SCOM2012: SPN registration Error

Forum: Operations Manager4
  • #112231
    HanzJR
    Participant

    Hi,

    I installed SCOM 2012 a few days ago, and today I received an error which says “Data Access Service SPN Not Registered”. The Data Access Service is using a domain account; this error occurs after restarting the system.

    1 Management Server MMS-Server

    1 Database Server SQL-Server (SCOM only)

    I searched for some workarounds and found http://blogs.technet.com/b/kevinholman/archive/2011/08/08/opsmgr-2012-what-should-the-spn-s-look-like.aspx

    After I read this article I checked the SPN registration by typing:

    setspn -L DOMAIN\OpsMgrSDKConfig

    The entries for MSOMSdkSvc/MMS-Server and MSOMSdkSvc/MMS-Server.mydomain.net were missing, so I updated the SPN and added the missing items by typing:

    setspn -A MSOMSdkSvc/MMS-Server DOMAIN\OpsMgrSDKConfig

    setspn -A MSOMSdkSvc/MMS-Server.mydomain.net DOMAIN\OpsMgrSDKConfig

    After I completed this step I closed the active alert for the missing SPN and restarted the system, but I received the same error again.

    What should I do to solve this?

    Best Regards

    #112234
    Vince McShane
    Participant

    I’ve never added SPNs to the SDK account and I haven’t had any issues, even though the Data Access Service runs as the SDK account. I have MSOMSdkSvc registered to the MS servers. Is the error definitely “Missing”? Not “Duplicate”?

    #112235
    HanzJR
    Participant

    Alert Description

    The System Center Data Access service failed to register an SPN. A domain admin needs to add MSOMSdkSvc/MMS-Server and MSOMSdkSvc/MMS-Server.mydomain.net to the servicePrincipalName of CN=MMS-Server,OU=SCOM2012,OU=SC2012,OU=Servers,DC=mydomain,DC=net

    This is the alert description from SCOM active alerts.

     

    #112236
    Vince McShane
    Participant

    When you run setspn -L MSSERVERs, does it list the MSOMSdkSvc?

    That’s the only place I have it registered.

    #112237
    HanzJR
    Participant

    As the article from Kevin Holman says, I checked the SPN entries of the MYDOMAIN\OpsMgrSDKConfig account (Run As account of the Data Access Service).

    setspn -L MYDOMAIN\OpsMgrSDKConfig

    The result was that the following entries were missing:

    MSOMSdkSvc/MMS-Server 

    MSOMSdkSvc/MMS-Server.mydomain.net

    After I checked this I added them manually to this SPN (as admin).

    The next step was to check the MMS-Server.

    setspn -L MYDOMAIN\MMS-Server

    I got the same result as in the article; as you can see in Holman’s article, there are no MSOMSdkSvc entries for this source.

    Kind Regards

    #112238
    Vince McShane
    Participant

    Sorry I can’t help more.

    When I run setspn domain\msserver I get
    MSOMSdkSvc/MMS-Server
    MSOMSdkSvc/MMS-Server.mydomain.net
    + others

    I don’t have any against the SDK account. I’ve installed SCOM 2012 a few times and never altered these.

    #112246
    HanzJR
    Participant

    C:\>setspn -L MYDOMAIN\OpsMgrSDKConfig
    Registered ServicePrincipalNames for CN=OpsMgrSDKConfig,OU=Users,OU=OpsMgr,
    DC=mydomain,DC=net:
    MSOMSdkSvc/MMS-Server.mydomain.net
    MSOMSdkSvc/MMS-Server

    C:\>setspn -L MMS-Server
    Registered ServicePrincipalNames for CN=MMS-Server,OU=SCOM2012,OU=SCCM201
    2,OU=Server,DC=mydomain,DC=net:
    MSOMHSvc/MMS-Server.mydomain.net
    MSOMHSvc/MMS-Server
    CmRcService/MMS-Server
    CmRcService/MMS-Server.mydomain.net
    WSMAN/MMS-Server
    WSMAN/MMS-Server.mydomain.net
    TERMSRV/MMS-Server
    TERMSRV/MMS-Server.mydomain.net
    RestrictedKrbHost/MMS-Server
    HOST/MMS-Server
    RestrictedKrbHost/MMS-Server.mydomain.net
    HOST/MMS-Server.mydomain.net
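
The check the posters are doing by eye, as an added example that is not part of any post in this thread: it parses captured `setspn -L` output and reports, for each `MSOMSdkSvc` SPN, whether it is missing, held only by the service's logon account, held by a different account, or held by more than one account. It assumes the Data Access Service logs on as `OpsMgrSDKConfig`, as the first post states; `Get-SpnOwner` and `Test-ExpectedSpn` are hypothetical helper names.

```powershell
# Added example; account and SPN names are the ones used in the thread.
$ServiceAccount = 'OpsMgrSDKConfig'   # logon account of the Data Access Service
$Expected = 'MSOMSdkSvc/MMS-Server', 'MSOMSdkSvc/MMS-Server.mydomain.net'
# Constructed sample of `setspn -L` output, with console-wrapped DN headers.
$Captured = @'
Registered ServicePrincipalNames for CN=OpsMgrSDKConfig,OU=Users,OU=OpsMgr,
DC=mydomain,DC=net:
    MSOMSdkSvc/MMS-Server.mydomain.net
    MSOMSdkSvc/MMS-Server
Registered ServicePrincipalNames for CN=MMS-Server,OU=SCOM2012,OU=SCCM201
2,OU=Server,DC=mydomain,DC=net:
    MSOMHSvc/MMS-Server
    HOST/MMS-Server
'@

function Get-SpnOwner([string]$Text) {
    $owners = @{}; $header = $null; $account = $null
    foreach ($line in $Text -split "`r?`n") {
        $t = $line.Trim()
        if (-not $t) { continue }
        # A header may be wrapped by the console: collect it until the closing ':'.
        if ($t -like 'Registered ServicePrincipalNames for *') { $header = $t }
        elseif ($null -ne $header) { $header += $t }
        if ($null -ne $header) {
            if ($header.EndsWith(':')) {
                $account = if ($header -match ' for CN=([^,]+),') { $Matches[1] }
                $header = $null
            }
            continue
        }
        $k = $t.ToLowerInvariant()   # SPN comparison is case-insensitive
        if ($account -and $t -match '^[^/\s]+/\S+$') { $owners[$k] = @($owners[$k] | Where-Object { $_ }) + $account }
    }
    $owners   # hashtable: SPN -> accounts that hold it
}

function Test-ExpectedSpn([hashtable]$Owners, [string[]]$Spn, [string]$Account) {
    foreach ($s in $Spn) {
        $held = @($Owners[$s.ToLowerInvariant()] | Where-Object { $_ } | Select-Object -Unique)
        $state = if ($held.Count -eq 0) { 'Missing' }
                 elseif ($held.Count -gt 1) { 'Duplicate' }
                 elseif ($held[0] -ieq $Account) { 'OK' }
                 else { 'Misplaced' }
        [pscustomobject]@{ SPN = $s; State = $state; HeldBy = $held -join ', ' }
    }
}

Test-ExpectedSpn -Owners (Get-SpnOwner $Captured) -Spn $Expected -Account $ServiceAccount | Format-Table -AutoSize
```

On a domain-joined machine the `$Captured` text can be replaced with the real output of `setspn -L` for both accounts; `setspn -X` searches the domain for duplicate SPNs.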

    #112247
    Vince McShane
    Participant

    I’m really not 100% on what to do here. You could try moving them to the server; you can move them back if it doesn’t work.

    setspn -D MSOMSdkSvc/MMS-Server.mydomain.net MYDOMAIN\OpsMgrSDKConfig
    setspn -D MSOMSdkSvc/MMS-Server MYDOMAIN\OpsMgrSDKConfig
    setspn -A MSOMSdkSvc/MMS-Server.mydomain.net MMS-Server
    setspn -A MSOMSdkSvc/MMS-Server MMS-Server

    #112248
    Andy Dominey
    Participant

    Hanz,

    Your last post looks like the SPNs are now configured correctly. Are you saying the alert is still being generated despite the current SPN configuration?

    Andy

    #112249
    Bernie Pannone
    Participant

    I had the exact same problem. I verified all of my SPNs were correct and just did overrides for each one. I did not have access to AD and that team did not have the time to look at SCOM permissions etc. So I just did a Pre-CYA document and email and moved on.

    Things to Check:
    Is the AD MP installed?
    Has OomADs been installed on each DC?
    Are permissions correct on the SCOM container?

    #112250
    HanzJR
    Participant

    The error is still persistent….

    I’ve installed SQL on a separate server and SCOM with MMS role and console on another one.

    This state is directly after completing the installation… and now after correcting the SPN.

    #112252
    Andy Dominey
    Participant

    Having done a bit of research this looks like a bug: http://social.technet.microsoft.com/Forums/en-US/operationsmanagergeneral/thread/5bc1c85a-1558-4ac3-8f07-412354e4b346/

    There is a suggestion that it goes away with UR3 but I wouldn’t bet on it. Since your SPNs look like they are configured correctly, I think it’s safe to either live with the error or disable it for now through an override and keep an eye on the release notes for future Update Rollups for a permanent fix.

    Andy

    #112287
    HanzJR
    Participant

    I solved this issue.

    I added SDKConfig to the DomainAdmins group and restarted the Data Access Service. After the service was started I removed SDKConfig from the DomainAdmins group; the service “registered all needed SPNs” again and now everything works fine.

    For some reason the recommended way to grant the read/write SPN permission to the SDKConfig account didn’t work.

    Thanks a lot for your great help

    Kind Regards

    Äktschn Hanz

    #112289
    HanzJR
    Participant

    I think I will run into this problem again… By adding a new Management Server this will occur another time.

    #230791
    Bennnn
    Participant

    Yep, temporarily add the service account to domain admins – perfecto!

    Fixed it for me.
