Install SCOM 2016 (minimal admin access)

This will install SCOM 2016 in a lab without giving all accounts admin access.

Note: The SQL eval expires, so you will need to rebuild MS1 each time. Once it has expired, the SQL services and SSMS won't start and event 17051 is logged in the Application log. You can just keep re-arming DC1.

Servers

Name         Description
DC1.lab.com  Domain controller
MS1.lab.com  SQL + SCOM 2016

Accounts

Name        Description
om-install  Used to install/maintain SQL & SCOM. Access removed post install.
om-msa      Mgmt server action account. Local admin on mgmt server.
om-das      Data access/Config account. Local admin on mgmt server.
om-rdr      Data reader account. Member of 'Domain Users' only.
om-wrt      Data writer account. Member of 'Domain Users' only.
om-admin    SCOM Admin only. Not local server admin.
sql-srv     Runs all SQL services.

Groups

Name        Description
SRV-Admins  Local server administrators.
OM-Admins   SCOM Admin group. Added post install.
SQL-Admins  SQL Admin group. Added during install.

Install DC1

  1. Rename the computer.
  2. Add the IP address (VBox NIC set to NAT). Do not use on work networks.
  3. Install VirtualBox Guest Additions and reboot.
  4. Add the DNS and AD DC roles and run dcpromo.
  5. Once the computer has its 180-day Microsoft license, set the VBox NIC type to Host-only Adapter.

Disable firewall + screen saver

  1. Run this:
netsh advfirewall set allprofiles state off

Disable screen saver

Control Panel > Power Options > High performance > Change plan settings > Never for both.

Disable UAC

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v EnableLUA /t REG_DWORD /d 0

Setup accounts

  1. When DC1 is functional run these:
::START

::Create OU
dsadd ou "ou=Objects,DC=lab,DC=com"

::Create users
dsadd user cn=om-install,ou=Objects,DC=lab,DC=com -samid om-install -upn om-install@lab.com -fn om-install -display om-install -desc "SCOM Install Account" -pwd P@ssword -pwdneverexpires yes -disabled no

dsadd user cn=om-msa,ou=Objects,DC=lab,DC=com -samid om-msa -upn om-msa@lab.com -fn om-msa -display om-msa -desc "SCOM Mgmt Server Action Account" -pwd P@ssword -pwdneverexpires yes -disabled no

dsadd user cn=om-das,ou=Objects,DC=lab,DC=com -samid om-das -upn om-das@lab.com -fn om-das -display om-das -desc "SCOM Data Access/Config Account" -pwd P@ssword -pwdneverexpires yes -disabled no

dsadd user cn=om-rdr,ou=Objects,DC=lab,DC=com -samid om-rdr -upn om-rdr@lab.com -fn om-rdr -display om-rdr -desc "SCOM Reader Account" -pwd P@ssword -pwdneverexpires yes -disabled no

dsadd user cn=om-wrt,ou=Objects,DC=lab,DC=com -samid om-wrt -upn om-wrt@lab.com -fn om-wrt -display om-wrt -desc "SCOM Writer Account" -pwd P@ssword -pwdneverexpires yes -disabled no

dsadd user cn=om-admin,ou=Objects,DC=lab,DC=com -samid om-admin -upn om-admin@lab.com -fn om-admin -display om-admin -desc "SCOM Admin Account" -pwd P@ssword -pwdneverexpires yes -disabled no

dsadd user cn=sql-srv,ou=Objects,DC=lab,DC=com -samid sql-srv -upn sql-srv@lab.com -fn sql-srv -display sql-srv -desc "SQL Server Account" -pwd P@ssword -pwdneverexpires yes -disabled no

::Create groups and add users
dsadd group cn=SRV-Admins,ou=Objects,DC=lab,DC=com -desc "Local Server Administrators Group"  -members "CN=om-install,OU=Objects,DC=lab,DC=com" "CN=om-msa,OU=Objects,DC=lab,DC=com" "CN=om-das,OU=Objects,DC=lab,DC=com"

dsadd group cn=OM-Admins,ou=Objects,DC=lab,DC=com -desc "SCOM Administrators Group"  -members "CN=om-install,OU=Objects,DC=lab,DC=com" "CN=om-msa,OU=Objects,DC=lab,DC=com" "CN=om-das,OU=Objects,DC=lab,DC=com" "CN=om-admin,OU=Objects,DC=lab,DC=com"

dsadd group cn=SQL-Admins,ou=Objects,DC=lab,DC=com -desc "SQL Administrators Group" -members "CN=sql-srv,OU=Objects,DC=lab,DC=com" "CN=om-install,OU=Objects,DC=lab,DC=com"

::END

Install MS1

  1. Rename the computer.
  2. Add the IP address (VBox NIC set to NAT). Do not use on work networks.
  3. Install VirtualBox Guest Additions and reboot.
  4. Once the computer has its 180-day Microsoft license, set the VBox NIC type to Host-only Adapter.
  5. Add to domain.
  6. Log in as lab\administrator.

Disable firewall + screen saver

  1. Run this:
netsh advfirewall set allprofiles state off

Disable screen saver

Control Panel > Power Options > High performance > Change plan settings > Never for both.

Disable UAC

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v EnableLUA /t REG_DWORD /d 0

Setup local groups

  1. Log in as lab\administrator, run this, then log off:
net localgroup administrators /add lab\SRV-Admins
net localgroup "Remote Desktop Users" /add lab\om-admin

The last line allows lab\om-admin to RDP to MS1.lab.com.

Install SQL 2014

Install .NET pre-reqs

  1. Log in to MS1.lab.com as lab\om-install
  2. Mount the Windows server ISO.
  3. Open an admin PowerShell prompt and run this command. This also fulfils the requirement to have .NET installed for the SQL install.
Add-WindowsFeature NET-WCF-HTTP-Activation45,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Request-Monitor,Web-Filtering,Web-Stat-Compression,Web-Mgmt-Console,Web-Metabase,Web-Asp-Net,Web-Windows-Auth -Restart -Source D:\sources\sxs

Install SQL 2014

  1. If you are re-using a server, make sure the .NET Framework 3.5 feature is installed, otherwise the SQL pre-reqs fail.
  2. Copy the SQL ISO from the Passport drive to C:\temp. It's in Backup\Anth\Work\DXC\Apps\SQL\2014\SQLServer2014SP2-FullSlipstream-x64-ENU.iso
  3. Run C:\temp\setup.exe.
  4. Click on Installation and choose stand-alone install.
Use defaults unless specified.
  • Add these features:
    • Database Engine Services
    • Full-Text and Semantic Extractions For Search
    • Reporting Services - Native
    • Management Tools - Complete
  • If using a named instance, type the name in Named Instance and Instance ID or it will error. I usually call it SCOMINST.
  • Use sql-srv for these services & set them all to auto start:
    • SQL Server Agent
    • SQL Server Database Engine
    • SQL Server Reporting Services
Apparently collation no longer matters but I still set it to SQL_Latin1_General_CP1_CI_AS.
  • Add the SQL-Admins group at the SQL Administrators prompt.
  • Leave Reporting Services Native Mode as Install and configure.
  • Kick off the install then restart when done.

Install SCOM 2016

  1. Log in to MS1.lab.com as lab\om-install
  2. Install SQLSysClrTypes_SQL2012.msi (yes you need this) then ReportViewer.msi. These are in C:\Data\SCOM\Apps.
  3. Copy SC2016_SCOM_EN.EXE to C:\temp, extract it and launch the install.
  4. Select all install options.
  5. Enter MG name.
  6. Enter SQL name and instance.
  7. Use the following service accounts:
    • Msaa - lab\om-msa
    • Das - lab\om-das
    • Reader - lab\om-rdr
    • Writer - lab\om-wrt
  • Open the console when finished.
  • Add lab\OM-Admins to Operations Manager Administrators and remove BUILTIN\Administrators.
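
To check the finished build against the account table at the top of the page, the following audit can be run on MS1. It is an added example, not part of the original write-up, and assumes an elevated Windows PowerShell 5.1 prompt; the function name Expand-DomainGroup and the status labels are made up for the example. It expands every domain group in the local Administrators group and classifies each resulting account.

```powershell
# Added example, not from the original write-up. Run on MS1, elevated.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Expected model, from the Accounts and Groups tables on this page.
$allowedAdmins      = 'om-msa', 'om-das'          # local admin via lab\SRV-Admins
$mustNotBeAdmin     = 'om-rdr', 'om-wrt', 'om-admin'
$removeAfterInstall = 'om-install'                # "Access removed post install"

$domain = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($domain, 'lab.com')

function Expand-DomainGroup([string]$Name) {
    # Resolve a domain group, nested groups included, to its users' sAMAccountNames.
    $group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ctx, $Name)
    if ($null -eq $group) { return }
    $group.GetMembers($true) | ForEach-Object { $_.SamAccountName }
}

# Every domain account that ends up with local admin on this server.
$effective = foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    if ($member.PrincipalSource -ne 'ActiveDirectory') { continue }
    $short = ($member.Name -split '\\')[-1]       # LAB\SRV-Admins -> SRV-Admins
    if ($member.ObjectClass -eq 'Group') { Expand-DomainGroup $short } else { $short }
}

$report = foreach ($account in @($effective | Sort-Object -Unique)) {
    if ($account -in $mustNotBeAdmin) {
        $status = 'VIOLATION: should not be local admin'
    } elseif ($account -in $removeAfterInstall) {
        $status = 'TODO: remove now that the install is done'
    } elseif ($account -in $allowedAdmins) {
        $status = 'expected'
    } else {
        $status = 'review'                        # e.g. members of Domain Admins
    }
    [pscustomobject]@{ Account = $account; Status = $status }
}
$report | Sort-Object Status, Account | Format-Table -AutoSize
```

On the build described here, om-install is reported as a TODO until it is taken out of SRV-Admins.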

Notes

The install was successful and I didn't get any errors. I would have thought that om-rdr & om-wrt accounts would need to be in local admin group.
