There is already a very good deployment guide posted on Microsoft Docs here: https://docs.microsoft.com/en-us/system-center/scom/deploy-overview
The deployment guide provides an excellent walkthrough of installing OpsMgr 2016 for the “all in one” scenario, where all roles are installed on a single server. That is a very good method for doing simple functionality testing and lab exercises.
The following article will cover a basic install of System Center Operations Manager 2016. The concept is to perform a limited deployment of OpsMgr, only utilizing as few servers as possible, but enough to demonstrate the roles and capabilities in OM2016. For this reason, this document will cover a deployment on 3 servers. A dedicated SQL server, and two management servers will be deployed. This will allow us to show the benefits of high availability for agent failover, and the highly available resource pool concepts. This is to be used as a template only, for a customer to implement as their own pilot or POC, or customized deployment guide. It is intended to be general in nature and will require the customer to modify it to suit their specific data and processes.
This also happens to be a very typical scenario for small environments for a production deployment. This is not an architecture guide or intended to be a design guide in any way. This is provided “AS IS” with no warranties, and confers no rights. Use is subject to the terms specified in the Terms of Use.
Server Names\Roles:
- SQL1 SQL Database Services, Reporting Services
- SCOM1 Management Server Role, Web Console Role, Console
- SCOM2 Management Server Role, Web Console Role, Console
Windows Server 2016 will be installed as the base OS for all platforms. All servers will be a member of the AD domain.
SQL 2016 will be the base standard for all database and SQL reporting services.
High Level Deployment Process:
1. In AD, create the following accounts and groups, according to your naming convention:
- DOMAIN\OMAA OM Server Action Account
- DOMAIN\OMDAS OM Config and Data Access Account
- DOMAIN\OMREAD OM Datawarehouse Reader Account
- DOMAIN\OMWRITE OM Datawarehouse Write Account
- DOMAIN\SQLSVC SQL Service Account
- DOMAIN\OMAdmins OM Administrators security group
2. Add the OMAA, OMDAS, OMREAD, and OMWRITE accounts to the “OMAdmins” global group.
3. Add the domain user accounts for yourself and your team to the “OMAdmins” group.
4. Install Windows Server 2016 to all server role servers.
5. Install Prerequisites and SQL 2016.
6. Install the Management Server and Database Components
7. Install the Reporting components.
8. Deploy Agents
9. Import Management packs
10. Set up security (roles and run-as accounts)
Prerequisites:
1. Install Windows Server 2016 to all Servers
2. Join all servers to domain.
3. Install the Report Viewer controls to any server that will receive a SCOM console. Install them from https://www.microsoft.com/en-us/download/details.aspx?id=45496 There is a prereq for the Report View controls which is the “Microsoft System CLR Types for SQL Server 2014” (ENU\x64\SQLSysClrTypes.msi) available here: https://www.microsoft.com/en-us/download/details.aspx?id=42295
4. Install all available Windows Updates.
5. Add the “OMAdmins” domain global group to the Local Administrators group on each server.
6. Install IIS on any management server that will also host a web console:
Open PowerShell (as an administrator) and run the following:
Add-WindowsFeature NET-WCF-HTTP-Activation45,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Request-Monitor,Web-Filtering,Web-Stat-Compression,Web-Mgmt-Console,Web-Metabase,Web-Asp-Net,Web-Windows-Auth –Restart
Note: The server needs to be restarted at this point, even if you are not prompted to do so. If you do not reboot, you will get false failures about prerequisites missing for ISAPI/CGI/ASP.net registration.
7. Install SQL 2016 to the DB server role
- Setup is fairly straightforward. This document will not go into details and best practices for SQL configuration. Consult your DBA team to ensure your SQL deployment is configured for best practices according to your corporate standards.
- Run setup, choose Installation > New SQL Server stand-alone installation…
- When prompted for feature selection, install ALL of the following:
- Database Engine Services
- Full-Text and Semantic Extractions for Search
- Reporting Services – Native
- On the Instance configuration, choose a default instance, or a named instance. Default instances are fine for testing, labs, and production deployments. Production clustered instances of SQL will generally be a named instance. For the purposes of the POC, choose default instance to keep things simple.
- On the Server configuration screen, set SQL Server Agent to Automatic. You can accept the defaults for the service accounts, but I recommend using a Domain account for the service account. Input the DOMAIN\sqlsvc account and password for Agent, Engine, and Reporting. Set the SQL Agent to AUTOMATIC.
