Lync SCOM management pack issue

  • Question

  • Hi

    I have deployed Lync Enterprise and SCOM 2007 R2. The Lync deployment works fine and I have successfully added the Windows OS and Lync management packs in SCOM and they also work fine. I have also installed a watcher node for synthetic transactions and it's here I got into some problems. All the health monitors except for 5 work fine.
    These 5 are:
    Audio Video Conferencing Synthetic Transaction Availability Health - User Services Watcher for Pool lync.domain.com
    Instant Message Conferencing Synthetic Transaction Availability Health - User Services Watcher for Pool lync.domain.com
    Instant Messaging Synthetic Transaction Availability Health - User Services Watcher for Pool lync.domain.com
    Peer To Peer Audio Video Synthetic Transaction Availability Health - User Services Watcher for Pool lync.domain.com
    Presence Synthetic Transaction Availability Health - User Services Watcher for Pool lync.domain.com

    For testing purposes I looked closer at the one for Presence. The Knowledge page contains this:
    Summary
    This monitor represents the availability of Presence as monitored by Synthetic Transactions.

    Cmdlet Executed: Test-CSPresence

    For more information on this cmdlet, open a Microsoft Lync Server 2010 Management Shell window and type:

    Get-help Test-CSPresence -detailed

    Configuration
    To configure users for Synthetic Transactions to execute periodically please use the New-CSHealthMonitoringConfiguration cmdlet.

    Causes
    The following are possible causes for this failure:

    • Configuration errors
     
    • Server/Component is down for maintenance.
     
    • Network/connectivity issues between Watcher node (where the ST executes) and the Front-end Pool.
     
    • Component specific errors. 

    Resolutions
    Configuration errors: Most common issues are: Test user password is invalid or expired, Test users have not been configured correctly for this Pool. Please refer Synthetic Transaction Internal Alerts View for more details

    Server/Component is down for Maintenance: Please ensure that you put Synthetic Transactions in maintenance mode before performing server/pool maintenance. To do this, use the Task LS Start Pool maintenance in the Pools view.

    Network/Connectivity issues: Look at Alert Context tab for more details on the exact connectivity error, such as DNS resolution errors or Connection Timeout. You can also get more details on Connectivity errors by looking at Port Check Alerts view.

    Component specific errors: Look at Alert Context tab for more details on the component specific error. The specific Front-end server (within the load-balanced Front-end Pool) that responded to this execution of the synthetic transaction is listed in the Alert Context along with the Exception Message associated with the failure.


    As far as I know and have tested, everything is configured properly. So I decided to test it manually from the watcher node with the two synthetic transaction test users, using the following from the Lync Management Shell:
    $cred1 = Get-Credential "domain\testuser1"
    $cred2 = Get-Credential "domain\testuser2"
    Test-CsPresence -TargetFQDN lync.domain.com -SubscriberSipAddress "sip:testuser1@domain.com" -SubscriberCredential $cred1 -PublisherSipAddress "sip:testuser2@domain.com" -PublisherCredential $cred2

    Guess what, it worked (result: success)! Anyone been able to set up the synthetic transactions for Lync in SCOM? Please share your thoughts!

    Regards
    Jonatan

    Thursday, April 28, 2011 1:35 PM

Answers

  • Fixed it!
    Not sure exactly what was missing, but I published the topology again (after adding a new SIP domain), ran local setup, reinstalled the certificate and added a firewall rule to allow any communication from all the servers in the Lync deployment to communicate with the ST node.

    • Marked as answer by Jonatan V Friday, May 13, 2011 2:20 PM
    Friday, May 13, 2011 2:20 PM

All replies

  • After some more digging in the management shell I have found out the following:
    If I run this command it works:
    $cred1 = Get-Credential "domain\testuser1"
    $cred2 = Get-Credential "domain\testuser2"
    Test-CsPresence -verbose -TargetFQDN lync.domain.com -SubscriberSipAddress "sip:testuser1@domain.com" -SubscriberCredential $cred1 -PublisherSipAddress "sip:testuser2@domain.com" -PublisherCredential $cred2

    If I just run this it doesn't, and I get the exact same error as when SCOM does the job:
    Test-CsPresence -TargetFQDN lync.domain.com -verbose

    Just for fun I tried the working command from the management shell but running from the "nt authority\network service" account (because that is what the SCOM agent does on the synthetic transactions watcher node). And that also worked.
    Then I ran Test-CsPresence -TargetFQDN lync.domain.com -verbose and I get the same error again.

    One thing I notice is that when I read the verbose output of the commands, the "registration request hit against" says sip/lyncfrontend.domain.com with the working command and Unknown with the other.

    Seems to me that the SCOM job is not able to authenticate the test users, because it works if I supply the credentials when I run the command manually. Anybody familiar enough with SCOM that can tell me where I can see and modify the script/commands SCOM is using for a specific job? Or maybe knows what I'm missing to get it working.


    Regards
    Jonatan



    • Edited by Jonatan V Friday, April 29, 2011 1:46 PM
    Friday, April 29, 2011 1:10 PM
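
The comparison described in the post above, as an added example that is not part of the original thread: it runs `Test-CsPresence` in both forms on the watcher node and shows the pool's configured test users next to the two results. The pool FQDN and test accounts are the thread's placeholders; the `Result` and `Error` properties are those of the object the Lync Server 2010 `Test-Cs*` cmdlets return.

```powershell
# Added example, not from the thread. Run on the watcher node in the
# Lync Server Management Shell. Pool FQDN and users are the thread's placeholders.
$PoolFqdn = 'lync.domain.com'

# 1. The credential-less form relies on test users registered for the pool
#    (New-CsHealthMonitoringConfiguration, per the Knowledge page quoted earlier).
$cfg = Get-CsHealthMonitoringConfiguration -Identity $PoolFqdn -ErrorAction SilentlyContinue
if ($cfg) {
    $cfg | Format-List Identity, FirstTestUserSipUri, SecondTestUserSipUri
} else {
    Write-Warning "No health monitoring configuration found for $PoolFqdn"
}

# 2. Credential-less run: the form that reproduced the SCOM error in the post.
$noCred = Test-CsPresence -TargetFqdn $PoolFqdn

# 3. Explicit-credential run: the form that succeeded in the post.
$cred1 = Get-Credential 'domain\testuser1'
$cred2 = Get-Credential 'domain\testuser2'
$withCred = Test-CsPresence -TargetFqdn $PoolFqdn `
    -SubscriberSipAddress 'sip:testuser1@domain.com' -SubscriberCredential $cred1 `
    -PublisherSipAddress  'sip:testuser2@domain.com' -PublisherCredential  $cred2

# 4. Side-by-side results, including the error text of the failing mode.
@(
    New-Object PSObject -Property @{ Mode = 'NoCredential';   Result = $noCred.Result;   Error = $noCred.Error }
    New-Object PSObject -Property @{ Mode = 'WithCredential'; Result = $withCred.Result; Error = $withCred.Error }
) | Format-Table Mode, Result, Error -AutoSize -Wrap

# 5. If only the credential-less run fails, the accounts and the pool answer
#    correctly, so look at what differs between the two modes.
if ("$($withCred.Result)" -eq 'Success' -and "$($noCred.Result)" -ne 'Success') {
    Write-Warning ("Only the credential-less run failed. Check the test users shown in step 1 " +
        "and the watcher node's own setup: topology entry, local setup, certificate and " +
        "firewall, the items changed in the accepted answer.")
}
```
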
  • Hi Jonatan,

    To answer the question that you asked on my blog, yes you have to fill in the email field in the properties of the AD User.

    --------------------

    In your Active Directory, create two domain users that will be used by the Synthetic transaction monitoring scripts. Don’t forget to fill the email field in the user configuration screen. (Just the Email field, a real mailbox is not necessary)

     

     


    Christopher Keyaert - My OpsMgr / SCOM & Opalis blog : http://www.vnext.be
    Friday, April 29, 2011 1:43 PM
  • Some more info. When I run the Best Practice Analyzer I get this error on the synthetic transaction watcher node:
    The trusted service entry in Active Directory for "stwatchernode" with fully qualified domain name (FQDN) "stwnsrv.domain.com" is not ready..

    Looks like the watcher node itself needs an SPN, but I'm not sure.

    Christopher, could you run setspn -l watchernodename and setspn -l domain\testuser and see what's registered? Both for the machine account for the watcher node and for the synthetic transaction user account.

    Regarding SPNs and the synthetic transaction documentation: I do use a domain user as the SQL service account, and SPNs are registered for the user. Ex: setspn -l domain\sqluser gives the output MSSQLSvc/lyncsql.domain.com:lync

    Regards
    Jonatan


    Tuesday, May 3, 2011 11:56 AM
  • Did you install the Lync ST on a new fresh server or on the Lync monitoring server?

    From my side, I didn't register an SPN for the ST watcher node, and I use the NT Authority\Network Service for accessing the DB.

     


    Christopher Keyaert - My OpsMgr / SCOM & Opalis blog : http://www.vnext.be
    Tuesday, May 3, 2011 2:36 PM
  • Freshly installed server.
    Do you mean you use NT Authority\Network Service for the System Center management service on the ST node? I also do that, but I use a domain user as service account on the SQL server/backend DB containing the central management store.
    From the ST doc:
    If you are running SQL Server services using a domain account, you may get a failure “Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'”. In this case the recommended solution is to configure a SPN
    I do have SPNs set for the SQL service account and I don't get any login failed notifications, but since the BPA says "The trusted service entry in Active Directory for "stwatchernode" with fully qualified domain name (FQDN) "stwnsrv.domain.com" is not ready.." it leads me to believe it's an SPN missing regarding the ST node itself, or possibly the test users.

    Could you please try setspn -l (to list SPNs) against the watcher node and one of the ST test users and paste the output here?
    That way I can verify if the setup does create SPNs or not.

    Regards
    Jonatan

    Tuesday, May 3, 2011 2:57 PM
  • For the server :

    MSSQLSvc/lyncmonitoringsrv.contoso.com:RTCLOCAL
    MSSQLSvc/lyncmonitoringsrv.contoso.com:59456
    WSMAN/lyncmonitoringsrv.contoso.com
    WSMAN/lyncmonitoringsrv
    TERMSRV/lyncmonitoringsrv.contoso.com
    TERMSRV/lyncmonitoringsrv
    RestrictedKrbHost/lyncmonitoringsrv
    HOST/lyncmonitoringsrv
    RestrictedKrbHost/lyncmonitoringsrv.contoso.com
    HOST/lyncmonitoringsrv.contoso.com

    In my environment the SQL Server service is not using a domain account, so ST runs in the NT Authority\Network Service identity.

    And no SPN for the two users used in the ST.


    Christopher Keyaert - My OpsMgr / SCOM & Opalis blog : http://www.vnext.be
    Tuesday, May 3, 2011 3:10 PM
  • Ok, so no luck there.
    Any suggestions regarding the BPA error?  "The trusted service entry in Active Directory for "stwatchernode" with fully qualified domain name (FQDN) "stwnsrv.domain.com" is not ready.."

    And one other thing. The port you define for the stwatchernode, does it need to be configured in the firewall? If so where/how?

    Regards
    Jonatan


    Wednesday, May 4, 2011 8:17 AM