By shahar nusbaum

Well there might be a few guides like this around the web and I have used most of them,

But for the past 3 mounts I have been battling with this scenario where the agent would stay in "not monitor" state after been approved in the pending management pane and the agent had 21007 and 21016 events on the operations manger event log on the workgroup / dmz server  I wanted to monitor.

If you have a working gateway and after your approve the agents in pending mode and used to momcertimport with successful results and you still receive event id's like21007 and 21016 on the workgroup / DMZ agent this guide is for you.

Well my solution is available for you here

Well first of all and very basic (but not for me) I have 2003 enterprise ca server so I used this guide to create my certificate template

To create a certificate template - http://technet.microsoft.com/en-us/library/bb735413.aspx

I flowed that guide to the letter and still those event id's and no communication to my gateway.

 Something was missing,

The first change I noticed was that I now I had no option to save a certificate to local computer certificate store this of course is because of the server 2008 enrolment  pages that would need administrator right witch the internet explorer does not use  

So in order to export the certificate to a file I had to use internet explorer

There under tools -> internet options -> content 

There is a certificates section.

Click the certificate button and you can export your certificate from there

Remember to export the private key after clicking the next batten leave this mark

Don’t mark include all certificates it the certification path if possible

The momcertimport tool will not be able to import the certificate

We will deal with the root ca needed in the workgroup / DMZ server in a minute

Then you can save your certificate to a pfx file and copy it to the server you want to monitor

Keep it in a shared folder for the duration of the install process because you will need it for the gateway server as well as the workgroup / DMZ server.

One more certificate is needed before we can continue and again I used this guide

http://technet.microsoft.com/en-us/library/bb735413.aspx  I used the section called "To download the Trusted Root (CA) certificate"

Notice that you might not be able to get to the web site of your ca server form the workgroup computer so you can do that from your root management server and just save it in the folder were you saved your ca for the workgroup / DMZ server you wanted to monitor

And on one last note before we begin: while most guide say the certificate subject a.k.a the name filed is fqdn don’t just push your domain name in the computer name.
cheek before logon to the workgroup / DMZ server  and Go to start -> computer -> properties – check the full computer name and copy the exact name to your gateway host file if no dns resolution is available

NOW FOR THE STEP BY STEP GUIDE

1.    PREPERING TO INSTALL  THE AGENT ON THE WORKGROUP MECHINE 

 I recommend  you copy this folders  form your scom CD  to one folder you can move around in your environment, let's call that our "scomdmz" inside you will need this folders
* SupportTools
* agent
I recommend  you copy this files to that same folder
* server_cert.pfx (certificate you created using a template for your workgroup / DMZ server)

* CA_certificate_chain.p7b (for the trusted Root (CA) certificate)
move this file to your workgroup machine  (keep a copy of your server_cert.pfx to copy to your gateway server later  )

2.     INSTALLING THE AGENT ON THE WORKGROUP MECHINE

run the msi installation on your server  if there is no dns resolution for your gateway server ping –a the ip address to see if you get the name of your gateway server,  if not you will need to add your gateway server fqdn name to your host file – it's in c:\windows\system32\drivers\etc


(we use the example in our org…)

I KNOW THIS IS A VERY BASIC STUFF RIGHT HERE – I want this guide to be able to apply even to those who don’t deal with this in a daily manner

 now this to prevent any human typing Mistake write the fqdn gateway server in the host file copy & paste it to the management computer name I recommend also copy & paste to command line and telnet the computer name to your gateway on 5723 to check connectivity.
Click next your almost home free…

3.     IMPORTING THE CERTIFICATES TO YOUR GATEWAY AND SERVER

THIS WILL BE SPLIT IN TO TWO PARTS

A.  IMPORTING THE CERTIFICATES ON YOUR DMZ SERVER YOU WANT TO MONITOR -  

 using the momcertimport tool   
-on the workgroup / DMZ server go to start -> if 2008 type cmd if 2003 go to run type cmd
one thing very imported cheek -  if you're on server 2008 check to see if your command prompt run with administrator rights (if not right click the icon before you press enter and  run it as administrator)



the tool is in the SupportTools folder (the one we copied earlier if you flowed step one)
so! The way to run this tool is simple get to it in the command prompt and the give the server certificate file like so
c:\dmzfolder\SupportTools\i386\momcertimport  server_cert.pfx type the password for the key and you will need to receive successfully  state message

