Sunday, November 15, 2009

SCOM: Operations Console Reporting locks SDK and Config Account

Update 11-26-2009: Microsoft has documented this problem as a bug, but only for internal purposes. Only when more customers have similar problems will they give it priority for fixing. But if you do have this problem, you can fix it on your own using the explanation in this blog.

This blog post is about a bug I found in the Operations Console in Operations Manager 2007 R2. This bug can lock your SDK and Config Service Account.

Consider this example. You manage two SCOM environments from one main domain (domain A) and there's a one-way trust between domain A and domain B (2 separate forests, B trusts A).

When you want to use the Reporting feature from the Operations Manager of your Management Group in Domain B, the console will show an error because this operation is not allowed by design.
Error message when you try to run a report in System Center Operations Manager 2007: "Message: Loading reporting hierarchy failed." "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"

If you want to know more about this, read this blog:

But there's a caveat. If you use the same login name (a.k.a. SAM-Account-Name) for the SDK and Config Service Account in both domains, the Operations Console (running in domain A but pointing to the Management Group in domain B) will lock the SDK and Config Service Account in domain A.
What!!! Yep, even though we are working on our Management Group in domain B, the SDK and Config Service Account in domain A is locked because the login name for this account is the same in both domains. After investigating the audit trail logs, it turned out that the server that locked the SDK and Config Service Account was the RMS server of the Management Group in domain B.
Remember that this only occurs if there's a one-way trust.
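
The audit-log check described above, as an added example (not code from the original post): it reads a Security-log XML export from a domain A domain controller and counts which computer caused each lockout of the service account. It assumes domain controllers that record lockouts as event ID 4740 and an export wrapped in an `<Events>` root element; the account and host names are constructed.

```python
# Added example: attribute lockouts (event ID 4740) of one account to the
# computer that triggered them. Every name and event here is constructed.
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, time, user, caller):
    """Build one constructed Security-log event in export XML shape."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        f'<TimeCreated SystemTime="{time}"/>'
        "<Computer>DC-A01.domaina.example</Computer></System><EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="TargetDomainName">{caller}</Data>'
        '<Data Name="SubjectUserName">DC-A01$</Data></EventData></Event>'
    )

SAMPLE = "<Events>" + "".join([
    _event(4740, "2009-11-10T08:01:12Z", "svc_scomsdk", "RMS-B01"),
    _event(4740, "2009-11-10T08:31:40Z", "SVC_SCOMSDK", "rms-b01"),
    _event(4740, "2009-11-10T09:02:03Z", "jdoe", "WKS-A17"),
    _event(4624, "2009-11-10T09:05:00Z", "svc_scomsdk", "DOMAINA"),
]) + "</Events>"

def lockout_sources(xml_text, sam_account_name):
    """Return Counter {caller computer: lockouts} for one sAMAccountName."""
    wanted = sam_account_name.lower()  # account names compare case-insensitively
    sources = Counter()
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4740":
            continue  # not an account-lockout event
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("TargetUserName", "").lower() != wanted:
            continue
        # In event 4740 the TargetDomainName field holds the caller computer name.
        sources[data.get("TargetDomainName", "").upper() or "(blank)"] += 1
    return sources

def unexpected_sources(sources, known_hosts):
    """Callers that are not among the hosts expected to use the account."""
    known = {h.upper() for h in known_hosts}
    return sorted(h for h in sources if h not in known)

if __name__ == "__main__":
    found = lockout_sources(SAMPLE, "svc_scomsdk")
    print(dict(found), unexpected_sources(found, ["RMS-A01", "MS-A02"]))
```

A caller that is not one of the account's own management group servers, such as the RMS of the other domain's Management Group here, is the pattern this post describes.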

Sent to Microsoft - Official bug
After investigating this problem and finding the cause, I created a case at Microsoft Support. After a few weeks they were able to reproduce this problem. This is now an official bug. Unfortunately, Microsoft cannot say when this bug is going to be documented or whether it will even get fixed.

Rename the SDK and Config Service Account 'samAccountName' in Domain B, or use the workaround mentioned in Prakish' post:
