Tech Ed NZ: Managing IT as a Service

THe second topic that we presented at Tech Ed New Zealand.

Covered how to use solutions such as Operations Manager, Service Manager, Orchestrator and the upcoming VMM2012 to assist in Private Cloud deployments and managing infrastructures that will be providing IT services

Check it out: http://www.ms4u.info/2011/08/microsoft-tech-ed-new-zealand-2011_4418.html

Intel vPro and System Center

In typical desktop management, using any standard management product like System Center Configuration Manager, we would typically depend on the Operating System to be healthy and regularly doing its gym workouts. So what happens when an Operating System fails? No more desktop management. Thats kind of ironic isn’t it?

So.. i was going through the Intel vPro chipset and its remote management capabilities lately and found some pretty interesting facts.

So vPro is essentially the ‘Business chipset’ by Intel that contains capabilities to do magic stuff while your machine is offline. There’s a catch to this though... the main plug still has to be switched on.. AHA!! Glitch in the matrix!!!.. come on... we’re in the electronic age.. we still need power.

I wanted to just quickly talk about what integration capabilities that Intel vPro can provide for Microsoft System Center. Lets take the 3 products...

1. System Center Configuration Manager 2007
2. System Center Operations Manager 2007
3. Softgrid Application Virtualization

System Center Configuration Manager 2007

With ConfigMgr, once provisioned, it allows for :

· remote asset inventory without needed the operating system to be on.

· Serial over LAN to perform CMOS configuration changes remotely

· IDE redirection – such that if an operating system were to crash, you could boot onto a remote ISO image sitting on a a server somewhere

· Wake-On-Lan

· Remote software updating

At present moment however, there is no support for Hardware based filtering which i was told will come in the next patch or version

System Center Operations Manager 2007

With OpsMgr, you have the Intel AMT Management Pack which provides for all that u see under the ConfigMgr features PLUS System Defense. System Defense allows for Hardware based filtering such as applying policies to filter traffic via the network interface

Softgrid Application Virtualization

If you already know what Softgrid can do, i also wrote about how ConfigMgr 2007 R2 will offer an integration to deploy Virtual Apps ( ) With the Intel vPro chipset, you could possible perform Wake-On-Lan on to a machine and push the Virtual Application package so that when the user gets in the morning.. Poof! App is on the desktop. Prepare for sudden gasp of awe from the user.

To know more details on it, i recommend u to check out the Intel vPro expert center http://communities.intel.com/community/vproexpert

I will be configuring all the above in the next couple of weeks when i return from Houston and will be posting all the findings.

Keep this channel on.

Tech Ed SEA session: Increasing Security and Compliance with System Center Part 1

So here I am basking in the Houston sun and mingling with about 7000 other people during the Worldwide Partner Conference. I got a couple of thoughts while i was walking through the sessions and thus here I am at the Wireless lounge to pen my thoughts. What happen to good ole pen and paper? Well.. i saved a tree today J

I was going through my initial ideas of what I will be presenting in Part 1 of the Increasing Security and Compliance session at Tech Ed and here are a couple of areas that I am going to be covering:

- Overall introduction on how System Center can leverage on a secure IT organization infrastructure

- Security Best Practices and how or which System Center technology can help

- A look at Operations Manager 2007 Built-with-security aspects (e.g. Run As Profiles, Reports security, encryption, mutual authentication)

- A look at Operations Manager Audit Collection Services

- A look at Configuration Manager 2007 Built-with-security aspects (native mode, firewall security)

- A look at Configuration Manager 2007 Patch Management architecture and best practices

- A look at Configuration Manager 2007 Desired Configuration Monitoring compliance reporting

- A look at Configuration Manager 2007 Network Access Protection and Remediation Services

- A look at Data Protection Manager 2007 and achieving backup compliance

This would lead in nicely to Part 2. Any other thoughts or ideas anyone?

Operations Manager Service Pack 2.. What would you want to see?

The Product Team is currently working on Operations Manager Service Pack 2. What do you think? What would you like to see personally in Service Pack 2? Please comment

Management Pack Roadmap till Q3 2008

Quite a few people has asked me what the availability of Management Packs there are and what's coming soon. So i thought i'd share this with you. This was actually pulled out from MS. Hope it helps you plan on what's coming.

