QuickTricks: Creating a dynamic group membership which includes sub-OU’s | Quisitive
Solutions
Integration & Consulting
Help you move, operate, innnovate and thrive within the Microsoft clouds.
Application Development
Data & Analytics
Artificial Intelligence
Business Applications
Security
Digital Workplace
Infrastructure
Product Development
Technology
Explore the full list of technologies that our expert consultants can support.
Azure
Microsoft Teams
Azure Synapse
Microsoft Viva
System Center
Windows
SQL Server
Power Platform
Microsoft Sentinel
Power BI
Azure Virtual Desktop
Power Apps
Microsoft 365
Dynamics 365
Sharepoint
ERP Technologies
Business Needs
Departmental solutions to ensure cloud and technology enablement across every area of your business.
Sales & Marketing
Operations
Human Resources
Payments
Finance & Accounting
Customer Service
Payment Solutions
Use the power of the cloud to bring value back to the archaic payment processing industry.
Payment Products
Processing
Localization Services
Help you translate software so you can capture new business worldwide.
Language Engineering & NLP
Translations & Localization
Licensing
Experts in Microsoft cloud licensing and optimizing costs for your business.
Products
EmPerform
Provide people managers with flexible employee performance management software.
Velocity Insights
Monitor, analyze, and prioritize .NET, JavaScript or Node JS errors – all on one dashboard.
AgeChecker.net
Ensure local and federal compliance with our age verification tool for retail.
PowerGov
Engage citizens with a community development app for city maintenance and management.
PayiQ
Transform everday payment processing data into seamless customer engagement.
AMS
Deliver on your cloud strategy with a team that continuously monitors, improves, and optimizes your Azure environment.
MazikCare
Embrace patient-centered, collaborative care with our suite of real-time health solutions.
Care Path
Care Provider Link
Care Supply
Payer Matrix
Data Fusion
Spyglass
Take a proactive, continuous approach to optimizing your security environment and strategy.
ShopFloor
Empower production managers with cutting-edge manufacturing process management.
Managed Services
Azure Management Services
Deliver on your cloud strategy with a team that continuously monitors, improves, and optimizes your Azure environment.
App Dev Program
Ongoing enhancements, app security, DevOps and reporting for apps running in Azure.
Data Program
Operational support for running, monitoring and managing services within the Azure Data Platform.
Dynamics Program
Ensure the health of your Dynamics environments, optimize usage and encourage user adoption.
Digital Workplace Program
Optimize Microsoft 365 security, usage and user adoption with our digital workplace experts.
Security Program
Take a proactive, continuous approach to optimizing your security environment and strategy.
Power Platform Program
Get an extension of your team that ensures the health of your Power Platform.
Industries
Manufacturing
Education
Public Sector
Financial Services
Healthcare
Energy
Retail
Software
Resources
Blogs
Case Studies
Library
Newsletters
Events
News
Learning Channels
About
Investors
Leadership
Microsoft
Our Approach
Our Partners
Our Story
Awards & Recognition
Careers
Support
Contact us
Solutions
Back
Solutions
Integration & Consulting
Application Development
Data & Analytics
Artificial Intelligence
Business Applications
Security
Digital Workplace
Infrastructure
Product Development
Technology
Azure
Azure Synapse
Azure Virtual Desktop
System Center
SQL Server
Microsoft Sentinel
Microsoft 365
Sharepoint
Microsoft Teams
Microsoft Viva
Windows
Power Platform
Power BI
Power Apps
Dynamics 365
ERP Technologies
Business Needs
Sales & Marketing
Operations
Human Resources
Payments
Finance & Accounting
Customer Service
Payment Solutions
Payment Products
Processing
Localization Services
Language Engineering & NLP
Translations & Localization
Licensing
Products
Back
Products
EmPerform
AgeChecker.net
PayiQ
MazikCare
Care Path
Care Provider Link
Care Supply
Payer Matrix
Data Fusion
ShopFloor
Velocity Insights
PowerGov
AMS
Spyglass
Managed Services
Back
Managed Services
Azure Management Services
Data Program
Digital Workplace Program
Power Platform Program
App Dev Program
Dynamics Program
Security Program
Industries
Back
Industries
Manufacturing
Healthcare
Education
Energy
Public Sector
Retail
Financial Services
Software
Resources
Back
Resources
Blogs
Events
Case Studies
News
Library
Learning Channels
Newsletters
Investors
Back
Investors
Financial Reports & Results
Investor News
Earning calls
Contact
Contact us
About
Back
About
Our Story
Investors
Microsoft
Leadership
Our Partners
Awards & Recognition
Our Approach
Careers
Support
Search
Back
Terms of use
Privacy policy

