Saturday 28 May 2016

System Center Operations Manager 2012 R2 - Post Configurations - Part 2

Hello Everyone,

In this blog, I will explain some post-configuration steps to perform after SCOM installation, such as importing management packs, and give an overview of the SCOM Agent & its installation methods.

To see SCOM Prerequisites & Installation Process, Click Here!

Let's go through the process step by step.

Import Management Packs: 

SCOM monitors an application or service based on the monitoring settings available in the management pack for that application or service. For example, to monitor the Lync application, you need to download and import the Lync management pack.

There are mainly 2 types of Management Packs in SCOM:

  • Sealed Management Packs: These are the default MPs for certain monitors available in SCOM. They cannot be customised, but they can be overridden by creating new rules and saving them in new custom management packs.
  • Unsealed Management Packs: These are the downloaded MPs for any application which you want to monitor, and they can be customised as per the required monitoring rules. These MPs are imported into SCOM to configure monitoring of any other applications (or any third-party application) which you are using in your environment. You can monitor an application through SCOM if and only if a management pack for that application is available/provided by the vendor for monitoring through SCOM.
For a detailed explanation of Management Packs, Click Here!
By default, after a new deployment of SCOM, we should download and import some Management Packs for monitoring. This list of MPs includes:

  • Windows Server
  • IIS
  • Hyper-V
  • Failover Cluster/NLB
  • SQL Server
  • Other commonly used applications like Lync, etc.
Let's start with process for Importing MPs in SCOM.

When you download an MP, run the setup file. It will ask you to extract the files to a local drive. Once the files are extracted, you can see the list of available MPs.

Now, open the SCOM console and import the extracted MPs into SCOM.

NOTE: Many MPs have other dependent MPs which must be imported first. If any dependency MP is missing, the import of that MP will fail. In that case, open the properties of the failed MP to see the MPs it depends on.

Open SCOM Console, click on Administration Tab, Right click on Management Packs and Click on Import Management Packs: 


Click on Add, choose Add from Disk, Select all extracted List of MPs from the extracted Path and Click Install:


Once all MPs are installed then Click on Close:


This is how you install all required MPs in SCOM.

About SCOM Agent:

The SCOM Agent is a small setup file which is installed on the Windows machines which we want to monitor, or on the machine where an application is running that we want to monitor through SCOM.

This agent collects all required monitoring data for an application or service and sends it to SCOM for generating alerts or reports.

SCOM Agent installation methods:

There are basically three ways to install SCOM Agent:

  • Discovery Method in SCOM Console: If the machines are on the network, domain joined with authentication rights and reachable from the SCOM machine, then we can use this method to discover them and install the SCOM Agent. This method is also known as the Push installation method. Using this method, we can discover Windows, Unix and Linux OS machines.
  • By Running SCOM Setup on the machine: When you run the setup on a machine, there is an option to install the agent. Click on it and install the SCOM agent.
  • Manual Installation by using the command line: You can copy the SCOM Agent file to the machine and run the SCOM agent installation command.
NOTE: All methods require domain authentication (either in the same/trusted domain or using certificate authentication for the SCOM machine FQDN) and network reachability in both directions.

That covers the basic information about some post-configuration steps.

In the next blog, I will give a complete overview of the SCOM Console with screenshots and explain what can be done with SCOM.

In later posts, I will explain the SCOM Agent installation process step by step, configuring PRO-Tips, reporting and default dashboards in SCOM.

Happy Reading!!!

If You like my posts then follow my updates:

http://www.mdtechskillssolutions.com

Join my Facebook group for updates on trending technologies/technical references/issues etc:
https://www.facebook.com/groups/technicalskillsenhancementworld/

Wednesday 18 May 2016

Microsoft BitLocker Administration & Monitoring (MBAM) - Prerequisites, Deployment Process & Testing - Part 1

Hello Everyone,

In this blog, I will explain MBAM (Microsoft BitLocker Administration & Monitoring).

The MBAM tool is used to encrypt drives using a PIN, adding a layer of security for OS drives, fixed drives or external drives.

This tool is used to configure BitLocker Drive Encryption for client machines to secure official data from unauthorised access. Microsoft provides MBAM Group Policy Templates which can be configured as per requirements & then deployed to client machines. After that, you can monitor the compliance status of client machines using reports.

Using MBAM, it is also easy to recover the key or a lost PIN using the self-service portal.

Let's start with the prerequisites, deployment process & testing for MBAM.


Prerequisites:

  • Hardware Requirement for MBAM Server:
  • OS Requirements for MBAM Server & its Database Server:
  • SQL Server requirements for MBAM Database:
  • Hardware Requirements for MBAM Database Server:
  • Supported Client Machine Operating System Requirements:

  • Required Software:

           NOTE: MDOP Setup can be downloaded from Microsoft License Portal.
  • Required Accounts:
  • MBAM Server Information:
For MBAM, 2 servers are required: one server for the MBAM Database & the other for the MBAM Server itself. MBAM includes multiple roles which need to be configured on the respective servers as per requirement, & details for each component are explained below:


These are the basic prerequisites which need to be ready before starting the deployment. I will explain the other prerequisites step by step during the deployment.

MBAM Database Server - SQL Server 2012 SP1 Installation & Configuration:

Prerequisites:


  • Install IIS Role & .Net Framework Features from Server Manager using Add Roles & Features:






SQL Server 2012 SP1 Installation:

Run the set-up as administrator:


Follow further instructions by clicking next, next, accept license agreement & select below mentioned features for Database installation:
  • Database Engine Services
  • Reporting Service - Native
  • Client Tools Connectivity
  • Management Tools - Basic & Complete
Change the drive path for installation if you want to install it on a drive other than the default:



Choose Default Instance:


Provide SQL service accounts credentials:



Check Collation:



Give SA account password and add all accounts:



Select Install & Configure for Reporting Service Configurations:



Click Next & Install:



After Installation, Connect to SQL Server:



Open Account Properties:



Give below permissions to accounts:

  • DBReader
  • Processadmin

Now, register the SPN for the Application Pool account used by the Administration & Monitoring Website & Self-Service Portal.

To register the SPN, go to a domain machine, open a command prompt as administrator & run the below command:

Setspn -s http/"FQDN of MBAM Server" Domain_Name\ApplicationPoolAccount_Name


MBAM Roles configurations on MBAM Database Server:

Run the MBAM 2.5 SP1 Setup:



Click Next:



Accept License Agreement:



Click Next:



Click Next:



Click Install:


Click Finish:





Post-Configurations:

Open the MBAM Console and add below roles:

  • Compliance & Audit Database
  • Recovery Database
  • Reports
Click on Add New Features:


Select above mentioned features and Click Next:


Click Next:


Provide Details as per below mentioned to configure database:


and,


Provide below details to configure reports:


and,


Click Next, Next & Close:


Check if Database is created:



Check if Required Folder for MBAM is created in Reports:


Expand Folder and check if required database is created:


MBAM Server - Prerequisites & MBAM 2.5 SP1 Installation:

Prerequisites for MBAM Server Role:

Install complete IIS Role & .Net Framework features from Add Roles & Features:



and,



Install AspNetMVC4Setup for Self Service Portal configurations on MBAM Server:



Click Install:


Click Close:




MBAM 2.5 SP1 Installation:

Run the MBAM 2.5 SP1 Setup on MBAM Server:



Click Next:



Accept License Agreement:



Click Next:




Click Next:




Click Install:




Click Finish:





Post Configurations:

Open MBAM Console & Click on Add Features to add below features:

  • Administration & Monitoring Websites
  • Self Service Portal
Click on Add New Features:


Select above mentioned features:


Click Next:




Provide the required details as shown in below screenshots:




and,



and,




and,



Click Add & Close:


Open IIS Manager and check if all websites are configured correctly:



Open:  
http://MBAM_Server_FQDN/HelpDesk/ using MBAMAppPool user account:


Open: 
http://MBAM_Server_FQDN/SelfService/  using MBAMAppPool user account:


Accept & Click Continue:


Open: http://MBAM_Server_FQDN/MBAMAdministrationService/:



Click on AdministrationService.svc:


Open: http://MBAM_Server_FQDN/MBAMComplianceStatusService/:


Click on StatusReportingService.svc:


Open: http://MBAM_Server_FQDN/MBAMRecoveryAndHardwareService/:


Click on CoreServices.svc:


All configurations are completed now.

Next task is to configure MBAM GPO Templates.

MBAM Group Policy Template configuration & deployment:

You need to download and configure the group policy template for MBAM as per requirements. Below are the steps & reference links which need to be followed:


NOTE: For each OS version, you must configure separate policies, i.e. Windows 7, Windows 8 and Windows 10 will each have separate policies.

  • After that, create separate OUs based on the OS version of the client machines and add the machines to the OU for their OS version.
  • Deploy configured policies to OU's respectively based on OS version.

MBAM Client Deployment:


There are many ways to deploy MBAM Client to the test machines, like using SCCM, Group Policies or manually using command.

Copy the MBAM Client set-up to Client Machine & Run the below command in elevated command prompt:

MBAMClientSetup.exe /acceptEula=Yes

This set-up is available in MBAM Set-up folder only.

Note: When configuring the MBAM services via Group Policy, there are two policy timers that are configured: Client Checking Status Frequency (Default: 90 Minutes) and Status Reporting Frequency (Default: 720 Minutes).
These timers have corresponding registry settings that can be manually changed so that their checks run immediately when the MBAM client is restarted. This is generally done to quickly initiate the user prompt for starting the encryption process, as well as to force the status reporting to update. The key and the values to set in order to initiate the checks are listed below:

HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement

Set ClientWakeUpFrequency = 1 and StatusReportingFrequency = 1

After making the changes in the system registry, restart the MBAM Client Agent on the client machines.

From the Start screen, type cmd, right-click the cmd tile and then click Run as administrator. At the command prompt, run the following commands to restart the MBAM Client Agent:

net stop mbamagent
net start mbamagent


If the above timers are not changed, then you have to wait for the intervals configured in the policy before the encryption prompt appears automatically.
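
The timer change and agent restart described above, as an added PowerShell example (not part of the original post). It assumes PowerShell 3.0 or later in an elevated session on a test client; the backup file path is a hypothetical choice, and the key, value names and service name are the ones given in this post.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
$key    = 'HKLM:\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$names  = 'ClientWakeUpFrequency', 'StatusReportingFrequency'
$backup = Join-Path $env:TEMP 'mbam-timers-backup.json'   # hypothetical backup location

# The key only exists once the MBAM Group Policy has applied to this machine.
if (-not (Test-Path $key)) {
    throw "MBAM policy key not found; the MBAM GPO has not applied to this client yet."
}

# Record the policy-delivered values before changing them.
$current = Get-ItemProperty -Path $key
$saved   = @{}
foreach ($n in $names) {
    $saved[$n] = $current.$n          # $null when the value is absent
}
$saved | ConvertTo-Json | Set-Content -Path $backup -Encoding UTF8

# Set both timers to 1 so the checks run right after the agent restarts.
foreach ($n in $names) {
    Set-ItemProperty -Path $key -Name $n -Value 1 -Type DWord
}

# Equivalent to "net stop mbamagent" followed by "net start mbamagent".
Restart-Service -Name MBAMAgent

# Show what is now in the registry next to what was saved.
Get-ItemProperty -Path $key | Select-Object $names
Get-Content -Path $backup
```

Once testing is finished, gpupdate /force reapplies the frequencies configured in the GPO, so the client does not keep the shortened timers.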

MBAM 2.5 SP1 Testing on Client Machine:

Either wait 90 minutes for the MBAM Client encryption window to prompt automatically, or open the MBAM Client UI from C:\Program Files\Microsoft\MDOP MBAM\MBAMClientUI.exe.

Click start once the set-up console opens:


Enter the password for encryption:


Monitor the process:

Note: This process may take several hours depending upon the size of the used disk space. There is no fixed time period for any given disk size.

Also, if you shut down the machine during encryption, then the encryption will resume from the point where it stopped the next time the machine starts.



Once encryption is completed, Click exit & restart the machine:


Once the machine is restarted, it will ask for the encryption password, so provide the PIN:



If you forget the PIN, you can recover it through the self-service portal.

After the credentials are verified, it will prompt for user login:


The same process is followed to encrypt fixed drives. After encryption of a fixed drive, once you restart the machine, a lock symbol appears on the fixed drive as shown below:


To unlock the fixed drive, double-click on it and a console will open asking for the password:


Click unlock:


Once the password is verified, the drive will be unlocked and you can access the data:


You can check the status report as well:


In reports, You can see the reason for non-compliant status as well.
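
To confirm on the client itself what the MBAM status report shows, the following added example (not from the original post) summarises each volume's BitLocker state and the protectors behind the PIN and recovery steps above. It assumes the BitLocker PowerShell module (Windows 8 or later), an elevated session, and a policy that requires TPM+PIN on the OS drive; the function name is hypothetical.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on a client that has the BitLocker module (Windows 8 or later).
function Get-VolumeEncryptionSummary {
    param([Parameter(Mandatory = $true)] $Volume)

    # Key protector types present on this volume, e.g. TpmPin, RecoveryPassword.
    $types  = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $issues = @()

    if ([string]$Volume.VolumeStatus -ne 'FullyEncrypted') {
        $issues += "encryption not complete ($($Volume.VolumeStatus), $($Volume.EncryptionPercentage)%)"
    }
    if ([string]$Volume.ProtectionStatus -ne 'On') {
        $issues += 'protection is off or suspended'
    }
    # Without a recovery password protector there is no recovery key to look up.
    if ($types -notcontains 'RecoveryPassword') {
        $issues += 'no recovery password protector'
    }
    # Assumption: the MBAM policy requires TPM+PIN on the OS drive.
    if ([string]$Volume.VolumeType -eq 'OperatingSystem' -and $types -notcontains 'TpmPin') {
        $issues += 'OS drive has no TPM+PIN protector'
    }

    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        Status     = [string]$Volume.VolumeStatus
        Protection = [string]$Volume.ProtectionStatus
        Protectors = $types -join ', '
        Issues     = if ($issues) { $issues -join '; ' } else { 'none' }
    }
}

Get-BitLockerVolume |
    ForEach-Object { Get-VolumeEncryptionSummary -Volume $_ } |
    Format-Table -AutoSize -Wrap
```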


This is all about MBAM 2.5 SP1 Deployment Process as standalone.

Reference Link:

https://technet.microsoft.com/en-gb/itpro/mdop/mbam-v25/index

Happy Reading!!!
