Set up automatic SCOM maintenance mode

-
Now this is something I am quite pleased with however after coming up with the idea and Googling I found plenty of other cleverer people had come up with this before me!

Here's one very good example:

http://operatingquadrant.com/2009/08/15/scom-automatically-starting-maintenance-mode-when-servers-are-rebooted-for-patching/

Anyways one of the maybe overlooked aspects of SCOM notification is that you can run commands, meaning that an event/alert can then trigger a series of scripted actions.  Really cool.

What the blog above explains is how to use this feature to check for an event signalling that the Windows server is going to reboot this is event ID 22 from Windows Update. 

I use event ID 1074 as we do not reboot our servers automatically when patching, we do however use Citrix and some of these servers have a reboot scheduled. 

Event 1074 is raised by USER32 in the SYSTEM log when a scheduled reboot is attempted.  So you can now safely put your servers into maintenance mode when they are scheduled to reboot.

The basic outline for acheiving this magic is relatively simple.
1. Create a management pack to monitor all servers for event 1074 (or/and 22)
2. Write some powershell to put a machine into maintenance mode.
3. Create a command notification to watch the monitor state and run the powershell when needed.

Here's the powershell:

#Connect to the RMS server and initialize the command shell
param($sHost)
trap [Exception]{
                $error = "Error " + $_Exception.Message;
}
$rmsServerName = "c6174.uk01.apmn.org"
Add-PSSnapin "Microsoft.EnterpriseManagement.OperationsManager.Client" -ErrorVariable errSnapin;
Set-Location "OperationsManagerMonitoring::" -ErrorVariable errSnapin;
new-managementGroupConnection -ConnectionString:$rmsServerName -ErrorVariable errSnapin;
set-location $rmsServerName -ErrorVariable errSnapin;
$time = [DateTime]::Now
$nMinutes = 20
$class = get-monitoringclass -name:Microsoft.Windows.Computer
$computerObj = $class | get-monitoringobject | where {$_.name -like “$sHost*”}
# write an event
$EventLog = new-object System.Diagnostics.EventLog('Application')
$EventType = [System.Diagnostics.EventLogEntryType]::Information
$EventLog.MachineName = "."
$EventLog.Source = "Maintenance Script Output"
$EventLog.WriteEntry("Result = $error`ntime = $time`nHost= $sHost`nClass = $class`nMonitor Object = $monObj",$EventType,1024)
New-MaintenanceWindow -MonitoringObject $computerObj -Comment “Planned Maintenance – scripted” -StartTime $time -EndTime $time.AddMinutes($nMinutes)

Comments

  1. Srinivas11 March 2015 at 16:04

    Hi,
    Thanks for the post.

    Can you guide on the step 3 " Create a command notification to watch the monitor state and run the powershell when needed." please?

    ReplyDelete
  2. AK18 May 2015 at 14:35

    Srinivas thanks for the comment - sorry its taken so long to reply. I do not have access to SCOM anymore so but from what I remember creating a command notification is pretty straight forward...

    ReplyDelete

Post a Comment

Popular posts from this blog

PXE booting, MDT and 802.1x

-
Image
Oh dear. We implemented site wide 802.1x when we moved. This has caused numerous issues which we are still tracking down and killing with fire. Again "only-when-we-needed-it" struck as we had a new starter and need to build a machine. Ah.   No PXE.  However thankfully we were able to make a bootable USB using 802.1x and get our build working again from MDT in our 802.1 environment. Here's how we did it.   Caveats:  I'm assuming you know MDT and how PXE works. We use Computer certificates as the 8021x auth method. 802.1x is working in our environment GPO is used to start the wired 802.1x service on built machines. GPO is used to configure the network profile to use 802.1x What you need Get a USB stick to take your WinPE 4GB may be enough Make sure you are running an up to date working MDT installation! Create a machine certificate which has a long expiry date, you don't want to be making USB WinPE images every month!! Export the machine
Read more

Intune installation requires a wire...or does it?

-
If you are using Intune (great!) it assumes you have a wired connection (not great) - this is more of an issue as some machine now no longer have built in ethernet ports. It is possible to connect to your wireless - albeit in a slightly awkward way.....here's how During the OOBE hit SHIFT+F10 to get a command window and type either; start ms-settings: To get the settings window or start ms-availablenetworks: To see the network fly outs. Thanks to  Using a wireless network connection with Windows Autopilot white glove – Out of Office Hours (oofhours.com)
Read more

Security Policy 1001

-
We had an annoying warning showing every 5 minutes on our Read Only Domain Controllers.  This didn't affect service but meant we were losing our logs of important events (should the have occurred) "Security policy cannot be propagated. Security Configuration Server (in services.exe) is not ready. This is probably in system reboot. Policy will be tried again in the next propagation." Source: SceCli Event: ID 101 We tracked this down to a GPO which was populating the local Administrators group. Obviously a Domain Controller has no local users or groups so this was causing the issue. Ensuring that the GPO did not apply to the Domain Controllers - yes the GPO was linked at the root! fixed the issue. It is strange that we did not see the warnings on our main Domain Controllers only on the Read Only DC's as this would have affected all DCs the same (I would have thought)
Read more