I was recently working with a dynamic group membership situation where we needed to include all of the sub-OU’s within the group. Our approach was to create a dynamic membership which matched based on a wildcard value that would exist because the sub-OU naming includes the top level OU naming. The result was just what we needed so we didn’t need to specify each sub-OU’s membership in the group. I was going to write up the details on this, but I found that someone else had done so (it’s great being a member of a community that shares information like this – way to go!). The following is a subset of his article available a http://00shep.blogspot.com/2012/03/scom-groups-dyanmic-members-ou.html

“Note the highest level OU for which you want to capture all sub-systems

  1. Go to one of the systems in SCOM and view the properties in “Monitoring”. One of the values will be “Organizational Unit” > Copy it
  2. Create your Dynamic Members inclusion rule
  3. Select “Windows Computer” > Add

e.g.
*OU=XenApp-65,OU=Servers,DC=MYDOMAIN,DC=com”

Operations Manager (SCOM, OpsMgr) has the ability to monitor an untrusted domains as well as highly segmented\firewalled networks. 

Gateways can be within the trusted domain as well, but are highly segmented by Firewalled VLANs.  The Gateways that are installed in the trusted domain do not actually utilize certificates, as the untrusted domain computers do.  In this case, the trusted computers utilize Kerberos (SPNs must be registered) and they may also require a Trusted Internal CA Root Cert.

The untrusted Gateway cannot properly communicate to the MS’s (EVENT ID 220071, 21016)

OpsManager Unable to set up a communication channel with MS

I validate the following:

  1. Verify Manual Agent Installs show in Pending Actions for approval
    • In the Operations Console, Administration>Settings>Security
      • Ensure ‘Review new manual agent installations in pending managmeent view’ is checked
  2. Recycle the HealthService (System Center Management Service)
  3. SPN’s registered for DB\DW and MS’s
    • Restart of Servers in this order may be necessary
      1. DB\DW Instances
      2. RMSe Management Server
      3. Other MS’s
  4. Install GW as local Administrator
    • GW Approval tool run using an account with SysAdmin privileges to SQL DB
  5. Certificates are OK
    • Trusted Root Certificates on All GW and MS
    • Ensure Full Name of Computer is used as the Friendly name and name of the certificate
    • OpsMgr Cert unique to each computer and imported
    • Using 1024 or 2048 key size (2048 adds slight CPU overhead)
      • MOMCertImport changes this to 1024
    • Expiration OK
      • MOMCertImport changes this to 1 year in the Registry
    • If you cannot request the certificate from the GW or Agent:
      • Use the web site on the MS to request a server cert
  6. Gateway approval tool is OK
    • Ensure the following files exist on the Management Server:
      • Microsoft.EnterpriseManagement.GatewayApprovalTool.exe
      • Microsoft.EnterpriseManagement.GatewayApprovalTool.config
    • Command Run successfully:
      • Microsoft.EnterpriseManagement.gatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN> /GatewayName=<GatewayFQDN> /Action=Create
  7. Port 5723 has been validated as Open
    • I haven’t seen the need for 5724 in the past, although mentioned in the MS documentation
  8. Telnet to 5723 to the MS succeeds
  9. Check DNS
    • Mgmt Server name resolves to IP
    • Potential Hosts file edit or DNS entry
  10. Try re-copying the certificate out of the OperationsManager Folder into the Trusted Root store and restarting HealthService
  11. Flushing Health Service Cache
  12. Reinstalling GW and pointing to different MS
  13. Reissuing Certificates and reimporting, then running MOMCertImport
  14. Recycle the HealthService (System Center Management Service)

