Gateway Server Role Scenario

The Gateway Server role allows the Discovery Wizard in Operations Manager to discover target computers in workgroups, across one-way trusted and untrusted domains, and provides communication between the target computer and the Management Server. The security requirements of Operations Manager 2007 also bring PKI into a prominent role in many environments where it is has previously been underutilised or non-existent.

There are two primary goals for the gateway server:

1. Minimize the number of points of traffic between two secured environments, (for example, a Customer and Service Provider network)

2. Maximize the use of Kerberos based authentication when it is available, because the TCO associated with Kerberos is lower than with certificates.

Operations Manager introduces a more secure communication model than in its previous versions in that mutual authentication is now required by default between an agent and a management server, as well as between Gateway Servers and Management Servers.

Mutual authentication can be achieved via Kerberos in trusted scenarios where all machines are in the same Active Directory domain or in a domain with a two-way trust relationship. However, in cases where machines outside the trusted environment must be monitored, Kerberos authentication is not possible. In these cases, Operations Manager 2007 can utilize x.509 certificates for mutual authentication in a variety of scenarios. Certificates can be deployed to any Windows operating system that supports an Operations Manager 2007 agent.

The Gateway facilitates communication between the target agent-managed computers and a Management Server, easing management in un-trusted and distributed environments. It may be easiest to think of a Gateway as a management server that simply relays information received from agents to another management server. In real terms a gateway is effectively a management server without direct database access. When you approve a gateway, it appears as a management server in the Operations Console.

To ensure high availability, the Gateway Server on the customer site can be implemented with a secondary gateway to allow agents to failover in the event of the primary gateway becoming un-available also a gateway can be configured for failover to both a primary and secondary management server on the service provider side, allowing Gateway communication to continue in the event of a Management Server failure. The Gateway Server also does not require membership in an Active Directory domain, so it is perfect for the typical service provider scenario where quite often a customer site is separated from the Service Provider by some kind of security boundary. Alternatively, agent-managed computers can be configured to communicate directly to a management server while authenticating via certificates, this is suitable where you have a very small number of agents or where implementation of a Gateway Server is not possible.

Common Deployment Scenario for Multi Tenant Environments.

Gateway with Agent-managed Member Servers

In this scenario, monitoring of a remote, un-trusted AD domain is desired. All servers desired for management in the remote domain are members of the same AD domain as the Gateway Server. There is no trust relationship between the two domains. In this scenario, certificate authentication will be required only between the management server and gateway server, as no trust relationship exists. Agent-managed computers in the remote AD domain will be authenticated via Kerberos for communication with the Gateway Server. Thus, certificates must be secured for both the Management Server and Gateway Server in the remote domain.

Gateway with Agent-managed Workgroup Servers

In this scenario, monitoring of a remote, un-trusted AD domain is desired. Some servers desired for management by the Gateway Server are members of a workgroup. In this scenario, certificate authentication will be required not only between the management server and gateway server, but also between the Gateway Server and agent-managed computers. 

Agent-managed Workgroup Servers - Gateway in Workgroup

In this scenario, monitoring of a remote, DMZ or workgroup environment is desired. An additional requirement to minimize the number of points of communication between the isolated environment and the Management Server exists, making deployment of a Gateway Server an appropriate choice. In this scenario, certificate authentication will be required not only between the management server and gateway server, but also between the Gateway Server and agent-managed computers. 

While there is no programmed limit for the number of agents that can be managed within a single Management Group, information from live environments has established certain limits. Performance has been shown to degrade beyond 6,000 agents, so you should always plan for one Management Group for every 6,000 agents.

The official supported limit for the number of agents that can communicate to a gateway server is 1,500. 

Connected Management Groups Scenario

This deployment scenario is comprised of multiple management groups, each of which can be of the single or multiple server configurations type. This deployment scenario is exceptionally flexible and is mostly used to provide monitoring, alerting, and reporting services in complex environments.

This is extremely useful in the service provider scenario as it allows the connection to multiple instances of a Management Group that may exist on customer sites providing a "single pane of glass" for viewing critical alert data.

Connecting management groups offers these additional services:

• Consolidated monitoring and alerting for greater than 6,000 agents
• Consolidated monitoring across trust boundaries

Operations Manager 2007 Server Roles

This configuration supports all Operations Manager server roles and makes use of the Operations Manager Connector Framework to enable bidirectional communication between the connected groups and local groups.

Common Uses

This deployment scenario can be used when the service provider requirement is to link to a complete Operations Manager Management Group on a customer site to allow a consolidated view of all monitored activity and consolidated management of that data.

