Automate SCOM 2016 installation with PowerShell

This blog post demonstrates how to automate the installation of SCOM 2016 and its requirements using PowerShell. You can also use parts of it on their own, for example to install only the software prerequisites or to create the service accounts.

My demo lab is configured in the following way:

  • SCOM Server – VM with up to 8 GB RAM, 4 vCPUs, Windows Server 2016
  • The SCOM VM has an Internet connection (to get Report Viewer/Runtime)
  • SQL Server – VM with up to 4 GB RAM, Windows Server 2016
  • Database Services, Full Text and Reporting Services – Native were installed on the SQL Server VM.
  • Both machines are joined to the same domain
  • SCOM media is copied to <systemdrive>\SCOM2016
  • I checked the script using my domain administrator account
  • Download link is available at the bottom
What does the script do?
  • Downloads and installs Report Viewer Controls and required Runtime
New-Item $env:systemdrive\SCOM2016Reqs -ItemType Directory
Invoke-WebRequest http://download.microsoft.com/download/A/1/2/A129F694-233C-4C7C-860F-F73139CF2E01/ENU/x86/ReportViewer.msi -OutFile $env:systemdrive\SCOM2016Reqs\ReportViewer.msi
Invoke-WebRequest http://download.microsoft.com/download/F/E/E/FEE62C90-E5A9-4746-8478-11980609E5C2/ENU/x64/SQLSysClrTypes.msi -OutFile $env:systemdrive\SCOM2016Reqs\SQLSysClrTypes.msi
Start-Process "$env:systemdrive\SCOM2016Reqs\SQLSysClrTypes.msi" /qn -Wait
Start-Process "$env:systemdrive\SCOM2016Reqs\ReportViewer.msi" /quiet -Wait
Write-Host "The Report Viewer Controls and Runtime have been installed" -ForegroundColor DarkCyan
  • Creates required service accounts, SCOM administrator group in the specified OU and configures required permissions (local admin rights for the SCOM admin group)
Install-WindowsFeature RSAT-AD-PowerShell
$adcn=(Get-ADDomain).DistinguishedName
$dname=(Get-ADDomain).Name
New-AdUser SCOM-AccessAccount -SamAccountName scom.aa -AccountPassword (ConvertTo-SecureString -AsPlainText $svcpass -Force) -PasswordNeverExpires $true -Enabled $true -Path "OU=$ouname,$adcn"
New-AdUser SCOM-DataWareHouse-Reader -SamAccountName scom.dwr -AccountPassword (ConvertTo-SecureString -AsPlainText $svcpass -Force) -PasswordNeverExpires $true -Enabled $true -Path "OU=$ouname,$adcn"
New-AdUser SCOM-DataWareHouse-Write -SamAccountName scom.dww -AccountPassword (ConvertTo-SecureString -AsPlainText $svcpass -Force) -PasswordNeverExpires $true -Enabled $true -Path "OU=$ouname,$adcn"
New-AdUser SCOM-Server-Action -SamAccountName scom.sa -AccountPassword (ConvertTo-SecureString -AsPlainText $svcpass -Force) -PasswordNeverExpires $true -Enabled $true -Path "OU=$ouname,$adcn"
New-AdGroup -Name SCOM-Admins -GroupScope Global -GroupCategory Security -Path "OU=$ouname,$adcn"
Add-AdGroupMember SCOM-Admins scom.aa,scom.dwr,scom.dww,scom.sa
Add-LocalGroupMember -Member $dname\SCOM-Admins -Group Administrators
#SQL Server service accounts (SQLSSRS is the Reporting Services service account)
New-AdUser SQLSVC -SamAccountName sqlsvc -AccountPassword (ConvertTo-SecureString -AsPlainText $svcpass -Force) -PasswordNeverExpires $true -Enabled $true -Path "OU=$ouname,$adcn"
New-AdUser SQLSSRS -SamAccountName sqlssrs -AccountPassword (ConvertTo-SecureString -AsPlainText $svcpass -Force) -PasswordNeverExpires $true -Enabled $true -Path "OU=$ouname,$adcn"
Write-Host "The service Accounts and SCOM-Admins group have been added to OU=$ouname,$adcn" -ForegroundColor DarkCyan

  • Configures SQL Server by creating required Windows Firewall rules and adding SCOM-Admins group to the administrators on the server
$secpasswd = ConvertTo-SecureString $sqlpass -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("$dname\$sqluser", $secpasswd)
$psrem = New-PSSession -ComputerName $sqlsrv -Credential $cred
Invoke-Command -Session $psrem -ScriptBlock{
Install-WindowsFeature RSAT-AD-Powershell
Set-NetFirewallRule -Name WMI-WINMGMT-In-TCP -Enabled True
New-NetFirewallRule -Name "SQL DB" -DisplayName "SQL Database" -Profile Domain -Direction Inbound -LocalPort 1433 -Protocol TCP -Action Allow
New-NetFirewallRule -Name "SQL Server Admin Connection" -DisplayName "SQL Admin Connection" -Profile Domain -Direction Inbound -LocalPort 1433 -Protocol TCP -Action Allow
New-NetFirewallRule -Name "SQL Browser" -DisplayName "SQL Browser" -Profile Domain -Direction Inbound -LocalPort 1434 -Protocol UDP -Action Allow
New-NetFirewallRule -Name "SQL SRRS (HTTP)" -DisplayName "SQL SRRS (HTTP)" -Profile Domain -Direction Inbound -LocalPort 80 -Protocol TCP -Action Allow
New-NetFirewallRule -Name "SQL SRRS (SSL)" -DisplayName "SQL SRRS (SSL)" -Profile Domain -Direction Inbound -LocalPort 443 -Protocol TCP -Action Allow
# $using: passes the local $sqlserverport value into the remote session
New-NetFirewallRule -Name "SQL Instance Custom Port" -DisplayName "SQL Instance Custom Port" -Profile Domain -Direction Inbound -LocalPort $using:sqlserverport -Protocol TCP -Action Allow
New-NetFirewallRule -Name "SQL Server 445" -DisplayName "SQL Server 445" -Profile Domain -Direction Inbound -LocalPort 445 -Protocol TCP -Action Allow
New-NetFirewallRule -Name "SQL Server 135" -DisplayName "SQL Server 135" -Profile Domain -Direction Inbound -LocalPort 135 -Protocol TCP -Action Allow
# $args[0] is the domain name passed through -ArgumentList
Add-LocalGroupMember -Member "$($args[0])\SCOM-Admins" -Group Administrators} -ArgumentList $dname
Write-Host "The SQL Server $sqlsrv has been configured" -ForegroundColor DarkCyan
  • Installs Web Console prerequisites (IIS and so on)
Install-WindowsFeature NET-WCF-HTTP-Activation45,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors, `
Web-Http-Logging,Web-Request-Monitor,Web-Filtering,Web-Stat-Compression,Web-Mgmt-Console,Web-Metabase,Web-Asp-Net,Web-Windows-Auth
Write-Host "The Web Console prerequisites have been installed" -ForegroundColor DarkCyan
  • Installs the SCOM Server (OMServer, OMConsole and OMWebConsole).
$arglist= @("/install /components:OMServer,OMConsole,OMWebConsole /ManagementGroupName:$mgmtgroup /SqlServerInstance:$sqlsrv\$sqlinstancename /SqlInstancePort:$sqlserverport",
"/DatabaseName:OperationsManager /DWSqlServerInstance:$sqlsrv\$sqlinstancename /DWDatabaseName:OperationsManagerDW /ActionAccountUser:$dname\scom.sa",
"/ActionAccountPassword:$svcpass /DASAccountUser:$dname\scom.aa /DASAccountPassword:$svcpass /DataReaderUser:$dname\scom.dwr",
"/DataReaderPassword:$svcpass /DataWriterUser:$dname\scom.dww /DataWriterPassword:$svcpass /WebSiteName:""Default Web Site""",
'/WebConsoleAuthorizationMode:Mixed /EnableErrorReporting:Always /SendCEIPReports:1 /UseMicrosoftUpdate:1 /AcceptEndUserLicenseAgreement:1 /silent')
Start-Process -FilePath $env:systemdrive\SCOM2016\setup.exe -ArgumentList $arglist -Wait
Write-Host "The SCOM has been installed. Don't forget to license SCOM" -ForegroundColor DarkCyan
  • Once SCOM is installed, check the installation log located at <username>\AppData\Local\SCOM\LOGS\OpsMgrSetupWizard.txt.
    Additionally, don’t forget to set a valid SCOM 2016 product key by using Set-SCOMLicense -ProductId <key>
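
The first step above downloads two MSI packages over plain HTTP and installs them silently with administrative rights. The following is an added example, not part of the original script, that checks each package's Authenticode signature before installing it. The function name Install-VerifiedMsi and the expected signer string are assumptions; the URLs are the ones used in the post.

```powershell
# Added example: download an MSI, verify its Authenticode signature, then install it.
function Install-VerifiedMsi {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: both packages are expected to be signed by Microsoft.
        [string] $ExpectedSigner = 'O=Microsoft Corporation'
    )

    Invoke-WebRequest -Uri $Uri -OutFile $Path -UseBasicParsing

    # Refuse anything that is unsigned, tampered with, or signed by someone else.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Remove-Item $Path -Force
        throw "Signature check failed for ${Path}: $($sig.Status)"
    }
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        Remove-Item $Path -Force
        throw "Unexpected signer for ${Path}: $($sig.SignerCertificate.Subject)"
    }

    # Record the hash so the installed package can be matched to this file later.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    Write-Host "$Path signed by '$($sig.SignerCertificate.Subject)', SHA256 $hash"

    # Call msiexec directly so its exit code can be checked.
    $p = Start-Process msiexec.exe -ArgumentList "/i `"$Path`" /qn /norestart" -Wait -PassThru
    if ($p.ExitCode -notin 0, 3010) {   # 3010 = success, reboot required
        throw "msiexec returned $($p.ExitCode) for $Path"
    }
}

$reqs = Join-Path $env:SystemDrive 'SCOM2016Reqs'
New-Item $reqs -ItemType Directory -Force | Out-Null

# Same order as the original script: CLR Types first, then Report Viewer.
Install-VerifiedMsi -Path "$reqs\SQLSysClrTypes.msi" `
    -Uri 'http://download.microsoft.com/download/F/E/E/FEE62C90-E5A9-4746-8478-11980609E5C2/ENU/x64/SQLSysClrTypes.msi'
Install-VerifiedMsi -Path "$reqs\ReportViewer.msi" `
    -Uri 'http://download.microsoft.com/download/A/1/2/A129F694-233C-4C7C-860F-F73139CF2E01/ENU/x86/ReportViewer.msi'
```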

That’s it. Just run the script, provide values for the SQL Server connection, credentials and so on, and wait until the SCOM installation is complete.

I uploaded the script, so feel free to use it (please mention my blog if you share the script or part of it. Let’s respect each other!)

DOWNLOAD THE SCRIPT

How to customize a VMware ESXi image and install it in a Hyper-V VM

I’ve recently been deploying VMware ESXi in my lab environment and would like to share the main steps required to make it work on nested Hyper-V. Needless to say, nested virtualization works great only for demos and labs; running ESXi under Hyper-V is completely unsupported in production environments.

Anyway, carry out the following steps to install ESXi (6.0 in my case, although these steps should work for newer versions as well):

1. Download the VMware ESXi offline bundle available at the product download page (e.g. ESXi6.0). You can also download an ESXi image customized by a vendor. For example, here is a direct download link for Dell’s ESXi 6.0 image, which includes Dell’s VIBs in addition to the built-in installation bundles provided by VMware.

2. Download the driver that allows ESXi to run as a VM under Microsoft Hyper-V (net-tulip). It is a network driver that must be added to the ESXi image; otherwise, the ESXi installation will be blocked.

3. Copy the downloaded files to the same folder (e.g. ‘D:\Images\VMware ESXi 6\’). It’ll be used as a work folder.

4. Download and install VMware PowerCLI 6.3 or newer

5. Once PowerCLI is installed, run it and set the location to the folder containing the files, then add the offline depot ZIP files to the current PowerCLI session as shown below:

cd 'D:\Images\VMware ESXi 6\'
Add-EsxSoftwareDepot .\esxi60_bundle.zip
Add-EsxSoftwareDepot .\net-tulip-1.1.15-1-offline_bundle.zip

6. Retrieve the name of the standard image profile and note it (it will be used as the source to clone for a new profile):

Get-EsxImageProfile|ft Name

7. Create a new image profile by cloning the existing profile whose name you just noted, and then add the driver’s package to the profile:

#Create a new image profile
New-EsxImageProfile -CloneProfile ESXi-6.0.0-2494585  -Name rlevchenko.com -Vendor custom

#Add custom packages
Add-EsxSoftwarePackage -ImageProfile rlevchenko.com -SoftwarePackage net-tulip -Force

If AcceptanceLevel is set to PartnerSupported by default (as in the picture above) and the custom packages you are going to add to the image profile have the Community acceptance level, you will receive an error when creating the ESXi ISO and during its installation. To resolve this, set the acceptance level of the image profile to CommunitySupported by running the following command:

Set-EsxImageProfile -AcceptanceLevel CommunitySupported -ImageProfile rlevchenko.com

8. Now it’s time to create an ISO from the customized ESXi image. To do this, run the following command:

Export-EsxImageProfile -ImageProfile rlevchenko.com -FilePath D:\Images\esxi60_custom.iso -ExportToIso -Force
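
Lowering the acceptance level in step 7 applies to the whole image profile, not just to net-tulip. The following is an added example, not from the original post, that can be run in the same PowerCLI session before the export: it lists what the custom profile contains beyond the cloned one, stops if anything other than the intended driver was added, and lowers the level only as far as the added packages require. The variable names and the $expected list are assumptions.

```powershell
# Added example: run after step 7 and before the export in step 8.
$baseName = 'ESXi-6.0.0-2494585'   # profile name noted in step 6
$newName  = 'rlevchenko.com'       # profile created in step 7
$expected = @('net-tulip')         # packages added on purpose (assumption)

# Acceptance levels, most trusted first.
$levels = 'VMwareCertified', 'VMwareAccepted', 'PartnerSupported', 'CommunitySupported'
function Get-LevelRank($level) { [array]::IndexOf($levels, "$level") }

$base = Get-EsxImageProfile -Name $baseName
$img  = Get-EsxImageProfile -Name $newName

# 1. What does the custom profile contain that the cloned profile does not?
$added = $img.VibList | Where-Object { $_.Name -notin $base.VibList.Name }
$added | Format-Table Name, Version, Vendor, AcceptanceLevel -AutoSize

$unexpected = $added | Where-Object { $_.Name -notin $expected }
if ($unexpected) {
    throw "Unexpected packages in ${newName}: $($unexpected.Name -join ', ')"
}

# 2. Which packages are less trusted than the profile's current level?
$profileRank = Get-LevelRank $img.AcceptanceLevel
$weaker = $img.VibList |
    Where-Object { (Get-LevelRank $_.AcceptanceLevel) -gt $profileRank }

# 3. Lower the level only if needed, and only as far as the weakest package requires.
if ($weaker) {
    $rank = ($weaker | ForEach-Object { Get-LevelRank $_.AcceptanceLevel } |
             Measure-Object -Maximum).Maximum
    $needed = $levels[$rank]
    Write-Host "Lowering $newName from $($img.AcceptanceLevel) to $needed because of: $($weaker.Name -join ', ')"
    Set-EsxImageProfile -ImageProfile $newName -AcceptanceLevel $needed | Out-Null
}
```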

Create a new VM with the following settings:

  • Generation 1
  • Static RAM (> 4Gb is recommended)
  • More than 1vCPU
  • Legacy network adapter connected to the switch

A sample of VM’s configuration is shown below:

9. Once you have finished configuring the VM, enable virtualization extensions on the VM’s CPU. Optionally, you can download a script available on GitHub to check the VM’s configuration and enable nested virtualization. Both options are allowed:

#Option 1
Set-VMProcessor -VMName "vHost-01" -ExposeVirtualizationExtensions $True

#Option2
.\Enable-NestedVM.ps1 -vmName "vHost-01"

10. Turn on the VM, attach the created ESXi ISO and press TAB on the boot screen, then type ignoreHeadless=TRUE and press Enter. Otherwise, ESXi will hang while booting (I assume it’s all because ESXi is running on non-HCL hardware. VM is a bit out of the HCL list..).

11. Complete the ESXi installation process (as usual), reboot it and press SHIFT+O during startup, and then enable the ignoreHeadless option again as shown in the screenshot:

Once ESXi has started successfully, define the settings for the management network, enable the Shell, and then press Alt+F1 to enter the console. We need to set a VMkernel boot-time parameter. Otherwise, you will need to enable ignoreHeadless after every reboot.

Provide root credentials and type esxcfg-advcfg -k TRUE ignoreHeadless

Close the console by pressing ALT+F2, reboot ESXi and verify that it starts up seamlessly.

That’s it. Now you have an ESXi host running on a Hyper-V VM.

Until then,

enjoy your day :)!