I ran into this issue where the RMSe Installation would fail at the Data warehouse configuration during Operations Manager Setup. 

Issue:

The install fails at the DW installation….and a warning is seen for the Management Server Install, then subsequent red X Critical Failures below.

Assumptions:

Error:

The OpsMgrSetupWizard.log states the following interesting section where the Error begins.

[14:38:27]: Error: :RemoveVssExpressWriter failed with the following exception: : Threw Exception.Type: System.Reflection.TargetInvocationException, Exception Error Code: 0x80131604, Exception.Message: Exception has been thrown by the target of an invocation.
[14:38:27]: Error: :StackTrace:   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)

[14:37:43]:    Always:    :Management Server DENAPP08.amr.ch2m.com failed to connect, now trying another one.
[14:37:43]:    Warn:    :Failed to connect to any SDK in the management group, trying again
[14:38:03]:    Error:    :Error:Could not connect to management group. Can not continue with DW upgrade…
[14:38:03]:    Info:    :Info:got MG connection
[14:38:03]:    Error:    :Error:Could not connect to management group. Cannot continue with current action…
[14:38:03]:    Error:    :FATAL ACTION: GetManagementGroup
[14:38:03]:    Error:    :FATAL ACTION: DWInstallActionsPostProcessor
[14:38:03]:    Error:    :ProcessInstalls: Running the PostProcessDelegate returned false.
[14:38:03]:    Always:    :SetErrorType: Setting VitalFailure. currentInstallItem: Data Warehouse Configuration
[14:38:03]:    Error:    :ProcessInstalls: Running the PostProcessDelegate for OMDATAWAREHOUSE failed…. This is a fatal item.  Setting rollback.
[14:38:03]:    Info:    :SetProgressScreen: FinishMinorStep.
[14:38:03]:    Always:    :!***** Installing: OMCONSOLE ***
[14:38:03]:    Info:    :ProcessInstalls: Rollback is set and we are not doing an uninstall so we will stop processing installs
[14:38:03]:    Always:    :****************************************************************
[14:38:03]:    Always:    :****Starting*RollBack*******************************************
[14:38:03]:    Always:    :****************************************************************

I tried the following, but not limited to:

Workaround:

Perform the installation for creation of OperationsManager and OperationsManagerDW to the default location of User database files as configured on the SQL instance.  When the installer completes successully, then you can manually move the OperationsManagerDW to the preferred disk.

Additional Logs:

[14:33:54]:    Always:    :Current Action: CreateDataWarehouse
[14:33:54]:    Always:    :Creating DataWarehouse Database
[14:33:54]:    Info:    :Info:Using DB command timeout = 480 seconds.
[14:33:54]:    Info:    :Adding Script files to dictionary.
[14:33:54]:    Info:    :
    .\build_mom_dw_admin.sql
[14:33:54]:    Info:    :Added
    .\build_mom_dw_admin.sql
   to the dictionary.
[14:33:54]:    Info:    :
    .\Datawarehouse.Initial.Setup.sql
[14:33:54]:    Info:    :Added
    .\Datawarehouse.Initial.Setup.sql
   to the dictionary.
[14:33:54]:    Info:    :
    .\build_momv3_dw_localization.sql
[14:33:54]:    Info:    :Added
    .\build_momv3_dw_localization.sql
   to the dictionary.
[14:33:54]:    Info:    :
    .\Datawarehouse.OM12.Upgrade.sql
[14:33:54]:    Info:    :Not Added to dictionary:
    .\Datawarehouse.OM12.Upgrade.sql
[14:33:54]:    Info:    :Done loading scripts
[14:33:54]:    Info:    :Info:Connecting to Remote SQL server SCOMDB.domain.com
[14:33:54]:    Info:    :Info:Connecting to Remote SQL server SCOMDB.domain.com
[14:33:54]:    Always:    :Creating Database: OperationsManagerDW
[14:33:57]:    Always:    :Running first set of configuration scripts.
[14:33:57]:    Info:    :Info:Using DB command timeout = 1800 seconds.
[14:33:57]:    Info:    :Adding Script files to dictionary.
[14:33:57]:    Info:    :
    .\build_mom_dw_admin.sql
[14:33:57]:    Info:    :Added
    .\build_mom_dw_admin.sql
   to the dictionary.
[14:33:57]:    Info:    :
    .\Datawarehouse.Initial.Setup.sql
[14:33:57]:    Info:    :Added
    .\Datawarehouse.Initial.Setup.sql
   to the dictionary.
[14:33:57]:    Info:    :
    .\build_momv3_dw_localization.sql
[14:33:57]:    Info:    :Added
    .\build_momv3_dw_localization.sql
   to the dictionary.
[14:33:57]:    Info:    :
    .\Datawarehouse.OM12.Upgrade.sql
[14:33:57]:    Info:    :Not Added to dictionary:
    .\Datawarehouse.OM12.Upgrade.sql
[14:33:57]:    Info:    :Done loading scripts
[14:33:57]:    Always:    :Running standard DB Configuration scripts.
[14:35:27]:    Always:    :Running DataWarehouse Database configuration scripts
[14:35:27]:    Info:    :Info:Using DB command timeout = 1800 seconds.
[14:35:27]:    Info:    :Adding Script files to dictionary.
[14:35:27]:    Info:    :
    .\build_mom_dw_admin.sql
[14:35:27]:    Info:    :Added
    .\build_mom_dw_admin.sql
   to the dictionary.
[14:35:27]:    Info:    :
    .\Datawarehouse.Initial.Setup.sql
[14:35:27]:    Info:    :Added
    .\Datawarehouse.Initial.Setup.sql
   to the dictionary.
[14:35:27]:    Info:    :
    .\build_momv3_dw_localization.sql
[14:35:27]:    Info:    :Added
    .\build_momv3_dw_localization.sql
   to the dictionary.
[14:35:27]:    Info:    :
    .\Datawarehouse.OM12.Upgrade.sql
[14:35:27]:    Info:    :Not Added to dictionary:
    .\Datawarehouse.OM12.Upgrade.sql
[14:35:27]:    Info:    :Done loading scripts
[14:35:27]:    Always:    :Setting Auto Close off..
[14:35:27]:    Always:    :Running DW Sql strings now…
[14:35:27]:    Info:    :CreateDataWarehouse completed.
[14:35:27]:    Always:    :Current Action: RunDWExistingMGStrings
[14:35:27]:    Always:    :Running DataWarehouse Database configuration scripts
[14:35:27]:    Info:    :Info:Using DB command timeout = 1800 seconds.
[14:35:27]:    Info:    :Adding Script files to dictionary.
[14:35:27]:    Info:    :
    .\build_mom_dw_admin.sql
[14:35:27]:    Info:    :Added
    .\build_mom_dw_admin.sql
   to the dictionary.
[14:35:27]:    Info:    :
    .\Datawarehouse.Initial.Setup.sql
[14:35:27]:    Info:    :Added
    .\Datawarehouse.Initial.Setup.sql
   to the dictionary.
[14:35:27]:    Info:    :
    .\build_momv3_dw_localization.sql
[14:35:27]:    Info:    :Added
    .\build_momv3_dw_localization.sql
   to the dictionary.
[14:35:27]:    Info:    :
    .\Datawarehouse.OM12.Upgrade.sql
[14:35:27]:    Info:    :Not Added to dictionary:
    .\Datawarehouse.OM12.Upgrade.sql
[14:35:27]:    Info:    :Done loading scripts
[14:35:27]:    Always:    :Running DW Sql strings now…
[14:35:27]:    Info:    :RunDWExistingMGStrings completed.
[14:35:27]:    Always:    :Current Action: GetManagementGroup
[14:35:27]:    Info:    :Info:getting MG connection
[14:35:27]:    Info:    :Info:trying to connect with server server01.domain.com
[14:35:33]:    Info:    :Info:Error while connecting to management server: The Data Access service is either not running or not yet initialized. Check the event log for more information.
[14:35:33]:    Error:    :Couldn’t connect to mgt server stack: : Threw Exception.Type: Microsoft.EnterpriseManagement.Common.ServiceNotRunningException, Exception Error Code: 0x80131500, Exception.Message: The Data Access service is either not running or not yet initialized. Check the event log for more information.