There is no official limit on the number of Management Groups that you can connect to in this scenario.

High Level Architecture for Mixed Multi-Tenant Environment

In the case of many large service providers quite often the environment would be a mix of both connected and non-connected management groups, therefore a tiered architecture would be suitable.

This may consist of a master Management Group (or Local Management Group) which would host a roll up of alerts from all connected management groups and second management group which would be the collection point for all data from non-connected Management Groups.

Data Warehouse collection at the Master Management Group level would consist of purely Alert and Discovery Data and this would be the primary connection point for other Management Tools or any Ticketing System, this would also provide a high-level, global data collection point for customer facing scorecarding and reporting.

Any customer owned Management Groups would connect directly to this tier via the Microsoft Connector Framework (MCF), with performance and inventory data being collected locally on their sites.

A Second Management Group would be implemented as a connection point for any non-Management Group sites which would have local Gateway Servers for relaying data from local agents, this Management Group would also be connected to the Master Management Group via the MCF. This second tier would have Data Warehouse Collection Capabilities for Performance Metrics and Inventory Data and would provide a second data collection point for customer facing scorecarding and reporting.

 The following diagram shows an example of how this architecture may look:

Connecting to other Management or Helpdesk Ticketing Systems

The Operations Manager 2007 R2 release saw the introductions of a number of free Interoperability connectors, these include HP Openview, Tivoli TEC, Remedy Helpdesk and a universal connector.

With the recent acquisition of Opalis Integration Center by Microsoft a number of other connection options have been added to the product such as Omnibus Netcool and HP Service Center.

Microsoft also has a close collaboration with EMC around the SMARTS network management toolset, which includes the purchase of some of the EMC SMARTS IP for addition to the next version of the product.  This collaboration has led to a recent release of a a bidirectional adapter package from Microsoft called the EMC Smarts Connector for Microsoft System Center Operations Manager 2007. The adapter will let Operations Manager users view Smarts topology and root-cause reports using their own interfaces. Smarts will also be able to suck in data from Operations Manager.

Operations Manager also comes with an extensive SNMP Trap collection feature allowing you to receive traps from any SNMP enabled system as well as being able to probe other systems ( via SNMP) for information.

Management Escalation

Operations Manager 2007 has a very extensive and flexible subscription based notification system which supports output to SMTP enabled mail systems, Microsoft Office or Live Communication Server (for delivery of messages to Office Communicator clients), GSM for SMS Text Messaging integration via a suitable GSM enabled device, as well as any command line supported medium.

This subscription mechanism supports a very granular and targeted alert stream, allowing you to alert down to a single object or alert over a variety of parameters (such as time raised, severity, business priority etc.).

Operations Manager also supports Alert Ageing which allows you to put a time expiry on un-answered alerts meaning that you can escalate them to higher tiers of Management or too other Operators.

Hardware Support for All Platforms

Microsoft has full support for Operations manager 2007 from most of the large Hardware Vendors such as HP, Dell, Fujitsu Siemens and IBM. Each of these vendors provide a full Operations Manager 2007 management Pack which typically integrates with the local hardware agent and contains Vendor specific knowledge in alerts generated.

Role based administration

Operations Manager 2007 can monitor many different types of applications in the enterprise and these applications can be administered by multiple teams. As the Operations Manager administrator, you can limit access to each team so they access only their monitoring data. Role-based security allows you to grant access to monitoring data, tools, and actions on a team-by-team basis.

Except for the Administrator role, you can add Active Directory security groups or individual accounts to any of these predefined roles. You can add Active Directory security groups only to the Administrator role.

Adding users or groups to a role mean that those individuals will be able to exercise the given role privileges across the scoped objects (including any inherited objects).

Operations Manager also allows you to create custom roles based on the Operator, Read-Only Operator, Author, and Advanced Operator profiles. When you create the role, you can further narrow the scope of groups, tasks, and views that the role can access. For example, you can create a role entitled "Exchange Operator" and narrow the scope to only Exchange-related groups, views, and tasks. User accounts assigned to this role will only be able to run Operator-level actions on Exchange-related objects.

Measuring and Displaying Customer Service Levels

One of the most challenging aspects of providing a managed service to a customer is being able to visualise the value of the service you are providing back to the customer in a format that can be consumed and understood by  any level of the business.

