locked
Sharepoint 2010 MP for SCOM 2007 R2 - issues with monitoring account RRS feed

  • Question

  • I've just started testing this MP. I have a couple of questions I hope someone can help me with.

    First off, it is recommended to have only one SP2010 Farm per SCOM environment. However I'll have 4 of them (3 for PRD and 1 for ACC). What kind of issues will I likely run into if I don't follow the recommendation in the MP guide?Will I really have to set up 3 more SCOM Management Groups just for SP2010 monitoring?

    It is also recommended to use the original SP2010 Farm admin service / Installation account for the monitoring. However, because of the multi-farm setup I would like to have a more generic service account for monitoring. If I setup this new account, give it Farm Admin and SQL DB Admin rights, the OM eventlog gives me an error stating that it can't figure out which farm any server (I listed in the .config file) is associated with. (it actually refers to the guide.. which doesn't even have a troubleshooting section... )

    So what more rights / settings do I need to set to an monitoring account, in order for it to work?

    Thanks for any input!

    kind regards, Pieter

     

    Monday, September 27, 2010 9:24 AM

Answers

  • Nicholas,

    could you please be more specific? I've read the documentation front to back, but there's nothing in there on the questions I'm asking. I've even mentioned that the references in the eventlog alert to the documentation are bogus, there is no troubleshooting section in the documentation.

    I realize that I'm asking questions on subjects that are outside the recommended MS settings, but using a separate monitoring account and / or monitoring multiple farms is not that exotic that it can not (should not) be done.

    I've opened a case with MS PS on this, if I get any info from there I'll post it here. I'm sure it will help others who want to monitoring SP2010 with SCOM

    Kind regards, Pieter

    • Marked as answer by Nicholas Li Wednesday, October 6, 2010 3:29 AM
    Tuesday, October 5, 2010 8:19 AM
  • For those of you who ran into the same issue, here's what I found out with the help of MS PS.

    It appears (!) that the initial discovery needs the real FarmAdmin (install) Account for the initial discovery of relations / objects within the SP2010 farm. Once that is done, you can replace the credentials with a dedicated monitoring account. The rights required on this monitoring account are (gasp...):

    local admin on all SP2010 Front End and Application server
    local admin on all SQL boxes that host SP2010 DB's
    dbo for the actual SP2010 DB's
    and of course full farm admin rights within SP2010.

    Luckily you can remove local / interactive login from the account but still...

    I'm wondering if MS will ever make it more friendly to more secure (low privilege) environments, but this is what I needed to get it to work reliably.

    Also, for multiple farms, with multiple install accounts I had to run a discovery under every set of credentials to discover the entire farm for that account and could finally put in the monitoring service account credentials.

    I've suggested them to let the productteam know that it might be a good idea to update the docs, with a reference to the eventid 0 error about the discovery failure and the rights / procedure needed for (initial) discovery and monitoring.

    Hope this helps for somebody out there! :)

    kind regards, Pieter

     

    • Marked as answer by Pieter Bovy Monday, October 18, 2010 11:50 AM
    Monday, October 18, 2010 11:50 AM

All replies

  •  

    Regarding the configurations, please refer to the management pack guide:

     

    Microsoft SharePoint 2010 Products Management Pack for System Center Operations Manager 2007

    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5c73415d-97ba-4bdc-8e92-2c4ea4507f91&displaylang=en

     

    Hope this helps.

     

    Thanks.


    Nicholas Li - MSFT
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Nicholas Li Monday, October 4, 2010 3:02 AM
    • Unmarked as answer by Pieter Bovy Tuesday, October 5, 2010 8:15 AM
    Friday, October 1, 2010 9:33 AM
  • Nicholas,

    could you please be more specific? I've read the documentation front to back, but there's nothing in there on the questions I'm asking. I've even mentioned that the references in the eventlog alert to the documentation are bogus, there is no troubleshooting section in the documentation.

    I realize that I'm asking questions on subjects that are outside the recommended MS settings, but using a separate monitoring account and / or monitoring multiple farms is not that exotic that it can not (should not) be done.

    I've opened a case with MS PS on this, if I get any info from there I'll post it here. I'm sure it will help others who want to monitoring SP2010 with SCOM

    Kind regards, Pieter

    • Marked as answer by Nicholas Li Wednesday, October 6, 2010 3:29 AM
    Tuesday, October 5, 2010 8:19 AM
  •  

    Thank you for your update. I am sorry the information I provided is not helpful. Hope you can get more valuable information from the case you opened and we are looking forward to your sharing.

     

    Thanks!


    Nicholas Li - MSFT
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, October 6, 2010 3:31 AM
  • For those of you who ran into the same issue, here's what I found out with the help of MS PS.

    It appears (!) that the initial discovery needs the real FarmAdmin (install) Account for the initial discovery of relations / objects within the SP2010 farm. Once that is done, you can replace the credentials with a dedicated monitoring account. The rights required on this monitoring account are (gasp...):

    local admin on all SP2010 Front End and Application server
    local admin on all SQL boxes that host SP2010 DB's
    dbo for the actual SP2010 DB's
    and of course full farm admin rights within SP2010.

    Luckily you can remove local / interactive login from the account but still...

    I'm wondering if MS will ever make it more friendly to more secure (low privilege) environments, but this is what I needed to get it to work reliably.

    Also, for multiple farms, with multiple install accounts I had to run a discovery under every set of credentials to discover the entire farm for that account and could finally put in the monitoring service account credentials.

    I've suggested them to let the productteam know that it might be a good idea to update the docs, with a reference to the eventid 0 error about the discovery failure and the rights / procedure needed for (initial) discovery and monitoring.

    Hope this helps for somebody out there! :)

    kind regards, Pieter

     

    • Marked as answer by Pieter Bovy Monday, October 18, 2010 11:50 AM
    Monday, October 18, 2010 11:50 AM
  • we have similar problem with the Sharepoint 2010 Managementpack. We have to open a call to solve the problem.

    it is a good idea that the product team should update the docs. The actual docs are really useless.

    Lehugo

     

     

    Thursday, November 11, 2010 11:48 AM