The MOM Management Pack

All of the Management Packs depend on the health and availability of the Microsoft Operations Manager (MOM) server components and agents, as well as the successful forwarding and retention of monitoring data.

The MOM Management Pack monitors problems with agent deployment and configuration, communications failures, security issues, and the MOM Connector framework. Automated tasks provide easy access to common network administration and diagnostic tools. Reports call attention to performance bottlenecks and provide data for capacity planning.

Table 3.1 summarizes the monitoring scenarios for the MOM Management Pack. The MOM Management Pack has undergone extensive modeling and testing to ensure that minimal configuration is required for most deployments.

Best Practices

It is recommended that you review the following best practices for Management Packs.

Changing Management Packs

It is recommended that you do not change any MOM Management Pack settings until you have performed a thorough analysis to determine whether changes are required. If changes are required, ensure that these changes are adequately tested.

  • If you change company knowledge or enable a disabled setting, you can edit the original rule. This is possible because these settings are preserved when you import the Management Pack by using the update option.

  • If you change an enabled rule, follow these guidelines:

    • Make a copy of the rule that you want to change.

    • Disable the original rule.

    • Make changes to the copy of the rule, and commit these configuration changes.

    • Conduct tests on the copy of the rule.

Important

  • Before you change any of the MOM Management Pack settings, refer to The Microsoft Operations Manager 2005 Management Pack Guide, which is available from the MOM product Web site.

  • Additional guidance for Management Pack authoring is provided in the Microsoft Operations Manager (MOM) 2005 Management Pack Development Guide.

  • Guides for other Management Packs, such as Active Directory and Exchange Server 2003, are also available at the MOM Web site, and you should review these documents before implementing any changes.

Additional Management Packs

It is recommended that you install additional Management Packs for your MOM deployment. The following Management Packs will extend the depth and breadth of monitoring for all of the MOM components.

Note

Management Pack version numbers are provided to help you locate the most recent version of the Management Packs. The Management Packs listed are available from the Download Center of the MOM Web site.

  • Windows Base Operating System - Monitors the performance and availability of Microsoft Windows Base Operating System 4.0 and later versions (MP version: 05.0.2803.0000).

  • SQL Server 2000 - Detects and sends alerts about critical events. Helps indicate, correct, and prevent service outages or configuration problems (MP version: 05.0.2803.0000).

  • Internet Information Services (IIS) - Monitors IIS events in the Windows NT and IIS event logs. For IIS 5.0 and IIS 6.0, it includes a script that polls and tracks the responsiveness of your IIS server (MP version: 05.0.2803.0000).

  • Microsoft Baseline Security Analyzer (MBSA) - Performs security vulnerability assessments and security update scans of computers running Microsoft Windows 2000 or later (MP version: 05.0.2803.0000).

  • Microsoft Windows Server Clusters - Highlights events that may indicate possible service outages or configuration problems, so that you can take action. The highlighted events provide information about many parts of a server cluster (MP version: 05.0.2803.0000).

Installing and Tuning Management Packs

It is recommended that you install the Management Packs in batches, and then fine-tune and optimize each one. This approach is considerably easier than enabling and disabling large numbers of rules. Most Management Packs should not require large-scale changes to optimize them for your environment. Generally, changing fewer than 5 rules in an MP is the most that is required. You can typically identify these rules by using the most common event and alert reports.

If you want to disable multiple rules, either disable processing rule groups associated with computer groups, or just computer groups, rather than disabling all processing rule groups or all rules.

Importing and Exporting Reports

Note the following information related to importing and exporting reports:

  • The report import/export component of the Import/Export Management Packs Wizard does not support either the import or export of linked reports.

  • When you export reports by using the import/export utility and the underlying data source uses Structured Query Language (SQL) authentication, password information is not exported, for security reasons. When these reports are imported on a different computer, they are broken because they do not contain the password. In this scenario, the work-around is to edit the data source and enter the required password.

Importing Management Packs with Custom Tasks

When you use MOM to import a Management Pack that contains a custom task, the custom task is not visible in the Administrator console navigation pane after the import is completed.

Although the custom task is successfully imported and created, you may have to refresh the Tasks folder in the MOM 2005 Administrator console for the custom task to be displayed correctly. To do this, use the following procedure.

Refresh the Tasks list in the Administrator console

  1. In the Navigation pane, expand the Management Packs node to show the Tasks folder.

  2. Right-click Tasks, and then click Refresh.

Management Pack Monitoring Scenarios

The following tables provide summary information about the monitoring scenarios for each of the recommended Management Packs, including the Management Pack for MOM 2005. This information is extracted from the guide that is available for each Management Pack.

