by lunarg on September 4th 2015, at 11:23

You may encounter the following alert if SCOM's System Center Data Access Service is (re)started:

Alert Description
Source: Data Access Service - SCOM01.contoso.com
Full Path Name: SCOM01.contoso.com\Data Access Service - SCOM01.contoso.com
Alert Rule: Data Access Service SPN Registration
Created: 26/08/2015 15:43:06

The System Center Data Access service failed to register an SPN. A domain admin needs to add MSOMSdkSvc/SCOM01 and MSOMSdkSvc/SCOM01.contoso.com to the servicePrincipalName of CN=S_scom_das,OU=Users,DC=contoso,DC=com

This alert is logged if the required SPNs for the SDK/DAS service (OMSDK service) are not present, and the account running the service is unable to create them automatically because of insufficient permissions.

This article contains fictional account and server names. Be sure to replace them with the names used in your own environment!

Verify required SPNs

Verify the existence of the required SPNs using the command prompt and setspn -L:

setspn -L CONTOSO\s_scom_das
Registered ServicePrincipalNames for CN=s_scom_das,OU=Users,DC=contoso,DC=com:
        MSOMSdkSvc/SCOM01
        MSOMSdkSvc/SCOM01.contoso.com

setspn -L CONTOSO\SCOM01
Registered ServicePrincipalNames for CN=SCOM01,OU=Computers,DC=contoso,DC=com:
        MSOMHSvc/SCOM01
        MSOMHSvc/SCOM01.contoso.com

If you have more than one management server, verify the existence of all SPNs for all of the servers (4 per server, as in the above example output).

Note that the SPNs MSOMSdkSvc/SCOM01 and MSOMSdkSvc/SCOM01.contoso.com should not be present on the computer account, unless you are running the SDK/DAS service as LOCAL SYSTEM.

If the SDK/DAS service is running as LOCAL SYSTEM instead of a domain service account, the output of setspn -L should be:

setspn -L CONTOSO\SCOM01
Registered ServicePrincipalNames for CN=SCOM01,OU=Computers,DC=contoso,DC=com:
        MSOMHSvc/SCOM01
        MSOMHSvc/SCOM01.contoso.com
        MSOMSdkSvc/SCOM01
        MSOMSdkSvc/SCOM01.contoso.com
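
The check described in this section can be scripted. The following PowerShell is an added example, not part of the original post: it parses setspn -L output and reports SPNs that are missing or sit on the wrong account, for both the domain service account and the LOCAL SYSTEM case. The function names are hypothetical, and the sample output is constructed from the fictional names used above.

```powershell
# Added example. Function names are hypothetical; account and server names are fictional.
function Get-SpnFromSetspnOutput {
    param([string[]]$Lines)
    # SPN entries are the indented "Service/Host" lines under the header line.
    @($Lines | Where-Object { $_ -match '^\s+\S+/\S+\s*$' } | ForEach-Object { $_.Trim() })
}

function Test-ScomSpnLayout {
    param(
        [string]$Server,                 # short name, e.g. SCOM01
        [string]$DnsDomain,              # e.g. contoso.com
        [string[]]$ServiceAccountSpns,   # parsed from setspn -L <service account>
        [string[]]$ComputerSpns,         # parsed from setspn -L <computer account>
        [switch]$SdkRunsAsLocalSystem
    )
    $names  = @($Server, "$Server.$DnsDomain")
    $sdk    = @($names | ForEach-Object { "MSOMSdkSvc/$_" })
    $health = @($names | ForEach-Object { "MSOMHSvc/$_" })
    # Under LOCAL SYSTEM all four SPNs belong on the computer account.
    if ($SdkRunsAsLocalSystem) { $wantSvc = @(); $wantComputer = $health + $sdk }
    else                       { $wantSvc = $sdk; $wantComputer = $health }
    [pscustomobject]@{
        Server                  = $Server
        MissingOnServiceAccount = @($wantSvc | Where-Object { $_ -notin $ServiceAccountSpns })
        MissingOnComputer       = @($wantComputer | Where-Object { $_ -notin $ComputerSpns })
        # SDK SPNs on the computer account are only expected under LOCAL SYSTEM.
        MisplacedOnComputer     = @($sdk | Where-Object {
            -not $SdkRunsAsLocalSystem -and $_ -in $ComputerSpns })
    }
}

# Constructed sample output: the service account lacks the FQDN SPN.
# Live use: $svcOut = setspn -L CONTOSO\s_scom_das
$svcOut = @'
Registered ServicePrincipalNames for CN=s_scom_das,OU=Users,DC=contoso,DC=com:
        MSOMSdkSvc/SCOM01
'@ -split "`r?`n"
$cmpOut = @'
Registered ServicePrincipalNames for CN=SCOM01,OU=Computers,DC=contoso,DC=com:
        MSOMHSvc/SCOM01
        MSOMHSvc/SCOM01.contoso.com
'@ -split "`r?`n"

Test-ScomSpnLayout -Server SCOM01 -DnsDomain contoso.com `
    -ServiceAccountSpns (Get-SpnFromSetspnOutput $svcOut) `
    -ComputerSpns (Get-SpnFromSetspnOutput $cmpOut) | Format-List
```

With more than one management server, call Test-ScomSpnLayout once per server and pass -SdkRunsAsLocalSystem only where that applies.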

(Re)create missing SPNs

If any of the SPNs are missing, you can manually create them with setspn -S:

For the service account (only if running as a domain service account):

setspn -S MSOMSdkSvc/SCOM01 CONTOSO\s_scom_das
setspn -S MSOMSdkSvc/SCOM01.contoso.com CONTOSO\s_scom_das

And for the computer account (although less likely to be missing):

setspn -S MSOMHSvc/SCOM01 CONTOSO\SCOM01
setspn -S MSOMHSvc/SCOM01.contoso.com CONTOSO\SCOM01

If the service is running as LOCAL SYSTEM, the SPNs (MSOMSdkSvc/SCOM01 and MSOMSdkSvc/SCOM01.contoso.com) that are supposed to be registered on the service account (CONTOSO\s_scom_das), will have to be registered on the computer account (CONTOSO\SCOM01) instead.

Recurring alert in SCOM 2012

In SCOM 2012, you may get an alert about this every time the SCOM server is restarted. This is expected: SCOM incorrectly checks for the MSOMSdkSvc/SCOM01 and MSOMSdkSvc/SCOM01.contoso.com SPNs on the computer account. The alert would not appear if the SDK/DAS service were running as the LOCAL SYSTEM account, but that is bad practice.

This alert is technically a bug. Your best bet is to ignore this alert, or create an override for it.
