SCOM Agent Deployment Automating

What do others do to ensure that every server in their environment has a SCOM agent installed? I am running SCOM 2016 and the bulk of my servers are VMs, so I was thinking we might add it to the template for server deployment to make sure that all new servers get the agent. I also need a way to go back and ensure all existing servers have the agent installed.

I am also finding an issue with rogue servers getting added by some of my IT groups that did not go through the server team for getting added, so they are not in the right OU in AD and we do not see them in SCCM or SCOM.

So, any tips for helping to audit and ensure everything is monitored?

Same here. We have a small team that builds the servers. A script which is called by SCCM installs the SCOM agent and another one the Antivirus Client. I would say it’s half-automated at the moment.

The ‘assurance’ question sounds interesting actually. I have an idea and will try a little bit. :slight_smile:

Hi,

I have put together a few lines of PowerShell which can be used as a SCOM rule to compare servers in Active Directory with the SCOM inventory.

The script goes like this:

```powershell
# SCOM rule script: compare Windows servers in Active Directory with the SCOM agent inventory.
$scomAPI     = New-Object -ComObject "MOM.ScriptAPI"
$propertyBag = $scomAPI.CreatePropertyBag()

$messageText       = ""
$numberUnmonitored = 0
$missingInScom     = @()

try {
    # Load the RSAT ActiveDirectory module; -ErrorAction Stop sends failures to the catch block.
    Import-Module -Name ActiveDirectory -ErrorAction Stop

    $allMonitoredServers = Get-SCOMAgent -ErrorAction Stop |
        Select-Object -ExpandProperty ComputerName | Sort-Object

    $allADServers = Get-ADComputer -Filter * -Properties OperatingSystem -ErrorAction Stop |
        Select-Object -Property OperatingSystem, Name, DistinguishedName |
        Where-Object { $_.OperatingSystem -match "Windows Server" } | Sort-Object -Property Name

    # Optional, required in this environment: drop objects whose DN contains 'DevTest'.
    $devTestADServers     = $allADServers     | Where-Object { $_.DistinguishedName -notmatch 'DevTest' }
    $devTestADServerNames = $devTestADServers | Select-Object -ExpandProperty Name

    $difference    = Compare-Object -ReferenceObject $devTestADServerNames -DifferenceObject $allMonitoredServers
    # '<=' marks names that exist only on the AD side, i.e. servers without a SCOM agent.
    $missingInScom = @($difference | Where-Object { $_.SideIndicator -eq '<=' } | Select-Object -ExpandProperty InputObject)

    $numberUnmonitored = $missingInScom.Count
} catch {
    $messageText       = "Failed to load data from Active Directory. RSAT installed?"
    $numberUnmonitored = 1000
}

if ($numberUnmonitored -gt 0) {
    # Keep the failure message from the catch block instead of overwriting it.
    if (-not $messageText) {
        $messageText  = "$($numberUnmonitored) Servers are not monitored via SCOM Agent.`n"
        $messageText += "Details:`n$($missingInScom)"
    }
    $propertyBag.AddValue("Result", "OverThreshold")
} else {
    $messageText = "All server in AD are monitored via SCOM Query."
    $propertyBag.AddValue("Result", "UnderThreshold")
}

$propertyBag.AddValue("MessageText", $messageText)

$propertyBag
```

Below the steps in SCOM:


Continue ...

![Rule-Criteria-Unchanged.gif|858x646](upload://9dTlxlwZA7v3k5szig0z0CDgXtA.gif)

*Not tested, but should work :slight_smile:

I have two PowerShell scripts I run to compare which machines are present in AD but missing in SCOM or SCCM. I run it once a week.

```powershell
$ScomAPI     = New-Object -ComObject "MOM.ScriptAPI"
$PropertyBag = $ScomAPI.CreatePropertyBag()
$errorhash   = ""
$status      = $true

# Online SCCM clients in the target collection (replace the placeholders with your own values).
$cmcomps = Invoke-Sqlcmd -Query "select Name,sitecode,Clientversion,LastHardwareScan,LastMPServerName,CNIsOnline,max(CNLastOfflineTime) CNLastOfflineTime, max(CNLastOnlineTime) CNLastOnlineTime from v_CollectionMemberClientBaselineStatus where CNIsOnline='True' and CollectionID like 'InsertcollectionIDHere' group by Name,sitecode,Clientversion,LastHardwareScan,CNIsOnline,LastMPServerName order by Name;" -ServerInstance "InsertCMSQLnameHere" -Database "CMDatabasename"

# AD servers that changed their machine password in the last 31 days, excluding cluster objects.
# Membership of the exclusion group is checked in Where-Object: an AD -Filter cannot use $_ or -notcontains.
$date    = (Get-Date).AddDays(-31)
$adcomps = Get-ADComputer -Properties MemberOf, PasswordLastSet -Filter {(servicePrincipalName -notlike "MSCLUSTER*") -and (OperatingSystem -like "Windows Server*")} -SearchBase "OU=pathwehereserversreside" |
    Where-Object { ($_.PasswordLastSet -gt $date) -and ($_.MemberOf -notcontains "CN=Pathtogroupthatcontainscomputersthatshouldnotbeincmorscom") } |
    Select-Object Name

# Pass 1: AD servers with no SCCM client, or with a client that has not been online for 7 days.
$errorhash = $errorhash + "Computers missing from CM:"
foreach ($adcomp in $adcomps)
{
    $adcomp2 = $adcomp.name
    $match   = $false

    foreach ($cmcomp in $cmcomps)
    {
        $cmcomp2 = $cmcomp.name
        if ($adcomp2 -eq $cmcomp2)
        {
            $match = $true
            $date2 = (Get-Date).AddDays(-7)
            if ($cmcomp.CNlastonlinetime -lt $date2)
            {
                $date3     = $cmcomp.CNlastonlinetime
                $status    = $false
                $errorhash = $errorhash + "Computer not online last 7 days:" + $adcomp2 + $date3
            }
        }
    }
    if ($match -eq $false) {
        $errorhash = $errorhash + "," + $adcomp2
        $status    = $false
    }
}

# Pass 2: AD servers with no SCOM agent.
$errorhash = $errorhash + "Computers missing from SCOM:"
$omcomps   = Get-SCOMAgent | Select-Object computername
foreach ($adcomp in $adcomps)
{
    $adcomp2 = $adcomp.name
    $match   = $false

    foreach ($omcomp in $omcomps)
    {
        $omcomp2 = $omcomp.computername
        # Truncate to 15 characters before comparing with the AD name.
        if ($omcomp2.length -gt 15) { $omcomp2 = $omcomp2.substring(0,15) }

        if ($adcomp2 -eq $omcomp2)
        {
            $match = $true
        }
    }
    if ($match -eq $false) {
        $errorhash = $errorhash + "," + $adcomp2
        $status    = $false
    }
}

if ($status -eq $false)
{
    $PropertyBag.AddValue("State", "Error")
    $PropertyBag.AddValue("MessageText", $errorhash)
}
else {
    $PropertyBag.AddValue("State", "Ok")
}

$PropertyBag
```

These are some really good ideas; I will have to look at them. Has anybody included them in their VMware templates? That would be the quickest way to get it on new machines, since we are 95% VMware on our machines and any physical box would be an anomaly.

I used this script from Microsoft Technet. I have this running on alternating weeks on different SCOM servers to help load balance. Sends a nice HTML report after it runs as well. https://blogs.technet.microsoft.com/heyscriptingguy/2012/02/13/use-powershell-to-automate-scom-agent-installations/


Process - Process - Process! I am aware of at least one org that will not allow a machine to be built without documentation, asset management, and reg keys (used for SCOM discovery) defined beforehand. We’re a small org with only 3 guys deploying VMs - A semi-regular check of AD with PowerShell and a comparison to SCOM is the only way we get this done ourselves.
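
The thread's two recurring problems, servers built outside the approved OU and servers without a SCOM agent, can be reported in one pass. The following is an added example, not code from any poster in this thread; the function name `Get-ServerCoverageGap`, the OU path, the `example.test` domain and the sample hosts are all constructed assumptions.

```powershell
# Added example (hypothetical function name): report active server objects that sit
# outside the approved OU and/or have no SCOM agent.
function Get-ServerCoverageGap {
    param(
        [Parameter(Mandatory)] [object[]] $Computers,      # needs Name, Enabled, LastLogonDate, DistinguishedName
        [Parameter(Mandatory)] [string[]] $MonitoredNames, # agent names, short or FQDN
        [Parameter(Mandatory)] [string]   $ApprovedOU,     # DN of the OU the server team builds into
        [int] $StaleDays = 31
    )
    $cutoff    = (Get-Date).AddDays(-$StaleDays)
    $monitored = @{}                                       # PowerShell hashtable keys are case-insensitive
    foreach ($n in $MonitoredNames) { $monitored[($n -split '\.')[0]] = $true }

    foreach ($c in $Computers) {
        # Ignore disabled objects and objects with no recent logon, so stale AD entries do not raise alerts.
        if (-not $c.Enabled -or -not $c.LastLogonDate -or $c.LastLogonDate -lt $cutoff) { continue }
        $inOU     = $c.DistinguishedName.EndsWith(",$ApprovedOU", [System.StringComparison]::OrdinalIgnoreCase)
        $hasAgent = $monitored.ContainsKey($c.Name)
        if ($inOU -and $hasAgent) { continue }             # fully covered, nothing to report
        [pscustomobject]@{
            Name              = $c.Name
            InApprovedOU      = $inOU
            HasScomAgent      = $hasAgent
            DistinguishedName = $c.DistinguishedName
        }
    }
}

# Constructed sample data so the function runs offline. Live input would come from:
#   Get-ADComputer -Filter 'OperatingSystem -like "Windows Server*"' -Properties LastLogonDate
#   Get-SCOMAgent | Select-Object -ExpandProperty ComputerName
$now = Get-Date
$ou  = 'OU=Servers,DC=example,DC=test'
$sampleAD = @(
    [pscustomobject]@{ Name = 'APP01'; Enabled = $true; LastLogonDate = $now.AddDays(-1);  DistinguishedName = "CN=APP01,$ou" }
    [pscustomobject]@{ Name = 'DB02';  Enabled = $true; LastLogonDate = $now.AddDays(-2);  DistinguishedName = "CN=DB02,$ou" }
    [pscustomobject]@{ Name = 'LAB07'; Enabled = $true; LastLogonDate = $now.AddDays(-3);  DistinguishedName = 'CN=LAB07,CN=Computers,DC=example,DC=test' }
    [pscustomobject]@{ Name = 'WEB09'; Enabled = $true; LastLogonDate = $now.AddDays(-1);  DistinguishedName = 'CN=WEB09,CN=Computers,DC=example,DC=test' }
    [pscustomobject]@{ Name = 'OLD03'; Enabled = $true; LastLogonDate = $now.AddDays(-90); DistinguishedName = "CN=OLD03,$ou" }
)
Get-ServerCoverageGap -Computers $sampleAD -MonitoredNames 'app01.example.test', 'LAB07' -ApprovedOU $ou |
    Format-Table -AutoSize
```

Running the AD query domain-wide rather than with a `-SearchBase` limited to the server OU is what surfaces the machines that were joined without going through the server team.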