Thanks Kevin.

From: [email protected] [mailto:[email protected]] On Behalf Of Kevin Holman
Sent: Thursday, December 11, 2014 8:45 PM
To: [email protected]
Subject: [msmom] RE: OpsMgr SPN's

Yes - your SPN's are correct.

Since you are running the SDK service as Local System, the SPN for the SDK will be placed on the Computer AD object for the management server, and NOT on the SDK domain user account, since this doesn't exist.

The management server has a workflow that tries to write the SPN to the management server object on every SDK service startup. If this fails to write, we log the event which triggers that silly alert. You should disable that rule which generates the alert because writing the SPN on every service startup was not the best idea. It fails in the majority of environments because most domains don't allow this by default. Therefore, a SCOM admin just needs to verify SPN's after a deployment, set them if necessary, and then consider it a done deal.

From: [email protected] [mailto:[email protected]] On Behalf Of Marcum, John
Sent: Thursday, December 11, 2014 9:27 AM
To: [email protected]
Subject: [msmom] RE: OpsMgr SPN's

Yea, I read that before posting. It left me with more questions. He is specifically running the services as a domain user not local system. One comment in his blog leads me to think that the "error" I am seeing is not an error at all but I wasn't sure I was interpreting the blog correctly.

"*Note - In SCOM 2012 - you might notice that every time your management server service is restarted, or rebooted, that we log an event (and create an alert) that the SPN's are incorrect. This event/alert is in error, it is complaining that the SDK SPN is missing from the management server COMPUTER account, which should ONLY be the case if you were using local system for the SDK service. Ignore this event and alert."

From: [email protected] [mailto:[email protected]] On Behalf Of Page, Stuart F.
Sent: Thursday, December 11, 2014 9:03 AM
To: [email protected]
Subject: [msmom] RE: OpsMgr SPN's

Kevin Holman has a good article on OpsMgr 2012 SPN's: http://blogs.technet.com/b/kevinholman/archive/2011/08/08/opsmgr-2012-what-should-the-spn-s-look-like.aspx

I used this article intensely while configuring this for our environment.

From: [email protected] [mailto:[email protected]] On Behalf Of Marcum, John
Sent: Thursday, December 11, 2014 9:41 AM
To: SCOM List ([email protected])
Subject: [msmom] OpsMgr SPN's

I have a single management server with SQL running on an always on cluster. I am running the Data Access Service as local system. Are these SPN's correct?

C:\Users\myusername>setspn -L mydomain\MYSERVERNAME
Registered ServicePrincipalNames for CN=MYSERVERNAME,OU=Servers,OU=NSV,OU=BackEnd,DC=mydomain,DC=com:
        AdtServer/MYSERVERNAME.mydomain.com
        AdtServer/MYSERVERNAME
        MSOMSdkSvc/MYSERVERNAME.mydomain.com
        MSOMSdkSvc/MYSERVERNAME
        MSOMHSvc/MYSERVERNAME.mydomain.com
        MSOMHSvc/MYSERVERNAME
        TERMSRV/MYSERVERNAME
        TERMSRV/MYSERVERNAME.mydomain.com
        WSMAN/MYSERVERNAME
        WSMAN/MYSERVERNAME.mydomain.com
        RestrictedKrbHost/MYSERVERNAME
        HOST/MYSERVERNAME
        RestrictedKrbHost/MYSERVERNAME.mydomain.com
        HOST/MYSERVERNAME.mydomain.com

________________________________
John Marcum
MCITP, MCTS, MCSA
Desktop Architect
Bradley Arant Boult Cummings LLP
________________________________
Confidentiality Notice: This e-mail is from a law firm and may be protected by the attorney-client or work product privileges. If you have received this message in error, please notify the sender by replying to this e-mail and then delete it from your computer.
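
The post-deployment SPN check discussed in this thread can be scripted. The following is an added example, not code from the thread, the blog, or Microsoft: it parses `setspn -L` output for the management server computer account and reports whether the MSOMHSvc and MSOMSdkSvc SPNs are where the thread says they belong. The function and parameter names are hypothetical, the host names are the thread's placeholders, and it assumes the health service (MSOMHSvc) runs as Local System.

```powershell
# Added example: verify SCOM SPNs on the management server COMPUTER account.
# Function/parameter names are hypothetical; MYSERVERNAME/mydomain.com are placeholders.
function Get-RegisteredSpn {
    param([string[]]$SetspnOutput)
    # SPN lines look like "service/host"; the prompt and header lines contain spaces or no slash.
    $SetspnOutput | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^[\w.-]+/\S+$' }
}

function Test-ScomSpn {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$SetspnOutput,
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][string]$DnsDomain,
        [switch]$SdkRunsAsLocalSystem   # set when the SDK (Data Access) service is Local System
    )
    $registered = @(Get-RegisteredSpn -SetspnOutput $SetspnOutput)
    foreach ($name in $ServerName, "$ServerName.$DnsDomain") {
        foreach ($svc in 'MSOMHSvc', 'MSOMSdkSvc') {
            # MSOMHSvc is expected on the computer account (assumption: health service is Local System).
            # MSOMSdkSvc is expected there ONLY when the SDK service runs as Local System.
            $expected = ($svc -eq 'MSOMHSvc') -or [bool]$SdkRunsAsLocalSystem
            $present  = $registered -contains "$svc/$name"   # -contains is case-insensitive
            [pscustomobject]@{
                Spn = "$svc/$name"; Expected = $expected; Present = $present
                Ok  = ($present -eq $expected)
            }
        }
    }
}

# Sample input: the setspn output posted in the thread, abbreviated.
$sample = @'
Registered ServicePrincipalNames for CN=MYSERVERNAME,OU=Servers,OU=NSV,OU=BackEnd,DC=mydomain,DC=com:
        AdtServer/MYSERVERNAME.mydomain.com
        MSOMSdkSvc/MYSERVERNAME.mydomain.com
        MSOMSdkSvc/MYSERVERNAME
        MSOMHSvc/MYSERVERNAME.mydomain.com
        MSOMHSvc/MYSERVERNAME
        HOST/MYSERVERNAME
        HOST/MYSERVERNAME.mydomain.com
'@ -split "`r?`n"

# Local System SDK service (the poster's setup): all four rows report Ok = True.
Test-ScomSpn -SetspnOutput $sample -ServerName MYSERVERNAME -DnsDomain mydomain.com -SdkRunsAsLocalSystem |
    Format-Table -AutoSize
# Same output judged for a domain-account SDK service: the MSOMSdkSvc rows report Ok = False.
Test-ScomSpn -SetspnOutput $sample -ServerName MYSERVERNAME -DnsDomain mydomain.com | Format-Table -AutoSize
```

Against a live server, pass the output of `setspn -L` for the management server computer account as `-SetspnOutput` in place of `$sample`.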