YOU GOT THIS FAR – you stop and started the health service like asked in the momcertimport tool after imported the certificate  and still receive those 21007 and 21016 events  you will need to fallow this few steps

 What you need now is another certificate to be imported.
    1.     Go to start mmc -> file -> add/remove snap-in…
    2.     Add certificates add computer account, click next choose local                                            computer click ok and exit – it's all you need for the console

    3.     Go to the Trusted Root Certification Authorities folder on the folder Certificates right click all tasks -> import…
and import your  CA_certificate_chain.p7b we prepared in step 1 this guide
and import it to the Trusted Root Certification Authorities folder
the folder contains certificates that in most time already be in there
but don’t skip this stage.



B. IMPORTING THE CERTIFICATES ON TO YOU GATEWAY SERVER – again this is for all of you battling with  error id  21037 on your gateway (and of course any kind of lack of communication between the agent and your gateway server )

    1.     Go to start mmc -> file -> add/remove snap-in…
    2.     Add certificates add computer account, click next choose local                                            computer click ok and exit – it's all you need for the console
    3. Go to the Trusted Root Certification Authorities and import your
server_cert.pfx we talked about in step one to that folder
    3. Go to Personal folder and import it to that folder ass well



note: we are importing the certificates of the server that we want to monitor into our gateway  Trusted Root Certification Authorities and to the personal folder

4.     CHEKING THE COUMNICATION -

after all the certificates have been imported to  the gateway server and to our soon to be monitored server, in order for this changes to take affect well have to do the fallowing steps

restart health service known as system center management on your gateway
restart health service known as system center management on your  root management server
restart health service known as system center management on your dmz server

Check your DMZ server event viewer to see if the error id repeats

Some changes take time you might want to wait 5-10 minutes after 10

Minutes you need restart the health service again on your DMZ server and cheek your event viewer for the id's if still receive restart the health service again on your root management server and your gateway server


this is my solution and I would like to thank Yossi tali and Gal Hutman

For their help in finding this solution

Free Evaluation Copies: https://portal.nice.de

So what if you would like to modify how one of the existing templates works or create your own? There is no documentation available that I have found that describes how to do this so that is what I’m setting out to do in this article.

Creating a custom template involves two main components:

• The template elements in a management pack. I’ve attached a working sample and added lots of comments so please have a look through.
  
•  A compiled UI screen written in managed code (c# in this case).

A word of warning: the authoring console will not help with either of these.

Here are the steps you can use to create your custom UI screen:

1. Using Visual Studio, create a new class library
   
2. Delete the class1.cs file that gets created by default
3. Add references to the necessary OpsMgr DLLs. You can find these in C:\Program Files\System Center Operations Manager 2007\ as well as the SDKBinaries folder within that folder.
4. Add a new User Control to the project named EventDetailsPage
5. Double click on the user control to open the designer screen. Add your UI widgets from the toolbox. I’ve added two text boxes named txtEventID and txtEventSource.
6. Open the code view of your user control and make the following changes by copying and pasting from the code that I’ve attached to the article:
   1. Add all the “using” statements
   2. Change the class to inherit from UIPage
   3. Add the SavePageConfig() method
7. Build the project
8. Copy the DLL that you’ve just compiled to the OpsMgr program files folder.

Now you are ready to run your new template!

Import your management pack and go to the authoring templates. Your new template will show up in the list. When you run the wizard, your UI screen will allow the user to input values.

A note on how OpsMgr processes templates when you’re done with the wizard:

• OpsMgr replaces $TemplateConfig/ConfigValue$ variables in the implementation section of the template with the user-provided values.
  
  
• Merges the implementation section into the management pack that you specified on the first wizard screen.
  
  
• Creates a for the template and puts every generated element in the folder using s. When you click on your template after running the wizard, OpsMgr uses this folder system to display previous output of the template. This is also how it knows what to delete if you delete template output. A side effect of this is that it is assumed that you will create elements with unique IDs for each run of the template. If you create non-unique elements, OpsMgr will effectively delete all runs of the template when any single run is deleted.

The sample UIPage I’ve attached barely scratches the surface of what is possible. Some fodder for future articles or your own exploration:

·         There is a built-in SDK connection available in the UIPage so you can populate drop-down lists with monitored computers for example

·         The UIPage has various properties that give you the context in which it is running such as a reference to the template itself

·         You can handle the user editing your template as well as just creating new ones

·         You can create custom UI for other workflows such as rules, monitors ,etc

Microsoft System Center Data Protection Manager (DPM) 2010 allows you to protect client computers - desktops and laptops. Backup administrators can centrally configure data protection for the desktops and laptops in their environment. Additionally, administrators can give their end users the ability to define and manage their own backups. DPM 2010 enables end users to perform their own recoveries by leveraging the Previous Versions feature in Windows.

In this article I will show how to protect client using DPM2010

in the protection group tab , click on the left site on Create protection Group, that will open a window has two choices , backup servers or Backup Clients , in our case we are going to select Clients , then click Next

Note

If you want to add multiple computers, you can create a .txt file containing the computers you want to add. To add the computers, click Add Multiple Computers. You must enter each computer in the file on a new line. We recommend that you provide the fully qualified domain name (FQDN) of the target computers. For example, enter multiple computers in a .txt file as follows:

Comp1.abc.domaian.com
Comp2.abc.domain.com
Comp3.abc.domain.com

If DPM cannot find any of the computers that you specified in the .txt file or that you entered in the Text file location box, the failed set of computers is placed in a log file. Click the Failed to add machines link at the bottom of the page to open the log file.

in the Select Group Member window select the client that you wish  in my case I would like to backup W7D.gomaalab.local

On the Specify Inclusions and Exclusions page, specify the folders to include or exclude for protection on the selected computers.

a. Type the folder names in the Folder column using variables such as %programfiles%, or you can use the exact folder name. Select Include or Exclude for each entry in the Rule column.

b. Select Allow users to specify protection members to give your end users the choice to add more folders on the computer that they want to back up. However, the files and folders you have explicitly excluded as an administrator cannot be selected by the end user.

c. Under File type exclusions specify the file types to exclude using their file extensions, and then click Next to continue.

in the select Data protection method,  select the  protection method that suite your need either short-term or long-term , then click Next

click next , and specify your short-term recovery goal

notice there is  new option to specify after how long DPM will raise an alert if the Client will not be available for backup, in my case I configured for 18 days 

On the Allocate Storage page, specify the size of data to be protected on the computer. I recommend that you co-locate multiple data sources to one DPM replica volume. Click Next to continue.

Note

I recommend that you co-locate your data if you have a large number of client computers. You will not be able to protect 750 or more client computers with one DPM server without co-locating your data. I recommend that you do not co-locate if you have less than ten client computers in a protection group.

in the summary window  click create Group then close

Islam Gomaa

Islam @ IslamGomaa.com

• Phase 1: User Profile Loading
• Phase 2: Applying Group Policy Objects (GPOs)
• Phase 3: User Environment Initialization and Active Setup
• Phase 4: Logon Script Execution.

Get more information in the article Logon Process Monitoring for Citrix XenApp published on hermes.softlab.com.

Data Protection Manager 2010 is part of the System Center family of management products from Microsoft. It delivers unified data protection for Windows servers such as SQL Server, Exchange, SharePoint, Virtualization and file servers -- as well as Windows desktops and laptops. DPM is designed as a best-of-breed backup & recovery solution for Windows environments from Microsoft. DPM provides the best protection and most supportable restore scenarios of your Windows environment from disk, tape and cloud. Windows customers of all sizes can rely on Microsoft to provide a scalable and manageable protection solution that is cost-effective, secure and reliable.

 

Feature Summary

• Protection for Windows clients, while they are online or offline, with easy-to-use wizards for establishing protection, retention and alert schedules. A single DPM server can protect over 1,000 Windows clients, while end users are able to restore their own data using Windows Explorer or Microsoft Office.
• Protection of Microsoft Virtualization platforms, including Hyper-V R2 Live Migration / Cluster Shared Volume (CSV) configurations. DPM can also restore single-file items from host-based VM backups.
• Enhanced Protection for SQL Server, scaling to over 2,000 databases per DPM server, and offering auto-protection of new databases per SQL instance. DBA’s can now restore their own databases, through a self-service restore utility for SQL Server.
• Enhanced Protection of Exchange Server, scaling to over 40TB of email and support for Exchange 2010 Database Availability Groups (DAG), as well as CCR/SCR in Exchange 2007.
• Enhanced Protection for SharePoint, without the requirement for a recovery farm with SharePoint 2010, and scaling up to 25TB farms with over 1M items. New content databases are now auto-protected without administrator interaction.
• DPM 2010 is truly enterprise-ready, scaling to over 100 servers with over 80TB per DPM server, and includes new Auto-grow, Auto-heal, Auto-protect features for a lights-out reliable protection and recovery solution.

System Requirements

• Supported Operating Systems: Windows Server 2008; Windows Server 2008 R2

.NET Framework 3.5 with Service Pack 1 (SP1)
Microsoft Visual C++ 2008 Redistributable Package
Windows PowerShell 2.0
DPM 2010 must be installed on a Windows Server 2008 or Windows Server 2008 R2 64-bit computer that is located in an Active Directory domain that is running in 2003-mode or better.
DPM 2010 can protect machines running 32-bit or 64-bit Windows Server 2003, 2003 R2, 2008 or 2008 R2, as well Windows XP, Windows Vista or Windows 7.
If you are protecting data over a wide area network (WAN), there is a minimum network bandwidth requirement of 512 kilobits per second (Kbps).

Try Microsoft System Center Data Protection Manager 2010 RTM free for 180 days

Building your own DPM server doesn't mean getting all the components and build a server as these old days,  this what you can do.

Dell offers the  PowerEdge R200 with 8 GB ram and mirrored SAS drive  with 10K RPM and QNAP offers  the TS-809U-RP Turbo NAS that offers  14 TB on RAID 5. combining both Hardware you can build your own DPM appliance for less than 6000 $.

ISlam Gomaa

ISlam @ IslamGomaa.com

Click the Download button and you'll be redirected to the source.

When DPM runs a protection job, ScriptingConfig.xml on the protected computer is checked. If a pre-backup script is specified, DPM runs the script and then completes the job. If a post-backup script is specified, DPM completes the job and then runs the script.

when I Say Protection Job that include “replica creation, express full backup, synchronization, and consistency check.”

This is the raw file in the Protected Server:

>”Path\Script Parameters”      

"Path\Script Parameters”      

30   

in this example I am deleting  some files using the  “PreBackup.cmd" batch file prior to the backup job

protection the F: drive.

example :

http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"

xmlns="http://schemas.microsoft.com/2003/dls/ScriptingConfig.xsd">

   
      
           "F:\PreBackup.cmd"
      

  90
 

For each data source, complete the DatasourceScriptConfig element as follows:

1. For the DataSourceName attribute, enter the data source volume (for file data sources) or name (for all other data sources). The data source name for application data should be in the form of Instance\Database for SQL, Storage group name for Exchange, Logical Path\Component Name for Virtual Server, and SharePoint Farm\SQL Server Name\SQL Instance Name\SharePoint Config DB for Windows SharePoint Services.
2. In the PreBackupScript tag, enter the path and script name.
3. In the PreBackupCommandLine tag, enter command-line parameters to be passed to the scripts, separated by spaces.
4. In the PostBackupScript tag, enter the path and script name.
5. In the PostBackupCommandLine tag, enter command-line parameters to be passed to the scripts, separated by spaces.
6. In the TimeOut tag, enter the amount of time in minutes that DPM should wait after invoking a script before timing out and marking the script as failed.

Note:

The backup job will not happen and will generates the following error in the following cases :

The configuration of the pre-backup script or the post-backup script XML for Volume F:\ is incorrect. (ID 30193 Details: Internal error code: 0x809909F4).

The execution of the pre-backup script for Volume F:\ returned an error. (ID 30189 Details: Internal error code: 0x809909F0) .

