System Center
Keep an Eye on Your Servers with Operations Manager 2007
Pete Zerger
 
At a Glance:
  • New features in Operations Manager 2007
  • Using the operations console
  • The role of roles
  • Powerful new reporting

System Center Operations Manager 2007 offers a great leap forward in the Microsoft operations management platform. Operations Manager 2007 represents a paradigm shift in strategy, moving from computer-focused monitoring to a true service-oriented monitoring platform. While the new model bears some resemblance to its predecessor as an agent-based monitoring solution, carrying forward concepts familiar to any Microsoft® Operations Manager (MOM) 2005 administrator, much has changed. As you'll see, there are exciting new features, new management interfaces, and lots of additional resources for learning more about this latest addition to the Microsoft System Center Family.

Management Interfaces
In no place are the changes more apparent than in the new management interfaces. Gone are the separate Operations and Administrator consoles, and in their place is a consolidated Operations Console that delivers administrative, authoring, operational, and reporting functions (see Figure 1). Also gone is the single, often confusing folder tree of the MOM 2005 Administrator Console. An interface that looks much like Outlook® takes its place, exposing five function-specific workspaces: monitoring, authoring, reporting, administration, and my workspace.
Figure 1 Operations Console
The Monitoring workspace exposes alert, state, performance, and diagram views of the network infrastructure in a clean interface, similar to what you'd see in the Operator Console in MOM 2005.
The Authoring workspace is where you configure new rules and create groups on which rules and monitors will operate. A dramatically improved reporting interface is integrated into the Operations Console, eliminating the need to visit a separate reporting Web site. An interface for executing administrative tasks, such as computer and network device discovery and configuration of security and notification settings, is also included. Finally, My Workspace allows users to create custom views, save frequently used views and searches, and configure custom alert notification subscriptions.
The Operations Console is loaded with context-sensitive help, including links to product documentation, online webcasts, and conceptual guidance. The Operations Console also includes rich search functionality, allowing users to define advanced search criteria for any object type, returning results based on object type and value characteristics defined in the search.
The Actions pane in the Operations Console offers a host of context-sensitive tasks that provide information on object configuration and state, and it allows you to launch the new Health Explorer for the targeted object (see Figure 2). In Health Explorer, the tree structure representing the health of the monitored objects for a given entity (monitored object) is hierarchical. Every entity is monitored on at least four parameters: Availability, Configuration, Performance and Security. These values cascade up; the state of each of these parameters is calculated based on the state of monitors that reside underneath it in the hierarchy.
Figure 2 Health Explorer
Health Explorer diagnoses failures on monitored objects and gives you the ability to act on error conditions by clicking hyperlinks within the event detail. You can also run any diagnostic or recovery task appearing in the details pane of the Health Explorer (as in Figure 3) on demand, or configure the task to run automatically when an alert is generated. The output of any diagnostic task (such as retrieving a list of running processes) will be displayed automatically in the details pane when the state change event is highlighted.
Figure 3 Diagnostics and recoveries

Web Console
The Web-based management capabilities of Operations Manager are greatly expanded in this release. The Web Console exposes the functionality of the Monitoring and My Workspace areas of Operations Console through Internet Explorer®, providing the same views available in Operations Console, including a fully functional Actions pane for executing context-based tasks, along with the ability to put monitored objects into maintenance mode (see Figure 4).
Figure 4 Web Console
A mobile Web Console that allows access from any Web-capable mobile device is also included. The Web Console provides an RSS feed that delivers alerts to the Outlook 2007 Inbox or the RSS aggregator of your choice.

Command Shell
The Operations Manager Command Shell is a powerful interface that allows complete administrative control from the command line. Many complex tasks can be initiated in a single line of code (known as a one-liner). The Command Shell is a specially configured instance of Windows PowerShell™, the object-oriented command-line environment based on the Microsoft .NET Framework. This gives you access to a host of functions, called cmdlets, that can execute any task available in the Operations Console GUI—and a whole lot more. These cmdlets allow you to quickly and easily execute a task against multiple target objects (such as putting large numbers of agents in maintenance mode) that would be more time-consuming to perform through the Operations Console. For example, to export a list of all open critical alerts to a Web page, execute the following in the Operations Manager Command Shell window:
get-alert | where {$_.Severity -gt "Warning" -and $_.ResolutionState -eq 0 } | format-table monitoringobjectdisplayname,name,severity,description
The object-oriented nature of Windows PowerShell is what makes the Command Shell so powerful. You get the power of the Operations Manager .NET class libraries without the need to know C# or Visual Basic® .NET.

Computer and Device Discovery
Computer discovery and agent deployment have evolved in Operations Manager as well. You can discover agents using the Computer and Device Management Wizard from the Operations Console, allowing administrators to search Active Directory® or manually enter a target computer or list of computers (see Figure 5). Detailed Lightweight Directory Access Protocol (LDAP) queries allow for more granular targeting of specific computers for agent deployment.
Figure 5 Advanced discovery via Active Directory query
The wizard lets you discover Simple Network Management Protocol (SNMP)-enabled devices, which can then be targeted for monitoring in management pack rules.
Integration with Active Directory is another significant improvement. It lets administrators register management group information in Active Directory (via a simple utility) so Operations Manager agents can locate the appropriate management server by querying Active Directory at startup. The new integration also allows administrators to automate and simplify agent deployment by including an Operations Manager agent in a machine image, deploy agents via popular systems management platforms (such as Systems Management Server 2003 or System Center Configuration Manager), or through Group Policy.

Security
Operations Manager 2007 can be used to monitor many types of applications, some of which may need to be restricted to certain support personnel. Fortunately, the new role-based security model has five default user profiles that group access based on common job functions, ranging from read-only operator to administrator. Each of the default user roles is based on one of these default profiles. User roles define which types of operations can be performed by a user and the scope of these rights. You can also create custom roles by selecting one of these default profiles and then setting the scope of the role to restrict visibility of monitoring data to the desired subset of monitored objects, tasks, and views. Both standard and custom user roles based on these user profiles can be assigned to Active Directory security groups, placing user provisioning tasks back into the hands of security administration staff.
Run As Execution, also new in Operations Manager 2007, provides a secure infrastructure for managing the credentials required to perform specific actions. For example, some monitoring tasks may require highly privileged credentials or even non-Windows-based credentials.
Run As Accounts must be associated with a Run As Profile, which can in turn be associated with a rule or task that requires special privileges. The Run As Profile lets management pack authors abstract the account requirement during the authoring process so the admin can associate an appropriate Run As account after the management pack has been installed in Operations Manager.
Operations Manager 2007 delivers greater security than its predecessor in communications between agents and management servers by requiring mutual authentication. In trusted environments, mutual authentication can be achieved through Kerberos. For untrusted and perimeter network environments, the situation can become more complicated: there, mutual authentication requires certificate-based authentication using X.509 certificates, which will require organizations to consider their Public Key Infrastructure (PKI) options if they don't already have one in place.

Server Roles
While the management server, operations database, and reporting server roles from MOM 2005 remain in Operations Manager, new management server roles have been introduced. The root management server role isolates critical functions such as user authorization, notification, and management of console connections to a dedicated role in the infrastructure. For best performance, the root management server should be dedicated to this role and no agents should be configured to report to this server.
The new gateway server role accommodates more efficient use of management computers across untrusted domains and perimeter environments by providing a single communication back to the management server. In many cases, agents in the target domain can be authenticated to the gateway server via the Kerberos protocol, minimizing the need for certificate-based authentication and reducing administrative effort and total cost of ownership.

Reporting
Users will find that Operations Manager 2007 delivers notable improvements in reporting, with an integrated Reporting space in the Operations Console. Likewise, security for reporting is integrated with overall Operations Manager security.
There are a number of major architectural changes, including when and how data is delivered to the reporting database. Gone is the nightly Data Transformation Services (DTS) task that transferred the previous day's reporting data from the operations database. Instead, data is inserted directly into the reporting database at the same time it is inserted into the operations database, resulting in almost no latency.
Operations Manager reports contain new smart parameter headers, providing the flexibility to define and report on specific and relative date and time ranges, including restricting report output to a user-defined range of business hours. The object picker in the smart parameter header provides search, in order to simplify the task of targeting objects for reports. In scheduling reports, the flexible date picker eliminates the need to modify report definition files to achieve a specific relative date range in recurring reports (see Figure 6).
Figure 6 Configuring business hours
Another reporting improvement aims to ensure that reports render quickly, even when they are executed over extended date ranges. To that end, Operations Manager reporting data is automatically pre-indexed and aggregated into hourly and daily summary data points, which are used in all Operations Manager reports. In addition to having the data already compiled, this improves data warehouse scalability, as the raw data points can be compressed in the database much more aggressively without impact to historical reporting capability.
By far, the most impressive improvements involve the content and features of the rendered reports themselves, which present historical performance and availability data in a format relevant to network engineers and IT managers.
Figure 7 shows a standard performance report, which consists of a graph with a table. Both the lines in the graph and the descriptions in the table provide click-through to a detail report, as shown in Figure 8.
Figure 7 Standard performance report
Figure 8 Performance detail report (drill-down)
Availability reporting in Operations Manager is based on object state. Any object that can have state can be targeted in an availability report out of the box. You can move from the detail report to an availability report in a single click (see Figure 9).
Figure 9 Availability report
For management packs without reports, there are generic reports that will accommodate reporting of availability and performance of almost any managed object, sharply reducing the need to author custom reports.
Administrators will be pleased to find that out of the box, Operations Manager 2007 supports multiple management groups reporting to a single reporting data warehouse. Reporting security is integrated with the role-based security of the product, allowing administrators to control report access through Active Directory security groups.

Notification
The Notification engine has undergone a complete retooling in Operations Manager 2007, emerging with new features that administrators have been clamoring for, including additional notification options (called notification channels) such as instant message and SMS (this requires a third-party SMS provider to be installed on the management server). Notification subscriptions now include a scoping option so administrators can limit the visibility of object types and groups available to operator roles and more accurately target notification subscriptions.
Alert aging (escalation) allows notification to be sent when an alert that meets the criteria defined in the subscription remains in a given resolution state for a period of time defined by the user.
Message formats can now be customized on a per-subscription basis, allowing message format customization down to the individual user level. Plus, self-service notification in the My Workspace pane of the Operations Console allows users to define their notification device and subscription settings. These are just some of the notification features you'll find extremely convenient.

Management Packs
Management packs still represent the base framework of service and application monitoring in Operations Manager 2007, delivering application knowledge direct from the Microsoft product teams. However, they shift from server monitoring to service-oriented monitoring—focusing on the health of the service being delivered.
Space constraints preclude going into depth here, but you should note that the simple object type model of MOM 2005 (computers and computer groups) has been revamped as an extensible model with dozens of monitored object types that can be targeted. The end result is a rich development environment for third-party ISVs to deliver outstanding line-of-business, network, and cross-platform offerings.
Simple monitoring rules, similar to those available in MOM 2005, are used for a variety of common monitoring tasks, such as text and Event Log monitoring, WMI event queries, scripts executed on a schedule, and a vastly improved SNMP trap provider that eliminates the need to compile SNMP management information bases.
However, in Operations Manager, monitors detect changes in the state of managed objects. Monitors include many functions not seen in MOM 2005 providers, such as TCP port checking, synthetic transactions for database and Web site connectivity, ASP.NET application and Web service monitoring, and perhaps most importantly, service-oriented monitoring for distributed line-of-business applications. I'll cover these in a bit more detail momentarily.

Self-Tuning Thresholds
Sometimes behavior is not known for a given counter. For such situations, Operations Manager provides self-tuning threshold monitors. A self-tuning threshold monitor uses a learning process over the defined business cycle (usually one week, but perhaps as short as one day) to determine the normal values for a specified performance counter object and to then define thresholds based on operational norms recorded during the learning period. These thresholds represent expected activity, including sharp drops or spikes in resource utilization, as might be experienced during nightly application and system maintenance.
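The idea can be illustrated with a short Python sketch. This is an added example, not Operations Manager code, and the product's actual learning algorithm is not described here. It assumes a one-day cycle with hourly slots observed for seven days, a band of mean plus or minus three standard deviations per slot, and a hypothetical fixed limit of 80% for comparison; all sample values are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: CPU % sampled hourly for seven days. A nightly
# maintenance job pushes CPU to ~86% at 02:00; every other hour sits near 21%.
LEARNING_SAMPLES = [
    (hour, (85 if hour == 2 else 20) + day % 3)
    for day in range(7)
    for hour in range(24)
]

STATIC_LIMIT = 80.0  # hypothetical fixed threshold, used only for comparison


def learn_baseline(samples, sensitivity=3.0, min_band=1.0):
    """Return {hour: (low, high)} learned from (hour, value) samples.

    Assumed model: mean +/- sensitivity * standard deviation per hourly
    slot, with the band never narrower than min_band.
    """
    by_slot = defaultdict(list)
    for hour, value in samples:
        by_slot[hour].append(value)
    baseline = {}
    for hour, values in by_slot.items():
        centre = mean(values)
        band = max(sensitivity * pstdev(values), min_band)
        baseline[hour] = (centre - band, centre + band)
    return baseline


def classify(baseline, hour, value):
    """Compare one new sample with the learned band for its hour."""
    if hour not in baseline:
        return "unknown"  # no learning data for this slot
    low, high = baseline[hour]
    if value > high:
        return "above"
    if value < low:
        return "below"
    return "within"


def static_alert(value, limit=STATIC_LIMIT):
    """Fixed-threshold check: alert whenever the value exceeds the limit."""
    return value > limit


BASELINE = learn_baseline(LEARNING_SAMPLES)

if __name__ == "__main__":
    # Constructed observations taken after the learning period.
    for hour, value, note in [
        (2, 86, "nightly maintenance spike"),
        (14, 86, "same load mid-afternoon"),
        (2, 20, "maintenance job did not run"),
    ]:
        state = classify(BASELINE, hour, value)
        print(f"{hour:02d}:00 {value:>3}%  self-tuning={state:7}"
              f" static_alert={static_alert(value)}  ({note})")
```

The fixed limit alerts on the expected 02:00 spike and says nothing when the maintenance job fails to run, while the learned band treats the spike as normal and flags both the afternoon load and the missing nightly activity.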

Synthetic Transactions
For a more dynamic picture of application health, Operations Manager offers synthetic transactions, which are actions run in real time against monitored objects. Synthetic transactions can be created for Web site browsing sequences, database connectivity and TCP port monitoring. You can specify the server nodes from which the transactions will run (called watcher nodes) as well as the desired monitoring interval. If multiple watcher nodes are chosen, the results can then be compared to determine if the experience from each node is the same.
The Web Application Editor used to capture Web browser sequences also allows administrators to define warning- and error-level response-time thresholds, as well as specify performance counter collection for individual operations within page load and link retrieval. Secure (SSL) browser sequences requiring a variety of authentication methods (such as Basic or NTLM) are supported.
Overrides, a familiar MOM 2005 concept, are used to adjust the configuration of Operations Manager settings for monitors, attributes, and rules for an object or a group of managed objects (see Figure 10). The use of overrides is key to controlling the amount of data that is collected by Operations Manager. You can use groups and overrides together to narrow the focus of the monitor, rule, attribute, or object discovery to a target group of objects not only in your own management packs, but in those of Microsoft and third-party ISVs as well.
Figure 10 Override parameters for a service monitor

Line-of-Business Application Monitoring
The new Distributed Application Designer lets you create a service-level picture of critical applications, and then delivers a summary health indicator of distributed application components. This includes any discovered object type, such as a Web service, SQL Server™ database, and even non-Windows devices such as network routers and switches. Object relationships and current health state can then be viewed in a diagram.
To make this powerful feature more accessible, Microsoft offers several distributed application templates to give administrators a starting point for defining their own line-of-business applications. Templates for many common scenarios are available, including ASP.NET Application and ASP.NET Web service, Line of Business Web Application, Messaging, SharePoint® Portal Farm, and Terminal Services Farm.
New templates can be added to the Management Group through Microsoft or third-party management packs, which then appear in the Add Monitoring Wizard. Distributed application monitors for Active Directory, Exchange, and Operations Manager are pre-deployed and cannot be edited.

Management Pack Availability
Management packs written specifically for Operations Manager 2007 (called optimized management packs) are designed to take advantage of the new features in Operations Manager 2007 and are scheduled to be available for new software releases starting in 2008. However, existing MOM 2005 management packs can be converted to Operations Manager 2007-friendly format using the MPConvert utility, or they can be transferred from an existing MOM 2005 installation using the MOM 2005-to-Operations Manager 2007 migration tool; both tools can be found on the Operations Manager 2007 CD. Microsoft is actually converting the MOM 2005 management packs to Operations Manager 2007-compatible format, so this should generally be necessary only for home-grown management packs.

Audit Collection
Audit Collection delivers the solution to automate collection and centralized archival of distributed Windows Security Event Logs. It is designed for medium and large enterprises requiring collection and analysis of a high volume of Security Event Log data for internal and external compliance auditing. Audit Collection consists of four roles: the Collector, Forwarders, the database role, and the reporting role. The Collector is the server that "catches" events and inserts them into the Audit Collection database. The Forwarder is a service that sends Security Event Log events in near real time, minimizing the likelihood that local administrators can interfere with Security Log Events. The Forwarder service is included in the Operations Manager 2007 agent, but is disabled until Audit Collection is enabled for a given agent.
Audit Collection employs automatic nightly database maintenance, ensuring consistently good report-rendering performance across large datasets. Audit Collection maintains a rolling dataset (stored for 14 days by default) that can be adjusted by administrators to meet their organizational requirements. For analyzing collected events, Audit Collection includes a Reporting role with a base set of about 20 audit reports as well as a high-performance WMI subscriber, providing an easy interface for ad hoc queries without the need to grant administrators database access directly.

Client Monitoring
The new client monitoring features in Operations Manager 2007 enable administrators to monitor desktop operating systems and applications, to help determine which errors are occurring most frequently so efforts can be directed to achieve the greatest benefit for the organization. The error data collected is used to produce detailed views and reporting, giving the administrator a readily available source of information to facilitate support decisions.
Client monitoring in Operations Manager 2007 actually consists of three levels that can be enabled individually:
  • Agentless Exception Monitoring (AEM) enables the administrator to monitor operating systems and applications for crashes and errors. The administrator can direct these reports, which would previously have gone directly to Microsoft, to a Management Server, from which they can then be forwarded on to Microsoft if you choose to do so.
  • Customer Experience Improvement Program (CEIP): When you participate in the CEIP, you configure clients with Group Policy to redirect reports to an Operations Manager 2007 Management Server, instead of sending reports directly to Microsoft. The Management Servers are then configured to forward these reports to Microsoft.
  • Client Monitoring for Business-Critical Workstations involves actually deploying an Operations Manager agent to business-critical desktops. Management packs include those for Windows 2000, Windows XP, and Windows Vista, and the Microsoft Information Worker, which monitors Microsoft Office, Internet Explorer, and other Microsoft desktop applications.
It is important to note that the AEM and CEIP client monitoring components can be performed agentlessly.

Give It a Try
As you can see, System Center Operations Manager 2007 brings a host of features designed to deliver service-oriented monitoring with integration in all the right places, allowing you to take advantage of existing investments in Active Directory, streamline administration, and reduce total cost of ownership. I encourage you to try this great new release and explore its possibilities.
You can download a 180-day trial copy of Operations Manager 2007 at microsoft.com/technet/opsmgr/2007/downloads/trials/privacy.mspx. For more information on Microsoft System Center technologies, visit the System Center Operations Manager homepage at microsoft.com/systemcenter/opsmgr. See System Center success stories (videos and case studies) on the new "Designed for BIG" Web site at designedforbig.com.

Pete Zerger is a consulting partner with AKOS Technology Services. Pete has nine years of experience in the IT industry, and he focuses on design and deployment of enterprise operations management, directory services, and messaging solutions. Pete holds an MCSE for Messaging, an MCTS for SQL Server 2005, and he is a Microsoft MVP for Microsoft Operations Manager.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.