Operations Manager 2007 SP1 Important HotFix Released

Heads up guys! The Product Team has just released a Hotfix for Ops Manager SP1 that addresses some important areas.

Please note: This patch applies to System Center Operations Manager 2007 SP1 Only

These are the problems that were identified from a couple of management packs that this hotfix will solve

• Uable to discover CSDVersion on Windows Vista machines
• Unable to discover operating system properties on Windows 2000 SP4
• Agent HandleCountThreshold monitor does not restart Health service on exchange agent if HandleCountThreshold is exceeded
• ACS Collection rule references a wrong EventID
• Performance collection raises erroneous alerts for disabled services due to unavailable perf counters
• A script bug prevents cluster discovery where Virtual Server Name is a subset of the Physical Server Name.

If you suffer from the following symptoms... please download and apply the patch fast

• Dicover operating system properties on Windows 2000 SP4
• Discover CSDVersion on Windows Vista machines
• Restart Health service when HandleCountThreshold is exceeded
• Collect correct ACS event
• Discover cluster where Virtual Server Name is a subset of the Physical Server Name
• And additionally generates erroneous Alert for Performance Data Source Module when the services are disabled

Installation
This hotfix contains four management packs. Install these management packs from an Operations Manager console.

To extract the management pack files contained in this hotfix:

1. Copy the file: SystemCenterOperationsManager2007-SP1-KB951979-X86-X64-ENU.MSI to either a local folder or accessible network shared folder.
2. Then run:
   SystemCenterOperationsManager2007-SP1-KB951979-X86-X64-ENU.MSI locally on each applicable computer that meets the predefined criteria.
   
   Note: The installation path is typically the following: Program Files\System Center Hotfix Utility

This hotfix contains the following updated Management Packs which must be imported into Operations Manager. These management packs are located in the folder noted above.

Microsoft.SystemCenter.2007.mp (Version 6.0.6278.19)
Microsoft.SystemCenter.ACS.Internal.mp (Version 6.0.6278.19)
Microsoft.SystemCenter.Internal.mp (Version 6.0.6278.19)
Microsoft.Mom.BackwardCompatibility.mp (Version 6.0.6278.19)

For additional information about this issue, see KB article KB951979 at http://support.microsoft.com/

New look Management Pack Guides

Boss!! the Plane!! the Plane!!!...

What's arrived?? Well the new site for Management Pack Guides that is.

Management Pack Guides for Operating Systems and Technologies
http://technet.microsoft.com/en-us/library/cc540358.aspx

Management Pack Guides for Server Products
http://technet.microsoft.com/en-us/library/cc540357.aspx

What I like about this new site is the bottom that has the option to provide or read community content. This is important as we get notes from the field.

System Center Capacity Planner for Operations Manager 2007

Roll out the red carpets! Blast the horns! Bring in the cheerleaders! cause the long awaited model for Operations Manager 2007 is finally here! woohoooo..

If you are aware of System Center Capacity Planner 2007, it is the tool to assist in design and planning for Microsoft solutions. At release, the only model available was for Exchange 2007.

The Ops Manager Product Team released the RTM model for Ops Manager yesterday and its downloadable from http://www.microsoft.com/downloads/details.aspx?FamilyID=6fec1f12-a62c-4e8d-8a19-56879192adc3&displaylang=en

You need SCCP 2007 installed first then all you've got to do is download the model and install it.

Now the next step i would like to see is the ability of SCCP to channel data from Ops Manager and plot trends in performance and recommend a design that could possibly improve the overall performance and scalability :)

Operations Manager 2007 Design Tips from the Field

The following are some tips to consider when designing your Operations Manager 2007 infrastructure. These tips were based on my personal experience which was re-confirmed by several other MVPs who experienced similar, as well as discussions with the Ops Manager product team at Microsoft.