“now chubby will be happy again”

Thanks

ISlam @ IslamGomaa.com

param (
[string[]]$dpmserverlist = @()
)
#region traps
trap [Exception] {
    writelog $("TRAP: DPMinactivateAlert: $Error")
    $Error >> $logfile
    $log = Get-EventLog -List | Where-Object { $_.Log -eq "Application" }
    $log.Source = "DPMinactiveAlert"
    $log.WriteEntry("TRAP: DPMinactiveAlert: $error", [system.Diagnostics.EventLogEntryType]::Error,9911)
    writelog $Error
    $Error.Clear()
    exit 1
}
#endregion
#region functions
function writelog
{
    #write to console and logfile, pre-able with date time
    param([array]$msg)
    $dt = (Get-Date).ToString("MM/dd/yy HH:ss")
    "$dt :: " >> $logfile
    if ($debug) {Write-Host "$dt :: " -NoNewline}
    for ($i = 0;$i -lt $msg.count;$i++) {
        if ($debug) {Write-Host $msg[$i]}
        $msg[$i] >> $logfile
    }
}

function LoadDPMsnapin {
    #load PS snap-in if not already
    param ()
    if (Get-PSSnapin | ?{$_.name -like "Microsoft.DataProtectionManager.PowerShell"}) {
    }
    else {
        Add-PSSnapin -name Microsoft.DataProtectionManager.PowerShell
    }
}
#endregion

#START
$debug = $true
$Error.clear()
$version = "v1.1"
[datetime]$now = Get-Date
$format = "HH:mm:ss"
LoadDPMsnapin
$logfile = "{0}\DPMinactiveAlert.LOG" -f , (get-location)
writelog "DPMinactivateAlert $version`n log output is written to $logfile`n`n"
$srv = Connect-DPMServer $env:computername
$alctl = $srv.AlertController
$alctl.RefreshAlerts()
Writelog ("Inactivating {0} alerts" -f $alctl.ActiveAlerts.Count )
#Don't log, alerts go to inactive and are still accessible
#could filter on $a.ErrorInfo.RecommendedAction to be "None"
if ($srv.GetProductInformation().version.major -gt 2 ){
    foreach ($a in $alctl.ActiveAlerts.Values) {$a.ResolveAlert()}
}
else {
    foreach ($a in $alctl.ActiveAlerts) {$a.ResolveAlert()}
}
writelog "Done inactivating alerts!"

In Windows Server 2008 you can add your iSCSI disks to the DPM server, make them dynamic and then add the disk into the DPM storage pool and you're done.  

In Windows Server 2003 you follow the same steps but when rebooted the server, you'll notice that all your iSCSI disks are offline.  The disks can be brought back online manually in disk management but this is not really a practical solution, the disks can also be brought online by opening the DPM console on the server, but again this solution is equally impractical.

To resolve the problem, change the start up type of the DPM service to Automatic.  By doing this, your iSCSI dynamic disks will be brought online automatically after reboot.

One final point thought though, if you are deploying DPM please consider using Windows Server 2008 x64 as the base Operating System as not only will you have better performance but you'll also be fully prepared to upgrade to DPM 2010 next year.  DPM 2010 will only be supported on Windows Server 2008 x64 so to avoid any upgrades, rebuilds and all the associated problems that cam with upgrading and rebuilding, use Server 2008 x64 if you can !

If you are a Small Medium Business looking for a non expensive backup storage solution, I recommend QNAP Appliance  specially TS-809U-RP Turbo NAS it support up to 8 disk 2 TB each and provide Total Throughput 114.9 MB/sec  on Read and 103.1 on Write.

Gateway Server Role Scenario

The Gateway Server role allows the Discovery Wizard in Operations Manager to discover target computers in workgroups, across one-way trusted and untrusted domains, and provides communication between the target computer and the Management Server. The security requirements of Operations Manager 2007 also bring PKI into a prominent role in many environments where it is has previously been underutilised or non-existent.

There are two primary goals for the gateway server:

1. Minimize the number of points of traffic between two secured environments, (for example, a Customer and Service Provider network)

2. Maximize the use of Kerberos based authentication when it is available, because the TCO associated with Kerberos is lower than with certificates.

Operations Manager introduces a more secure communication model than in its previous versions in that mutual authentication is now required by default between an agent and a management server, as well as between Gateway Servers and Management Servers.

Mutual authentication can be achieved via Kerberos in trusted scenarios where all machines are in the same Active Directory domain or in a domain with a two-way trust relationship. However, in cases where machines outside the trusted environment must be monitored, Kerberos authentication is not possible. In these cases, Operations Manager 2007 can utilize x.509 certificates for mutual authentication in a variety of scenarios. Certificates can be deployed to any Windows operating system that supports an Operations Manager 2007 agent.

