Category Archives: SCOM

Failed to store data in the Data Warehouse – SCOM Reports – Exchange Microsoft.Exchange.15.MailboxStatsSubscription

Recently, when we tried to generate the top mailbox statistics report with the option available from the SCOM reports, we were not able to generate it.

It was giving an empty report without any values.

Along with that, a few reports that exist only for the Exchange servers, such as database IO reads/writes, were also empty with no values when we tried them.

Upon looking into the Operations Manager log, we saw the event below.

Log Name:      Operations Manager
Source:        Health Service Modules
Date:          20.04.2017 09:36:58
Event ID:      31551
Task Category: Data Warehouse
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SCOM1.exchangequery.com
Description:
Failed to store data in the Data Warehouse. The operation will be retried.
Exception ‘InvalidOperationException’: The given value of type String from the data source cannot be converted to type nvarchar of the specified target column.
One or more workflows were affected by this.
Workflow name: Microsoft.Exchange.15.MailboxStatsSubscription.Rule
Instance name: SCOM1.exchangequery.com
Instance ID: {466DF86F-CC39-046A-932D-00660D652716}
Management group: ExchangeQuery

From the above error we can see that this mailbox statistics subscription rule has a problem, and hence the reports were not generated.

The 2 rules below must be enabled to generate this report:

1) Exchange 2013: Mailbox Statistics Subscription.
2) Exchange 2013: Mailbox Statistics Collection.

Looking at the above event, we can see that SCOM is having trouble writing the data from the staging table into the target tables in the data warehouse. First, the generated alerts are written by SCOM to the staging table in the operational database. Then the operational database inserts this data in bulk into its target data warehouse. It uses SQL bulk insert because of the amount of data that has to be moved from the staging table.

During this bulk insert, the data to be inserted is compared against the default allowed lengths (the NVARCHAR lengths of the columns in each table). So if any of the alert titles has a value longer than its default allowed limit, we will run into this problem.

This value can be seen on the staging table, under the columns in the Operations Manager database – Tables – Exchange2013mailboxstatsstaging – Columns.

Here we can see the nvarchar values for each property of the mailbox, which are used to generate the mailbox statistics report from SCOM 2012.

So if any of the nvarchar values required to generate the report exceeds the allowed limit, inserting the data into the data warehouse will fail. For example, the default allowed length for Mailbox_EmailAddress is 1024.

Let's say there is one system mailbox with multiple SMTP addresses added to it, and together they exceed this character limit; then the entire mailbox stats report will fail.

SCOM requires the nvarchar data type for Exchange mainly to support Unicode for multiple languages. More details on SQL data types can be read here.

In our case we had a service account mailbox which had multiple SMTP addresses added to it, and that exceeded the allowed limit.

If anyone runs into this issue, here is a simple command to identify the mailbox which has email addresses of more than 1024 characters.

Get-Mailbox -ResultSize Unlimited | Where-Object { $_.EmailAddresses.ProxyAddressString.ToCharArray().Length -ge 1024 } | ForEach-Object { Write-Host "$_" }

Once we find that mailbox, we can remove the additional SMTP addresses and bring the value below 1024. After this, the reports will be generated without any issues.

Another solution (not recommended):

Extend the nvarchar field lengths on the staging table as well as the target table (Exchange2013.MailboxProperties_) in the data warehouse, which will allow the data to be processed and the reports to be generated even with a large amount of data.

It is better not to change the default values, as that might leave the deployment in an unsupported state. Modifying the mailbox and reducing the character count instead keeps everything in place without any customization.

Thanks & Regards
Sathish Veerapandian

Configure SCOM to monitor servers in the DMZ

SCOM requires mutual authentication to trust and communicate with the agents for monitoring and reporting. Initially SCOM tries to establish Kerberos authentication with the agents. This happens for all internal agents that are joined to the domain.
For workgroup machines in the DMZ network, SCOM uses certificate-based authentication for secure communication and then monitors them.

Below are the high level steps:

1) Configure your firewall to pass traffic from the DMZ agents (DMZ servers) to the SCOM management server's ports 5723 & 5724.
2) Request a certificate from all DMZ machines (certificate type must be Server Authentication & Client Authentication).
3) Request a certificate from the SCOM machine (certificate type must be Server Authentication & Client Authentication).
4) Import the Server Authentication & Client Authentication certificates on the DMZ machines.
5) Import the Server Authentication & Client Authentication certificates on the SCOM 2012 server.
6) Run MOMCERTIMPORT on all machines and assign the certificate.
7) Approve the DMZ agents on the SCOM server.

For publishing the certificate request for SCOM there are 2 types, based on the CA we have.

  1. Enterprise CA.
  2. StandAlone CA.

1) Enterprise CA

If we are going to request the certificate from an Enterprise CA, then we need to publish a certificate template for SCOM through the enterprise CA.

To perform the task through the enterprise CA, do the following:
Open Certificate Authority – navigate to Certificate Templates – and select Manage.

Right-click the Computer certificate and click Duplicate.

Make sure the option to allow private keys to be exported is chosen.

The most important thing to note is that the extensions need to have both server and client authentication enabled. This applies to both the SCOM server and the DMZ hosts throughout the configuration, no matter whether we request the certificates from an Enterprise CA or a Standalone CA.

Once the above is completed we can import this duplicate certificate to the SCOM server.

2) StandAlone CA:

Below are the steps to carry out for a Standalone CA SCOM certificate request:

Go to the SCOM 2012 server.

Connect to the computer hosting certificate services:

https://ca.exchangequery.com/certsrv

Click Request a certificate and submit an advanced certificate request.

Click Create and submit a request to this CA.

After that we will get a web access confirmation prompt; click Yes.

Below is the information that needs to be filled in:

Name – name of the server requesting the cert.

Type of Certificate – Choose Other

In OID enter – 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 (This plays a major role in enhanced key usage)

Key options – Select Create new key set

CSP – Select Microsoft Enhanced Cryptographic Provider v1.0

Key Usage – Select Both

Key Size – 1024

Select – Mark keys as exportable.

Request Format – CMC

Hash Algorithm – SHA1, then give a friendly name and submit.

Once the request is completed by the CA, we can go ahead and import the certificate on the SCOM server.

Request certificate for DMZ servers to be monitored:

First and foremost, we can request the certificate from an internal domain server, since most of the time the DMZ servers will not have access to the certificate web enrollment services on port 443 of the internal certificate authority server.

So what we can do is generate the cert request from one machine in the domain network and then import the certificates to the DMZ servers.

Perform the same process of submitting the certificate request for all the DMZ servers.

Below is the information that needs to be filled in:

Name – name of the DMZ server that requires the certificate.

Type of Certificate – Choose Other

In OID enter – 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 (This plays a major role in enhanced key usage)

Key options – Select Create new key set

CSP – Select Microsoft Enhanced Cryptographic Provider v1.0

Key Usage – Select Both

Key Size – 1024

Select – Mark keys as exportable.

Request Format – CMC

Hash Algorithm – SHA1, then give a friendly name and submit.

Once the above is done, we need to approve the request on the CA and then import the certificates on the server from which we requested them for those DMZ machines.

Now we need to export each certificate from the requesting machine and then import it on the DMZ server which needs to be monitored.

There are multiple ways of doing this. I prefer doing this via the DigiCert Windows Utility Tool.

Download the DigiCert Windows utility tool from the URL below on the machine that requested the certificates:

https://www.digicert.com/util/

On opening it, we can see all the issued SSL certificates for which that machine holds the private key.

Select the certificate requested for the DMZ server and click Export.

Select the option to export the private key and export it with a password.

Once the above steps are completed, we need to import these certificates into the computer personal store on the DMZ servers.

We can use the standard certificate import wizard to import the above certificate on the DMZ servers.

Now the final step is to run MOMCERTIMPORT on all machines and select this certificate, and we are done.

The MOMCERTIMPORT GUI tool can be found on the SCOM 2012 installation media in the directory below:

E:\supporttools\AMD64\MOMCERTIMPORT

Make sure the same version of the tool from the setup is copied to all machines.

Just run this tool on all machines and we will get a pop-up window to confirm the certificate. Confirm by choosing the relevant requested certificate on each server.

After the above is completed, wait for some time and the DMZ servers will appear under Administration – Pending on the SCOM server; we just need to approve them and we are done.
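A pre-flight check for the requirements above, to run on each DMZ server before MOMCERTIMPORT. This is an added example, not part of the original post; it reads the computer personal store and tests the two ports from step 1. The management server name `scom-ms.example.com` is a placeholder.

```powershell
# Added example (not from the original post): audit the certificates in the
# computer personal store against the requirements described above.
param(
    # Placeholder FQDN; replace with your own management server.
    [string]$ManagementServer = 'scom-ms.example.com',
    # Ports the post opens from the DMZ agents to the management server.
    [int[]]$Ports = @(5723, 5724)
)

$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now        = Get-Date

# A workgroup host may only have a short name, so accept either form.
$localNames = @($env:COMPUTERNAME, [System.Net.Dns]::GetHostEntry('').HostName)

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $cn   = $cert.GetNameInfo('SimpleName', $false)
    # PublicKey.Key is not available for every key type, so fail soft.
    $bits = try { $cert.PublicKey.Key.KeySize } catch { $null }

    [pscustomobject]@{
        Subject      = $cn
        NameMatch    = $localNames -contains $cn
        PrivateKey   = $cert.HasPrivateKey
        ServerAuth   = $ekus -contains $serverAuth
        ClientAuth   = $ekus -contains $clientAuth
        InValidity   = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        KeyBits      = $bits          # review against your CA policy
        SignatureAlg = $cert.SignatureAlgorithm.FriendlyName
        Thumbprint   = $cert.Thumbprint
    }
}
$report | Format-Table -AutoSize

# Flag the host if no certificate passes every check in the report.
$usable = $report | Where-Object {
    $_.NameMatch -and $_.PrivateKey -and $_.ServerAuth -and $_.ClientAuth -and $_.InValidity
}
if (-not $usable) { Write-Warning 'No certificate in LocalMachine\My meets all requirements.' }

# Confirm the firewall rule: the agent must reach the management server.
foreach ($port in $Ports) {
    $r = Test-NetConnection -ComputerName $ManagementServer -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable = {2}' -f $ManagementServer, $port, $r.TcpTestSucceeded
}
```

A row that shows `False` for `ServerAuth` or `ClientAuth` means the request was submitted without both OIDs, and a `False` under `PrivateKey` means the export was done without the private key.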

Thanks & Regards
Sathish Veerapandian
MVP – Office Servers & Services

Configure SCOM 2012 to receive Exchange 2016 Alerts in Email and SMS

It is better if we receive alerts about Exchange service-level unavailability during any outage.

Though the Managed Availability self-healing component is very much capable of self-monitoring the Exchange services, a few companies still request a dashboard displaying the current state of the Exchange services, and want to be notified via SMS and email when there is any outage.

Below are the main prerequisites:

1) System Center Operations Manager 2012 R2 is in the environment.
2) The Exchange Server 2013 Management Pack is installed. Currently only the Exchange 2013 management pack is present, and it supports 2016.

Below are the high level steps that we need to perform in SCOM 2012:

1) Create Channels – Basically a path through which the alert will be delivered to the destination (admins).
2) Create Subscribers – Persons who are supposed to be notified when an alert is identified in SCOM for Exchange.
3) Create Subscriptions – Selecting the components to be alerted on when any Exchange services are unavailable.

The same applies to any application for which we want to be notified when there is an issue with the system.
To receive SCOM alerts on a mobile as SMS, we need to have an SMS routing agent configured.

The workflow below is the normal way of configuring SMS alerts:

SCOM – Mailbox Server Relay – Reaches Mail Contact local SMTP address domain.com – Finds the SMTP target address – Finds the appropriate send connector – Routes to the SMS routing Agent – Exchange Admin receives the SMS

To receive SCOM alerts in an email:

The workflow below is the normal way of configuring email alerts:

SCOM subscribers – Mailbox server relay – Finds Mail Group – Alerts delivered to the admin's mailbox.

So we need to give the SCOM 2012 server relay permission on Exchange so that it can send the alerts when any issue occurs.

First we need to create a channel.

To create a channel, perform the below:

Navigate to Operations manager console – Click on Administration – Click on notifications – Select Channels

Right click on Channels – New Channel – Select the appropriate channel that we wish to route.

The best way is always to create only SMTP channels, route them to Exchange, and from there deliver the alerts to the appropriate destinations.
This keeps things less complicated.

We can also create a DNS A record and point all mailbox servers to that record.

To create a Subscriber, perform the below:

Navigate to Operations manager console – Click on Administration – Click on notifications – Select Channels

Right Click on Subscriptions – new Subscriber

Create a new Subscriber

Select always send notifications

Add the delivery address – the admin's email address if the alert needs to be delivered by email, or an email contact if it needs to be routed to his mobile device.

Select the channel type as Email (SMTP) – It is better if we route all the messages via Exchange, and from there we can route them to the appropriate destinations. I feel this will make creating the channels less complicated.

Now we need to create the Subscriptions.

To create a Subscription, perform the below:

Navigate to Operations manager console – Click on Administration – Click on notifications – Select Channels
Right Click on Subscriptions – new Subscriptions

Now this part is very important. We need to fine-tune this further based on the setup and the issues. Here we are actually specifying and subscribing to the alerts for which we will be notified when an application is unavailable.

So you need to choose the alerts based on your requirements. For Exchange, I can say that if there are any issues such as database copies unhealthy or database dismounted, we can specify them by name and description in this criteria section and get notified via SMS.

For the Exchange services EWS, ActiveSync and MAPI we don't need to configure anything here, since we have health probes configured on the load balancers and will be notified by them.

And in this part we specify the subscribers:

Usually the subscribers are the distribution group that we created.

Now select the channels that were configured to route the alerts to the Exchange servers.

After this is done we will be able to receive the Exchange 2016 alerts through email and SMS.

Thanks & Regards
Sathish Veerapandian
MVP – Office Server and Services