1. Always setup a minimum of 1 RMS and 1 MS. Do not have agents report directly to the RMS. remember that the RMS functions to distribute configuration information to all MS. Having additional load on to this process is not recommended. Besides, with this, you'll have a failover scenario in place.
2. 3-node clusters for RMS is not supported
3. To have a affordable failover strategy for your Operations DB, use SQL Log shipping. Unfortunately, DB Mirroring is an unsupported method.
4. When dealing with multi-site monitoring (branches), use a Gateway Server instead of a MS. Have MS in close proximity with your SQL Server. Why? Cause whenever MS needs to write data, it establishes a SQL ODBC connectivity. This takes up resources and the data is uncompressed. By using a GWS, data is compressed and the connection to a MS is always connected.
5. Have a dedicated MS for reporting from a GWS. Do not have other agents reporting to the same MS as a GWS. Reason is that Management Servers divide their processes by number of connections. Let's say that you have 10 servers reporting to the GWS. When the MS receives that connection, it is treated as 1. If you had an additional of 10 servers reporting to that MS, the MS will divide its performance 11 ways. You would then see a significant performance drop for the servers handled by the GWS. If GWS is the only one connected to the MS, it will be given the full 100%.
6. The RMS consumes CPU and RAM as its core process. So bulk up on these
7. Use 64-bit for the RMS so that there are opportunities to scale beyond 4GB of RAM
8. There is a Datawarehouse Grooming tool found in the Resource Kit that will help trim down the size of the Operations DW
9. Support for SQL 2008 will be around the August 2008 timeframe or SP2. This will be cool cause there will be no dependency on IIS
10. Each GWS can support up to 800 Agents with the SP1

For more of these tips on hardware sizing, check out my man Satya Vel's blogpost on the Ops Manager Team Blog

http://blogs.technet.com/momteam/archive/2008/04/10/opsmgr-2007-hardware-guidance-what-hardware-do-i-buy.aspx

The Ops Manager model for System Center Capacity Planner will be out pretty soon.

Cross Platform Monitoring with Operations Manager

A follow up to Interop Connectors is the Cross Platform Monitoring. Finally.. I can blog about it. Being under NDA sometimes is so frustrating :)

At the Keynote on the first day it was announced and you can read about it on MVP Maarten Goet's blog (http://www.techlog.org/archive/2008/04/29/opsmgr_cross_platform__first_s)

Ultimately the plan is to be able to support Linux and Unix platform monitoring out of the box. Support for MAC Server is in the plan.

Some of the features planned for V1:

• Discovering non-Windows System using IP range
• Deploy Agent as part of Discovery Wizard
• WS-Man based Agent channel
• Caching Events in a case of network failure
• Ability to manually install agents
• Discover entities on non-Windows System post Agent deploy
• Unit, aggregate and dependency monitors with Knowledge Articles
• Collect and Monitor Performance counters
• Collect and Moniror Event from non-Windows Systems and store in Live DB and DatawarehouseDB
• Diagnostic and recoveries
• Tasks that execute simple commands and return output to UI
• Support for customized UI pages
• Support for non-Windows entities in Distributed Application Designer
• Reports for data
• Templates for custom monitoring rules and MPs
• Agent Uninstall and Upgrade

The plan.. RTM at MMS 2009 with a dependency on Ops Manager 2007 SP2.

The install will be a single one which would then add the necessary components.. Copying SSH modules, Copy the Transforms, and Copy the Management Pack

A "System Center Operations Manager 2007 Cross Platform Extensions" folder will be created in the root drive. The Agents are located in this folder

To get it functional with the BETA, the following has to be done:

1. Import Management Packs

1. Create Run As Accounts
2. Associated Run As Accounts with Run As Profiles (Within the Management Pack is the Run As Profiles of Unix Action Account and Unix Privilege Account. The Management Pack will automatically select which profile to use in different scenarios)
3. Import XSL Transforms (must be done after Management Pack as it addresses certain components in the Management Pack)

Right now, configuring will be done through the Monitoring space due to limitations of Ops Manager SP1. Upon SP2, it will be back to normal in the Administration space



The Discovery and Agent Deployment Process

1. First it will discover using the scope (IP, DNS, IP Range)
2. It will then discover whether there is already an agent installed.
3. If its not install, SSH will be used to discover what UNIX or Linux platform, distribution and version the non-Windows system is
4. Once the platform is noted as supported, the package is then deployed
5. Once the Agent is installed, data about the non-Windows system will be inserted into the DB

I was typically impressed with how diagnostics are automatically configured to run and this is all part of the Management Pack

The following are the log files that are monitored:

• SU command execution
• Toor login failures
• Critical authentication errors
• Breakin attempts
• SSH authentication failures
• Custom templates to be used

Here are somemore screenshots on the Health Explorer and Performance Dashboard

I will be doing up a step by step configuration guide to get the BETA working. I'll post it once its done.

