Private Preview - 2019 Update Rollup 1: User's Guide


System Center Operations Manager

Private Preview – 2019 Update Rollup 1

User’s Guide

Microsoft System Center


MICROSOFT CONFIDENTIAL | NDA MATERIAL FOR SYSTEM CENTER TECHNICAL EVALUATION PROGRAM ONLY | DO NOT DISTRIBUTE
* Disclaimer: This is not a plan of record. Confidential; may not be posted to public shares *
This document may contain certain security features, including encryption & watermarks.
Table of Contents
1. New features in SCOM 2019 UR1 ..................................................................................................... 4
2. Multi-language installer for SCOM components ........................................................................... 4
3. One Click Patching Experience for Management Server ............................................................... 4
4. Distro-Agnostic Management Pack for Linux ................................................................................. 7
5. Red Hat Enterprise Linux 8 Support ................................................................................................. 8
6. Performance and Reliability improvements in the Linux agent.................................................. 15
7. Updates to Azure Management Pack ............................................................................................ 16
8. Updates to Storage Spaces Direct Management Pack ................................................................ 16
9. Support for Group Managed Service Accounts ............................................................................ 16
Log-on as a service right ......................................................................................................................... 17
Generate Security Audits ..................................................................................................................... 18
Database Changes ................................................................................................................................... 19
System Center Data Access Service ........................................................................................................ 37
System Center Configuration Service ..................................................................................................... 39
Data Reader Account .............................................................................................................................. 40
Data Warehouse Write Account ............................................................................................................. 43
Action Accounts ...................................................................................................................................... 46
Create Run As Accounts .......................................................................................................................... 51
Discovery and Push Install of the agent .................................................................................................. 51

1. New features in SCOM 2019 UR1
System Center Operations Manager (SCOM) 2019 Update Rollup 1 private preview
supports new features/feature updates that are detailed in the following sections:
• Multi-language installer for SCOM components
• One Click Patching Experience for Management Server
• Distro-agnostic Management Pack for Linux
• Red Hat Enterprise Linux 8 Support
• Performance and Reliability improvements in the Linux agent
• Updates to Azure Management Pack
• Updates to Storage Spaces Direct Management Pack
• Support for Group Managed Service Accounts (gMSA)

2. Multi-language installer for SCOM components


The following components now have a single installer each for all supported languages
instead of language specific installers. The installer will auto-pick the language based
upon the system’s language settings.

• Console
• ACS
• Web Console
• Reporting

3. One Click Patching Experience for Management Server


SCOM 2019 Update Rollup 1 introduces a frictionless way of patching the SCOM
management server.

The improved user interface guides you through the installation steps, which
patch the management server, update the databases and update the management
packs.

Steps to get started with the UI experience:

• Run the file KB4533415-AMD64-Server.exe which is present in the One_Click_UI
folder
• Accept the EULA and wait for the wizard to finish

• Click the ‘Setup Log’ link to open the log
• Click the relevant setup log for more information
• Click the ‘Help’ link to get a list of FAQs. This is not present in the preview but will
be present in the GA build of SCOM 2019 UR1.

You may also use KB4533415-AMD64-Server.msp for an interface-less patching
mechanism such as patching via SCCM. It will also patch the server and update the
databases and management packs.

Recommendation:

It is recommended to update the primary server first.

FAQs:

Please read through this <KB Article> for more details.

• Will the one click patching experience patch the entire SCOM deployment
including the agents?
Answer: No, it’ll only update the management server, databases and
management packs. All other components need to be patched in the existing
manner.
• What will happen in case of a failure at any step?
Answer: The patch will stop at the first point of failure. You will be shown the links
to view the respective logs so that you may fix the issues and execute the patch
again.
In case you’re not using the UI for patching, you may visit the following
locations to view the logs:
Setup Log: C:\Users\<UserName>\Appdata\Local\SCOM\Logs
SQL Logs: <SCOM install directory>\server\SQL Script for Update Rollups\SqlExceptions_{version}.log
MP Import Logs: <SCOM install directory>\server\Management Packs for Update Rollups\ManualMPImport_{version}.log

• I, as an admin, do not have permissions on the databases. How will the patching
work then?
Answer: The patching does not use the admin account.
• Will all the management packs be imported?
Answer: Only the management packs existing in the customer’s environment will
be updated, if an update is available for them.
• Will I be able to uninstall the management server patch?
Answer: Uninstallation of the management server patch will not be supported.

• How do I know that the patch has been successfully applied?
Answer: Navigate to Administration>Operations Manager Products in the SCOM
console and check the ‘Version’ field. Additionally, ‘Update Installed’ and ‘KB
Number’ field will also indicate if a particular component is updated to the latest
version.

4. Distro-Agnostic Management Pack for Linux


As of today, SCOM offers management packs for each supported Linux distribution. This
has led to the existence of several ‘distro and version specific’ management packs which
need regular servicing. Also, with any new Linux distribution support, a new management
pack was being rolled out in the past. The journey to streamline these management
packs and their maintenance starts with SCOM 2019 Update Rollup 1.

The existing universal management packs are being enhanced in SCOM 2019 UR1. Any
new Linux platform support will be made available via these management packs
depending upon the kind of distribution, rpm or deb. These management packs will also
be version and distribution agnostic, which means that for all future Linux platform
support the same management pack will be updated instead of releasing a new
management pack per Linux distribution.

FAQ:

• What Linux platforms will these management packs support?
Answer: These management packs will support discovering and monitoring
RHEL-8 and SLES-15. Any new platforms will also be supported via these
management packs in future.
These management packs will not discover and monitor RHEL-7 and SLES-12.
They will continue to be supported using the existing, respective management
packs for them.

Steps to discover and monitor platforms other than RHEL 7 and SLES 12:

1. Install the 2019 UR1 Server and Console Patch.
2. Import the following MPs from Microsoft System Center 2019 MP for Unix and Linux
Preview.msi:
i. Microsoft.Unix.Library.mp
ii. Microsoft.Linux.Library.mp
iii. Microsoft.Linux.Universal.Library.mp
iv. Microsoft.Linux.Universal.Monitoring.mp
v. Microsoft.Linux.UniversalR.1.mpb (Discover/Monitor RPM distros)
vi. Microsoft.Linux.UniversalD.1.mpb (Discover/Monitor Debian distros)

3. Run Discovery from the Discovery Wizard in Console.

5. Red Hat Enterprise Linux 8 Support


Red Hat Enterprise Linux 8 will be supported from SCOM 2019 UR1 onwards and the
same is a part of this preview.

Please use the universal management pack as outlined in the previous section to
discover and monitor RHEL-8.

To create new workflows or override existing workflows in the universal MP for RHEL-8,
groups with dynamic members can be created.

Steps to Create Groups with Dynamic Members:

i. Go to Authoring Pane, right click on “Groups” and select “Create a new Group” to
open “Create Group Wizard”.

ii. Enter General Properties of Group and then click Next

iii. We don’t intend to add Explicit Members to this group as we also need to add
objects which will be discovered in future, so move to Dynamic Members by
clicking Next and then click on the “Create/Edit rules...” button.
iv. In the “Create Group Wizard – Query Builder” pop-up select “Universal Linux
Computer” and click on “Add”. In the Property select “Universal Linux Computer
Platform” to define the Linux distro to add to the group. Here we are creating a
group which will contain all Red Hat Linux distributions (RHEL-8, RHEL-6 etc.), so
add the value “Red Hat Distribution”. Alternatively, to add SUSE Linux
Enterprise Server distributions (SLES11, SLES15 etc.) add the value “SUSE
Distribution”.

v. If a specific version of a distro needs to be added to this group, then click on
“Insert” and select “AND”

vi. In the Property select “Universal Linux Computer Platform Version” to define the
Linux distro version to add to the group.

vii. Click on “Next” and then click on “Create” to create the group

viii. Discover the distro and then check Group Members by selecting the group and
clicking on “View Group Members...” on the right pane

ix. Now select any workflow which needs to be overridden, right-click on it and
select “Overrides” -> “Override the Rule” -> “For a Group”, then select the
Group and click on “OK”

x. Override the required property and click on “Apply” and then “OK”

6. Performance and Reliability improvements in the Linux agent
To improve reliability, a separate process has been introduced to send the heartbeat.
Earlier, the performance and heartbeat collection threads ran under the same
process context, so any delay in performance data collection affected system
availability.

With this change you can see one extra ‘omiagent’ process running under the ‘omi’ user
during heartbeat collection.

To improve performance, an X-Plat filter variable is being introduced in overrides. You
may override discovery/monitor behavior for the X-Plat MP by introducing SQL queries in
the Filter parameter. This helps restrict monitoring to the entities of interest.

Apart from this, the SCX logging level has also been decreased from Info to Warning to
avoid quickly filling up disk space.

7. Updates to Azure Management Pack


The Azure Management Pack’s Community Tech Preview was made available in October
2019 and will be refreshed shortly to include newer capabilities:

Oct 2019 CTP: https://www.microsoft.com/en-us/download/details.aspx?id=58013

8. Updates to Storage Spaces Direct Management Pack


Please hit this link to try out the Community Tech Preview of the latest in the S2D
Management Pack:

https://www.microsoft.com/en-us/download/details.aspx?id=100782

9. Support for Group Managed Service Accounts


Support for Group Managed Service Accounts (gMSA) is being added in SCOM 2019
UR1 and the same is available as a part of this preview.

As of today Operations Manager makes use of the following accounts:

▪ Action Accounts
o Default Action Account-Management Server Action Account
o Agent Action Account
o GW Server Action Account
o Run As Accounts
▪ System Center Configuration Service and System Center Data Access Service (needs
to be a part of local admin group)
▪ Data Reader Account (for SSRS)
▪ Data Warehouse Write Account (for DW)

▪ Agent Installation Account
o MSAA by default, needs admin rights on the target machines

The following steps outline the changes that the SCOM admin needs to make to use
gMSA. The scope of this document is the usage of gMSA in SCOM, not the creation of
the gMSA accounts. You may refer to this link to learn more about gMSA and their
creation.

Verify that managed service accounts can be used on the machine:

Run the following PowerShell command for each gMSA account. If it returns ‘True’, the
gMSA is ready to be used on the machine.

Test-ADServiceAccount <gMSA_name>

Log-on as a service right


It is important to grant the gMSA the Log on as a service right.

Navigate to Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment

Grant Log on as a service to the gMSA as shown below:

Generate Security Audits

Navigate to Computer Configuration\Windows Settings\Security Settings\Local
Policies\Generate security audits

Grant access to the gMSA accounts to run security audits:

Database Changes
Create the following users and assign the respective roles. These are like the ones usually
done for non-gMSA accounts:

Action Account
System Databases: msdb

In the SQL Server Management Studio, navigate to Databases>System
Databases>msdb>Security>Users

Create a new user

Select the user type as Windows User

Select ‘Entire Directory’ in the locations and ‘Service Accounts’ in the object type

Check names for the action account ‘momActGMSA’ which is the gMSA for Action
Account in the directory

Assign the following roles for the action account:

SQLAgentOperatorRole

SQLAgentReaderRole

SQLAgentUserRole

Operations Manager DB:

In the SQL Server Management Studio, navigate to Databases>Operations Manager
Database>Security>Users

Create a new user

Select the user type as Windows User

Select ‘Entire Directory’ in the locations and ‘Service Accounts’ in the object type

Check names for the action account ‘momActGMSA’ which is the gMSA for Action
Account in the directory

Assign the following roles for the action account:

db_datareader

db_datawriter

db_ddladmin

dbmodule_users

Data Access Service Account


System Databases: msdb

In the SQL Server Management Studio, navigate to Databases>System
Databases>msdb>Security>Users

Create a new user

Select the user type as Windows User

Select ‘Entire Directory’ in the locations and ‘Service Accounts’ in the object type

Check names for the account ‘momDASGMSA’ which is the gMSA for the Data Access
Service Account in the directory

Assign the following roles to the account:

SQLAgentOperatorRole

SQLAgentReaderRole

SQLAgentUserRole

Operations Manager DB:

In the SQL Server Management Studio, navigate to Databases>Operations Manager
Database>Security>Users

Create a new user

Select the user type as Windows User

Select ‘Entire Directory’ in the locations and ‘Service Accounts’ in the object type

Check names for the account ‘momDASGMSA’ which is the gMSA for the Data
Access Service Account in the directory

Assign the following roles to the account:

configsvc_users

db_accessadmin

db_datareader

db_datawriter

db_ddladmin

db_securityadmin

dbmodule_users

sdk_users

sql_dependency_subscriber

OperationsManager DW:

In the SQL Server Management Studio, navigate to Databases>OperationsManager
DW>Security>Users

Create a new user

Select the user type as Windows User

Select ‘Entire Directory’ in the locations and ‘Service Accounts’ in the object type

Check names for the account ‘momDASGMSA’ which is the gMSA for the Data
Access Service Account in the directory

Assign the following roles to the account:

apm_datareader

db_datareader

OpsMgrReader

Data Writer Account


Operations Manager Database:

In the SQL Server Management Studio, navigate to Databases>Operations Manager
Database>Security>Users

Create a new user

Select the user type as Windows User

Select ‘Entire Directory’ in the locations and ‘Service Accounts’ in the object type

Check names for the account ‘momDWGMSA’ which is the gMSA for the Data Writer
Account in the directory

Assign the following roles to the account:

apm_datareader

apm_datawriter

db_datareader

dwsynch_users

OperationsManager DW:

In the SQL Server Management Studio, navigate to Databases>OperationsManager
DW>Security>Users

Create a new user

Select the user type as Windows User

Select ‘Entire Directory’ in the locations and ‘Service Accounts’ in the object type

Check names for the account ‘momDWGMSA’ which is the gMSA for the Data Writer
Account in the directory

Assign the following roles to the account:

apm_datareader

db_datareader

db_owner

OpsMgrWriter

Data Reader Account


System Databases: master

In the SQL Server Management Studio, navigate to Databases>System
Databases>master>Security>Users

Create a new user

Select the user type as Windows User

Select ‘Entire Directory’ in the locations and ‘Service Accounts’ in the object type

Check names for the account ‘momRepGMSA’ which is the gMSA for the Data Reader
Account in the directory

Assign the following role to the account:

RSExecRole

System Databases: msdb

In the SQL Server Management Studio, navigate to Databases>System
Databases>msdb>Security>Users

Create a new user

Select the user type as Windows User

Select ‘Entire Directory’ in the locations and ‘Service Accounts’ in the object type

Check names for the account ‘momRepGMSA’ which is the gMSA for the Data Reader
Account in the directory

Assign the following roles to the account:

RSExecRole

SQLAgentOperatorRole

SQLAgentReaderRole

SQLAgentUserRole

OperationsManager DW:

In the SQL Server Management Studio, navigate to Databases>OperationsManager
DW>Security>Users

Create a new user

Select the user type as Windows User

Select ‘Entire Directory’ in the locations and ‘Service Accounts’ in the object type

Check names for the account ‘momRepGMSA’ which is the gMSA for the Data
Reader Account in the directory

Assign the following roles to the account:

apm_datareader

db_datareader

OpsMgrReader

Report Server Database:

In the SQL Server Management Studio, navigate to
Databases>ReportServer>Security>Users

Create a new user

Select the user type as Windows User

Select ‘Entire Directory’ in the locations and ‘Service Accounts’ in the object type

Check names for the account ‘momRepGMSA’ which is the gMSA for the Data
Reader Account in the directory

Assign the following roles to the account:

db_owner

RSExecRole

Report Server Temp Database:

In the SQL Server Management Studio, navigate to
Databases>ReportServerTempDB>Security>Users

Create a new user

Select the user type as Windows User

Select ‘Entire Directory’ in the locations and ‘Service Accounts’ in the object type

Check names for the account ‘momRepGMSA’ which is the gMSA for the Data
Reader Account in the directory

Assign the following roles to the account:

db_owner

RSExecRole
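The SSMS steps of the Database Changes section, as an added example that is not taken from this guide or from the product: a PowerShell script that creates each gMSA's server login and database users and assigns the roles listed above with T-SQL through Invoke-Sqlcmd (SqlServer module). It assumes a placeholder domain CONTOSO, a placeholder instance SQL01\SCOM hosting all the databases, and the default database names OperationsManager, OperationsManagerDW, ReportServer and ReportServerTempDB.

```powershell
# Added example; not part of the SCOM guide or the product. It scripts the SSMS steps from the
# Database Changes section as T-SQL, run through Invoke-Sqlcmd from the SqlServer module.
# Assumptions (placeholders, adjust before use): domain NetBIOS name 'CONTOSO', one instance
# 'SQL01\SCOM' hosting every database, and the default database names OperationsManager,
# OperationsManagerDW, ReportServer and ReportServerTempDB.
param(
    [string] $Domain      = 'CONTOSO',
    [string] $SqlInstance = 'SQL01\SCOM',
    [switch] $DryRun                       # print the T-SQL instead of executing it
)

# gMSA -> database -> roles, transcribed from this guide. RSExecRole exists only after SSRS has
# been configured against the instance; the other roles ship with SQL Server or with SCOM.
$RoleMap = [ordered]@{
    'momActGMSA' = [ordered]@{                              # Action Account
        'msdb'                = @('SQLAgentOperatorRole', 'SQLAgentReaderRole', 'SQLAgentUserRole')
        'OperationsManager'   = @('db_datareader', 'db_datawriter', 'db_ddladmin', 'dbmodule_users')
    }
    'momDASGMSA' = [ordered]@{                              # Data Access Service Account
        'msdb'                = @('SQLAgentOperatorRole', 'SQLAgentReaderRole', 'SQLAgentUserRole')
        'OperationsManager'   = @('configsvc_users', 'db_accessadmin', 'db_datareader',
                                  'db_datawriter', 'db_ddladmin', 'db_securityadmin',
                                  'dbmodule_users', 'sdk_users', 'sql_dependency_subscriber')
        'OperationsManagerDW' = @('apm_datareader', 'db_datareader', 'OpsMgrReader')
    }
    'momDWGMSA'  = [ordered]@{                              # Data Warehouse Write Account
        'OperationsManager'   = @('apm_datareader', 'apm_datawriter', 'db_datareader', 'dwsynch_users')
        'OperationsManagerDW' = @('apm_datareader', 'db_datareader', 'db_owner', 'OpsMgrWriter')
    }
    'momRepGMSA' = [ordered]@{                              # Data Reader Account (SSRS)
        'master'              = @('RSExecRole')
        'msdb'                = @('RSExecRole', 'SQLAgentOperatorRole', 'SQLAgentReaderRole', 'SQLAgentUserRole')
        'OperationsManagerDW' = @('apm_datareader', 'db_datareader', 'OpsMgrReader')
        'ReportServer'        = @('db_owner', 'RSExecRole')
        'ReportServerTempDB'  = @('db_owner', 'RSExecRole')
    }
}

function New-GmsaLoginScript {
    # A database user of type "Windows user" needs a matching server login; create it if absent.
    param([string] $Login)
    "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Login')`r`n" +
    "    CREATE LOGIN [$Login] FROM WINDOWS;"
}

function New-GmsaRoleScript {
    # T-SQL for one database: create the user for the gMSA if missing, then add each role
    # membership, skipping roles the user already holds so the script can be re-run safely.
    param([string] $Login, [string[]] $Roles)
    $lines = @(
        "IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Login')",
        "    CREATE USER [$Login] FOR LOGIN [$Login];"
    )
    foreach ($role in $Roles) {
        $lines += "IF ISNULL(IS_ROLEMEMBER(N'$role', N'$Login'), 0) = 0"
        $lines += "    ALTER ROLE [$role] ADD MEMBER [$Login];"
    }
    $lines -join "`r`n"
}

function Invoke-GmsaDatabaseSetup {
    param([string] $Domain, [string] $SqlInstance, [System.Collections.IDictionary] $Map, [switch] $DryRun)
    if (-not $DryRun) { Import-Module SqlServer -ErrorAction Stop }
    foreach ($gmsa in $Map.Keys) {
        $login = '{0}\{1}$' -f $Domain, $gmsa       # gMSA SAM account names carry a trailing '$'
        $work  = @(, @('master', (New-GmsaLoginScript -Login $login)))
        foreach ($db in $Map[$gmsa].Keys) {
            $work += , @($db, (New-GmsaRoleScript -Login $login -Roles $Map[$gmsa][$db]))
        }
        foreach ($item in $work) {
            $db, $sql = $item
            if ($DryRun) { "-- $SqlInstance : [$db]`r`n$sql`r`n" }
            else { Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db -Query $sql -ErrorAction Stop }
        }
    }
}

Invoke-GmsaDatabaseSetup -Domain $Domain -SqlInstance $SqlInstance -Map $RoleMap -DryRun:$DryRun
```

Run it once with -DryRun and review the printed T-SQL against the role lists above before executing it for real.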

System Center Data Access Service
The Log On credentials for this service account need to be changed from services.msc.
Before changing the credentials, the gMSA needs to have the log on as a service right
(as described above), needs access to generate security audits (as described above),
and needs to be added to the local administrators group on the machine on which the
management server is installed, as shown below.

Existing data access service account:

Change the account to a gMSA from services.msc

System Center Configuration Service
The Log On credentials for this service need to be changed from services.msc.

Validate that both services are running as the gMSA
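The preparation and the service retarget for the Data Access and Configuration services can be done without services.msc. The following is an added example and not part of the guide: it confirms the host can retrieve the managed password, grants the two user rights through secedit, adds the gMSA to local Administrators, switches the OMSDK and cshost services to it through Win32_Service.Change with an empty password (the programmatic equivalent of the blank password field), and reads back what the Service Control Manager recorded. The gMSA name momSdkGMSA and the domain CONTOSO are hypothetical.

```powershell
# Added example, not from the SCOM 2019 UR1 guide: prepare a gMSA for the
# System Center Data Access (OMSDK) and Configuration (cshost) services and
# retarget both services to it. Assumptions: run elevated on the management
# server; RSAT AD PowerShell is installed; CONTOSO\momSdkGMSA$ (hypothetical)
# already lists this server in PrincipalsAllowedToRetrieveManagedPassword.
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory

$Gmsa     = 'CONTOSO\momSdkGMSA$'
$GmsaSam  = 'momSdkGMSA$'
$Services = 'OMSDK', 'cshost'   # Data Access Service, Management Configuration Service

# 1. The host must be able to pull the managed password from AD; otherwise the
#    service start fails with a logon failure no matter which rights are granted.
if (-not (Test-ADServiceAccount -Identity $GmsaSam)) {
    Install-ADServiceAccount -Identity $GmsaSam
    if (-not (Test-ADServiceAccount -Identity $GmsaSam)) {
        throw "$Gmsa is not usable on $env:COMPUTERNAME; fix PrincipalsAllowedToRetrieveManagedPassword"
    }
}

# 2. Grant 'Log on as a service' (SeServiceLogonRight) and 'Generate security
#    audits' (SeAuditPrivilege). The policy file keys grantees by SID.
$sid = (New-Object System.Security.Principal.NTAccount($Gmsa)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'user-rights.inf'
$sdb = Join-Path $env:TEMP 'user-rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = @(Get-Content $cfg)            # UTF-16 with BOM; Get-Content detects it
foreach ($right in 'SeServiceLogonRight', 'SeAuditPrivilege') {
    $idx = 0..($policy.Count - 1) | Where-Object { $policy[$_] -like "$right =*" } | Select-Object -First 1
    if ($null -eq $idx) {
        # Right not assigned to anyone yet: insert it under [Privilege Rights].
        $hdr = 0..($policy.Count - 1) | Where-Object { $policy[$_] -eq '[Privilege Rights]' } | Select-Object -First 1
        $policy = $policy[0..$hdr] + "$right = *$sid" + $policy[($hdr + 1)..($policy.Count - 1)]
    } elseif ($policy[$idx] -notlike "*$sid*") {
        $policy[$idx] += ",*$sid"         # keep existing grantees, append ours
    }
}
Set-Content -Path $cfg -Value $policy -Encoding Unicode
secedit /configure /db $sdb /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item $cfg, $sdb -ErrorAction SilentlyContinue

# 3. Local Administrators membership, which the guide requires on the management server.
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $Gmsa -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $Gmsa
}

# 4. Retarget the services. An empty StartPassword is what the blank password
#    field in services.msc amounts to: the SCM fetches the managed password itself.
foreach ($name in $Services) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    $r   = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ StartName = $Gmsa; StartPassword = '' }
    if ($r.ReturnValue -ne 0) { throw "Change() on $name failed with code $($r.ReturnValue)" }
    Restart-Service -Name $name
}

# 5. Verify what the SCM now holds, not what the dialog last displayed.
Get-CimInstance Win32_Service -Filter "Name='OMSDK' OR Name='cshost'" |
    Select-Object Name, StartName, State
```

If step 4 succeeds but the service stops immediately with a logon failure, the usual cause is step 1 (the host is not allowed to retrieve the password) or a stale user-rights cache; re-run the check after the secedit import rather than adding further rights.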

Data Reader Account
The data reader account can be changed in two ways:

1. From services.msc

Clear the existing password; otherwise the error ‘Please enter a valid password’ is
raised when the change is applied.

Validate that the SSRS is running with gMSA

2. From Reporting Service Configuration Manager

Select Authentication Type as Service Credentials, which was already set to the gMSA
earlier in the Reporting Services Configuration Manager

For the SSRS Execution Account, continue using a non-gMSA account

The gMSA appears to be accepted by the UI, but generating a report in SCOM then fails.
This is because Reporting Services uses the execution account with an interactive
logon rather than a service logon, and a gMSA can only be used with a service logon.
This behaviour is still to be fixed in SQL Server.

Until then a non-gMSA account needs to be used for the SSRS Execution Account.

Data Warehouse Write Account


SCOM stores the credentials for the Data Warehouse Write account within a Run As
Account called Data Warehouse Action Account.

Change the username to a gMSA. The moment the username is edited the password
field becomes blank.

Once the gMSA user name is entered with a ‘$’ suffix, the password fields are
auto-filled and grayed out

Validate that the monitoringhost.exe uses gMSA credentials for DW Write Account

Action Accounts
In the SCOM Console, navigate to Administration>Run-as configuration>accounts.

Default Action Account

Change the credentials of the default action account to gMSA

Validate that monitoringhost.exe runs as gMSA

Default Action Account Run-as profile
Change the Default Action Account Run-as profile to use the gMSA-based Default
Action Account Run-as account

Data Warehouse Report Deployment Account

Validate that monitoringhost.exe runs as gMSA for reporting
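Every validation step in this section (the two management-server services, SSRS, and the MonitoringHost.exe instances for the Data Warehouse Write, Default Action and Report Deployment accounts) comes down to two questions: which identity does the Service Control Manager hold for each service, and which identities own the running MonitoringHost.exe processes. The script below is an added example, not part of the guide: it answers both from CIM and flags any expected gMSA that is absent. The gMSA names momSdkGMSA, momDwGMSA and momActGMSA and the domain CONTOSO are hypothetical; momRepGMSA is the name the guide uses. SQLServerReportingServices is the SSRS 2017+ service name; older versions register as ReportServer.

```powershell
# Added example, not from the SCOM 2019 UR1 guide: check the identity each SCOM
# component is really running under after the switch to gMSAs. Assumptions:
# runs elevated on the host being checked; the account names below are
# hypothetical and must be replaced with the gMSAs you created.
$ExpectedServiceAccount = @{
    'OMSDK'                      = 'CONTOSO\momSdkGMSA$'   # System Center Data Access Service
    'cshost'                     = 'CONTOSO\momSdkGMSA$'   # System Center Management Configuration
    'SQLServerReportingServices' = 'CONTOSO\momRepGMSA$'   # SSRS 2017+; earlier versions: 'ReportServer'
}
# gMSAs that must appear as owners of MonitoringHost.exe once the Run As
# accounts (DW Write, Default Action, Report Deployment) have been switched.
$ExpectedHostOwners = 'momDwGMSA$', 'momActGMSA$', 'momRepGMSA$'

function Test-ServiceIdentity {
    param([hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "$name : service not present on this host"; continue }
        # StartName is the SCM's record of the logon identity, independent of
        # whatever the services.msc dialog last displayed.
        [pscustomobject]@{
            Service   = $name
            StartName = $svc.StartName
            State     = $svc.State
            OK        = ($svc.StartName -eq $Expected[$name]) -and ($svc.State -eq 'Running')
        }
    }
}

function Get-MonitoringHostOwner {
    # SCOM starts at least one MonitoringHost.exe per Run As identity in use, so
    # the set of process owners is the set of identities it actually logged on with.
    Get-CimInstance Win32_Process -Filter "Name='MonitoringHost.exe'" | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Owner     = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
            IsGmsa    = [bool]($owner.User -and $owner.User.EndsWith('$'))   # '$' suffix = managed account
        }
    }
}

Test-ServiceIdentity -Expected $ExpectedServiceAccount | Format-Table -AutoSize
$hosts = @(Get-MonitoringHostOwner)
$hosts | Format-Table -AutoSize
$seen    = $hosts | ForEach-Object { ($_.Owner -split '\\')[-1] }
$missing = $ExpectedHostOwners | Where-Object { $_ -notin $seen }
if ($missing) { Write-Warning "No MonitoringHost.exe is running as: $($missing -join ', ')" }
```

A MonitoringHost.exe still owned by the old service account after the profile change usually means the Run As profile was updated but the account was never distributed to this management server; fix the distribution rather than restarting the Health Service repeatedly.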

Microsoft Monitoring Agent
To alter the agent action account in the MMA, change the credentials from the target
agent machine.

Create Run As Accounts


While creating a new Run As account, enter the gMSA in the user name field followed by
a ‘$’ sign. Do not fill in any password and continue to create the Run As account
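The same Run As account can be created from the Operations Manager Shell, which is convenient when several gMSAs have to be set up consistently. The block below is an added example and not code from the guide: it builds a credential with an empty password (the shell equivalent of the blank password field), creates the Windows Run As account, restricts its distribution to the management server that needs it, binds it to the Default Action Account profile and reads it back. The names momActGMSA, CONTOSO and OMMS01.contoso.com are hypothetical, and the assumption that the cmdlet accepts the empty gMSA password exactly as the console does is drawn from the UI behaviour described above.

```powershell
# Added example, not from the SCOM 2019 UR1 guide: create a Windows Run As
# account for a gMSA from the Operations Manager Shell and bind it to the
# Default Action Account profile. Assumptions: OperationsManager module loaded;
# gMSA CONTOSO\momActGMSA$ and management server OMMS01.contoso.com are hypothetical.
#Requires -Modules OperationsManager

$GmsaUser = 'CONTOSO\momActGMSA$'     # the '$' suffix is what marks the account as a gMSA
$MsName   = 'OMMS01.contoso.com'
$AcctName = 'gMSA Default Action Account'

# A gMSA has no password an operator can type; an empty SecureString is the
# shell's equivalent of leaving the console's password field blank.
$cred = New-Object System.Management.Automation.PSCredential(
    $GmsaUser, (New-Object System.Security.SecureString))

$acct = Get-SCOMRunAsAccount -Name $AcctName -ErrorAction SilentlyContinue
if (-not $acct) {
    $acct = New-SCOMRunAsAccount -Windows -Name $AcctName `
        -Description 'Default action account (gMSA)' -RunAsCredential $cred
}

# Least privilege on distribution: hand the account only to the management
# server(s) that need it ("more secure") instead of every agent ("less secure").
$ms = Get-SCOMManagementServer -Name $MsName
Set-SCOMRunAsDistribution -RunAsAccount $acct -MoreSecure -SecureDistribution $ms

# Bind it to the Default Action Account profile.
$profile = Get-SCOMRunAsProfile -DisplayName 'Default Action Account'
Set-SCOMRunAsProfile -Action Add -Profile $profile -Account $acct

# Read back: the user name must carry the '$' suffix and the type must be Windows.
Get-SCOMRunAsAccount -Name $AcctName | Select-Object Name, AccountType, UserName
```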

Discovery and Push Install of the agent


When a gMSA is provided during the discovery process, suffix ‘$’ to the user name and
leave the password field blank. The agent should then install without issues on the
target machines.