Operations Manager 2007 delivers the ability to define an IT service (or distributed application) by selecting the components that together deliver that IT service, along with their inter-relationships. For example, a web service may comprise of the web server, application pools, a database, and the servers that each are hosted on.  By monitoring a defined number of characteristics of each of those components, Operations Manager is able to determine both the health and performance of each component through 3 states:

• Healthy, indicating that the component being monitored is operating within expected parameters.
• Warning, indicating a performance or health threshold has been exceeded, and that while the component is operating, attention is required to prevent service disruption or restore performance.
• Critical, indicating that the component being monitored has entered an unhealthy state that requires immediate attention, and that the availability and performance of that component are compromised.

This feature is one of the most powerful features of Operations Manager as it gives the ability to be able to group together all of the components that make up a service and in the event of an outage very quick root cause analysis of the source of an outage of performance problem can be identified by simply clicking on a problem path button.

This is also extremely useful to the service provider as it gives him the ability provide metrics back to the customer on the core services that he is being paid to manage through Operations Manager 2007 R2's in built Service Level Reporting capability.

The Service Level Reporting capability in Operations Manager 2007 R2 (also called "service level objectives" or SLOs) leverages this same functionality maintained in the Distributed Application concept to determine both availability and performance metrics for monitored IT services. It does this by calculating the overall time that the components that comprise that IT service remain in a particular state to arrive at the following metrics:

• Availability, calculated as the time the components that comprise the service are in a healthy or warming state. Only a critical state counts against the availability metric, since even if it is in a warning state the IT service is seen as being accessible by end users, (e.g., a web service may take a long time to respond, but it does eventually deliver a web page).
• Performance, calculated as the time the components that comprise the IT services are in a healthy state. Both warning and critical states count against the performance metric, (e.g., if a database transaction is expected to complete in less than 300ms, and the actual transaction takes 2 seconds, then this will be seen as a performance impact).

Once you have defined your Distributed Applications and Service Level Objectives you can use the in-built Service Level Report to display the results or can display the data in a much more effective format using the Service Level Dashboard.

The Service Level Dashboard for Operations Manager R2 is a free download from the Microsoft Solution Accelerator team which is an application built on Windows SharePoint Services 3.0. It is designed to work with an existing Operations Manager 2007 R2 infrastructure configured to monitor business-critical applications. The dashboard evaluates an application or group over a time period that the administrator selects during setup, determines whether it met the defined service level commitment, and displays summarized data about the service levels.

In Operations Manager 2007 R2, you define your service goals. The Service Level Dashboard evaluates each SLO over the defined dashboard time period and determines if it met the goal during that period. The dashboard displays each SLO and identifies its states, based on defined service level targets.

The following diagram illustrates, at a high-level, the process flow that occurs within the Service Level Dashboard environment:

The Service Level Dashboard integrates with the Operations Manager Data Warehouse database and displays service level metrics on the Windows SharePoint Services interface. All the customized and personalized data associated with the Web Parts of the Service Level Dashboard is stored in the Windows SharePoint Services Content database.

The dashboard can summarize the current status and health of all defined SLOs against an application or group of objects. Key measures used to evaluate various aspects of the health of defined SLOs include such information as service level metrics, mean time to repair (MTTR), mean time between failures (MTBF), and service level trends.

As this Dashboard can be used in SharePoint or WSS, it can easily be imported into a public facing portal for on-line consumption by the customer.

Custom SLA Scorecarding

As the needs of the Service Provider often varies from some of the functionality that is provided from Operations Managers "out-of-the-box" availability and SLA Reporting, there is often a need to publish key data collected from Operations Manager in executive level dashboards and scorecards to give customers a "10,000" feet view of their environment so they understand the value the service provider is bringing in managing their infrastructure also key performance metrics can be presented allowing IT stakeholders within those businesses to make key decisions without the complication of having to run their own reporting infrastructure.

This extra level of reporting can easily be provided through extending Operations Managers reporting capability to utilise some of the new, native SQL 2008 reporting capabilities.

By using some of the new reporting controls now in SQL 2008, very effective, customer ready scorecards can be created which can easily be tied to an individual customer by using a combination of

Gordon McKenna - System Center Operations Manager MVP

Technical References:

Gateway Server and Certifcate-based Authorization Scenarios in Operations Manager 2007: http://www.systemcentercentral.com/Downloads/DownloadsDetails/tabid/144/IndexID/7885/Default.aspx

Tracking Service Levels with Operations Manager 2007 R2: http://download.microsoft.com/download/9/B/4/9B4829DC-55A5-46E7-9C9A-91B49EBB6320/SC_OpsMgr2007_R2-ServiceLevelMonitoring.pdf

Service Level Dashboard for System Center Operations Manager 2007: http://technet.microsoft.com/en-us/library/dd630553.aspx

Agentless Exception Monitoring (AEM) of System Center Operations Manager and System Center Desktop Error Monitoring (DEM) are identical features with the only difference being that AEM is shipped with Operations Manager 2007 and DEM is shipped with Microsoft Desktop Optimization Pack (MDOP) SKU’s.  These features leverage the Microsoft Error Reporting (formerly known as Dr. Watson) or Windows Error Reporting client applications for reporting the crash or hang.

Because this is a hybrid user group meeting there are two ways to register.
1. If you would like to use Live Meeting to attend the meeting remotely, register here http://www.clicktoattend.com/?id=146192
2. If you would like to go to the Alpharetta, GA Microsoft Campus to attend the meeting please register here, this will help us with planning for lunch requirements. https://www.usergroupsupportservices.com/UGEventView.ugss?EventID=8775
 

DATE & TIME
March 5, 2010
10:00 AM – 4:00 PM Eastern Time Zone
 

Lunch provided by Prowess http://www.prowesscorp.com
 

“At Prowess Consulting, we focus on providing technology marketing, technical writing, IT infrastructure, and managed services to Fortune 500 companies. We make businesses stronger by delivering the right information at the right time. We are trusted by the largest organizations to deliver results through innovative and customized solutions.”
 

THE AGENDA
 

9:45 AM 10:00 AM Opening and Introductions
10:05 AM 11:00 AM Prowess Presentation
11:05 AM 11:50 AM Introduction to Microsoft App-V and the Enterprise
11:55 AM 12:40 PM SCCM R3 Features and Benefits
12:45 PM 1:00 PM Break
1:05 PM 1:50 PM Ed Wilson Powershell Best Practices
1:55 PM 2:40 PM MP Authoring Resource Kit
2:45 PM 3:40 PM What is SCUP and How Do I Use It?
3:35 PM 4:00 PM Closing
 

PRESENTER BIOGRAPHIES
 

Steve Bucci
Steve is a Senior Support Engineer with Microsoft System Center Support in Charlotte, NC. He supports Application Virtualization (App-V), Microsoft Enterprise Desktop Virtualization (MED-V), and Virtual Machine Manager (SCVMM). He has worked for Microsoft for the past 8 years.
 

Brian Shaw
Brian has been with Microsoft the past 2.5 years and is currently holding the position of Senior Support Escalation Engineer supporting SMS, Configuration Manager (SCCM), and WSUS. Brian has been supporting SMS for well over 10 years, starting with SMS 1.2. Brian is currently the CSS Beta Engineer supporting the development and release of SCCM R3.
 

Ed Wilson
Ed is a senior consultant at Microsoft and a well-known scripting expert. He is a Microsoft Certified Trainer who delivers popular scripting, networking, and administration workshops to Microsoft employees and customers worldwide. He’s written several books on Windows scripting, including Microsoft Windows Powershell Scripting Guide, Microsoft Windows Scripting Self-Paced Learning Guide, and Microsoft VBScript Step by Step. Ed holds more than 20 industry certifications, including MCSE and CISSP.
 

Cory Delamarter
[Unavailable at this time.]
 

Jason Lewis
Jason is a Program Manager on the System Center Configuration Management SE Team at Microsoft. He’s been with the team for over 5 years working on products such as Systems Management Server 2003 SP2 and R2, including the Custom Updates Publishing Tool (CUPT), Inventory Tool for Custom Updates (ITCU), System Center Updates Publisher (SCUP), and Configuration Manager 2007 R2. Jason also authors a blog at http://blogs.technet.com/jasonlewis where he covers products that he’s working on including “FYI” and “How To” topics.

Thank you for your continued support!

Scott Moss
Microsoft MVP (Operations Manager)
Vice President Atlanta SMUG http://www.atlsmug.org
President System Center Virtual user Group  http://systemcenterusergroup.org

• In part 1 - basics of building a CentOS Management Pack,.
• In part 2,  how to build the actual MPs.
• In part 3, MP installation and validation.

To view the entire series at the source, click the Download button.

Click Download to read the entire article...

Kevin writes: This is something a LOT of people make mistakes on – so I wanted to write a post on the correct way to do this properly, using a very common target as an example.

When we write a monitor for something like “Processor\% Processor Time\_Total” and target “Windows Server Operating System”…. everything is very simple. “Windows Server Operating System” is a single instance target…. meaning there is only ONE “Operating System” instance per agent. “Processor\% Processor Time\_Total” is also a single instance counter…. using ONLY the “_Total” instance for our measurement. Therefore – your performance unit monitors for this example work just like you’d think.