Penguin in the Windows

Today at MMS, Microsoft released news that they will be supporting Cross Platform Monitoring through Ops Mgr 2007. To give you a feel of what this means?... Through the X Platform Monitoring component, Ops Mgr is able to monitor the non-Windows OS environments such as Unix and Linux... out of the box.

I had the privilege of speaking to the product team behind the development of this and got to see a demo and i must say its looking pretty impressive. Yes.. its developed in-house. The Agent is developed using Open Source standards such as WS-MAN

This will allow Ops Mgr to natively receive alerts and report data direct from a Unix/Linux box and partners can then build management packs on top of this to support applications that sit on the non-Windows operating systems.

The BETA is available at the Connect site http://connect.microsoft.com/

A Team blog was also released today at http://blogs.msdn.com/scxplat/

The second announcement was the improved connectors for HP OpenView and IBM Tivoli

Ops Manager 2007 Agent not connecting

I was in a Ops Manager Deployment last week and when we pushed the Agent to the Exchange Server, it got stuck in the Pending view and refused to move. The Operating System was Windows Server 2003 SP1 and had Windows Installer 3.1

Checking the logs at the Agent, we noticed the following error messages:

Event ID: 21016
OpsMgr was unable to set up a communications channel to server.domain.com and there are no failover hosts. Communication will resume when server.domain.com is both available and allows communication from this computer

Event ID: 21001
The OpsMgr Connector could not connect to MSOMHSvc/server.domain.com because mutual authentication failed. Verify the SPN is properly registered in the server and that is properly registered in the server and that, if the server is in a seperate domain, there is a full trust relationship between two domains

Event ID: 20057
Failed to initialize security context for target MSOMSvc/server.domain.com. The error returned is 0x80090303 (The specified target is unknown or unreachable). This error can apply to either the Kerberos or the SChannel package.

We verified that both servers are part of the same domain and DNS lookups were fine.

We then proceeded to check the SPN IDs and found out conflicting records.

To support mutual authentication, the server registers Service Principal Names that are tied to either the computer account or the user account. In this instance somehow, SPNs got registered with the OpsMgr server account as well as the OpsAdmin user account.

To solve this, I did the following:

1. From the domain controller, open a command prompt and then type the following string: ldifde -f domain.txt
2. Open the text file in Notepad and then search for the SPN that is reported in the event log. ServiceClass/host.domain.com (in this case look for MSOMHSvc/server.domain.com)
   Note the user accounts under which the SPN is located and the organizational unit the accounts reside in

Use one of the following options to delete the account SPN registrations from the accounts that should not contain registrations to ServiceClass/host.domain.com. (i.e. Typically any accounts containing an SPN registration for SeriviceClass/host.domain.com that services are not explicitly starting with). Make sure you know which credentials you want to keep (in this case the system account or the domain administrator) and see to it that the service is running with the credentials you want to use. Delete the other one.

Using ADSIEdit

1. Add ADSIEdit to the MMC and bind to the domain using the Domain well known naming context.
2. Navigate to each user account you previously documented (for my case, I went to the opsadmin user account)as having a duplicate SPN registration and right click the account and select properties.
3. Scroll through the list of attributes until you see servicePrincipalName, double click servicePrincipalName and remove the duplicate SPN registration and click on OK and exit ADSIEdit.

Then I proceeded to restart the Health Service on the Agent and wallahhhh!!! connected!..

A similar explanation can be found at: http://www2.wolzak.com/index.php?option=com_content&task=view&id=15&Itemid=2

Operations Manager Service Pack 1 Contents

Ops Manager 2007 SP1 is at RC code and can be downloaded from the connect.microsoft.com website. Here is a grasp of what it is all about...

Bug Fixes

Check out this site for a full listing of the fixes that SP1 does... http://www.systemcenterforum.org/features-in-sp1-rc-for-operations-manager-2007-series-wrap-up/

New Features
The new features that are in Operations Manager 2007 SP1 are:

• Improved performance and reliability when working with alerts, overrides, and searches.
• In all Alert views, performance has been increased through better fetching and yields alert row selection that is three times quicker. Actions and reports are fetched in the background, which further improves performance. Alert knowledge that is displayed in the Alert Details pane can be shown or hidden according to the user's preference.
• Operations Manager 2007 advanced search has been improved by enabling the ability to search across monitors and rules by their overrides.
• Support for the discovery and monitoring of both SNMP v1 and SNMP v2 network devices. Users can select which SNMP Community Version to search for in the Discovery Wizard.
• Support for exporting Operations Manager 2007 diagrams to Microsoft Visio VDX file format. Note that the Visio button is located on the toolbar when in a diagram view. Diagram layouts can now be saved and will be remembered when the diagram view is selected again.
• Support for copying and pasting (CTRL+C and CTRL+V) from the Alert details pane.
  

