Second Pluralsight Course Published – Monitor and Maintain a Software-Defined Datacenter with SCOM

Pluralsight has recently published my second course, Monitor and Maintain a Software-Defined Datacenter with SCOM. This one took me back to my System Center roots, focusing on Operations Manager.

This course prepares you for the 70-745 exam, while simultaneously showing you how to use SCOM for your datacenter.

In the course you will learn:

  • How to plan, deploy, and configure Operations Manager.
  • How to tune Operations Manager.
  • How to monitor infrastructure and virtual machine workloads.

By the end of this course, you will have a better understanding of how monitoring works using SCOM.

Please check out the course here: https://app.pluralsight.com/library/courses/monitor-maintain-software-defined-datacenter-scom/table-of-contents

Also, be sure to follow my profile on Pluralsight so you will be notified as I release new courses! I will be releasing an Azure course soon!

Here is the link to my Pluralsight profile: https://app.pluralsight.com/profile/author/steve-buchanan

 


Speaking at OSCON and MMS May 2017

May is a busy month for me with the opportunity to speak at both OSCON – Open Source Convention (https://conferences.oreilly.com/oscon/oscon-tx) and MMS – Midwest Management Summit (https://mmsmoa.com)! OSCON is May 8th through the 11th in Austin, Texas. MMS is May 15th through the 18th in Minnesota.

At OSCON I will be presenting on “How to Motivate Technical Employees” with friend and fellow Microsoft MVP Samuel Erskine – @samerskine. This will be on Thursday, May 11, 2017 at 4:15pm–4:55pm. This session is for CIOs, CTOs, IT directors, and IT managers and will cover how to retain your top talent and give you five ways to motivate technical employees. Come to this session to learn the secret sauce for keeping employees engaged! Here is a link to the session: https://conferences.oreilly.com/oscon/oscon-tx/public/schedule/detail/57374

At MMS I will be presenting three sessions! These sessions are:

“Awesomize your Azure Stack Deployments with Azure Stack Tools” with fellow MVP Mikael Nystrom – @mikael_nystrom.

Link: https://mms2017.sched.com/event/AUae/awesomize-your-azure-stack-deployments-with-azure-stack-tools

“Azure Operationalized” with fellow MVP Natascia Heil – @NatasciaHeil.

Link: https://mms2017.sched.com/event/AUbn/azure-operationalized

“Backup is Dead! Restore is Born in the Cloud!” with fellow MVP Robert Hedblom – @RobertandDPM.

Link: https://mms2017.sched.com/event/AUaR/backup-is-dead-restore-is-born-in-the-cloud

These conferences will be lots of great community fun! Hope to see you there.


4th book published (Service Manager 2016)

On March 2nd I became a 4 time author. With several talented co-authors we published the Microsoft System Center 2016 Service Manager Cookbook. It was great to work with the co-authors and I would like to thank each of them for their hard work. The co-authors are:

 

  • Microsoft MVP Anders Asp
  • Microsoft MVP Andreas Baumgarten
  • Microsoft MVP Steve Beaumont
  • Service Manager/System Center expert Dieter Gasser

It was an honor to work with them. Also a shout out to Microsoft MVP Sam Erskine for writing up the foreword and helping with the technical review. Lastly, I want to thank Rafael Delgado, who also was a technical reviewer on the book. This book is an update to the Microsoft System Center 2012 Service Manager Cookbook. In this new book you will find updated recipes for 2016, how to upgrade from 2012 R2 to 2016, and coverage of the new HTML5 portal.

Official book description:

System Center Service Manager (SCSM) is an integrated platform that offers a simplified data center management experience by implementing best practices such as Incident Management, Service Request, and Change control to achieve efficient service delivery across your organization.

This book provides you with real-world recipes that can be used immediately and will show you how to configure and administer SCSM 2016. You’ll also find out how to solve particular problems and scenarios to take this tool further. You’ll start with recipes on implementing ITSM frameworks and processes and configuring Service Level Agreements (SLAs). Then, you’ll work through deploying and configuring the HTML5 Self-Service Portal, configuring Incident and Problem Management, and designing and configuring change and release management. You’ll also learn about security roles and overall Microsoft SCSM 2016 administration.

Toward the end of the book, we’ll look at advanced topics, such as presenting the wealth of information stored within the Service Manager Data Warehouse, standardizing SCSM deployments, and implementing automation.

What you will learn:

  • See a practical implementation of the ITSM framework and processes based on ITIL
  • Deploy and configure the new Service Manager HTML5 Self-Service Portal along with Service Catalog design and configuration
  • Get to know about Incident, Problem, and Change Management processes and configuration
  • Get to grips with performing advanced personalization in Service Manager
  • Discover how to set up and use automation with and within Service Manager 2016
  • Work with Service Manager Data Warehouse
  • Find out what Security Roles are and how to implement them
  • Learn how to upgrade from SCSM 2012 R2 to SCSM 2016

The book can be ordered here:

https://www.amazon.com/dp/B01N5FL2SK

I also want to call out this is the 4th book that I have authored or co-authored. Here is a shot of all 4.

I have also been fortunate to be a technical reviewer on 5 other books. Here is a shot of them.

These books have all been on System Center products. I am stepping into a new era. Be on the lookout for more of a focus on cloud based solutions and know there is exciting stuff coming in the near future!


SCOM 2016 EXECUTE permission was denied on the object ‘sp_help_jobactivity’, database…

Short blog post here. After deploying SCOM 2016 if you see this error after clicking on the new Maintenance Schedules:

An exception was thrown while processing GetMaintenanceScheduleInfoList for session ID uuid:33c42f9a-9967-4f94-b7cd-800007beb49b;id=17.
Exception message: The creator of this fault did not specify a Reason.
Full Exception: System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UnknownDatabaseException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to The EXECUTE permission was denied on the object ‘sp_help_jobactivity’, database ‘msdb’, schema ‘dbo’.
The data access service account might not have the required permissions).

Change the System Center Data Access Service from running under the Local System account to running under your SCOM domain account that has the proper access to the SQL instance hosting the Operations Manager database. That should fix this error. And don’t forget to apply UR2!
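One way to check and change that logon account from PowerShell on the management server, as an added example that is not from the original post. It finds the service by the display name used above; the account name `CONTOSO\svc-scom-das` is a placeholder for your own SCOM domain account.

```powershell
# Added example, not from the original post. The display name is the one used in
# the post; the account passed to Set-DasAccount is a placeholder.
$DisplayName = 'System Center Data Access Service'

function Get-DasService {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$DisplayName'"
    if (-not $svc) { throw "Service '$DisplayName' not found on $env:COMPUTERNAME." }
    $svc
}

function Get-DasAccount {
    # Report which account the Data Access Service logs on with.
    $svc = Get-DasService
    [pscustomobject]@{
        Name           = $svc.Name
        StartName      = $svc.StartName
        State          = $svc.State
        # LocalSystem and the NT AUTHORITY accounts have no SQL login of their own
        # on a remote instance, which is the situation the error above describes.
        IsBuiltInLogon = $svc.StartName -match '^(LocalSystem|NT AUTHORITY\\.+)$'
    }
}

function Set-DasAccount {
    # Switch the service to a domain account and restart it.
    # The account must already hold the "Log on as a service" right;
    # Win32_Service.Change does not grant it.
    param([Parameter(Mandatory)][pscredential]$Credential)
    $svc = Get-DasService
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $Credential.UserName
        StartPassword = $Credential.GetNetworkCredential().Password
    }
    if ($result.ReturnValue -ne 0) {
        throw "Win32_Service.Change failed with return code $($result.ReturnValue)."
    }
    Restart-Service -Name $svc.Name -Force
    Get-DasAccount
}

$current = Get-DasAccount
$current | Format-List
if ($current.IsBuiltInLogon) {
    Write-Warning "$DisplayName runs as $($current.StartName); switch it to the SCOM domain account."
    # Set-DasAccount -Credential (Get-Credential 'CONTOSO\svc-scom-das')
}
```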


Backup Strategy should include Security

Planning for protection as a part of an IT Service Continuity plan often takes into consideration backup of applications and data as well as restore. But what about security?

When planning for protection of applications and data in your environment, security should be right up there in the forefront. “Backup Security” should be a key part of the plan.

Security in the context of backup can be thought of in two ways: #1, securing the backups, and #2, using backups as an added measure for security breach mitigation. Let me break this down further.

In regards to securing backups, you want to do things like encrypting backup data as it travels offsite, encrypting backup data at rest, being able to protect encrypted data, requiring security PINs or further authentication of admins, and more.

In regards to backup as an added measure for security, backup becomes a direct part of security planning in organizations. Sometimes when security measures fail, backups are the only thing that can save you as a last resort. Backups are increasingly becoming a way to recover from ransomware attacks as an alternative to paying the hackers. Here is a real-world example.

Recently an unnamed hosting provider’s entire data center became hostage to a ransomware attack. This hacker got in due to a mistake by one of the system admins (more on how to protect at this level later) and basically had full domain admin rights to everything. Keep in mind the majority of the servers in this scenario are for customers.

In this case the hosting provider had two choices. Option #1: go to the dark web via the Tor network and pay a ton of money in bitcoin for the decryption key. Option #2: restore everything from offsite backups and pray.

This hosting provider went for option #2 and thank goodness it worked. In this case if it weren’t for a solid offsite backup solution this hosting provider would have been up a creek without a paddle.

It is becoming more common for ransomware to actually target backups, because these are a high-value target and hackers understand this is a last resort for companies to save themselves. If the backups are deleted there is no other choice but to pay the ransom. This raises the security level required of the backups. Administrative actions on backups need an extra layer of security.

Microsoft Business Continuity products help with not only protection but also security. These products consist of System Center’s Data Protection Manager (DPM) and Operations Management Suite’s Azure Backup (AB) and Azure Site Recovery (ASR). In this post I am only going to touch on DPM and AB.

Some exciting things have been happening with Azure Backup and Data Protection Manager to ensure security is front and center as a part of your enterprise backup solution. Microsoft’s goal with the backup security is to provide prevention, alerting, and recovery.

More about this including a video can be found here:
https://azure.microsoft.com/en-us/blog/azure-backup-security-feature

Just yesterday DPM update rollup 12 for 2012 and update rollup 2 for 2016 were announced. Along with UR2 come some enhanced security features for DPM. These will be called out later in this blog post. Microsoft has rolled out some great security features to both products across hybrid clouds. I will go ahead and break these down.

– Azure Backup –

Encrypted backup data at rest
Described in DPM section.

Security PIN
With Azure Backup you can require a security PIN for sensitive operations such as removing protection, deleting data, or changing other settings in Azure Backup itself such as changing a passphrase.

Azure Backup also has some other security measures in place like a minimum retention range to ensure a certain amount of backup data is always available and notifications upon critical operations to subscription admins or others as specified.

NOTE: These security features are now also available in DPM with the URs (UR 12 for 2012 and UR2 for 2016) announced yesterday. When an administrator changes the passphrase or deletes backup data, they need to enter the PIN if you have Enhanced Security enabled. Also, there is a minimum retention range of 14 days for cloud protected data that is deleted.

MFA
MFA is Multi-Factor Authentication. Microsoft has MFA available as a part of Azure Active Directory. Within Azure Backup you can configure it to require MFA of admins when performing critical operations. Enabling MFA ensures, via authentication from a second device that is usually physically in the user’s possession, that admins are who they say they are.

NOTE: When you enable security settings they cannot be disabled.

Ransomware attacks
Described in DPM section.

– Data Protection Manager –

Backup data encrypted during offsite transfer
When data is sent from DPM to Azure Backup it is encrypted before it even leaves your four walls. Data is encrypted on the on-premises server/client/SCDPM machine using AES256 and the data is sent over a secure HTTPS link.

Encrypted backup data at rest
Once backup data is on Azure it is encrypted at rest. Microsoft does not decrypt the backup data at any point. The customer is the only one with the encryption key that can decrypt the backup data. If this key is lost not even Microsoft can decrypt your backup data. This is very secure.

Protection and recovery of encrypted computers
The release of Hyper-V on Windows Server 2016 included a new feature known as Shielded virtual machines (VMs). This feature essentially utilizes Virtual Trusted Platform Module (vTPM) technology and BitLocker to encrypt virtual machines at the virtual layer. This means if a VM is physically copied off a Hyper-V host, whoever has the VM will not be able to get to the data on the virtual hard drive.

DPM 2016 supports protecting Shielded VMs, regardless of whether they are VHD or VHDX. This is great news because as a secure organization you should want to encrypt your virtual machines, and DPM can protect them. This gives you an added layer of security on top of having backups.

Ransomware attacks
In today’s world ransomware attacks are a common thing. These types of attacks are targeted at small, medium, and large enterprise businesses. No company is too small or too big to be put in the crosshairs of ransomware attacks. A well-known attack is Cryptolocker.

As mentioned before in this blog post, backups are an alternative to paying the ransom of a ransomware attack. The key here is to ensure you have a solid offsite backup in place such as Azure Backup. Having that offsite backup will ensure you can get your data back even if the ransomware attack gets ahold of your onsite backup data.

I even go as far as to recommend sticking to the 3-2-1 rule (3 copies of backup data 2 offsite and 1 onsite). This way if something happens to one of your offsite copies of data you have another one. It may seem overkill to have 2 offsite copies but you would be surprised how often offsite backup data is accidentally destroyed.

So there you have it. Security is a critical part of any backup solution. It is clear that Microsoft realizes this based on the security enhancements they have made to both Azure Backup and Data Protection Manager 2016. Their goal is to ensure both backup solutions are enterprise ready. I have been working with DPM for years and Azure Backup as soon as it came out. I know the team behind these products has a lot of new features and functionality planned for the future of these products and I am looking forward to it.


Fun @ the MVP Summit 2016

This year at the MVP Summit was a great one.

I learned a lot of stuff mostly about OMS, System Center, and Azure Stack.

I cannot talk about any of it. 🙂

I can however talk about some of the fun times we had and share some pictures.

 

First picture: a warm welcome to MVPs from around the world.

image001

Here is a picture of the US MVPs at the summit!

all-us-mvps

Me at the Microsoft Enterprise Engineering Center in Redmond.

image003

image005


VMware VM Backup in DPM Setup

Today Microsoft released the ability to protect VMware virtual machines with System Center Data Protection Manager (DPM). This is a feature the community has been asking for for a long time. Again the DPM team continues to deliver! Again the team has brought this new functionality to existing customers via an update rollup. You do not have to wait for a new version of DPM to start protecting VMware. This functionality is enabled in DPM 2012 R2 through update rollup 11. Download DPM 2012 R2 UR 11 from this link:

http://catalog.update.microsoft.com/v7/site/search.aspx?q=3162908

For DPM 2016 this functionality will come out of the box.

Now let’s look at the install, setup, and recovery of VMware VMs.

INSTALL THE UPDATE:

VMwareinDPM (17)

VMwareinDPM (1)

VMwareinDPM (2)

ADD VMWARE CREDENTIALS:

VMwareinDPM (3)

NOTE: This is an agentless backup. DPM does not install an agent here. It only connects to the VMware host.

 

ADD VMWARE SERVER TO DPM:

VMwareinDPM (4)

VMwareinDPM (5) VMwareinDPM (6)

My VMWare server did not have a proper certificate. I had to add the following reg key:

DisableSecureAuthentication.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\VMWare]
"IgnoreCertificateValidation"=dword:00000001

It worked after that.
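With that value set, DPM no longer verifies the identity of the VMware server it sends the stored VMware credentials to. The PowerShell below is an added example, not from the original post: run on the DPM server, it reports whether the override is set and why the VMware server's certificate fails validation there, so the certificate can be fixed and the override removed. The host name `vcenter.example.internal` and the file name `vmware-ca.cer` are placeholders.

```powershell
# Added example, not from the original post. The registry path and value name are
# the ones in the .reg file above; host and file names are placeholders.
$DpmVMwareKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Data Protection Manager\VMWare'

function Get-DpmCertOverride {
    # $true when DPM is set to skip certificate validation for VMware servers.
    $p = Get-ItemProperty -Path $DpmVMwareKey -Name IgnoreCertificateValidation -ErrorAction SilentlyContinue
    [bool]($p -and $p.IgnoreCertificateValidation -eq 1)
}

function Test-VMwareCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    # The callback records how Windows judges the certificate, then accepts it so
    # the handshake completes and the certificate can be read for the report.
    $seen = @{ Errors = $null; ChainStatus = @() }
    $callback = {
        param($s, $c, $ch, $policyErrors)
        $seen.Errors = $policyErrors
        $seen.ChainStatus = @($ch.ChainStatus | ForEach-Object { $_.Status })
        $true
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        $stream = $tcp.GetStream()
        $validator = [System.Net.Security.RemoteCertificateValidationCallback]$callback
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $validator
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    [pscustomobject]@{
        Host         = $HostName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        PolicyErrors = $seen.Errors        # None = validates on this machine
        ChainStatus  = $seen.ChainStatus   # e.g. UntrustedRoot for a self-signed certificate
        Valid        = ($seen.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
}

function Get-DpmVMwareTrustReport {
    param([Parameter(Mandatory)][string]$HostName)
    $r = Test-VMwareCertificate -HostName $HostName
    $override = Get-DpmCertOverride
    $advice = if ($r.Valid -and $override) {
        "Certificate validates; remove the override: Remove-ItemProperty -Path '$DpmVMwareKey' -Name IgnoreCertificateValidation"
    } elseif ($r.Valid) {
        'Certificate validates and no override is set.'
    } else {
        "Fails with '$($r.PolicyErrors)'. Import the issuing CA on the DPM server " +
        "(Import-Certificate -FilePath .\vmware-ca.cer -CertStoreLocation Cert:\LocalMachine\Root) " +
        'and add the server to DPM by a name that appears in its certificate.'
    }
    $r | Add-Member -NotePropertyName OverrideSet -NotePropertyValue $override -PassThru |
         Add-Member -NotePropertyName Advice -NotePropertyValue $advice -PassThru
}

# Usage on the DPM server:
# Get-DpmVMwareTrustReport -HostName 'vcenter.example.internal' | Format-List
```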

 

PROTECTING VMS:

VMwareinDPM (8) VMwareinDPM (9)

You can add a single VM as shown in the following screenshot.

VMwareinDPM (10)

Or set the protection to Auto.

VMwareinDPM (11)

If set to auto, VMs that are added to this host will automatically be protected.

There was no downtime during the protection of the VMWare VMs.

VMwareinDPM (12)

 

RECOVERING VMS:

You can see we can recover VM’s just like we can with Hyper-V.  You need to click on the VM folder to make the Recover option show.

VMwareinDPM (13)

If you click on a VM you will see the .vmdk files and can recover them.

VMwareinDPM (14)

The rest of the recovery process is the same as recovering a VM in Hyper-V.

VMwareinDPM (15) VMwareinDPM (16)

That concludes this post! Enjoy your ability to protect VMware with DPM.


Tool for Logging outgoing SCSM email issues

Recently I was working on a Service Manager project and outgoing email was not working properly.

The SMTP channel was set up properly. I ran a telnet session and attempted to send an email via telnet. Well, the telnet session would connect just fine to the Exchange server but then would disconnect as soon as I tried to run some telnet commands.

I knew this was odd as I have never seen this before. There must have been an issue on the Exchange server or a policy to disconnect telnet sessions.

I needed a better way to troubleshoot this issue before I went back to the Exchange admin.

I ran across a freeware tool called SendSMTP that was a huge help.

The tool can run somewhere and send emails via a GUI or even via command line.

This tool also does not need to be installed; the .exe just runs right from a folder on the server, so it is portable and can be removed easily after you are done testing/troubleshooting.

It also lets you specify many settings such as host, authentication, timeout and more.

The reason this tool is super helpful is because it has some built in logging.

As you can see in the following screenshots you can set the logging levels you want.

SendSMTP1
After you test sending an email you can view either of the two log files by clicking on View Log or by clicking on the Log tab.

SendSMTP2

I loaded this tool on the SCSM server and then tested sending an email both anonymously and using authentication. Both failed.

Because of the logging I was able to determine that the connection keeps being reset by the Exchange server as there are some access denied issues.

You can see the log as shown on the tool’s Log tab in the following screenshot.

SendSMTP3

I was able to give this directly to the Exchange admin for further troubleshooting. 🙂

I wanted to share this on my blog as this tool might come in useful for someone else as well.

You can download SendSMTP here:


New Productivity Software Suite for Service Manager

ITnetX, the company of two good friends of mine, Microsoft MVP Marcel Zehner and Dieter Gasser, has recently released a Productivity Pack for Service Manager. This is great news because these guys and their teams know Service Manager inside and out. They have been building apps for Service Manager for some time and I have even been using some of them.

This new software suite introduces many new components that fill several existing gaps in Service Manager. The suite has a paid version and also offers some components for free. So what’s in this new suite? Let’s break it down.

ITSM Portal – The itnetX ITSM Portal is HTML5 and is a fast and intuitive alternative for the out-of-box SCSM Self-Service Portal. It allows end users to browse your IT Service Catalog, create new requests, view and update open requests, and work on activities as part of ITSM workflows.

The full suite also includes the following components:

  • Advanced View Editor
  • BillableTime
  • Checklist Activity
  • CMDB Visualizer
  • Desktop Alert
  • Power Print
  • PowerShell Activity
  • PowerShell Tasks
  • PowerShell Workflows
  • Preview Forms
  • Send Mail
  • SMA Connector

Here is a list of the free components:

  • Advanced View Editor for SCSM FREE
  • Advanced Console Search for SCSM FREE
  • Billable Time for SCSM FREE
  • Clone User Role for SCSM FREE
  • Email Template Tester for SCSM FREE
  • Entity Explorer for SCSM FREE
  • MPB Maker for SCSM FREE
  • Send Mail for SCSM FREE
  • Update Transfer for SCCM FREE

I use the email template tester and advanced editor in almost every Service Manager deployment I do. I am especially excited about a few of the components. These are:

CMDB Visualizer for SCSM lets you visualize any object that lives in the CMDB including its relations to other objects.

ITnetX1

PowerShell Activity for SCSM introduces an activity which runs custom PowerShell scripts. Scripts are stored in the CMDB and are triggered from PowerShell Activity within your processes. PowerShell Activities can be used just like runbook activities, and you can add them to your Service Request, Change Request, and Release Record templates.

ITnetX2

And the suite has an SMA Connector for SCSM!

I recommend you go check out this new software suite. Here is the link:

http://bit.ly/1P27Tlf


SCSM HTML5 Portal Prereq Script

This has to be the shortest blog post I have ever done. 🙂 Well here it is.

In the deployment article for the SCSM HTML5 portal (https://technet.microsoft.com/en-US/library/mt622142.aspx) you will see there are a number of prerequisites that are needed before you can install the portal. A while back I made a simple PowerShell script that can be used to install all of the HTML5 based Self-Service Portal prerequisites. I thought it might be good to share it.

SCSMHTML5SSPPre-reqs

Here is the link to download the script:

https://gallery.technet.microsoft.com/SCSM-HTML5-Portal-Prereq-ddeb504a