- Check the box to grant Volume Maintenance Task to the service account for the DB engine. This will help performance when autogrow is needed.
- On the Collation Tab – you can use the default which is SQL_Latin1_General_CP1_CI_AS
- On the Account provisioning tab – add your personal domain user account and/or a group you already have set up for SQL admins. Alternatively, you can use the OMAdmins global group here. This will grant more rights than is required to all OMAdmin accounts, but is fine for testing purposes of the POC.
- On the Data Directories tab – set your drive letters correctly for your SQL databases, logs, TempDB, and backup.
- On the Reporting Services Configuration – choose to Install and Configure. This will install and configure SRS to be active on this server, and use the default DBengine present to house the reporting server databases. This is the simplest configuration. If you install Reporting Services on a stand-alone (no DBEngine) server, you will need to configure this manually.
- Choose Install, and setup will complete.
- You will need to disable Windows Firewall on the SQL server, or make the necessary modifications to the firewall to allow all SQL traffic. See http://msdn.microsoft.com/en-us/library/ms175043.aspx
- When you complete the installation – you might consider also downloading and installing SQL Server Management Studio Tools from the installation setup page, or https://msdn.microsoft.com/en-us/library/mt238290.aspx
SCOM Step by step deployment guide:
1. Install the Management Server role on SCOM1.
- Log on using your personal domain user account that is a member of the OMAdmins group, and has System Administrator (SA) rights over the SQL instances.
- Run Setup.exe
- Click Install
- Select the following, and then click Next:
- Management Server
- Operations Console
- Web Console
- Accept or change the default install path and click Next.
- You might see an error from the Prerequisites here. If so – read each error and try to resolve it.
- On the Proceed with Setup screen – click Next.
- On the specify an installation screen – choose to create the first management server in a new management group. Give your management group a name. Don’t use any special or Unicode characters, just simple text. KEEP YOUR MANAGEMENT GROUP NAME SIMPLE, and don’t put version info in there. Click Next.
- Accept the license. Next.
- On the Configure the Operational Database screen, enter in the name of your SQL database server name and instance. In my case this is “DB01”. Leave the port at default unless you are using a special custom fixed port. If necessary, change the database locations for the DB and log files. Leave the default size of 1000 MB for now. Click Next.
- On the Configure the Data Warehouse Database screen, enter in the name of your SQL database server name and instance. In my case this is “DB01”. Leave the port at default unless you are using a special custom fixed port. If necessary, change the database locations for the DB and log files. Leave the default size of 1000 MB for now. Click Next.
- On the Web Console screen, choose the Default Web Site, and leave SSL unchecked. If you have already set up SSL for your default website with a certificate, you can choose SSL. Click Next.
- On the Web Console authentication screen, choose Mixed authentication and click Next.
- On the accounts screen, change the accounts to Domain Account for ALL services, and enter in the unique DOMAIN\OMAA, DOMAIN\OMDAS, DOMAIN\OMREAD, DOMAIN\OMWRITE accounts we created previously. It is a best practice to use separate accounts for distinct roles in OpsMgr, although you can also just use the DOMAIN\OMDAS account for all SQL Database access roles to simplify your installation (Data Access, Reader, and Writer accounts). Click Next.
- On the Microsoft Update screen – choose to use updates or not. Next.
- Click Install.
- Close when complete.
- The Management Server will be very busy (CPU) for several minutes after the installation completes. Before continuing it is best to give the Management Server time to complete all post install processes, complete discoveries, database sync and configuration, etc. 10 minutes is typically sufficient.
2. (Optional) Install the second Management Server on SCOM2.
- Log on using your domain user account that is a member of the OMAdmins group, and has System Administrator (SA) rights over the SQL instances.
- Run Setup.exe
- Click Install
- Select the following, and then click Next:
- Management Server
- Operations Console
- Web Console
- Accept or change the default install path and click Next.
- Resolve any issues with prerequisites, and click Next.
- Choose “Add a management server to an existing management group” and click Next.
- Accept the license terms and click Next.
- Input the servername\instance hosting the Ops DB. Select the correct database from the drop down and click Next.
- Accept the Default Web Site on the Web Console page and click Next.
- Use Mixed Authentication and click Next.
- On the accounts screen, choose Domain Account for ALL services, and enter in the unique DOMAIN\OMAA, DOMAIN\OMDAS accounts we created previously. Click Next.