Summary: Operator role and higher (operator, advanced operator, and administrator) should be able to put systems into maintenance mode.

My testing: For due diligence I tested this in my lab environment as well for the Administrator role, Operator Role and Read-Only Operator Role and the results are shown below.

Administrator: (Maintenance mode is available)

Operator: (Maintenance mode is available)

Read-Only Operator: (Maintenance mode is NOT available)

For additional details, Microsoft has provided a set of what privileges are associated with each role in OpsMgr which is included in this post for reference purposes (The following content of what roles have what privileges is re-arranged from: http://technet.microsoft.com/en-us/library/hh872885.aspx)

1.1 Administrator

The Administrator profile includes full privileges to Operations Manager. No scoping of the Administrator profile is supported. The Administrator profile contains all of the privileges found in the Author, Advanced Operator, Operator, and Read-Only Operator profiles in addition to those listed below.

1.2 Author

The Author profile includes a set of privileges designed for authoring of monitoring configuration. A role based on the Authors profile grants members the ability to create, edit, and delete monitoring configuration (tasks, rules, monitors, and views) within the configured scope. For convenience, Authors can also be configured to have Advanced Operator privileges scoped by group. The Author profile contains all of the privileges found in the Advanced Operator, Operator, and Read-Only Operator profiles in addition to those listed below.

1.3 Advanced Operator

The Advanced Operator profile includes a set of privileges designed for users who need access to limited tweaking of monitoring configuration in addition to the Operators privileges. A role based on the Advanced Operators profile grants members the ability to override the configuration of rules and monitors for specific targets or groups of targets within the configured scope. The Advanced Operator profile contains all of the privileges found in the Operator and Read-Only Operator profiles in addition to those listed below.

1.4 Operator

The Operator profile includes a set of privileges designed for users who need access to alerts, views, and tasks. A role based on the Operators profile grants members the ability to interact with alerts, run tasks, and access views according to their configured scope. The Operator profile contains all of the privileges found in the Read-Only Operator profile in addition to those listed below.

1.5 Read-Only Operator

The Read-Only Operator profile includes a set of privileges designed for users who need read-only access to alerts and views. A role based on the Read-Only Operators profile grants members the ability to view alerts and access views according to their configured scope.

1.6 Report Operator

The Report Operator profile includes a set of privileges designed for users who need access to Reports. A role based on the Report Operator profile grants members the ability to view reports according to their configured scope.

1.7 Report Security Administrator

Thank you to Paul Johnson for his assistance putting this together!

Kent Agerlund posted a new blog post where Coretech developed a really nice shutdown utility for use with ConfigMgr. Read the full post here.

To suppress or not suppress a computer restart when deploying software and software updates that is the question. No matter what you do, you most likely will not win the “best colleague of the Month” award.

If you do not force a computer restart you might face problems like:

If you do force a restart you might face problems like: