Murphy’s Law: Anything that can go wrong, will go wrong
The aim of this series of posts is to detail multiple issues encountered during installation of FIM Reporting and their troubleshooting, resolution and/or workarounds.
This particular post talks about the nightmare I had installing SCSM for FIM Reporting on a Customer’s Production environment.
FIM Reporting installation requires the SCSM Management Server and the SCSM Data Warehouse to be installed. The first thing to do after installing these two components is to register the DW with the SCSM Management Server. It's a fairly simple wizard-based process (https://technet.microsoft.com/en-us/library/hh914224.aspx). This step enables reporting and shows the Reporting tab.
This step also kicks off the MPSyncJob. It's only after MPSync finishes that one can move to the next step. This bit is time-consuming but usually doesn't fail. However, once I ran into an issue which baffled me and in the end made me feel really silly about myself. I waited for two days and nothing happened. On clicking on the details in the right-hand pane,
this is what I would see while the MPSync job would continue to be in Running state.
In the affected environment SCSM Management server and DW server are on separate servers. Upon inspecting the data warehouse server, I could see that the modules on the MPSync hadn’t started yet.
The health service would report errors like below (on SCSM Management Server)
One such error:
I reviewed the account requirements again for the SCSM Management Server:
• Add the account used to install the Management Server to the SCSM MS Management Group. (Done)
• Add the Management Server service account to the Local Administrators group on the SCSM Management Server. (Done)
• Add the SCSM MS Management Group to the local Administrators group on the SCSM Management Server. (Done)
• Add the SCSM MS Management Group to the local Administrators group on the database server for SCSM. (Done)
• Grant the SCSM MS Management Group the System Administrator role on the SQL Server instance which will host the Management Server database. (Done)
Repeated the same with the DW accounts as well. Still no luck!!
This led me to look a little deeper, and what I found surprised me and made me feel stupid.
The groups and the service accounts were part of local admins, and hence allowed logon locally (contrary to the error messages in the event log)
However, Deny log on locally was another story: all service accounts were denied local logon through a GPO, as is the case in most customer environments, and a deny right takes precedence over the allow that comes with Administrators membership. The System Center documentation mentions Local Administrator rights, which is actually a composite of multiple atomic rights such as local logon. However, this often conflicts with AD security policies; hence, an exception must be made for the SCSM MS and SCSM DW service accounts and the Management Group. Interestingly, this requirement is explicitly mentioned in the SCOM documentation (https://technet.microsoft.com/en-us/library/hh495662.aspx).
Then, once the accounts are allowed local logon, the setup is rerun for both SCSM MS and DW and voila! MPSync finishes in the next hour. Then we can proceed to the next step.
This is one in a series of posts on troubleshooting FIM Reporting issues. Stay tuned for the next one.
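The check that would have caught this before the two-day wait, as an added example (not from the original post): it exports the user-rights assignment in force on the server and reports whether each account is listed under Deny log on locally. The `CONTOSO\...` account and group names are placeholders.

```powershell
# Added example. Run elevated on the SCSM Management Server and on the DW server.
# Placeholder names (assumptions): replace with your service accounts AND the
# groups they belong to, since the GPO may deny a group rather than the account.
$accounts = @('CONTOSO\svc-scsm-ms', 'CONTOSO\svc-scsm-dw', 'CONTOSO\SCSM-MS-Admins')

# Export the user-rights assignment currently applied on this machine.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Parse lines such as: SeDenyInteractiveLogonRight = *S-1-5-21-...,Guest
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $cfg

# Entries are SIDs or plain names; normalise everything to SID strings.
function Resolve-Sid([string]$Name) {
    if ($Name -match '^S-1-') { return $Name }
    try {
        ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $Name }   # unresolvable name: keep as written
}

$deny  = @($rights['SeDenyInteractiveLogonRight'] | Where-Object { $_ } | ForEach-Object { Resolve-Sid $_ })
$allow = @($rights['SeInteractiveLogonRight']     | Where-Object { $_ } | ForEach-Object { Resolve-Sid $_ })

foreach ($a in $accounts) {
    $sid = Resolve-Sid $a
    [pscustomobject]@{
        Account     = $a
        # Often False here: the allow normally arrives via BUILTIN\Administrators.
        AllowDirect = $allow -contains $sid
        # True means local logon is refused regardless of the allow side.
        DenyDirect  = $deny -contains $sid
    }
}
```

When `DenyDirect` is True, `gpresult /h report.html` on the same server shows which GPO sets the deny right, which is where the exception has to be requested.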