- On the Diagnostic Data screen – click Next.
- Turn Microsoft Updates on or off for SCOM, Next.
- Click Install.
- Close when complete.
3. Install SCOM Reporting Role on the SQL server.
- Log on using your domain user account that is a member of the OMAdmins group, and has System Administrator (SA) rights over the SQL instances.
- Locate the SCOM media. Run Setup.exe. Click Install.
- Select the following, and then click Next:
- Reporting Server
- Accept or change the default install path and click Next.
- Resolve any issues with prerequisites, and click Next.
- Accept the license and click Next.
- Type in the name of a management server, and click Next.
- Choose the correct local SQL reporting instance and click Next.
- Enter in the DOMAIN\OMREAD account when prompted. It is a best practice to use separate accounts for distinct roles in OpsMgr, although you can also just use the DOMAIN\OMDAS account for all SQL Database access roles to simplify your installation. You MUST input the same account here that you used for the OM Reader account when you installed the first management server. Click Next.
- On the Diagnostic Data screen – click Next.
- Turn Microsoft Updates on or off for SCOM, Next.
- Click Install.
- Close when complete.
You have a fully deployed SCOM Management group at this point.
What’s next?
Once you have SCOM up and running, these are some good next steps to consider for getting some use out of it and keep it running smoothly:
1. Fix the Database permissions for Scheduled Maintenance Mode
- The database permissions need to be edited to stop errors and allow Scheduled Maintenance to work:
- https://kevinholman.com/2016/10/22/enabling-scheduled-maintenance-in-scom-2016/
2. Set the Operations Manager Administrators User Role
- Add your OMAdmins Global Group. Ensure you, your team, and the SCOM DAS and Action accounts are members of this group FIRST.
- Remove BUILTIN\Administrators from the Operations Manager Administrators User Role, to secure your SCOM installation.
3. Apply the latest Update Rollup.
- At the time of this blog posting that is UR6. But you should always find and apply the most current CUMULATIVE update rollup.
- Note: Wait at LEAST one hour after installing SCOM 2016, before you attempt applying an update rollup. SCOM continues to deploy components after installation, and we want to allow those to fully deploy before updating.
- https://kevinholman.com/2018/10/31/ur6-for-scom-2016-step-by-step/
4. Set SCOM License.
- By default all SCOM 2016 installations deploy as “180 Day Evaluation”. You need to apply your license key to make sure your production deployments don’t time-bomb.
- https://kevinholman.com/2017/06/29/dont-forget-to-license-your-scom-2016-deployments/
5. Optimize SQL Server for growth and performance
- Pre-size the OpsDB: When we installed each database, we used the default of 1GB (1000MB). This is not a good setting for steady state as our databases will need to grow larger than that very soon. We need to pre-grow these to allow for enough free space for maintenance operations, and to keep from having lots of auto-growth activities which impact performance during normal operations. A good rule of thumb for most deployments of OpsMgr is to set the OpsDB to 50GB for the data file and 25GB for the transaction log file. This can be smaller for POC’s/LAB’s but generally you never want to have an OpsDB set less than 10GB/5GB. Setting the transaction log to 50% of the DB size for the OpsDB is a good rule of thumb.
- Pre-size the Data Warehouse: You will need to plan for the space you expect to need using the sizing tools available and pre-size this from time to time so that lots of smaller autogrowths do not occur. The sizing helper is available at: http://www.microsoft.com/en-us/download/details.aspx?id=29270
- Limit SQL MAX memory reserving memory for the OS.
- Set Power Management plan in OS to “High Performance”
- (Optional) Create a high performance TempDB: (This is already configured by default in SQL 2016) https://technet.microsoft.com/en-us/library/ms175527(v=sql.105).aspx
- (Optional) Optimize MAXDOP: https://support.microsoft.com/en-us/help/2806535/recommendations-and-guidelines-for-the-max-degree-of-parallelism-configuration-option-in-sql-server
- If you have a SQL Always On scenario – the secondary replicas need a SQL script run on them: https://kevinholman.com/2017/08/27/scom-2016-event-18054-errors-in-the-sql-application-log/
6. Set up SQL maintenance jobs.
- Be proactive. Set up your Database Backups, Transaction Log backups, and your Re-index jobs now.
