I recently had the task of enabling monitoring of an Azure Stack Integrated System using System Center Operations Manager.
Below I will go through the process of how this is done and what to consider along the way.
Secondly, you probably don’t need this blog post as the documentation for this process is spot on!
The SCOM bits (MP and Docco) can be found here:
The pre-reqs for my deployment – There are more to consider so you should still RTFM. Also your deployment could differ to mine:
- MAS 1803 or higher – I have 1808
- SCOM 2012 R2 or higher (don’t put the SCOM components on MAS itself…) – I have SCOM 1807
- Internet connectivity from your SCOM console (only for MAS deployed using AAD)
- .NET 4.5 or later on all SCOM Mgmt Servers
- The Azure Resource Manager Admin endpoint certificate must be in the Trusted Roots of the SCOM Management Servers
- Azure Stack PowerShell Modules and Tools from GitHub
- Service Owner credentials
The first 4 items on the list were already met for me so I started at the ARM certificate stage.
Import the PFX of the ARM Admin endpoint (adminmanagement.<region>.<domain>) to your management servers, as this is the endpoint SCOM will use to do its monitoring.
The Trusted Roots on the SCOM servers:
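To confirm the trust prerequisite from each management server before registering, the following PowerShell check connects to the ARM admin endpoint and validates its certificate chain against the machine store. It is an added example, not part of the original post or the management pack documentation; the parameter names are hypothetical and the host is a placeholder you must replace.

```powershell
# Added example: does this SCOM management server trust the ARM admin endpoint certificate?
# -ArmHost is a placeholder; pass your own adminmanagement.<region>.<domain> name.
param(
    [string]$ArmHost = 'adminmanagement.<region>.<domain>',
    [int]$Port = 443
)

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($ArmHost, $Port)
    # Accept any certificate during the handshake so it can be inspected
    # even when it is not trusted yet; trust is evaluated separately below.
    $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($ArmHost, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        $ssl.RemoteCertificate)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

# Build the chain in machine context, because the SCOM services
# rely on the LocalMachine stores rather than the logged-on user's.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
# Assumption: revocation checking is skipped so the result reflects trust only.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($cert)

# The last chain element is the highest certificate that could be resolved.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Thumbprint -eq $top.Thumbprint)

[pscustomobject]@{
    Endpoint        = "${ArmHost}:$Port"
    Subject         = $cert.Subject
    NotAfter        = $cert.NotAfter
    ChainValid      = $chainOk
    TopOfChain      = $top.Subject
    TopInMachineRoot = $inRootStore
    ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

Run it on every server in the resource pool you intend to select later in the wizard; `ChainValid` should be `True` and `ChainStatus` empty on each of them.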
Assuming you’ve met all the other criteria, make sure you install the PS and tools on the SCOM management servers.
The process is very well documented and straightforward so I won't go over that here, but for completeness you can see the modules installed.
Import the Azure Stack MP to SCOM – I am using version 126.96.36.199 which is the most current as of October 2018.
I like to do a visual check before configuring. Under Monitoring we can see the new views and dashboards.
As all good SCOM admins will tell you, check the event viewer for any issues on your management servers.
Once we're happy everything is still humming along nicely, let's register our deployment.
Enter the ARM admin endpoint URL – https://adminmanagement.<region>.<domain>
Next is the authentication mode: User Principal Name or Service Principal Name.
A brief description in the manual highlights the functionality differences between them.
“Microsoft Azure Stack Management Pack supports two authentication scenarios using User Principal Name (UPN) and Service Principal Name (SPN). UPN is simpler to configure, but it does not work when multi-factor authentication is enforced.
On the other hand, SPN works in any environment and allows assigning permissions in a more flexible way. Using a Service Principal allows the Management Pack to be used in environments with multi-factor authentication.”
Even though we don’t have MFA on this deployment (yet) and the UPN is simpler, I decided to use a SPN to register.
We could pre-create the SPN in AAD, but I am opting for the auto creation using the wizard. A little further on you'll be able to see the result of an auto-created SPN, so take a look at that as it might influence your decision here…
Enter the service admin's credentials.
Do as the instructions tell you and record these values somewhere safe…
At this point, I did a visual check in AAD to identify the app registration.
Note the name etc. If you want to manage your naming convention, this might be a reason to register your app manually. This didn't bother me so I decided to continue on…
Choose your resource pool to do the monitoring. These are the SCOM management servers (or gateways) that will be pinging the ARM endpoint and require the certificate in the Trusted Root.
All things being equal you should get the magic green tick after 15 seconds or so.
Go back to the monitoring section and you should see your MAS scale unit getting discovered.
And the same in the new web console.
Checking the alerts view, we see straight away that it reflects the health and alert status from within the Stack Admin portal.
The classes created from the management pack – as with all MPs you import, I suggest you crack it open and have a look at it with MPViewer.exe.
You're probably thinking there must be a catch… Trying to use many of the third-party MPs out there to monitor appliances is often a nightmare and a massive hack. Monitoring MAS from SCOM is very simple!
From here you would set up your subscriptions as per normal SCOM practice…