The Gateway facilitates communication between the target agent-managed computers and a Management Server, easing management in un-trusted and distributed environments. It may be easiest to think of a Gateway as a management server that simply relays information received from agents to another management server. In real terms a gateway is effectively a management server without direct database access. When you approve a gateway, it appears as a management server in the Operations Console.

To ensure high availability, the Gateway Server on the customer site can be implemented with a secondary gateway to allow agents to failover in the event of the primary gateway becoming un-available also a gateway can be configured for failover to both a primary and secondary management server on the service provider side, allowing Gateway communication to continue in the event of a Management Server failure. The Gateway Server also does not require membership in an Active Directory domain, so it is perfect for the typical service provider scenario where quite often a customer site is separated from the Service Provider by some kind of security boundary. Alternatively, agent-managed computers can be configured to communicate directly to a management server while authenticating via certificates, this is suitable where you have a very small number of agents or where implementation of a Gateway Server is not possible.

Common Deployment Scenario for Multi Tenant Environments.

Gateway with Agent-managed Member Servers

In this scenario, monitoring of a remote, un-trusted AD domain is desired. All servers desired for management in the remote domain are members of the same AD domain as the Gateway Server. There is no trust relationship between the two domains. In this scenario, certificate authentication will be required only between the management server and gateway server, as no trust relationship exists. Agent-managed computers in the remote AD domain will be authenticated via Kerberos for communication with the Gateway Server. Thus, certificates must be secured for both the Management Server and Gateway Server in the remote domain.

Gateway with Agent-managed Workgroup Servers

In this scenario, monitoring of a remote, un-trusted AD domain is desired. Some servers desired for management by the Gateway Server are members of a workgroup. In this scenario, certificate authentication will be required not only between the management server and gateway server, but also between the Gateway Server and agent-managed computers. 

Agent-managed Workgroup Servers - Gateway in Workgroup

In this scenario, monitoring of a remote, DMZ or workgroup environment is desired. An additional requirement to minimize the number of points of communication between the isolated environment and the Management Server exists, making deployment of a Gateway Server an appropriate choice. In this scenario, certificate authentication will be required not only between the management server and gateway server, but also between the Gateway Server and agent-managed computers. 

While there is no programmed limit for the number of agents that can be managed within a single Management Group, information from live environments has established certain limits. Performance has been shown to degrade beyond 6,000 agents, so you should always plan for one Management Group for every 6,000 agents.

The official supported limit for the number of agents that can communicate to a gateway server is 1,500. 

Connected Management Groups Scenario

This deployment scenario is comprised of multiple management groups, each of which can be of the single or multiple server configurations type. This deployment scenario is exceptionally flexible and is mostly used to provide monitoring, alerting, and reporting services in complex environments.

This is extremely useful in the service provider scenario as it allows the connection to multiple instances of a Management Group that may exist on customer sites providing a "single pane of glass" for viewing critical alert data.

Connecting management groups offers these additional services:

• Consolidated monitoring and alerting for greater than 6,000 agents
• Consolidated monitoring across trust boundaries

Operations Manager 2007 Server Roles

This configuration supports all Operations Manager server roles and makes use of the Operations Manager Connector Framework to enable bidirectional communication between the connected groups and local groups.

Common Uses

This deployment scenario can be used when the service provider requirement is to link to a complete Operations Manager Management Group on a customer site to allow a consolidated view of all monitored activity and consolidated management of that data.

There is no official limit on the number of Management Groups that you can connect to in this scenario.

High Level Architecture for Mixed Multi-Tenant Environment

In the case of many large service providers quite often the environment would be a mix of both connected and non-connected management groups, therefore a tiered architecture would be suitable.

This may consist of a master Management Group (or Local Management Group) which would host a roll up of alerts from all connected management groups and second management group which would be the collection point for all data from non-connected Management Groups.

Data Warehouse collection at the Master Management Group level would consist of purely Alert and Discovery Data and this would be the primary connection point for other Management Tools or any Ticketing System, this would also provide a high-level, global data collection point for customer facing scorecarding and reporting.