- https://kevinholman.com/2017/08/03/what-sql-maintenance-should-i-perform-on-my-scom-2016-databases/
7. Configure Data Warehouse Retention.
- This should be done up front, don’t wait for the DW to fill your disks with data you aren’t required to keep.
- https://kevinholman.com/2010/01/05/understanding-and-modifying-data-warehouse-retention-and-grooming/
8. Optimize your management servers registry
9. Enable Agent Proxy as a default setting
- I prefer to simply enable agent proxy for all agents. The BEST way to do this is to enable Agent Proxy as a default setting. That way you will never have to mess with this again:
- https://kevinholman.com/2017/03/10/enable-proxy-as-a-default-setting-in-scom-2016/
10. Configure Administration Settings per your requirements:
- Database Grooming
- Automatic Alert Resolution
- Heartbeat configuration (modify only if required)
- Manual Agent Installs (Reject, Review, or Accept)
11. Backup Unsealed Management packs
- You need to set this up so that in case of a disaster, or an unplanned change, you will have a simple back-out or recovery plan that wont require a brute force restore of your databases. I have seen this save many a customer’s bacon when they had this available, and cause them great pain when it wasn’t.
- https://kevinholman.com/2017/07/07/scom-2012-and-2016-unsealed-mp-backup/
12. Deploy an agent to the SQL DB server.
- This process has not changed from OpsMgr 2012, so you would use the typical mechanism to push or manually install. You can also refer to: https://technet.microsoft.com/en-us/system-center-docs/om/manage/managing-discovery-and-agents
- You could also deploy any additional agents at this point.
13. Import management packs.
- https://docs.microsoft.com/en-us/system-center/scom/manage-mp-import-remove-delete
- Using the console – you can import MP’s using the catalog, or directly importing from disk. I recommend always downloading MP’s and importing from disk. You should keep a MP repository of all MP’s both current and previous, both for disaster recovery and in the case you need to revert to an older MP at any time.
- Import the Base OS and SQL MP’s at a minimum.
14. Configure Notifications:
15. Deploy Unix and Linux Agents
16. Configure Network Monitoring
- https://blogs.technet.microsoft.com/kevinholman/2011/07/20/opsmgr-2012-discovering-a-network-device/
17. Configure SQL MP RunAs Security:
- https://kevinholman.com/2010/09/08/configuring-run-as-accounts-and-profiles-in-opsmgr-a-sql-management-pack-example/
- https://kevinholman.com/2016/08/25/sql-mp-run-as-accounts-no-longer-required/
18. Continue with optional activities from the Quick Reference guide:
19. (Optional) Configure your management group to support APM monitoring.
- http://technet.microsoft.com/en-us/library/hh543994.aspx
- Import supporting management packs for IIS 7, 8, and 10, and APM Web for IIS 7, 8, and 10.
20. (Optional) Deploy Audit Collection Services
- http://technet.microsoft.com/en-us/library/hh298613.aspx
- Install the audit collector on a management server, and create a database on a SQL server.
- Upload the reports for ACS, my command is: UploadAuditReports.cmd “SQL1” http://SQL1/ReportServer “c:\acs”
- Create and set a filter:
- http://technet.microsoft.com/en-us/library/hh230740.aspx
- https://kevinholman.com/2017/02/16/how-to-test-your-acs-filter-to-ensure-it-is-valid/
- My initial filter for lab use is: adtadmin /setquery /query:”SELECT * FROM AdtsEvent WHERE NOT (EventId=4768 OR EventId=4769 OR EventId=4624 OR EventId=4634 OR EventId=4672 OR EventId=4776)”
- You will need to grant NETWORK SERVICE full control to the AdtServer registry key to set a filter at the command line: http://social.technet.microsoft.com/Forums/en-US/operationsmanagerreporting/thread/ab22685e-36a1-49a9-b90e-d39ead31901f
21. Learn MP authoring.
- Fragments the fast and easy way with Visual Studio: https://kevinholman.com/2016/06/04/authoring-management-packs-the-fast-and-easy-way-using-visual-studio/
- Download MPAuthor: http://www.silect.com/mp-author/
Kevin, I’m just starting to get more familiar with setting up SCOM monitoring for Linux/UNIX servers and don’t see many Fragments to help with some custom configs for monitoring Processes and Filesystems.
interested in a simple fragment to help identify certain processes by an owner or type (java) and since they are different number of processes on each APP server, I’m not sure how to best setup the logic so that it knows the count on the server and alerts if one process is unavailable. Also for Filesystems we need to identify certain APP related filesystems and alert the APP team when they are reaching predetermined thresholds. any help with these would be greatly appreciated.
I’m a little confused, when installing SCOM with our personal domain account as per the instructions above, all the databases will be owned by this user after the install. What if this user leaves? Should the article be corrected to mention login with an account dedicated for the SCOM install and start the install from there. That way the account will never be tied to a user and the databases will be owned by it? Thanks!
Your first part is correct. However, a dedicated install account is not required. I’ll update the instructions to include a step to switch the database owner to the SDK/DAS account…. which is preferred since that will never go away.
Sounds good – Thanks.
p.s. When installing agents, there is no mention of the domain account to use. For security I’m assuming a temporary domain admin account could be used for doing a -mass discovery agent install-? or is there another preferred method?
Thanks again!
I am a fan of least priv. I don’t use Domain Admin for anything, except domain administration. I use an administrative account that has local admin rights on the servers to be monitored. If you don’t have accounts that have rights to servers, then using a domain admin account is ok. Most customers who administer SCOM do not have access to a Domain Admin account because those should be highly restricted and protected.
Thanks Kevin..!
Hello Kevin,
Thanks for sharing these steps!
I’d like your advice if possible…
I am planning to migrate to SCOM 2016 from SCOM 2012R2 in preparation for SCOM 2019.
In your model, you have 1 SQL server and 2 Management Servers…
Would you recommend the lightweight version from your example or would it make more sense for me to Build the new 2016 Servers to mimic my current configuration described below?
I’ve used the Sizing Tool and if I select the 1000/100 version, Its Minimum Hardware recommendation:
> 2 Management servers (1 for HA).
> 3 SQL Servers. (Operations Database, Operations Data Warehouse, Web Console/SQL Reporting Services)
Any advice you can share is very much appreciated, Thanks!
My current environment goes as follows:
> 1 Virtual SCOM Reporting Server
> 3 Virtual SCOM Management Servers
> 3 Physical SCOM SQL Servers (OperationalDB; DataWarehouse; ACS)
We have approximately,
1000 Agent Monitored Windows devices.
60 Agentless Monitored devices.
25 Unix/Linux devices.
15 Network Devices
100 Active Subscriptions
A follow up to this question… The end goal is to be on SCOM 2019.
From my understanding, I would need to migrate to SCOM 2016 before upgrading to SCOM 2019.
With that said, ‘could I’ or ‘would it make more sense’ to install SCOM 2016 on Windows Server 2019 then Upgrade to SCOM 2019.
Thanks again!
Andy, these questions are far too complex for a blog chat. Feel free to use the contact form which will start an email thread with me – and ask specific direct questions.
Hello Kevin,
Thank you for your blogs, they are very helpful. quick question regarding Windows Servers monitoring in SCOM2016, is there a single management, just like you wrote for SQL, to monitor all windows servers(2008, 2012, 2016, 2019) ?
Thanks
Kash.
No, there are distinct OS MP’s you need, for 2008, 2012, and then 2016+
Thanks for your quick response.
We are preparing an inplace upgrade to SCOM2019, but for now – the first step is to have all OS versions compatible with the new SCOM. So we are first preparing the OSses, as some of them are now still 2012R2. I would prefer to upgrade these to Server 2019, but is this supported with SCOM2016?
No
Hi Kevin,
I’m huge fan, learned so much..Thanks a lot.
We are upgrading our SCOM 2012r2 to 2019. (2012 R2 >2016 > 2019)
Since we are not allowed to do an in-place upgrade we are introducing new 2016 servers in existing SCOM
Then we add them as additional MS and once all the agent routing is configured we will decommission the old ones.
However I have a few challenges.
All our MS’s and DB servers are hosted in x domain which is going to be decommissioned
We would like to add new MS’s from Y domain, however we don’t have trust between these 2.
So when i’m trying to add the MS we are getting access denied error.
Kindly suggest a workaround for this.
I guess we will need to use mixed mode authentication to add the servers from y domain.
However, I’m confused about how to use the SQL account to takeover when we are trying to connect to the SQL DB using the setup. Cause when i’m launching the setup its taking my creds from Y domain, which has no access in X domain.
What you were attempting to do is unsupported. We do not support changing the domain of a management group. You need to build a new SCOM 2019 management group with a new management group name in the new domain.