However – Logical Disk is very different. On a given agent – there will often be MULTIPLE instances of “Logical Disk” per agent, such as C:, D:, E:, F:, etc… We must write our monitors to take this into account. (continue at source) 

In this article I will give a step-by-step instruction how to configure Service Level Tracking on a Live Maps view and show the results using the Service Level Tracking report in OpsMgr and the Service Level Dashboard in SharePoint.

(continue at source)

1. Create a new rule.
2. For the rule type, select an Event Based from the NT Event Log.
   1. Select a custom management pack
3. Name your rule. I suggest to preceed it with your company name, as it makes much easier to locate the rules you have created.
   1. Specify for the rule target, Windows Server 2003 Computer. It could also be Windows Server to cover all version.
4. Select the Application journal or System journal

Now, you are the Build Event Expression section. We are going to build an expression that will collect all events from the Application journal, that are of level "ERROR". But we are going to include filtering for three specific events that we don't want alerts for. In this example, those events are Perflib, ID 1023 and ID 1400. And event Kerberos, ID 23.

1. First, delete the AND group plus the two expressions that are already present.
2. Then insert a new AND group and set the expression to Event Level Equals Error.
3. Notice the black arrow in the gray array, this tell which line is selected and it will be important throughout this demonstration.
4. Select the line which is the expression Event Level...
5. Insert a OR group. This OR group has to be indented to the right sight
6. We don't need the expression line, so remote it.
7. Make sure the OR group line is selected.
8. Insert a AND group.
9. In this group, we will specify one entry per Event source. In this exemple, we have three events to filter but only two source names.
10. For the first expression, set it to Event Source Does not equal Perflib
11. Insert a new expression and set it to Event Source Does not equal Kerberos
12. Now select the line OR group
13. Insert a new AND group. This group will be inserted below the OR group and has to be indented to the right and be at the same indention level as the previous AND group.
14. Set the expression to Event Source Equals Perflib
15. Insert another expression and set it to Event ID Does not equal 1023
16. Insert another expression and set it to Event ID Does not equal 1400
17. Whenever you need to add another ID, just select the last expression in this group and insert a new one.
18. Now select againt the OR group.
19. Insert a new AND group
20. Set the expression to Event Source Equals Kerberos
21. Insert another expression and set it to Event ID Does no equal 23

There you have it. If you need to add another event such as Print with ID 44. Then insert a new expression in the AND group containing the list of event source. And after selecting the OR group line, insert a new AND group to specify the IDs, as demonstrated above.

http://www.thebitstreamer.com/index.php/en/2009/10/29/scom-2007-come-agirare-la-limitazione-dei-sealed-mp

The new release can be downloaded here. If you are upgrading from Live Maps v2 or v3 a new license key is needed. Free edition user can request an updated key here, customers can request a new key by sending an email to sales@savision.com.

Feature Highlight

Health Details

A feature has been added to the Live Maps drawing view that allows you to optionally display the health details of a nested map or object. The details show the number of child objects in a particular state and the total number of open alerts.

State Filter

The list view state filter allows you to quickly filter on the health state of objects from within the Microsoft Operations console.

Windows Gadget

The Live Maps Windows gadget is now Windows 7 compliant and supports cross domain authentication.

Advanced List View Configuration

It is now possible, using the Live Maps Authoring console, to overwrite the label, add one or more discovered properties or change the image of a list view item.

Optimized for Large Environments

If large number of views are created, the size of the Live Maps authoring management pack might cause issues. Live Maps 4.1 has been optimized to reduce the size of the Savision default management pack and also offers you the option to select an alternative management pack to store your views and folders created with the Live Maps authoring console.

Web Console Configurator

A handy configuration utility has been added to change the Live Maps Web Console settings.

Do you wonder how Live Maps can maximize your System Center investment? Try it yourself with the Live Maps free edition or contact us for a demo!

Click the download button at right to get the full article.

As mentioned in the first post, unit monitors can be thought of as the workhorse of monitoring. Unit monitors are just that – a unit of monitoring. A self contained engine to monitor a specific item and reflect the result in terms of health state, alerting and diagnostic/recovery.

Aggregates act as a collector and consolidator of information and ultimately reflect the collective result of unit monitors. For any defined class in OpsMgr there are 5 defined aggregate monitors – Entity Health, Availability, Configuration, Performance and Security.