Any customer owned Management Groups would connect directly to this tier via the Microsoft Connector Framework (MCF), with performance and inventory data being collected locally on their sites.

A Second Management Group would be implemented as a connection point for any non-Management Group sites which would have local Gateway Servers for relaying data from local agents, this Management Group would also be connected to the Master Management Group via the MCF. This second tier would have Data Warehouse Collection Capabilities for Performance Metrics and Inventory Data and would provide a second data collection point for customer facing scorecarding and reporting.

 The following diagram shows an example of how this architecture may look:

Connecting to other Management or Helpdesk Ticketing Systems

The Operations Manager 2007 R2 release saw the introductions of a number of free Interoperability connectors, these include HP Openview, Tivoli TEC, Remedy Helpdesk and a universal connector.

With the recent acquisition of Opalis Integration Center by Microsoft a number of other connection options have been added to the product such as Omnibus Netcool and HP Service Center.

Microsoft also has a close collaboration with EMC around the SMARTS network management toolset, which includes the purchase of some of the EMC SMARTS IP for addition to the next version of the product.  This collaboration has led to a recent release of a a bidirectional adapter package from Microsoft called the EMC Smarts Connector for Microsoft System Center Operations Manager 2007. The adapter will let Operations Manager users view Smarts topology and root-cause reports using their own interfaces. Smarts will also be able to suck in data from Operations Manager.

Operations Manager also comes with an extensive SNMP Trap collection feature allowing you to receive traps from any SNMP enabled system as well as being able to probe other systems ( via SNMP) for information.

Management Escalation

Operations Manager 2007 has a very extensive and flexible subscription based notification system which supports output to SMTP enabled mail systems, Microsoft Office or Live Communication Server (for delivery of messages to Office Communicator clients), GSM for SMS Text Messaging integration via a suitable GSM enabled device, as well as any command line supported medium.

This subscription mechanism supports a very granular and targeted alert stream, allowing you to alert down to a single object or alert over a variety of parameters (such as time raised, severity, business priority etc.).

Operations Manager also supports Alert Ageing which allows you to put a time expiry on un-answered alerts meaning that you can escalate them to higher tiers of Management or too other Operators.

Hardware Support for All Platforms

Microsoft has full support for Operations manager 2007 from most of the large Hardware Vendors such as HP, Dell, Fujitsu Siemens and IBM. Each of these vendors provide a full Operations Manager 2007 management Pack which typically integrates with the local hardware agent and contains Vendor specific knowledge in alerts generated.

Role based administration

Operations Manager 2007 can monitor many different types of applications in the enterprise and these applications can be administered by multiple teams. As the Operations Manager administrator, you can limit access to each team so they access only their monitoring data. Role-based security allows you to grant access to monitoring data, tools, and actions on a team-by-team basis.

Except for the Administrator role, you can add Active Directory security groups or individual accounts to any of these predefined roles. You can add Active Directory security groups only to the Administrator role.

Adding users or groups to a role mean that those individuals will be able to exercise the given role privileges across the scoped objects (including any inherited objects).

Operations Manager also allows you to create custom roles based on the Operator, Read-Only Operator, Author, and Advanced Operator profiles. When you create the role, you can further narrow the scope of groups, tasks, and views that the role can access. For example, you can create a role entitled "Exchange Operator" and narrow the scope to only Exchange-related groups, views, and tasks. User accounts assigned to this role will only be able to run Operator-level actions on Exchange-related objects.

Measuring and Displaying Customer Service Levels

One of the most challenging aspects of providing a managed service to a customer is being able to visualise the value of the service you are providing back to the customer in a format that can be consumed and understood by  any level of the business.

Operations Manager 2007 delivers the ability to define an IT service (or distributed application) by selecting the components that together deliver that IT service, along with their inter-relationships. For example, a web service may comprise of the web server, application pools, a database, and the servers that each are hosted on.  By monitoring a defined number of characteristics of each of those components, Operations Manager is able to determine both the health and performance of each component through 3 states:

• Healthy, indicating that the component being monitored is operating within expected parameters.
• Warning, indicating a performance or health threshold has been exceeded, and that while the component is operating, attention is required to prevent service disruption or restore performance.
• Critical, indicating that the component being monitored has entered an unhealthy state that requires immediate attention, and that the availability and performance of that component are compromised.