Setup and Recovery
The following are improvements in setup and recovery:

• To make backup and recovery easier, setup in Operations Manager 2007 SP1 starts the Secure Storage Backup Wizard at the end of setup, by default, to back up the RMS encryption keys. This is the same command-line tool used in the original version of Operations Manager 2007, but with an easier-to-use wizard interface. The wizard is actually started by using the command-line version of the tool when no parameters are passed to the tool or it is started from Windows Explorer. The Secure Storage Backup tool is located on the installation media in the Support Tools directory. The Secure Storage Backup Wizard can be started according to the user's preference.
• To make the recovery of a clustered RMS easier, Operations Manager 2007 SP1 enables the repromotion of the RMS cluster to the RMS role after it is fixed. This addresses the situation where a clustered RMS has failed and another management server in the management group has been promoted into the RMS role.

User Interface and Experience
The following are improvements in user interface and experience:

• To make the creation of new management packs easier, Operations Manager 2007 SP1 introduces the ability to copy views from any existing management pack to an unsealed management pack. This is done in the Monitoring view. For example, if you have created a management pack for SQL Server overrides and want to use one of the SQL Server management pack views in the SQL Server overrides management pack, you would simply select the desired view, right-click to copy it, and then paste it into the target management pack folder.
• In all Alert views in the Monitoring space and in the Web console, Operations Manager 2007 SP1 ensures that the Repeat Count value is incremented correctly.
• After you have created an override for any management pack object, you can look at the summary of overrides for the object type in the Overrides Summary box. Operations Manager 2007 SP1 ensures that the description of the override target is complete. For example, if you create an override for Logical Disk Free Space for the C:\ of Server1, the summary will display 'server1/c:'

Core Product
The following are improvements in the core Operations Manager 2007 product:

• SP1 ensures that when agents are uninstalled from a computer in the Administration space\Device Management container\Agent Managed node of the Operations Console, that they are also removed from the computer views in the Monitoring space.
• Scripts can now be used for diagnostic tasks.
• View names, data and, display strings in the Operations Console that have been collected from computers running different language versions of Microsoft Windows operating systems are displayed correctly.

Reporting
The following are improvements to reporting:

• When you are in a report, you can now choose to publish the report by selecting Publish from the File menu. This will allow you to publish reports to multiple locations, such as Microsoft Windows SharePoint Services Web sites.

Web Console
The following are improvements in the Operations Manager 2007 Web console:

• The Operations Manager Web console provides access to performance data. Users can then select specific counters to graph. In Operations Manager 2007 SP1, it is now possible to construct a filter for the desired performance counters to ease searching and navigation. This ability is available when a performance view is selected and displays in the Performance legend pane. The search options available are All items, Items in the Chart, Items not in the Chart, and Items by text search.
• The Web console has been further improved so that the Favorite Reports container is now available in My Workspace.

Audit Collection Services (ACS)
The following are improvements for ACS:

• New discoveries and views have been added. These features detect and indicate which agents and servers are ACS-forwarding enabled.
• There are more monitors and alert generating rules to track the health state of the ACS collectors. For example, Operations Manager 2007 SP1 includes the ability to watch the DB Queue % full level against default thresholds, such as the back-off threshold or disconnect threshold.
• The ACS forwarder feature is now supported on the Management and Gateway Server roles. The ACS Forwarder is disabled by default. When enabled, it will allow the inclusion of security auditing data for these server roles.
• When using ACS, one of the most common tasks is to enable forwarding on ACS agents. In Operations Manager 2007 SP1, an Operations Manager Command Shell script can be used to enable forwarding for entire computer groups, thereby greatly easing the deployment and administration of ACS.

Agentless Exception Monitoring (AEM)

AEM now provides an improved appearance and functionality of AEM reports.