I was working on a Windows 2008 Failover Clustering Scenario when I began to observe (over several days) some 'new' Alerts in the SCOM2k7 SP1 Console. One of those new Alerts is titled 'SDK SPN Not Registered'. Upon initially seeing this Alert I 1) logged into a Domain Controller as a Domain Admin, 2) issued the 'setspn.exe -l corp\om_sdk_and_config' Command (which responds with the Service Principal Name (SPN) for the SCOM2k7 SP1 SDK and Config Account), 3) input the appropriate parameters to 'manually register' SPN Values for the SDK and Config Account, and 4) moved on, believing I had remedied the Alert. Unfortunately, several days went by before I had an opportunity to review 'outstanding' Alerts in the SCOM2k7 Console. The Alert was back!
I then spent some time reading the SCOM2k7 SP1 Blog entries and querying terms like 'SDK and SPN', where I found that Pete Zerger, MVP and Owner of systemcenterforum.org, had offered a remedy to this Alert. Pete thoroughly detailed the remedy - and I thought I would take Pete's remedy one step further by offering Screen Captures of the steps Pete derived to solve this Alert.

Figure 1 - The 'SC Operations Manager 2007 SP1 Console' displaying the 'Warning Alert' titled 'SDK SPN Not Registered'. The remedy to discontinue this Warning Alert is to add the appropriate ACL on specific Active Directory Attributes for the SDK and Config User Account to allow both 'Read and Write' to update the Service Principal Name (SPN). Validation of the proper SPN Records for the SDK and Config User ID occurs using the 'setspn -l' Command as outlined in the 'Resolution' section of the Alert. Even with the proper SPN Values registered, if the SDK and Config Account cannot 'write' to the SPN Attribute, this Warning Alert will occur.

Figure 2 - Here are the User IDs that support the SC Operations Manager 2007 SP1 Single Server Topology on Windows 2008. The Actions to remedy will focus on the User ID titled 'om_sdk_and_config' in the Active Directory Users and Computers Console.

Figure 3 - Use of Active Directory Service Interface (ADSI) Edit is required to solve the Warning Alert. Select the Organizational Unit in which the SDK and Config User ID resides and then 'Properties' for the SDK and Config User ID.

Figure 4 - On the 'Properties' for the SDK and Config User ID select the 'Security' Tab, then, select 'Add' to add another Access Control Entry for the User Name 'Self'.

Figure 5 - The addition of another Access Control Entry (ACE) provides the Object for editing and modifying the 'Write Permission' on the SPN Attribute.

Figure 6 - Once the new ACE for 'Self' is set, select 'Advanced' for editing the SPN Attribute.

Figure 7 - Navigate and highlight the 'Self' Permission named 'Special' with an 'Inherited from' value of '<not inherited>' and an 'Apply to' value of 'This Object Only', then select 'Edit'.

Figure 8 - In the dialogue window titled 'Permission Entry from <the name of the SDK and Config User ID>', move to the 'Properties' Tab.

Figure 9 - Next, navigate down the list of Active Directory Attributes for the SDK and Config User ID to an attribute titled 'Write servicePrincipalName' and select the Check Box in the 'Write' column (allowing 'Write Access' to this single Attribute for this single User ID).

Figure 10 - Upon confirming the 'Allow' Check Box is checked for 'Write servicePrincipalName', select 'OK'.

Figure 11 - To proceed and complete this task sequence, continue to select 'OK' from the remaining 'open windows' in ADSI Edit.

Figure 12 - This is the final 'Open Windows' to complete the task sequence. Next, I will clear the 'Warning Alert' in the SCOM2k7 SP1 Console.

Figure 13 - In the SCOM2k7 SP1 Console I 'Right Mouse Click' the Warning Alert titled 'SDK SPN Not Registered' and select 'Close Alert'. The actions taken in this sequence will allow the SDK and Config User ID to 'properly write' the SPN Attribute as required for SC Operations Manager 2007 SP1.
Summary: In this Blog entry I remedy a 'Warning Alert' titled 'SDK SPN Not Registered' in the System Center Operations Manager 2007 SP1 Console. This resolution, as derived by Pete Zerger, MVP, and posted on the systemcenterforum.org Web Site, provides relief from this recurring Warning Alert for System Center Operations Manager 2007 SP1.
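
The ADSI Edit steps above can also be checked and applied from a shell. The following PowerShell is an added example, not part of the original post or of Pete Zerger's remedy; it assumes a domain-joined session with rights to modify the account, the 'corp' domain and 'om_sdk_and_config' account name shown in the post, and that dsacls and setspn are available on the machine.

```powershell
# Added example (not from the original post). Audits who may write
# servicePrincipalName on the SDK and Config account, then grants SELF if missing.
$sam     = 'om_sdk_and_config'   # account name used in the post
$domain  = 'corp'                # NetBIOS domain name used in the post
# schemaIDGUID of the servicePrincipalName attribute
$spnGuid = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'

# Locate the account by name so the OU does not have to be hard-coded.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
$result = $searcher.FindOne()
if (-not $result) { throw "Account '$sam' not found in the current domain" }
$dn    = [string]$result.Properties['distinguishedname'][0]
$entry = $result.GetDirectoryEntry()

# Collect every Allow ACE that permits writing servicePrincipalName:
# either scoped to that attribute, or unscoped (empty GUID = all properties).
$writeProp = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$rules = $entry.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])
$writers = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
    ($_.ObjectType -eq $spnGuid -or $_.ObjectType -eq [guid]::Empty)
})

# Review this list: each trustee shown can change the account's SPNs.
$writers | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

$selfCanWrite = $writers | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF'
}
if (-not $selfCanWrite) {
    # Same grant as Figures 4-10: SELF gets read/write on servicePrincipalName,
    # this object only (dsacls default inheritance scope).
    dsacls $dn /G 'SELF:RPWP;servicePrincipalName'
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }
}

# Confirm the SPNs currently registered, as in the Alert's 'Resolution' section.
setspn -L "$domain\$sam"
```

Trustees in the printed list other than SELF and the expected administrative groups are worth reviewing, because write access to this attribute controls which service names resolve to the account.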

Posted Aug 10 2009, 03:21 PM by lynn lunik