========
  
      
  • Copy the Microsoft.MOM.Sdk.ServiceHost.exe.config file from another management server where the SDK service is working fine and replace it on the problematic management server.
  • Start the SDK service.
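
One way to carry out the replacement so that it can be reviewed and rolled back, as an added example that is not part of the original post: the script checks that the incoming file is well-formed XML, shows what differs, and keeps a timestamped backup before swapping the file. Both paths are supplied by the operator, and the service name OMSDK is an assumption to confirm with Get-Service.

```powershell
# Added example, not from the original post.
# Assumptions: the operator supplies both paths; 'OMSDK' is assumed to be the
# service name of the SDK / Data Access service (confirm with Get-Service).
param(
    [Parameter(Mandatory = $true)][string]$GoodConfig,    # copy taken from the working management server
    [Parameter(Mandatory = $true)][string]$TargetConfig,  # Microsoft.MOM.Sdk.ServiceHost.exe.config on the problematic server
    [string]$ServiceName = 'OMSDK',
    [switch]$Apply                                         # without this switch the script only reports
)

$ErrorActionPreference = 'Stop'

# Refuse to deploy a file that is not well-formed XML.
$null = [xml](Get-Content -LiteralPath $GoodConfig -Raw)

# Identical files mean the config is not what distinguishes the two servers.
$good   = Get-FileHash -LiteralPath $GoodConfig   -Algorithm SHA256
$target = Get-FileHash -LiteralPath $TargetConfig -Algorithm SHA256
if ($good.Hash -eq $target.Hash) {
    Write-Output 'Files are identical; replacing the config would change nothing.'
    return
}

# Show exactly which lines differ so the change is reviewed, not blind.
Compare-Object (Get-Content -LiteralPath $TargetConfig) (Get-Content -LiteralPath $GoodConfig) |
    ForEach-Object {
        $side = if ($_.SideIndicator -eq '<=') { 'problematic' } else { 'working    ' }
        '{0}: {1}' -f $side, $_.InputObject.Trim()
    }

if (-not $Apply) {
    Write-Output 'Dry run only. Re-run with -Apply to replace the file.'
    return
}

# Keep the original so the change can be rolled back and examined later.
$backup = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f $TargetConfig, (Get-Date)
Stop-Service -Name $ServiceName -ErrorAction SilentlyContinue
Copy-Item -LiteralPath $TargetConfig -Destination $backup
Copy-Item -LiteralPath $GoodConfig   -Destination $TargetConfig -Force
Start-Service -Name $ServiceName

Get-Service -Name $ServiceName | Select-Object Name, Status
Write-Output "Original saved as $backup"
```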


Thursday, April 17, 2014

Close the active alerts with Resolution State PS script

This is for SCOM 2007.
get-alert -criteria 'ResolutionState=''0'' AND IsMonitorAlert=''False''' |where {$_.LastModified -le (Get-Date).addhours(-24)} | resolve-alert -comment "Close old alerts generated by rules" | out-null
This looks for alerts in the New resolution state that came from a rule and were last modified more than 24 hours ago, and closes each of them with a short comment.

Wednesday, November 20, 2013

Reference Management Pack not found - Microsoft.SystemCenter.Library MP

Just the other day I was working on an MP after updating the environment to CU4 and all of a sudden I got the error that a reference management pack wasn’t found.
Ok no big issue. Locate the management pack and reference it…
no go… Still the same error…
So why? My version should be correct no? Wrong…
Apparently the Microsoft.SystemCenter.Library management pack is included in the CU4 but is installed while running the SQL update script (that’s why it’s so important to run them!). It bypasses the verification code.
CAUTION: Just download the management pack but do not import it into your environment. It’s already in there and functioning correctly. In rare cases reimporting the management pack again in your environment can cause a corrupt database.
In fact Microsoft has released KB2590414 to address this issue.
In the middle of the KB you can download the management pack, which is delivered in an MSI file.
Read the license agreement carefully (yes you should!) and accept it.
Select the folder (I kept it default) and click next.
Confirm.
Installation complete.
When you click close, the folder where the MP was copied will open.
Open your console again and browse to the newly installed management pack.

Thursday, November 14, 2013

SCCM Case Study - Mphasis - Microsoft

Mphasis

Services Company Improves IT management with Systems Management Solution

MphasiS is a leading applications services, remote infrastructure services and business process outsourcing services provider. Known for its commitment to technology and innovation, the company wanted to enhance the management of its computing environment and deliver greater IT service levels. To achieve these goals, MphasiS deployed Microsoft® System Center Configuration Manager 2007 to manage all systems through a single console. The solution is helping the company increase application service levels and enhance IT security. In addition, the IT team has achieved a 99 percent success rate with rolling-out of security updates. The new end-to-end management environment also helps automate software distribution, enhance asset management, and deliver a more secure and consistent user experience.
Situation
MphasiS consistently delivers global Infrastructure Technology Outsourcing, Applications Services Outsourcing and Business Process Outsourcing services through a combination of technology know-how, and domain and process expertise. MphasiS Limited (then, MphasiS BFL Limited) was formed in June 2000 after the merger of the US-based IT consulting company MphasiS Corporation (founded in 1998) and the Indian IT services company BFL Software Limited (founded in 1993).

MphasiS supports global companies around the world in the improvement of their business processes. The company services clients in Financial Services & Insurance, Manufacturing, Healthcare, Communications, Media & Entertainment, Government, Transportation & Logistics, Energy & Utilities, and Consumer & Retail industries worldwide. It brings to its clients a credible and experienced global leadership team driving service delivery through the next generation global delivery model. 

Besides an onsite presence at key locations globally, the company headquartered in India has an extensive offshore infrastructure for Applications, ITO and BPO services. It has a global footprint with delivery centers all over the world, and a staff of over 38,000 professionals.

The computing infrastructure at MphasiS was a mix of desktop, portable computers and servers running the Windows XP, Windows 2003, and Windows Server 2008 operating systems. This was spread both within the corporate network as well as on the Internet. Additionally, over the years, this infrastructure had grown in size and complexity. The company currently operated close to 500 servers including both physical as well as virtual. 

With so much hardware spread across so many sites, it was impossible for MphasiS to build an accurate inventory of what it used. Earlier, MphasiS was using Systems Management Server (SMS) 2003 for managing the inventory. Additionally, administrators were also concerned about security and performance. Windows Server Update Services (WSUS) were being used to apply routine Microsoft security updates. With standalone WSUS at each location, deployment was done separately at each of these locations.

Managing this environment was becoming a time and resource-intensive task. Other key challenges included lack of ability to reconcile deployed hardware with purchased hardware. The frustratingly slow desktop and laptop refreshes added to these. Therefore, it was important to the company that it could efficiently identify a desktop and laptop; deploy a new operating system and software updates without interrupting the workforce.

The company sought a comprehensive, integrated solution that it could use to manage and monitor its entire IT environment from a single, unified console. “We needed a simpler way to manage our IT infrastructure,” says Sandeep Prabhakar Joshi, Infrastructure Services Manager, MphasiS. “Standardizing on a single end-to-end management tool would help us to better manage our desktops and allow users to work in a more secure environment.”

Solution
To continue its efforts to maximize systems management efficiency, MphasiS decided that upgrading to Microsoft System Center Configuration Manager (SCCM) 2007 was the solution that would best meet its requirements. Shivakumar M, Infrastructure Services Engineer, MphasiS says, “Microsoft products offered us the best functionality and were easy to use and learn. The support provided by Microsoft was also one of the reasons to go with this solution.”

System Center Configuration Manager 2007 is the solution to comprehensively assess, deploy, and update servers, clients, and devices - across physical, virtual, distributed, and mobile environments. Optimized for Windows and extensible beyond, it is the best choice for gaining enhanced insight into, and control over, IT systems.

There were several factors that supported MphasiS’s decision to use System Center Configuration Manager. Among them were centralized software update management, automated operating system deployment, hardware and software inventory management, and software updates for internet users. “Infrastructure stability in any environment results in more productivity and less downtime,” says Anil KP, Lead Infrastructure Services, MphasiS. “System Center Configuration Manager has helped us to achieve the same. It provides us automated ways to manage updates and distribute deployments to desktop systems and servers remotely.” 

The implementation was carried out in two phases. In the first phase, MphasiS migrated from Systems Management Server to System Center Configuration Manager RTM and also removed the standalone WSUS (it was integrated with System Center Configuration Manager). This migration project started in October 2008. It took the company 4 months to implement the software update operations in System Center Configuration Manager. The project was completed in January 2009. It was implemented across 14 locations including the central site at Bagmane Tech Park, Bangalore.

In the second phase, MphasiS upgraded all the sites from System Center Configuration Manager RTM to SP1. Some of the initial issues faced in phase one were fixed in this phase. This phase started in February 2009 and was completed by March 2009. Centralized software update management was implemented during this phase.

MphasiS is also using System Center Configuration Manager to gain insight into its hardware and software assets. Having insight into its software holdings helps the company to remove unauthorized software that might put the company network at risk or consume valuable storage and network bandwidth. 

With System Center Configuration Manager, the IT team at MphasiS has been able to improve overall network performance, automate the rollout of custom deployments while being able to better monitor the status of its entire infrastructure. 

Benefits
Today, MphasiS is using Microsoft System Center Configuration Manager 2007 to help manage its IT environment. The solution has helped the company maximize network uptime and responsiveness, while providing access to secure and up-to-date applications.

Provides Better Compliance
System Center Configuration Manager 2007 simplifies the tasks of securing and managing the server environment, which helps ensure availability throughout the server infrastructure. The ability to view complete software inventories on each machine enables MphasiS to see if important security updates are missing from certain computers and remotely apply them. “With the solution, we have much better control over our desktop and server environment with far less work,” remarks Shashank More, Leader - Client MphasiS Operations, MphasiS Limited. “It helps us to detect and eliminate security risks thus, overall making MphasiS more successful.”

Simplifies IT Management
With System Center Configuration Manager in place, MphasiS has centralized control and a more predictable IT environment. The deployment of software and application updates has been automated. “By making every update centrally available, we not only have more control of the IT environment but have also increased security and stability,” says Sandeep Prabhakar Joshi. “Now, we are seeing a 99 percent success rate with security updates.”

Enables Fast Operating System Deployment
Deploying operating systems enterprise wide was a complex and expensive process for MphasiS. However, with System Center Configuration Manager, IT administrators now have a centralized, scalable, and customizable way to deploy operating systems across their organization quickly and cost-effectively.

Earlier MphasiS was using RIS for operating system deployments, but each system deployment would take approximately 1.5 to 2 hours to bring them to the network for production. Now with System Center Configuration Manager, the process is completely automated. It has given more administrative control in terms of adding or removing software packages to the task sequence. Complete zero touch operating system deployment has reduced turnaround time significantly. Each system deployment now takes only 45 minutes to 1 hour.

Secures Systems
Internet based client management has helped in securing all the systems over Internet. It also helps secure all users who are working over the Internet and also track their software and hardware inventories.

Prior to System Center Configuration Manager, MphasiS was using standalone WSUS for rolling out software updates at 13 locations. Patch roll out was done by engineers at each location individually, which means 13 engineers were involved in this roll out process for 13 locations. Post System Center Configuration Manager implementation, WSUS has been integrated with System Center Configuration Manager and software update management has been centralized. Patch roll out is now centrally done by a team of only 3 engineers. 

OpsMgr 2007: Subscriptions automatically being set to False state - Event ID 11452 logged

I recently ran across an issue where notification subscriptions were getting disabled every 30 minutes. The strange thing was that only about half of the subscriptions were being disabled and they were the same subscriptions every time. I tried re-enabling them with both PowerShell as well as the GUI and had the same result, the subscriptions kept being disabled. After digging through event logs I found this warning:
Log Name: Operations Manager
Source: Health Service Modules
Event ID: 11452
Task Category: None
Level: Warning
Validate alert subscription data source module encountered an alert subscription data source with configuration that has gone out of scope. Disabling the alert subscription data source module.
Alert subscription name: Subscriptionaca6a276_e5a9_446b_9751_0ea539168e41
One or more workflows were affected by this.
Workflow name: Microsoft.SystemCenter.ValidateAlertSubscription
The problem turned out to be that I recently cleaned up the SCOM Admins user group and one of the users removed from the group had created half of the subscriptions. By putting the user back in the SCOM Admins group and re-enabling the subscriptions the problem was solved but we really didn’t want this user in the SCOM Admins group as he had moved on to a different role.
So why was this happening? When a subscription is created, the SID of the user who created it is associated with that subscription. There is a workflow that checks every half hour for SIDs that are no longer valid. They could be invalid because the account's access had been removed, or possibly because the account has been disabled or deleted.
Resolution
To fix it long term I first exported the “Microsoft.SystemCenter.Notifications.Internal” management pack. This management pack is unsealed and contains all subscriptions.
Inside the management pack I searched for one of the subscriptions that were being disabled and one that wasn’t. I then replaced the SID of the bad subscription with the SID of the good subscription.
After replacing the SIDs I re-imported the management pack and re-enabled all subscriptions and the problem was solved for good.
Here is an example of one of the SIDs I had to replace.
>
10/11/2008 21:38:45>
1S-1-5-21-3273141924-712819414-2074229892-500ENU>
false>
$MPElement$
Hope this helps,
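
To see which accounts own subscriptions before anyone is removed from an admin group, the exported management pack can be inventoried by SID. This is an added example, not part of the original post: the embedded XML is constructed, its element names (including UserSid) are assumptions, and the script relies only on Rule elements carrying an ID attribute and on the SID pattern.

```powershell
# Added example, not from the original post.
# Pass -Path to an exported, unsealed Microsoft.SystemCenter.Notifications.Internal XML;
# without it the constructed sample below is used.
param([string]$Path)

# Constructed sample: element names (e.g. UserSid) and rule IDs are assumptions.
$sample = @'
<ManagementPack>
  <Monitoring>
    <Rules>
      <Rule ID="Subscription_constructed_0001" Enabled="true">
        <DataSources><DataSource ID="DS1"><UserSid>S-1-5-32-544</UserSid></DataSource></DataSources>
      </Rule>
      <Rule ID="Subscription_constructed_0002" Enabled="false">
        <DataSources><DataSource ID="DS1"><UserSid>S-1-5-21-1111111111-2222222222-3333333333-1105</UserSid></DataSource></DataSources>
      </Rule>
      <Rule ID="Subscription_constructed_0003" Enabled="false">
        <DataSources><DataSource ID="DS1"><UserSid>S-1-5-21-1111111111-2222222222-3333333333-1105</UserSid></DataSource></DataSources>
      </Rule>
    </Rules>
  </Monitoring>
</ManagementPack>
'@

$xml = if ($Path) { [xml](Get-Content -LiteralPath $Path -Raw) } else { [xml]$sample }
$sidPattern = '\bS-1-\d+(-\d+)+\b'

function Resolve-Sid([string]$Sid) {
    # Returns DOMAIN\name, or $null when the SID cannot be mapped
    # (deleted account, unreachable domain).
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $null
    }
}

# One row per (subscription rule, SID found anywhere inside that rule).
$rows = foreach ($rule in $xml.SelectNodes("//*[local-name()='Rule']")) {
    foreach ($m in [regex]::Matches($rule.OuterXml, $sidPattern)) {
        [pscustomobject]@{ Subscription = $rule.GetAttribute('ID'); Sid = $m.Value }
    }
}

# Group by SID so each owning account appears once with everything it owns.
$rows | Group-Object Sid | ForEach-Object {
    $account = Resolve-Sid $_.Name
    if (-not $account) { $account = '<unresolved>' }
    [pscustomobject]@{
        Sid           = $_.Name
        Account       = $account
        Count         = $_.Count
        Subscriptions = ($_.Group | ForEach-Object { $_.Subscription }) -join ', '
    }
} | Sort-Object Account | Format-Table -AutoSize
```

An account that resolves but is no longer meant to hold the admin role still needs to be checked against the role membership by hand; the script only shows who owns what.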

Tuesday, November 12, 2013

Seal a Management Pack SCOM 2007

Sealing a Management Pack is easy.  Although, it can be frustrating the first time through.  It's a process that requires a few different pieces to interact, so preparation is key.  Going through some simple steps now will save time in the future.
  • Create a directory somewhere on a workstation where you'll be sealing MP's.  For this example, I created the directory c:\MPS
  • I also created four directories within c:\MPS
    • \Input - this directory will contain the MP to be sealed (the xml file)
    • \Output - this directory will contain the sealed MP (the final mp file)
    • \MP - this directory will contain all referenced MP’s
    • \Key - this directory will contain the pair key file
  • Copy MPSeal.exe from the installation media "SupportTools" directory to the c:\MPS directory.
  • Copy sn.exe to the c:\MPS directory
  • Copy your unsealed MP (xml file) into the \Input directory
  • Copy all the *.mp files from the RMS installation directory into the \MP directory
    • Usually "%ProgramFiles%\System Center Operations Manager 2007\"
  • Also, copy all *.mp files that you'll be referencing to the \MP directory
    • TIP: I'd just keep this directory updated with all available current MP's (e.g. Active Directory, Exchange, etc.)
Finally, the c:\MPS directory will look like this.
The two files highlighted:
Command.txt is just a file I created that contains the commands needed to seal the management pack.  The MPResources.resources file is automatically created while sealing management packs.  This is not anything you’ll need to copy into the directory.
Now, we're ready to seal our Management Pack.
Open a command prompt and navigate to your work directory (c:\MPS).  Run these commands in sequence.  (beware of word wrap with these commands)
  • sn -k c:\mps\key\PairKey.snk
  • sn -p c:\mps\key\PairKey.snk c:\mps\key\PubKey
  • sn -tp c:\mps\key\PubKey
  • mpseal c:\mps\input\unsealed_mp.xml /I "c:\mps\mp" /Keyfile "c:\mps\key\PairKey.snk" /Company "Your Company" /Outdir "c:\mps\output"
You should now have your sealed MP in the Output directory.  And, you'll have a working directory for later use.  Just remember to keep the MP versions in the c:\MPS\MP directory current with your Management Groups.  Otherwise, you'll get version errors while attempting to run the MPSeal tool.
Hint: Once you've created the key the first time around, it's not necessary to create a new key each time you seal a MP.  The current key may be reused.  So, the only step you'll need to actually do after the first run is the last step.  How's that for easy!
A note to developers: I’ve had some questions about where the MPResources.resources file mentioned above is created.  Specifically, if two build flavor threads (x64 and x86, for example) compile at the same time and try to create this file under sources, one build thread will break.
To solve that problem, execute MPSeal from a different location.  Examples below.
This will create the MPResources.resources file in the user's %temp% directory.
This will create the MPResources.resources file in the x86 directory I created.
This will create the MPResources.resources file in the x64 directory I created.
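
The sealing steps and the developer note above can be combined into one repeatable script, shown here as an added example that is not part of the original post. It creates the key pair only on the first run, restricts access to PairKey.snk (which holds the private key), and runs MPSeal from a per-run scratch directory; it assumes the c:\MPS layout from the post and that MPSeal writes MPResources.resources into the current directory.

```powershell
# Added example, not from the original post. Directory layout, file names and
# MPSeal/sn switches are the ones used in the post.
param(
    [string]$Root       = 'C:\MPS',
    [string]$UnsealedMp = 'unsealed_mp.xml',
    [string]$Company    = 'Your Company'
)
$ErrorActionPreference = 'Stop'

$sn     = Join-Path $Root 'sn.exe'
$key    = Join-Path $Root 'Key\PairKey.snk'
$pub    = Join-Path $Root 'Key\PubKey'
$inFile = Join-Path $Root (Join-Path 'Input' $UnsealedMp)
$outDir = Join-Path $Root 'Output'

# Create the key pair only once; later runs reuse it.
if (-not (Test-Path -LiteralPath $key)) {
    & $sn -k $key
    if ($LASTEXITCODE -ne 0) { throw "sn -k failed with exit code $LASTEXITCODE" }
    & $sn -p $key $pub
    & $sn -tp $pub
    # PairKey.snk contains the private key: drop inherited permissions and
    # leave access to the current user only.
    & icacls.exe $key /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(F)" | Out-Null
}

# Run MPSeal from a unique scratch directory so parallel builds (x86/x64)
# do not collide on MPResources.resources.
$scratch = Join-Path $env:TEMP ('mpseal-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $scratch | Out-Null
$started = Get-Date
Push-Location $scratch
try {
    & (Join-Path $Root 'MPSeal.exe') $inFile /I (Join-Path $Root 'MP') `
        /Keyfile $key /Company $Company /Outdir $outDir
} finally {
    Pop-Location
    Remove-Item -LiteralPath $scratch -Recurse -Force
}

# Confirm a sealed pack was actually written during this run.
$sealed = Get-ChildItem -LiteralPath $outDir -Filter *.mp |
    Where-Object { $_.LastWriteTime -ge $started }
if (-not $sealed) {
    throw 'MPSeal produced no .mp file; check that the MP versions in the MP directory are current.'
}
$sealed | Select-Object Name, Length, LastWriteTime
```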