Wednesday 30 May 2012

System Center 2012 Service Accounts & Permissions

Following on from my first post, which set the scene for what I was trying to achieve with my new test environment (dubbed the Customer Experience Center within Trustmarque!), I promised a post capturing some of the information you might find yourself needing when setting up an environment.

In this post I'll cover the accounts System Center 2012 requires during installation, plus the accounts you need straight afterwards for the base configuration.

All of this information is already out there, but this post pulls it into one central location that is hopefully easier to digest.

All this information of course assumes that you:
  1. Have already drawn up a design for your System Center 2012 infrastructure, with consideration given to components, layout, performance sizing, etc.
  2. Already have all your base VMs and SQL installs done.
  3. Have all the pre-requisites installed.
  4. Know how to install the System Center 2012 components.
If you need more information on points 3 and 4, a further post is coming that lists install guides and PowerShell scripts for installing the pre-requisites.

A couple of tips first though:

Tip #1 - Ensure the account used during install has rights to create databases on the SQL instance(s)/server(s) you specify during installation and can grant security rights on them. The easiest option is to give the account the SQL sysadmin server role for the install and then revoke it afterwards (and make a note to actually do so; an install account left in sysadmin is a standing privilege nobody is watching).
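The grant-then-revoke routine from Tip #1, as an added PowerShell example (this is not code from the original post). It gives the install account the sysadmin server role, verifies the membership, and the same function with -Revoke removes it again and verifies that too. It uses .NET SqlClient directly so it needs nothing beyond PowerShell, and must be run as someone who is already sysadmin on the instance. The instance name SQL01\SC2012 and the account TrustLab\SCInstall are assumptions; substitute your own.

```powershell
# Added example: grant the System Center install account sysadmin for the install,
# revoke it afterwards, and check the result each time.
# $SqlInstance and $InstallAccount below are assumed names.

function Invoke-SysAdminChange {
    param(
        [Parameter(Mandatory=$true)][string]$SqlInstance,
        [Parameter(Mandatory=$true)][string]$InstallAccount,
        [switch]$Revoke
    )

    # The account name is always passed as a parameter, never spliced into the SQL text.
    # CREATE LOGIN cannot take a parameter, so that one statement is built with QUOTENAME.
    $grantSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @acct)
    EXEC ('CREATE LOGIN ' + QUOTENAME(@acct) + ' FROM WINDOWS');
EXEC sp_addsrvrolemember @loginame = @acct, @rolename = N'sysadmin';
"@
    $revokeSql = "EXEC sp_dropsrvrolemember @loginame = @acct, @rolename = N'sysadmin';"
    # 1 = member of sysadmin, 0 = not a member, -1 = the login does not exist at all
    $checkSql  = "SELECT ISNULL(IS_SRVROLEMEMBER(N'sysadmin', @acct), -1);"

    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$SqlInstance;Integrated Security=SSPI;"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        [void]$cmd.Parameters.Add('@acct', [System.Data.SqlDbType]::NVarChar, 128)
        $cmd.Parameters['@acct'].Value = $InstallAccount

        $cmd.CommandText = if ($Revoke) { $revokeSql } else { $grantSql }
        [void]$cmd.ExecuteNonQuery()

        $cmd.CommandText = $checkSql
        $state = [int]$cmd.ExecuteScalar()
    } finally {
        $conn.Close()
    }

    # Fail loudly if the change did not take, rather than assuming it did.
    $expected = if ($Revoke) { 0 } else { 1 }
    if ($state -ne $expected) {
        throw "$InstallAccount sysadmin membership on $SqlInstance is $state, expected $expected"
    }
    "$InstallAccount sysadmin on $SqlInstance : $(if ($Revoke) { 'revoked' } else { 'granted' })"
}

# Before running System Center setup:
Invoke-SysAdminChange -SqlInstance 'SQL01\SC2012' -InstallAccount 'TrustLab\SCInstall'

# Once setup and the first-run configuration have finished:
Invoke-SysAdminChange -SqlInstance 'SQL01\SC2012' -InstallAccount 'TrustLab\SCInstall' -Revoke
```

sp_addsrvrolemember and sp_dropsrvrolemember are used rather than ALTER SERVER ROLE because they work on the SQL Server 2008 R2 instances this environment is built on as well as on 2012. After the revoke, the login itself is left in place on purpose: the components' databases were created by it and some setup routines expect the login to still exist.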

Tip #2 - Using the built-in Local System or Network Service option for the service accounts is the easiest, but I would personally only recommend this for lab/test environments.

Tip #3 - Again, using the same account over and over is easiest, but from a security and risk-mitigation perspective, separate accounts are what I recommend. Using one account for all services, possibly across multiple products, would mean more than one system fails if that account becomes locked out, and a compromise of that one account hands over every product it runs.

Tip #4 - If using domain accounts for the SQL services (and it's recommended), don't forget to ensure the SPNs are registered for them. A SQL service running as a domain account cannot register its own SPNs unless it has write access to its servicePrincipalName attribute, and without them clients silently fall back to NTLM instead of Kerberos.

Tip #5 - Staying on SPNs, ensure the Operations Manager Data Access service account gets its SPNs registered too.
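The SPN checks from Tips #4 and #5, as an added PowerShell example (not code from the original post). setspn -S already refuses to add a duplicate, but querying first with -Q shows you which object currently holds the SPN, which is the usual reason Kerberos to SQL or to the Data Access service fails. The hostnames sql01 and scom01, the domain suffix trustlab.local, the accounts and port 1433 are assumptions for a default SQL instance; the MSSQLSvc and MSOMSdkSvc service classes are the real ones. Run it as someone with write access to the accounts' servicePrincipalName attribute.

```powershell
# Added example: check for and register the SPNs a domain SQL service account and the
# Operations Manager Data Access (SDK) service account need.
# Hostnames, domain suffix, account names and port are assumptions.

function Register-ServiceSpn {
    param(
        [Parameter(Mandatory=$true)][string]$Account,   # DOMAIN\sAMAccountName
        [Parameter(Mandatory=$true)][string[]]$Spn
    )
    foreach ($s in $Spn) {
        # -Q searches the whole forest for this SPN and prints the owning object if found.
        $query = & setspn.exe -Q $s 2>&1
        if ($query -match 'Existing SPN found') {
            Write-Warning "SPN $s is already registered:`n$($query -join "`n")"
            continue
        }
        # -S adds the SPN only after confirming no duplicate exists anywhere in the forest.
        $result = & setspn.exe -S $s $Account 2>&1
        if ($LASTEXITCODE -ne 0) {
            throw "setspn -S $s $Account failed: $($result -join ' ')"
        }
        Write-Output "Registered $s on $Account"
    }
    # List what the account now holds so the end state can be eyeballed.
    & setspn.exe -L $Account
}

# SQL Server, default instance on sql01 listening on 1433 (assumed).
# Both the bare FQDN form and the :port form are needed for a default instance.
Register-ServiceSpn -Account 'TrustLab\SQLSvc' -Spn @(
    'MSSQLSvc/sql01.trustlab.local',
    'MSSQLSvc/sql01.trustlab.local:1433'
)

# Operations Manager Data Access service on management server scom01 (assumed);
# both the NetBIOS and FQDN forms are needed.
Register-ServiceSpn -Account 'TrustLab\SCOMDA' -Spn @(
    'MSOMSdkSvc/scom01',
    'MSOMSdkSvc/scom01.trustlab.local'
)
```

For a named SQL instance the second SPN takes the form MSSQLSvc/fqdn:INSTANCENAME alongside the port form. If -Q reports the SPN on a computer object rather than the service account, the service was previously running as Local System; remove it from the computer object (setspn -D) before re-registering, otherwise Kerberos tickets will be issued for the wrong principal.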

Tip #6 - Rule of least privilege. It's always tempting just to drop the accounts into the local Administrators group, the SQL sysadmin role or, heaven forbid, the Domain Admins group. Hopefully this information will help with assigning the accounts only the privileges they actually require, which will always be best practice.
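A check for Tips #3 and #6 together, as an added PowerShell example (not from the original post): given the service account names, it reports which are disabled or locked out (the "one account, many services" failure) and which sit, directly or through nesting, in a high-privilege domain group. It needs the ActiveDirectory module from RSAT. The account names are the examples used in the tables below; the group list is an assumption, so extend it for your domain.

```powershell
# Added example: audit service accounts for lockout state and privileged group membership.
# Requires the ActiveDirectory module (RSAT). Group list is an assumption.

Import-Module ActiveDirectory

function Get-ServiceAccountAudit {
    param(
        [Parameter(Mandatory=$true)][string[]]$Account,   # sAMAccountNames
        [string[]]$PrivilegedGroup = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )

    # Resolve each privileged group's membership once, recursively, keyed by SID so that
    # membership through a nested group is caught as well as direct membership.
    $privileged = @{}
    foreach ($g in $PrivilegedGroup) {
        $grp = Get-ADGroup -Filter "Name -eq '$g'"
        if (-not $grp) { continue }
        Get-ADGroupMember -Identity $grp -Recursive | ForEach-Object {
            $sid = $_.SID.Value
            if (-not $privileged.ContainsKey($sid)) { $privileged[$sid] = @() }
            $privileged[$sid] += $g
        }
    }

    foreach ($name in $Account) {
        $u = Get-ADUser -Filter "SamAccountName -eq '$name'" -Properties LockedOut, PasswordNeverExpires, ServicePrincipalNames
        if (-not $u) {
            New-Object PSObject -Property @{
                Account = $name; Exists = $false; Enabled = $null; LockedOut = $null
                PasswordNeverExpires = $null; PrivilegedGroups = $null; SpnCount = $null
            }
            continue
        }
        New-Object PSObject -Property @{
            Account              = $name
            Exists               = $true
            Enabled              = $u.Enabled
            LockedOut            = $u.LockedOut
            PasswordNeverExpires = $u.PasswordNeverExpires
            # Empty string here is the desired state for a service account.
            PrivilegedGroups     = ($privileged[$u.SID.Value] -join ', ')
            SpnCount             = @($u.ServicePrincipalNames).Count
        }
    }
}

Get-ServiceAccountAudit -Account @(
    'SCVMMSA', 'SCVMMHVHost', 'SCCMNA', 'SCCMCP', 'SCOMAA', 'SCOMDA', 'SCSMSA', 'SCSMWF', 'SCORCHSA'
) | Select-Object Account, Exists, Enabled, LockedOut, PasswordNeverExpires, PrivilegedGroups, SpnCount |
    Format-Table -AutoSize
```

Anything with a non-empty PrivilegedGroups column is a candidate for the tables below: none of the accounts listed there needs more than local admin on a specific server, and most need less.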

Below are a series of tables with example account names, their purpose and the permissions they require.
I've used the domain TrustLab in this example, so all accounts are in the format <DomainName>\<AccountName>.
As I say, these are examples only; use your own naming conventions for service accounts.

Virtual Machine Manager Accounts

TrustLab\SCVMMSA
  Purpose: SCVMM service account
  Permissions: Local admin rights on the VMM server.

TrustLab\SCVMMHVHost
  Purpose: Adding Hyper-V hosts to VMM
  Permissions: Local admin rights on the target Hyper-V server.

TrustLab\SCVMMOMCon
  Purpose: SCVMM to SCOM connector account
  Permissions: SCOM Administrator role; SCVMM Administrator role.

TrustLab\DomJoin
  Purpose: Domain-joining account used in templates for VM deployment
  Permissions: Do not grant the account interactive logon rights.
    Use Delegate Control in AD, scoped to the OU the computer objects are created in rather than the domain root:
    • Computer objects (descendants): Reset Password; Validated write to DNS host name; Validated write to service principal name; Read/Write Account Restrictions
    • This object and all descendant objects: Create/Delete Computer Objects

Configuration Manager Accounts

TrustLab\SCCMNA
  Purpose: SCCM Network Access Account
  Permissions: Requires the "Access this computer from the network" right on the distribution points, and the minimum rights needed to read content on them.

TrustLab\DomJoin
  Purpose: Domain-joining account used within task sequences to join the OS to the domain
  Permissions: Do not grant the account interactive logon rights.
    Use Delegate Control in AD, scoped to the OU the computer objects are created in rather than the domain root:
    • Computer objects (descendants): Reset Password; Validated write to DNS host name; Validated write to service principal name; Read/Write Account Restrictions
    • This object and all descendant objects: Create/Delete Computer Objects

TrustLab\SCCMCP
  Purpose: SCCM Client Push Account
  Permissions: Do not grant the account interactive logon rights. Must be a local admin on the target devices you push clients to.

TrustLab\SCCMRA
  Purpose: SCCM Reporting Services Point Account
  Permissions: The account is granted the rights it needs if chosen as a new account during Reporting Services Point creation from the console.

N.B. There are FAR too many accounts to realistically list for ConfigMgr; please refer to the link above for a full breakdown. Listed here are the most common ones needed for the base install.
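The domain-join delegation that both the VMM and ConfigMgr tables above describe for TrustLab\DomJoin, as an added PowerShell example (not from the original post). It grants exactly the listed rights on one OU with dsacls.exe (part of the AD DS tools) and then dumps the resulting ACEs so the delegation can be verified. The OU is an assumption; point it at the OU your templates and task sequences create computer objects in. The two validated-write entries use the display names the Delegation of Control wizard shows; if your dsacls build rejects those names, the wizard grants the same rights.

```powershell
# Added example: delegate the domain-join rights from the tables to one OU and verify them.
# $ou is an assumption; $account is the example name from this post.

$ou      = 'OU=Servers,DC=TrustLab,DC=local'
$account = 'TrustLab\DomJoin'

# dsacls inheritance switches and permission codes used below:
#   /I:T  this object and all descendants   (create/delete computer objects in the OU)
#   /I:S  descendant objects only           (rights on the computer objects themselves)
#   CC/DC create/delete child   CA control access right   WS validated (self) write
#   RP/WP read/write property
$grants = @(
    @{ Inherit = '/I:T'; Right = "${account}:CCDC;computer" },
    @{ Inherit = '/I:S'; Right = "${account}:CA;Reset Password;computer" },
    @{ Inherit = '/I:S'; Right = "${account}:WS;Validated write to DNS host name;computer" },
    @{ Inherit = '/I:S'; Right = "${account}:WS;Validated write to service principal name;computer" },
    @{ Inherit = '/I:S'; Right = "${account}:RPWP;Account Restrictions;computer" }
)

foreach ($g in $grants) {
    $out = & dsacls.exe $ou $g.Inherit /G $g.Right 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed for '$($g.Right)': $($out -join ' ')"
    }
    Write-Output "Granted $($g.Right)"
}

# Verify: show only the ACEs on the OU that apply to the domain-join account,
# with the three lines of detail dsacls prints under each one.
& dsacls.exe $ou | Select-String -SimpleMatch $account -Context 0,3
```

Note that none of this touches logon rights: the "do not grant interactive logon" line in the tables is enforced separately, with the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights in Group Policy applied to the account.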

Operations Manager Service Accounts

TrustLab\SCOMAA
  Purpose: SCOM Action Account
  Permissions: Local admin (NOT Domain Admin).

TrustLab\SCOMDA
  Purpose: SCOM Data Access Account
  Permissions: Local admin.

TrustLab\SCOMDR
  Purpose: SCOM Data Warehouse Read Account
  Permissions: Setup assigns read access to the Data Warehouse DB. Best practice is to make sure the account has a SQL login before installation.

TrustLab\SCOMDW
  Purpose: SCOM Data Warehouse Write Account
  Permissions: Setup assigns read access to the Operational DB and write access to the Data Warehouse DB. Best practice is to make sure the account has a SQL login before installation.

N.B. Always use the same Action Account and Data Access Account on each Management Server you deploy.
N.B. This list does not cover Run As accounts for management packs such as the SQL or AD MPs. Please refer to the applicable management pack guide for details/requirements.

Service Manager Service Accounts

TrustLab\SCSM Admins (this is a group, not an account)
  Purpose: Management group administrators
  Permissions: The account used to run setup must be able to add users to this group, as setup will try to add the installing user to it automatically.

TrustLab\SCSMSA
  Purpose: SCSM Service Account
  Permissions: Local admin on the SCSM server(s). Must be the same account on the DW and MS servers.

TrustLab\SCSMRA
  Purpose: SCSM Reporting Account
  Permissions: Nothing specific; it will be granted rights in SQL during install.

TrustLab\SCSMAS
  Purpose: SCSM Analysis Services Account
  Permissions: Nothing specific; it will be granted rights in SQL during install.

TrustLab\SCSMWF
  Purpose: SCSM Workflow Account
  Permissions: Normal user permissions, but it must have a mailbox and send permissions for notifications. Manually add the account to Service Manager Administrators after install if it is not already present.

N.B. I haven't listed the accounts used for setting up SharePoint, which will be needed when installing a SharePoint instance dedicated to the Self Service Portal, as I am not a SharePoint expert and would recommend seeking dedicated SharePoint best-practice advice for that.

Service Manager Connector Accounts

TrustLab\SCSMADCON
  Purpose: Active Directory connector account
  Permissions: AD read; Advanced Operator in Service Manager.

TrustLab\SCSMOMCICON
  Purpose: SCOM CI connector account
  Permissions: Operations Manager - Operator; Service Manager - Advanced Operator.

TrustLab\SCSMOMALCON
  Purpose: SCOM Alert connector account
  Permissions: Operations Manager - Administrator; Service Manager - Advanced Operator.

TrustLab\SCSMCMCON
  Purpose: SCCM connector account
  Permissions: SCCM SQL DB - smsdbrole_extract and db_datareader roles; Service Manager - Advanced Operator.

TrustLab\SCSMSCOCON
  Purpose: SCORCH connector account
  Permissions: Read Properties, List Contents and Publish permissions on the root Runbook folder and all child objects. Grant these via the Runbook Designer.

TrustLab\SCSMVMMCON
  Purpose: SCVMM connector account
  Permissions: SCVMM Administrator; local admin on the VMM server; Service Manager - Advanced Operator.

Orchestrator Service Accounts

TrustLab\SCORCHSA
  Purpose: Orchestrator Management Service
  Permissions: Recommended to be a domain account. No special permissions required other than those the installer assigns during installation.

TrustLab\SCORCHSA
  Purpose: Orchestrator Runbook Service
  Permissions: Recommended to be a domain account so that, if runbooks require access to remote resources, rights can be granted to this account.

TrustLab\SCORCHSA
  Purpose: Orchestrator Runbook Server Monitor Service
  Permissions: Same account as the Orchestrator Management Service, and the same rights required.

N.B. As is common with most deployments of Orchestrator, if you install the Management Server and Runbook Server components at the same time on the same server, they will both use the same service account.
N.B. To deploy an Integration Pack (IP) to a Runbook Designer, ensure the account running the Deployment Manager has local admin rights on the target, otherwise you will get Access Denied.

Part 2 - Service Accounts & Permissions

Part 3 - Installation Guide Links
Part 4 - Partner Solutions & Extensions

Friday 25 May 2012

It's all gone a bit quiet...

Well the blog may have gone a bit quiet, but my life certainly hasn't been hence the lack of posts.

Since coming back from MMS @ Vegas I've been frantically tying up loose ends at work, preparing the new Customer Experience Environment with all the RTM versions, prepping it ready for our customer event (which was a huge success with people queueing up to talk to me about System Center!), demoing and presenting at the event and now I've just finished a series of Webinars on various System Center 2012 components and the Private Cloud in general at a pace of 2 a day for the last week.

In between all this I've had to fit calls in with customers and complete documentation and reports.


I'd like to say it's going to be quieter for the next couple of weeks, but with my diary being stacked I know it won't be. I'm going to deliberately make some more time, though, so I can wrap up some of the following:

  1. Finish the blog posts regarding Building the Private Cloud Customer Experience Center with System Center 2012
  2. Get some work done on my chapters for an upcoming book
  3. Finish and release an updated Asset Management pack for SCSM 2012
  4. Record the presentations I've just done this week on System Center 2012 and the Private Cloud and upload them for all to see

Friday 11 May 2012

Service Manager Telephony Integration

All I can say is wow.

Signature Consultancy have released a killer feature addition to Service Manager, Telephony Integration.

I've had customers ask about this feature as a comparison against other service desk solutions and always had to advise that it wasn't possible, but now it is!!

SMTI provides hooks into your IPT system, identifies the incoming caller and then provides the ability to quickly list and see details surrounding open calls for that user.

The features don't stop there though, you can also log a "quick" incident straight from SMTI without having to go back to the full console.

I'm not sure how/if I could put this into my demo environment but as soon as I get chance I'll certainly try to take a deeper look.

For further information either download the trial from the Signature website or contact them for further information.

Thursday 10 May 2012

Building the TESG Private Cloud Customer Experience Centre - Part 1

Every year my employer holds an event for customers (and potential new customers) to showcase what we do and give customers a chance to meet our partner vendors.

This year, nicely coinciding with just after the System Center 2012 release, I landed the brilliant job of setting up something to demonstrate our System Center and Desktop expertise.

And so the concept of the Private Cloud and Optimised Desktop Customer Experience Centre was born.

The goal?
  1. To showcase the full System Center 2012 suite
  2. To showcase the interactions of each component and how they drive efficiencies
  3. To showcase an elastic and easily scalable datacentre that can flex into the Public Cloud
  4. To showcase the dynamic desktop with OS, Data, User and Application layers abstracted
  5. To showcase BYOD and specifically desktop/application access on tablet devices

Over a couple of blog posts I'll aim to share some of the planning, thoughts and tips & tricks that went into building it.
What I'll not be doing is guides on how to install the different components as there are plenty of them out there, but I will post links to some relevant good guides.

My original test lab was made up of a couple of HP ProLiant DL380 G7s with some shared space pinched off the corporate SAN, but as this was going to need to host a lot more, and it would need to be "slightly" portable for attending events like the T360, it was time to purchase some upgrades:
  1. More memory. Upgrade from 64 GB per host to 128 GB.
  2. Dedicated storage. An iSCSI SAN that would also allow me to show some of the VMM storage management features (N.B. more details on this later, plus some pitfalls to watch out for!).
  3. Dedicated switches. To show SCOM network management and keep the environment self-contained.
  4. More NICs. The original environment only had 4 onboard NICs, which wasn't good enough.
  5. A flight case to rack it all in to make it portable (kind of!).
Now that might sound slightly overkill for a test/demo environment.  However, I have a laptop which is quite capable of showing 2-3 of the System Center products at the same time, but this Customer Experience Center had to host the following:
  • Active Directory
  • Virtual Machine Manager
  • Operations Manager
  • Service Manager
  • Configuration Manager
  • Data Protection Manager
  • Orchestrator
  • App Controller
  • SQL Server 2008 R2
  • SharePoint Enterprise Server
  • Exchange
  • Lync
  • Forefront UAG
  • Forefront TMG
  • File Servers
  • XenDesktop Mgt Server
  • XenDesktop VDI Desktops
  • XenApp Mgt Server
  • XenApp App Servers
  • Remote Desktop Session Hosts
  • Remote Desktop Broker/Gateway/Licensing
  • RDS/Hyper-V VDI Desktops
  • Dedicated Win 7 Admin Workstations
  • Citrix NetScaler VM Appliance
  • App-V Sequencer Workstations
When you consider that all of this needs to be up and running at the same time, my laptop just wasn't going to cope!

So far this has spread out across 34 VMs and there's still more to come...

This is a quick example diagram that I drew up to show the Hyper-V layout

Once all the hardware components were installed and racked then Hyper-V was the first thing to tackle and all I can say is thank god for Aidan Finn and his blog:

Lots of useful posts, for example:

I'm going to leave the rest for the next post, but I just want to mention something that came to light when I installed the first System Center component, Virtual Machine Manager.

This is a logical first place to start if you've got the chance to build a private cloud from scratch like I have as you can implement Service Templates for deploying your VM's to help structure the environment and provide servicing and scale out options.

However, I hit a problem almost straight away, I struggled to get it to see my storage provider.

Originally I was ordering a Dell EqualLogic iSCSI SAN for the environment, but due to certain disks not being available and increased costs for alternatives, it was suggested I look at a DotHill AssuredSAN 2332.

The first thing I did was check that it supported the SMI-S protocol, which it did, as this is what VMM requires for the new storage features.
However, when trying to set it up in VMM, it soon came to light that it only supported SMI-S 1.3, whereas VMM requires version 1.5.

So lesson learnt, make sure that when checking specifications, especially SAN's that you check in detail, right down to the version number!

There is a useful table (I found this afterwards!) that details the supported arrays:

Part 1 - Building the TESG Private Cloud Customer Experience Centre
Part 3 - Installation Guide Links
Part 4 - Partner Solutions & Extensions

Tuesday 8 May 2012

Updated Update Rollup 1 for System Center 2012

No sooner do I finish pushing out my SCOM agents than I see that Microsoft have released Update Rollup 1 for Operations Manager.

Normally I'd be quite happy and plod along with getting the update installed, but hang on a second, this update looks very familiar.

The article that I saw referenced in the update announcement is KB2686249, the same one that I blogged about here a couple of weeks ago.

In fact, it is the very same update, just with Operations Manager 2012 added, along with the updated Virtual Machine Manager Management Packs.

Now I'm not one to moan (yeah, I'm not going to get away with that statement!) but updating an update without increasing the rollup/update number isn't exactly the best way to go about it in my opinion.  Does this mean when the ConfigMgr update is ready we'll see yet another addition to the Update Rollup 1 package but with no name change?

The only reason this probably half bothers me is that I'm in the middle of setting up my new test lab/customer experience center for work. Having just updated VMM and App Controller by using Windows Update for a change, rather than pulling the file down manually, I'm now a bit perplexed that Windows Update is unable to find the SCOM update for the console installed on my VMM server (not that it finds it for the SCOM management server via WU either).

And then to make matters worse, there's a "known issue" with the update:
  • No update items appear in Control Panel Add/Remove Programs (ARP) after installing Update Rollup 1 (UR1). After installing UR1 on a server and all roles (except Agent and Gateway), no update item appears in the Control Panel ARP list.
  • The version number of the console does not change in the UI after installing Update Rollup 1: it is still 7.0.8560.0.
  • Why is this a problem? Well, if you were planning to distribute the console update via ConfigMgr, you're going to have to fall back to file version checking for targeting, and it makes verification that tad harder when you can't simply ask a user to check their console version under Help > About.

I'm not going to blog about the whole installation order/methodology as Kevin Green has already written this up nicely here:

One thing he doesn't mention, though, is that after installing the Web Console fix the following element needs to be added to the web.config file.

From the KB article:
Web console fixes will work after adding the following line to the %windir%\Microsoft.NET\Framework64\v2.0.50727\CONFIG\web.config file:

<machineKey validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>

The line should be added under <system.web>, as described in the following Microsoft Knowledge Base article:
KB911722: You may receive an error message when you access ASP.NET Web pages that have ViewState enabled after you upgrade from ASP.NET 1.1 to ASP.NET 2.0
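The edit the KB describes, as an added PowerShell example (not part of the original post or the KB). It backs up the machine-wide web.config, adds the <machineKey> element under <system.web> only if one is not already there, and uses exactly the attribute values the KB gives. The path is the one from the KB; run it from an elevated prompt on the Web Console server.

```powershell
# Added example: add the KB's <machineKey> element to the .NET 2.0 x64 machine-wide
# web.config, with a backup first, and safe to run more than once.

$webConfig = Join-Path $env:windir 'Microsoft.NET\Framework64\v2.0.50727\CONFIG\web.config'

if (-not (Test-Path $webConfig)) {
    throw "web.config not found at $webConfig"
}

# Keep a timestamped copy so the change can be backed out.
$backup = "$webConfig.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $webConfig -Destination $backup

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true   # keep the file's existing layout intact
$xml.Load($webConfig)

$systemWeb = $xml.SelectSingleNode('/configuration/system.web')
if ($null -eq $systemWeb) {
    throw "No <system.web> section found in $webConfig"
}

# Idempotency check: a second <machineKey> under <system.web> is a configuration
# error that stops ASP.NET loading the file at all, so bail out if one exists.
$existing = $systemWeb.SelectSingleNode('machineKey')
if ($null -ne $existing) {
    Write-Output "machineKey already present, nothing changed: $($existing.OuterXml)"
    return
}

$machineKey = $xml.CreateElement('machineKey')
$machineKey.SetAttribute('validationKey', 'AutoGenerate,IsolateApps')
$machineKey.SetAttribute('decryptionKey', 'AutoGenerate,IsolateApps')
$machineKey.SetAttribute('validation',    '3DES')
$machineKey.SetAttribute('decryption',    '3DES')
[void]$systemWeb.AppendChild($machineKey)

$xml.Save($webConfig)
Write-Output "Added <machineKey> to $webConfig (backup: $backup)"
```

Because the keys are AutoGenerate, they are generated per machine. That is fine for a single Web Console server, but if Web Console servers are ever placed behind a load balancer, ViewState and forms-authentication tickets issued by one server will not validate on another, and explicit shared key values would be needed instead.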
All in all, there are 17 core updates to SCOM, 3 for Unix/Linux monitoring and a lovely new feature, Oracle Solaris 11 (x86 and SPARC) support, included in this updated update, so it's definitely one to go and install.

The VMM and App Controller update parts are available either through Windows Update or from here:

The Operations Manager update packages can be downloaded from here:

Orchestrator Install Problem

I've just spent a couple of "fun" hours fighting with getting System Center 2012 Orchestrator installed.

This was even more annoying than most failed software installs, as I've not had a problem installing SCORCH in the past, but this time it failed almost straight away.

Each time I went through the install, changing various options as I went, even rebuilding the OS from scratch in case a Windows update was messing it about, I hit the same error:

MSI (s) (90:90) [07:22:09:721]: MainEngineThread is returning 1639
Info 1639.Invalid command line argument. Consult the Windows Installer SDK for detailed command line help.

It took me a while to cotton on to what was causing this, but just to save someone else the time: watch out for complex passwords. You can't have a password that contains a " in it, otherwise it causes this problem, as the installer passes the password along in the silent install string for the MSI, which interprets it as the beginning of a quoted argument on the command line.

So if I put the " back into the command line, this is what the SCO ManagementService MSI was trying to run:

Command Line: REPORTINGLEVEL=2 MYUSERNAME=TRUSTLAB\SCORCHSA MYPASSWORD=******"*** INSTALLDIR=C:\Program Files (x86)\Microsoft System Center 2012\Orchestrator REBOOT=ReallySuppress CURRENTDIRECTORY=C:\Users\SCORCHAdmin\AppData\Local\Microsoft System Center 2012\Orchestrator CLIENTUILEVEL=3 MSICLIENTUSESEXTERNALUI=1 CLIENTPROCESSID=3068