This feature is one of the most powerful features of Operations Manager as it gives the ability to be able to group together all of the components that make up a service and in the event of an outage very quick root cause analysis of the source of an outage of performance problem can be identified by simply clicking on a problem path button.

This is also extremely useful to the service provider as it gives him the ability provide metrics back to the customer on the core services that he is being paid to manage through Operations Manager 2007 R2's in built Service Level Reporting capability.

The Service Level Reporting capability in Operations Manager 2007 R2 (also called "service level objectives" or SLOs) leverages this same functionality maintained in the Distributed Application concept to determine both availability and performance metrics for monitored IT services. It does this by calculating the overall time that the components that comprise that IT service remain in a particular state to arrive at the following metrics:

• Availability, calculated as the time the components that comprise the service are in a healthy or warming state. Only a critical state counts against the availability metric, since even if it is in a warning state the IT service is seen as being accessible by end users, (e.g., a web service may take a long time to respond, but it does eventually deliver a web page).
• Performance, calculated as the time the components that comprise the IT services are in a healthy state. Both warning and critical states count against the performance metric, (e.g., if a database transaction is expected to complete in less than 300ms, and the actual transaction takes 2 seconds, then this will be seen as a performance impact).

Once you have defined your Distributed Applications and Service Level Objectives you can use the in-built Service Level Report to display the results or can display the data in a much more effective format using the Service Level Dashboard.

The Service Level Dashboard for Operations Manager R2 is a free download from the Microsoft Solution Accelerator team which is an application built on Windows SharePoint Services 3.0. It is designed to work with an existing Operations Manager 2007 R2 infrastructure configured to monitor business-critical applications. The dashboard evaluates an application or group over a time period that the administrator selects during setup, determines whether it met the defined service level commitment, and displays summarized data about the service levels.

In Operations Manager 2007 R2, you define your service goals. The Service Level Dashboard evaluates each SLO over the defined dashboard time period and determines if it met the goal during that period. The dashboard displays each SLO and identifies its states, based on defined service level targets.

The following diagram illustrates, at a high-level, the process flow that occurs within the Service Level Dashboard environment:

The Service Level Dashboard integrates with the Operations Manager Data Warehouse database and displays service level metrics on the Windows SharePoint Services interface. All the customized and personalized data associated with the Web Parts of the Service Level Dashboard is stored in the Windows SharePoint Services Content database.

The dashboard can summarize the current status and health of all defined SLOs against an application or group of objects. Key measures used to evaluate various aspects of the health of defined SLOs include such information as service level metrics, mean time to repair (MTTR), mean time between failures (MTBF), and service level trends.

As this Dashboard can be used in SharePoint or WSS, it can easily be imported into a public facing portal for on-line consumption by the customer.

Custom SLA Scorecarding

As the needs of the Service Provider often varies from some of the functionality that is provided from Operations Managers "out-of-the-box" availability and SLA Reporting, there is often a need to publish key data collected from Operations Manager in executive level dashboards and scorecards to give customers a "10,000" feet view of their environment so they understand the value the service provider is bringing in managing their infrastructure also key performance metrics can be presented allowing IT stakeholders within those businesses to make key decisions without the complication of having to run their own reporting infrastructure.

This extra level of reporting can easily be provided through extending Operations Managers reporting capability to utilise some of the new, native SQL 2008 reporting capabilities.

By using some of the new reporting controls now in SQL 2008, very effective, customer ready scorecards can be created which can easily be tied to an individual customer by using a combination of

Gordon McKenna - System Center Operations Manager MVP

Technical References:

Gateway Server and Certifcate-based Authorization Scenarios in Operations Manager 2007: http://www.systemcentercentral.com/Downloads/DownloadsDetails/tabid/144/IndexID/7885/Default.aspx

Tracking Service Levels with Operations Manager 2007 R2: http://download.microsoft.com/download/9/B/4/9B4829DC-55A5-46E7-9C9A-91B49EBB6320/SC_OpsMgr2007_R2-ServiceLevelMonitoring.pdf

Service Level Dashboard for System Center Operations Manager 2007: http://technet.microsoft.com/en-us/library/dd630553.aspx