A Primer on Installing SCOM 2007 R2 and Windows Azure Application Monitoring

You can find the full procedures in the SCOM 2007 R2 Deployment Guide and the Azure Management Pack documentation, but I am providing this to give you visuals and some “hard won” experience that augments those instructions and provides a bit more hand-holding.

The first order of business is to verify that your SCOM 2007 R2 is up to the CU3 patch level, which is required for the Azure Management Pack to work. I would strongly suggest you go here and follow the instructions precisely. When it’s all said and done, the version number in the About dialog of the SCOM management console should be 6.1.7221.49.

Update: CU4 is now available, which you can find here. The procedure is pretty much the same. If you want to use the Authoring Console, make note of the known issue in the CU4 documentation regarding exporting management packs from the Operations Console; just search on "New management pack edit issue". Basically, the updated reference is no longer recognized by the Authoring Console, so you will have to set the SystemCenter reference in your exported management pack to 6.1.7221.0. I know, really dumb bug.

One thing that I and others have done is to get fooled into thinking the CU3 (or now, CU7 as of March 2013) installation is complete based on the “foreground” dialog below, when we suddenly see the “background” splash screen with Start “pop under” the main installation dialog, as seen below. The installation is anything but “complete” at this moment. If you do not see the Start splash screen pop under the main installation dialog, then that means you did not, per the instructions, launch from an elevated command prompt. You must do this or your installation will not complete properly. Just run the installation program from a command prompt that was started by using the Run as Administrator option and you'll be all set.


When you select the “Close” button on the dialog above, you must then continue the install with the other dialog behind it, where you will select the “Run Server Update” link (note that this is for a typical single server install, or a two server install with a database server and a single management server). This will continue the install for the cumulative updates, which will be three individual installs that CU3 initiates in sequence (you will be called on to press the “Finish” button for each, so don’t head out for coffee just yet).


Once you’re done with the CU3 install, you’re ready to install the Azure Management Pack (Release Candidate), which can be found here. The install dialog is shown below; the install itself takes just a few seconds.


The management pack installation is not all you have to do. This install simply places the management pack on the file system, which you will have to then import in the SCOM console. Once the install is done, it will launch Windows Explorer, which will show the folder location where the management pack was extracted during the installation, as seen below. Copy the path, as you will need this in the next step for the import.


The next step is to launch the SCOM console. Here, you will select the Administration view, right-click on the Management Packs node, and select “Import Management Packs…” You would then navigate to the folder the install pointed you to previously, and select the Azure management pack in that folder, as seen below.


You can verify that the management pack is loaded by scrolling to the bottom of the list of management packs, where you should see the Windows Azure management pack, as seen below.


Now that the management pack is installed, you’re ready to set up SCOM so it can access your Azure subscription. If you already have a Management Certificate uploaded to Azure, you will just need to import that certificate into the certificate store on your SCOM server using the Certificate Manager (from the Start button, type “certmgr.msc” in the Search box). Be sure to import the certificate into the Trusted Root Certification Authorities folder. If you haven’t done so already and need to create a management certificate, then I would suggest using the IIS Manager to create a self-signed certificate. Launch IIS Manager and double-click the Server Certificates icon, as seen below.


This will take you to the Server Certificates window (as seen below) where you can perform the self-cert by selecting the “Create Self-Signed Certificate…” link.


Verify that the new self-cert certificate is now in the certificate store, as seen below.


Now that you have your certificate, you will need to export it from the Certificate Manager in both private key (.pfx) and public key (.cer) forms. SCOM will need the private key version in order to authenticate SCOM to your Azure subscription. You will have to upload the public key version as a “management certificate” to the Azure portal. On the window below, you would right-click the certificate, select “All Tasks,” and then select “Export…” to yield the Certificate Export Wizard, which is used to export both the private and public key certificates to the desktop. You can consult the Azure documentation to learn how to upload the certificate to the Azure management portal as a management certificate.
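
As an added check (not part of the original post), the PowerShell below confirms that the two exported files belong together before you upload anything: the .cer is a bare certificate with no private key, the .pfx opens with the password you chose, both share a thumbprint, and the certificate is within its validity period. The file names and the function name `Test-ManagementCertPair` are hypothetical.

```powershell
# Added example, not from the original post. Paths are hypothetical placeholders.
$pfxPath = "$env:USERPROFILE\Desktop\AzureMgmt.pfx"  # private key export, used by SCOM
$cerPath = "$env:USERPROFILE\Desktop\AzureMgmt.cer"  # public export, uploaded to Azure

function Test-ManagementCertPair {
    param(
        [string]$PfxPath,
        [string]$CerPath,
        [System.Security.SecureString]$PfxPassword
    )
    $problems = @()

    # The file uploaded to Azure must be a bare certificate, never a PKCS#12 container.
    $cerType = [System.Security.Cryptography.X509Certificates.X509Certificate2]::GetCertContentType($CerPath)
    if ($cerType -ne 'Cert') {
        $problems += "$CerPath has content type '$cerType', expected 'Cert'."
    }

    # Opening the .pfx throws if the password is wrong. This is the same password
    # the Basic Authentication Run As Account has to carry.
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $PfxPassword
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    try {
        if (-not $pfx.HasPrivateKey) {
            $problems += "The .pfx holds no private key; re-export it with the private key included."
        }
        if ($pfx.Thumbprint -ne $cer.Thumbprint) {
            $problems += "Thumbprint mismatch: the .pfx and .cer are different certificates."
        }
        $now = Get-Date
        if ($now -lt $pfx.NotBefore -or $now -gt $pfx.NotAfter) {
            $problems += "Certificate is outside its validity period ($($pfx.NotBefore) to $($pfx.NotAfter))."
        }
        New-Object PSObject -Property @{
            Thumbprint = $pfx.Thumbprint
            NotAfter   = $pfx.NotAfter
            Problems   = $problems
        }
    }
    finally {
        # Release the key material loaded into this session.
        $pfx.Reset(); $cer.Reset()
    }
}

$password = Read-Host -AsSecureString "Password for the .pfx"
$result = Test-ManagementCertPair -PfxPath $pfxPath -CerPath $cerPath -PfxPassword $password
if ($result.Problems.Count -eq 0) { "OK, thumbprint $($result.Thumbprint)" } else { $result.Problems }
```

Once both Run As Accounts are created and the .cer is uploaded, delete the exported .pfx from the desktop so the private key does not sit in a user profile.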


Now you have to actually set up the credentials in SCOM, leveraging the certificate you uploaded to the Azure management portal. This certificate will give you access to the Azure subscription from SCOM. Below, I have selected the Administration view to demonstrate where you must set up your credentials using Binary Authentication (i.e., the certificate itself) and Basic Authentication for access to Azure (specifically, the password associated with your certificate that you entered when you exported the certificate with the private key).


Right-click on the Accounts node and select “Create Run As Account…”, which will show the dialog box below. Here you will select “Binary Authentication” for the Run As Account type. Provide a display name, and select Next.


Now you must select the exported certificate file with the private key (.pfx extension) that you created earlier for the management certificate you uploaded to Azure.


After you are done setting up the binary authentication (the certificate), you must next set up the password for certificate authentication. Again, you would right-click on the Accounts node and select “Create Run As Account…” The Run As Account type would be “Basic Authentication” in this case.


Here is where we will provide the password for the private key of the certificate we set up in the previous step. You can use any username, but will have to provide the password for the private key for the certificate.


Now that we have the authentication set up, we can select the Authoring view, where we will see the Management Pack Templates. You should see Windows Azure Application as one of the Management Pack template nodes.


From here, you can right-click the Windows Azure Application node and select the “Add Monitoring Wizard…” item. You will see the screen below, where you will select Windows Azure Application and then select Next.


On the Name and Description page of the wizard, provide the desired name and description for your new monitoring type. Leave the default destination management pack and click Next.


On the Application Details page of the wizard, you will have to provide the following information:

  1. The precise Hosted Service Name as seen in the Azure Management Portal
  2. The Subscription ID from the Properties pane, seen after selecting your Azure subscription in the Azure Management Portal
  3. The Deployment slot of your application, which will either be Staging or Production
  4. The Azure Certificate Run As Account, which will be the Azure Binary account you created earlier
  5. The Azure Certificate Password Run As Account, which will be the Azure Password account you created earlier

Once you have entered this information, you will select Next.


The next step will be to select a proxy account. Select the Browse button, and when the dialog is presented, select the Search button, and then select your server name, as seen below. When it takes you back to the original dialog, select Next if you don’t have a proxy server. If you do have one, enter your proxy server address and then select Next.


You’re now done, and can select the Create button on the final page of the wizard.


Presuming you have entered everything correctly, you should now see your new Azure application monitor in the list.


Now select the Monitoring view. Locate the Windows Azure node and expand it. Then click on the Deployment State node and select your Azure application in the list. Your console should look as seen below.


With a little patience, you should eventually see the Detail View populated with information on your Azure deployment. You may have to refresh the page a couple of times before you see the results. If the console is unable to make the connection to your Azure deployment, you will find out here, and can check for errors in the Event Log to uncover problems such as failing authentication. You can also check the Active Alerts node to see if the console has problems accessing your deployment.

In a later blog, I will provide more specifics on the various Windows Azure nodes in the SCOM 2007 R2 console.