Question: SCVMM and SCOM 2012 Integration Issues

  • Thursday, April 12, 2012 10:34 PM
     
     
    Hello, I have integrated SCOM 2012 RTM and SCVMM 2012 RTM and am having lots of issues that were not present with 2007/2008 family integration.  For starters, my SCOM environment manages multiple untrusted domains, etc.  When enabling VMM integration I now get hundreds of alerts about "Unable to verify Run As Account", stating that it cannot log in as the VMM service account for all clients that don't live in the same domain as the SCVMM server.  For starters, why do my physical servers and all VMs need to be distributed with this account?  The alert is also expected logically, because it is impossible to distribute a Run As account to every agent in a multi-domain untrusted environment.  Also, according to this configuration, the Virtual Machine Manager Connection Account created in SCOM is set to less secure (distributed to all agents), which is why the alert is coming up; additionally, the less secure setting is typically bad practice.  Why does SCVMM do this by default?  Can it be changed?  What are the options here?  It seems to me only the SCOM management server should need this Run As account, not every agent?  Thoughts on this?  Thanks!
    • Edited by bcehr Thursday, April 19, 2012 1:08 AM

All Replies

  • Tuesday, April 24, 2012 3:28 PM
     
     
    I'm running into the same thing. Can this Run As account be safely set to 'More secure' and added only to the SCOM server?
  • Monday, April 30, 2012 12:53 PM
     
     
    Looking at the Profile for the Account in SCOM, it says "This profile is used to connect to Virtual Machine Manager management server."  So I've changed this to a more secure distribution and limited it purely to the RMS and the VMM Server.  But I can't find any info as to whether or not this is acceptable.
  • Tuesday, May 01, 2012 9:42 AM
    Moderator
     
     

    Hi

    I did open a connect item on this some time ago - not sure if you'll be able to view it:

    https://connect.microsoft.com/site799/feedback/details/719132/virtual-machine-manager-connection-account-for-scom-integration-is-scoped-at-all-targets

    In case you can't view it, the response was - "we need this for PROTip to work (only the remediation part). If PROTip remediation is not intended, then the user can change it to more secure. "

    I can confirm that I have changed this setting to "More Secure" and it does work.

    Cheers

    Graham


    Regards Graham New System Center 2012 Blog! - http://www.systemcentersolutions.co.uk
    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/

  • Tuesday, May 01, 2012 12:42 PM
     
     
    Graham, thanks for posting that info (I don't have access to that part of Connect so I couldn't find it).  Just to confirm, this wasn't required for 2008, but is a new requirement in 2012, correct (we had integration working in 2008 R2 without these types of problems)?  Many of my Hyper-V VMs are in workgroups and untrusted domains (which causes problems here); according to the requirement for the Run As account, it looks like PRO Tips is only supported for domain systems?
  • Tuesday, June 12, 2012 4:28 PM
     
     

    You can set the Account to be more secure and add your OM Management servers and VMM Server to it.

    If your PRO MP remediation needs to run from any other computer (in a trusted domain), you will also need to add those to the list.

    thanks,
    Chetan


    [Disclaimer] This posting is provided "AS IS" with no warranties, and confers no rights. User assumes all.
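    The change Chetan describes above (switch the Run As account to "More Secure" and distribute it only to the Operations Manager management servers and the VMM server), written out as an added PowerShell example. This is not code from the thread or from Microsoft; it assumes the SCOM 2012 OperationsManager module is loaded on a management server, that the account is named "Virtual Machine Manager Connection Account" as the original post states, and that the VMM server FQDN below is a placeholder you replace with your own.

```powershell
# Added example, not from this thread: scope the VMM connection Run As account
# to the SCOM management servers plus the VMM server's own agent, instead of
# the default "Less secure" distribution to every agent.
Import-Module OperationsManager

$vmmServerFqdn = "vmm01.contoso.local"   # placeholder: FQDN of your SCVMM server

# Account name as used in the thread; adjust if yours differs.
$account = Get-SCOMRunAsAccount -Name "Virtual Machine Manager Connection Account"
if (-not $account) { throw "Run As account not found; check the name in the Operations console." }

# Only the systems that must hold the credential: all management servers
# and the health service on the VMM server.
$managementServers = Get-SCOMManagementServer
$vmmAgent = Get-SCOMAgent -DNSHostName $vmmServerFqdn
if (-not $vmmAgent) { throw "No SCOM agent found for $vmmServerFqdn; it must be agent-managed." }

$targets = @($managementServers) + @($vmmAgent)

# Switch to "More secure" with an explicit distribution list. Agents not in this
# list will no longer receive the credential, so they stop raising the
# "Unable to verify Run As Account" alerts described in the thread.
Set-SCOMRunAsDistribution -RunAsAccount $account -MoreSecure -SecureDistribution $targets

# Verify the resulting distribution before closing the change.
Get-SCOMRunAsDistribution -RunAsAccount $account | Format-List *
```

    If PRO remediation has to run from additional machines in a trusted domain, append their agents to `$targets` before calling `Set-SCOMRunAsDistribution`, as the reply above notes. Each system on the list must be able to log on with the account, so keep the list to what the VMM connection actually needs.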

  • Wednesday, July 11, 2012 7:53 PM
     
     

    Chetan, what about SCOM Gateway Servers (in untrusted domains).  I attempted to do what you described, but now I get the following error for all my SCOM Gateway servers:

    System Center Management Health Service Credentials Not Found Alert Message
    An account specified in the Run As profile "Microsoft.SystemCenter.VirtualMachineManager.2012.VMMServerConnectionRunAsProfile" cannot be resolved.

    If I attempt to add the Gateway servers into the Run As Account (More Secure list), then I get the "Run As Account Could Not Log On", which I am sure is because of the untrusted domain scenario.

    How do I solve for this scenario without causing all my Gateway servers to throw alerts?  Thanks!