Tips from field for SCOM 2012 R2 Update Rollup Installation

All software needs to be kept up to date to function properly, and SCOM is no different. Let’s see how to apply an Update Rollup properly for SCOM 2012 R2.

I have explained this scenario based on SCOM 2012 R2 UR4, but the process is much the same for UR5.

Performing the Update Rollup Installation

Below is the list of steps that you need to follow when performing a UR installation.

Apply MSPs to relevant server roles

First of all, you have to download the relevant update packages for the particular UR. If your SCOM servers are configured to receive updates for System Center products directly from Microsoft Update (WSUS or Internet), you can go ahead and approve the relevant update packages. Here I’m referring to the manual method of update installation, as most servers are configured with a strict update policy.

You can download the UR4 update package from here. UR4 contains 5 updates, but which ones you apply depends on your deployment. For example, there is no need to apply the Web Console update if you haven’t deployed that component in your SCOM environment. After you have downloaded the packages, extract them to a central location.

Before you proceed with applying the MSPs, perform the tasks below.

    • Make sure all servers are up to date with the latest patch updates.
    • Close the SCOM Console on all servers where it is running.
    • In some cases you will have to stop the System Center Data Access Service and the System Center Management Configuration service on all management servers, but it wasn’t necessary in my case.

To apply the MSPs, follow the procedure below.

    • Open a Command Prompt with Elevated Rights (as Administrator)
    • Browse to the location where you have extracted the MSPs.
    • Install the MSP from the command prompt. There won’t be any notification once it is installed; it simply returns to a blank cursor. However, you can see the file versions change as you install each MSP, as described in Kevin Holman’s Blog. Kevin’s post was focused on UR4 but the idea is the same. The build numbers for SCOM 2012 R2 are as follows, and you will see the same numbers when you check the file versions as described in Kevin’s blog.

| Build Number | KB | Release Date | Description |
| --- | --- | --- | --- |
| 7.1.10226.0 | | | SCOM 2012 R2 RTM |
| 7.1.10226.1011 | KB2904678 | 2014, January 27 | SCOM 2012 R2 Update Rollup 1 |
| 7.1.10226.1015 | KB2929891 | 2014, April 23 | SCOM 2012 R2 Update Rollup 2 |
| 7.1.10226.1037 | KB2965445 | 2014, July 29 | SCOM 2012 R2 Update Rollup 3 |
| 7.1.10226.1046 | KB2992020 | 2014, October 28 | SCOM 2012 R2 Update Rollup 4 |
| 7.1.10226.1052 | KB3023138 | 2015, February 10 | SCOM 2012 R2 Update Rollup 5 |

Install the MSPs in the order below (yes, the order matters).

  • Management server or servers
  • Gateway servers
  • Web console server role computers
  • Operations console role computers

Check whether Particular UR has been installed successfully

Once you have installed the MSPs, it’s critical to check whether the installation was successful as intended. There is an excellent PowerShell script written by Jure Labrovic, which can be found in the TechNet Gallery, that will help you achieve this. Note that this script validates against UR4, but it’s just a matter of tweaking the script to make it work for UR5. I did not use Operations Manager Shell but I did use regular PowerShell with administrator elevation. (You may need to Set-ExecutionPolicy to Unrestricted if you haven’t already done that.)

Here is my result when I run this script in one of my management servers.
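A separate way to run the same check, as an added example that is not the TechNet Gallery script mentioned above and not code from this post: it reads the file versions of the SCOM binaries and maps the highest revision to the build number table on this page. It assumes the management server install path quoted later on this page; pass -Path for other roles or install locations.

```powershell
# Added example: infer the installed Update Rollup from binary file versions.
# Revision-to-UR mapping copied from the build number table on this page.
$UrByRevision = @{
    0    = 'RTM'
    1011 = 'Update Rollup 1 (KB2904678)'
    1015 = 'Update Rollup 2 (KB2929891)'
    1037 = 'Update Rollup 3 (KB2965445)'
    1046 = 'Update Rollup 4 (KB2992020)'
    1052 = 'Update Rollup 5 (KB3023138)'
}

function Get-ScomUpdateRollupLevel {
    param(
        # Default is the management server install path quoted on this page.
        [string]$Path = "$env:SystemDrive\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server",
        # Revision you expect after patching, e.g. 1046 for UR4.
        [int]$ExpectedRevision = 1046
    )
    # Keep only SCOM 2012 R2 binaries (7.1.10226.x); other files are ignored.
    $scomFiles = Get-ChildItem -Path $Path -File |
        Where-Object { $_.Extension -in '.dll', '.exe' } |
        Where-Object {
            $v = $_.VersionInfo
            $v.FileMajorPart -eq 7 -and $v.FileMinorPart -eq 1 -and $v.FileBuildPart -eq 10226
        }
    if (-not $scomFiles) { throw "No 7.1.10226.x binaries found in '$Path'." }

    # Assumption: a rollup only replaces some files, so the highest revision
    # present is what identifies the rollup level.
    $highest = [int]($scomFiles | ForEach-Object { $_.VersionInfo.FilePrivatePart } |
        Measure-Object -Maximum).Maximum
    $level = if ($UrByRevision.ContainsKey($highest)) { $UrByRevision[$highest] } else { "Unknown revision $highest" }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        HighestRevision = "7.1.10226.$highest"
        Level           = $level
        FilesAtLevel    = @($scomFiles | Where-Object { $_.VersionInfo.FilePrivatePart -eq $highest }).Count
        MeetsExpected   = $highest -ge $ExpectedRevision
    }
}

Get-ScomUpdateRollupLevel -ExpectedRevision 1046
```

Run it on each patched server; a MeetsExpected value of False means the MSP for that role did not apply.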

Execute SQL scripts on SCOM databases

This part is rather simple, but there are several important tasks that you need to perform before you do so.

    • Stop the System Center Data Access Service and the System Center Management Configuration service on all management servers.
    • Perform a full backup of both the OperationsManager & OperationsManagerDW databases. This is just in case anything goes wrong.

Here is how you execute the SQL scripts.

    • You can find the scripts at %SystemDrive%\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server\SQL Script for Update Rollups\ on any management server that you have updated with the MSPs.
    • There are two scripts that need to be executed. Execute Update_rollup_mom_db.sql in OperationsManagerDB and UR_Datawarehouse.sql in OperationsManagerDW.
    • If you get a warning about line endings, choose Yes to continue.
    • If you get an error when you run any of the scripts, do not continue. Try running the same script multiple times before you move on to the other script. Usually this happens if you haven’t stopped the services on the management servers, which results in deadlocks in the databases.
    • You will see an output similar to the one below if everything went smoothly.
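The whole database step as one script, as an added example that is not from the original post: stop the two services, back up both databases, run each script with a few retries, and stop if a script keeps failing. Server, instance, database and backup names are placeholders; it assumes both databases are on one SQL instance, that it runs in Windows PowerShell on a patched management server, and that restarting the services afterwards is wanted.

```powershell
# Added example. Server, instance, database and backup names are placeholders.
$managementServers = 'MS01', 'MS02'
$sqlInstance = 'SQL01'
$backupDir   = 'D:\Backup'          # path as seen by the SQL Server
$scriptDir   = "$env:SystemDrive\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server\SQL Script for Update Rollups"
# Script-to-database mapping, in the order the list above names them.
$steps = @(
    @{ Database = 'OperationsManager';   Script = 'Update_rollup_mom_db.sql' },
    @{ Database = 'OperationsManagerDW'; Script = 'UR_Datawarehouse.sql' }
)
$serviceNames = 'System Center Data Access Service', 'System Center Management Configuration'

# Invoke-Sqlcmd and Backup-SqlDatabase come from the SQL Server PowerShell module.
if (-not (Get-Command Invoke-Sqlcmd -ErrorAction SilentlyContinue)) {
    throw 'Load the SQL Server PowerShell module (SQLPS or SqlServer) first.'
}

function Get-ScomService {
    foreach ($server in $managementServers) {
        Get-Service -ComputerName $server -DisplayName $serviceNames
    }
}

function Invoke-UrScript {
    param([string]$Database, [string]$Script, [int]$MaxAttempts = 3)
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            Invoke-Sqlcmd -ServerInstance $sqlInstance -Database $Database `
                -InputFile (Join-Path $scriptDir $Script) -QueryTimeout 1800 -ErrorAction Stop
            return
        } catch {
            Write-Warning "$Script attempt $attempt of $MaxAttempts failed: $($_.Exception.Message)"
            Start-Sleep -Seconds 30
        }
    }
    throw "$Script still failing after $MaxAttempts attempts; not continuing."
}

# 1. Stop both services on every management server (avoids the deadlocks).
Get-ScomService | Stop-Service -Force
# 2. Full backup of both databases before anything is changed.
foreach ($step in $steps) {
    Backup-SqlDatabase -ServerInstance $sqlInstance -Database $step.Database `
        -BackupFile (Join-Path $backupDir "$($step.Database)-preUR.bak")
}
# 3. Run the scripts; a persistent failure throws and leaves the services stopped.
foreach ($step in $steps) { Invoke-UrScript @step }
# 4. Bring the services back only after both scripts succeeded.
Get-ScomService | Start-Service
```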

Manually Import Management Packs

Now you have to manually import some management packs that were updated in the UR. These can be found at %SystemDrive%\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server\Management Packs for Update Rollups. Here is the list of MPs that you need to import in UR4.

  • Microsoft.SystemCenter.TFSWISynchronization.mpb (There is a dependency Microsoft.SystemCenter.AlertAttachment.mpb for this MP. This can be found in Installation media for SCOM 2012 R2)
  • Microsoft.SystemCenter.Visualization.Library.mpb
  • Microsoft.SystemCenter.Visualization.Component.Library.mpb
  • Microsoft.SystemCenter.Advisor.mpb
  • Microsoft.SystemCenter.Advisor.Internal.mpb

Apply agent update to manually deployed agents

For agents that you have previously installed via push installation, you will notice that they are now in the Pending Management view. You can approve them to update the MOM agent. For manually installed agents, you will have to install the updated agent, which can be found in the SCOM installation path of any management server.

Update Linux/Unix MP and update *nix agents (Optional)

This is an optional step if you have deployed *nix agents. More information can be found in this KB article.

And that’s how we deploy a UR for SCOM 2012 R2.

Security Alert – Virtual Machine Manager Elevation of Privilege Vulnerability

Microsoft has recently identified a vulnerability in SCVMM that could allow user privilege elevation. Any attacker who leverages this vulnerability first has to log in using Active Directory credentials, and could then gain administrative privileges and thereby control the VMs managed by a particular VMM Server. Basically, this is a result of incorrect user role validation within VMM.

This affects Microsoft System Center Virtual Machine Manager 2012 R2 Update Rollup 4 (VMM Server update 2992024).

Microsoft has immediately released a patch for this issue. You can download KB3023195 for VMM 2012 R2 Update Rollup 5 from here.

Another important thing to remember is that if you have the Administrator console installed on your VMM server, you need to install the Admin Console Update for UR5 (KB3023914), which can be downloaded from here. When installing, you have to install UR5 for VMM followed by UR5 for the administrator console to properly remediate this threat.

SQL 2012 Cluster not monitored in SCOM 2012 R2

The hardest part of a SCOM deployment is proper configuration of the monitoring environment. Most of the time, system administrators forget to follow the Management Pack Guide for a particular application and spend an enormous amount of time troubleshooting what went wrong in their deployment. Today we are going to explore how to resolve such a scenario associated with the SQL 2012 Management Pack.

The following alert has been raised by SCOM, indicating there aren’t sufficient permissions to monitor a SQL 2012 cluster. The error says it cannot log in to the database.

The SQL Server Monitoring Account Run As profile contains the necessary action accounts for the SQL Management Pack.

By default this Run As profile will use the Default Action Account for the SQL MP. But in this case the default action account doesn’t have database privileges for the SQL cluster. So the solution is to create a separate Run As account for SQL which maps to a domain account with database rights (you can use an account with db_owner in SQL as long as it doesn’t jeopardize your security, or else you can use db_reader) and then add it to the SQL Run As profile.

This error is a result of the tightened access model in SCOM, which requires you to configure Run As accounts with proper rights for the different monitored workloads in SCOM.

Error 31551 in SCOM Data Warehouse

In my recent encounter with a SCOM 2012 R2 deployment I faced a strange issue with the Data Warehouse database. I was getting the error below after the initial deployment (a few days had passed), and the health status of the management servers always displayed as critical.

Failed to store data in the Data Warehouse. The operation will be retried. Exception ‘SqlException’: Login failed for user ‘scom_admin’

In my case scom_admin is the default action account. After spending some time on isolating the issue, I discovered the culprit to be an incorrectly configured Run As profile.

The Data Warehouse SQL Server Authentication Account by default uses SQL Server authentication. In my case I had incorrectly specified my default action account as the Run As account for this profile. This should be the sa account for servers hosting the Data Warehouse DB, not a domain account. After removing the Run As account credentials for this Run As profile, the health status of the management servers was green again and the error stopped appearing.