Table 3.1 MOM 2005 Management Pack

Scenario | Description

Agent deployment and upgrade

  • Installation success and failure

  • Upgrade success and failure

  • Uninstall success and failure

Agent monitoring

  • Heartbeats

  • Script failures

  • Service discovery problems

  • Managed code responses

  • Task failures

  • Provider problems

  • Override issues

  • Queues

Agentless monitoring

  • Agentless monitoring failures

  • Permissions issues

Management Server monitoring

  • Response failures

  • Computer discovery issues

  • Service discovery issues

  • Database communication issues

  • Queues

  • User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) communication issues

Database monitoring

  • Database space issues

  • Configuration issues

  • Authentication issues

  • Grooming issues

Reporting monitoring

  • Microsoft SQL Server Reporting Server service issues

  • Data warehouse grooming issues

MOM Connector framework monitoring

  • Forwarding and inserting issues

  • Data configuration issues

Security

  • Legacy Client connections refused

  • Large number of legacy connections refused

  • Agents failing authentication

  • Port floods and unauthorized access attempts

  • Connection negotiation failures

  • Manual agent connections refused

Performance monitoring

Agent:

  • Processor time

  • Private bytes

  • Alert processing and incoming time

  • Network bytes sent and received

Database:

  • Insertion time for alert

  • Performance

  • Service discovery and event data

Management Server:

  • Channel errors

  • Fragmented packets

  • Total connections (agents)

  • Total legacy connections (MOM 2000 Service Pack 1 (SP1) agents)

  • Network bytes sent and received

Note

Previous versions of the Microsoft Management Packs, for MOM 2000 and MOM 2000 SP1, will work with MOM 2005. However, older Management Packs do not support new features such as state awareness and run-time tasks.

Table 3.2 Windows Base Operating System Management Pack

Scenario | Description | Windows NT 4.0 | Windows 2000 Server | Windows Server 2003

Service and application management

  • Core Windows service up/down status

  • Unexpected service terminations

  • Service configuration issues

  • Service account and authentication issues

Windows NT 4.0: Core Windows service up/down status only | Windows 2000 Server: X | Windows Server 2003: X

Reliability

  • Detection of reoccurring application terminations

  • Gathers data on system shutdowns for shutdown reporting

  • Reports system failures (for stop error reporting)

Windows NT 4.0: (blank) | Windows 2000 Server: X | Windows Server 2003: X

Storage

  • Share availability issues

  • Share configuration issues

  • Local storage resource availability

  • Local storage free space

  • File system integrity and corruption issues

Windows NT 4.0: Local storage free space only | Windows 2000 Server: X | Windows Server 2003: X

Networking

  • IP address conflicts

  • Disconnected network adapters

  • Duplicate network names

Windows NT 4.0: (blank) | Windows 2000 Server: X | Windows Server 2003: X

Performance measuring

  • For most commonly used performance data

Windows NT 4.0: (blank) | Windows 2000 Server: X | Windows Server 2003: X

Performance threshold monitoring

  • Physical Disk - Avg. Disk sec.

  • Physical Disk - Avg. Disk sec./Read

  • Memory - Pages/sec.

  • Processor - % Processor

  • Processor - % DPC

  • Processor - % Interrupt Time

  • Memory - % Committed bytes in use

  • Memory - Available megabytes

Windows NT 4.0: X | Windows 2000 Server: X | Windows Server 2003: X

State monitoring and service discovery

  • Base OS services

  • Storage

  • Messenger service

  • Computer browser

  • Logical Disk Manager service

  • Dynamic Host Configuration Protocol (DHCP) client

  • Domain Name Service (DNS) client

  • Remote Procedure Call (RPC) health

  • Server service

  • Transmission Control Protocol/Internet Protocol (TCP/IP) NetBIOS Helper service

  • Hardware discovery

  • Event log

  • Workstation service

Windows NT 4.0: X | Windows 2000 Server: X | Windows Server 2003: X

Table 3.3 SQL Server Management Pack

Scenario | Description

Enterprise configuration support

  • Multiple instance-aware

  • 100% cluster-aware (Active/Passive and Active/Active)

  • Monitors SQL Server 64-bit edition

Service and database availability and health

  • Availability of SQL Server

  • SQL Agent services

  • Full Text Search service

  • Alerts on databases in suspect and emergency states

Database connectivity

  • Local connectivity

  • Database connectivity issues

  • Port bind errors

  • Configuration errors

  • Protocol problems

  • Corrupt system databases

Remote connectivity

  • Connects to SQL Server remotely to simulate the client experience

  • Tests database response time with custom Transaction Structured Query Language (TSQL) query

  • Evaluates intermediate network connectivity

  • User-defined criteria:

    • Query to execute

    • Database to query

    • Response time

    • Client computers

Database space

  • Intelligent free space monitoring monitors the remaining space in all databases and transaction logs

  • Files and file groups aware

  • Enterprise adjustable warning and error thresholds

  • Separate threshold for:

    • Logs and databases

    • System databases

    • TempDb

    • User databases

Service pack compliance

  • Check computers running SQL Server for compliance with a minimum (user-defined) service pack or hotfix level

  • Generate success and failure alerts for auditing

  • Service pack and compliance reports display version, build, and service pack levels

Configuration monitoring

  • Alert on configuration inconsistencies in your enterprise for each database, including:

    • Auto Close

    • Auto Create Stats

    • Auto Shrink

    • Auto Update Stats

    • Cross Database Chaining

    • Torn Page Detection

Blocked processes

  • Monitors blocking system process IDs (SPIDs) based on a blocking duration threshold time. Alert details include:

    • Blocked SPID

    • Blocked by SPID

    • Program Name

    • Block duration

    • Login Name

    • Database Name

    • Resource

    • Topped blocked report allows further details on data, including top blocking users, application, and average blocking time

Replication monitoring

  • Monitors the health of SQL Server replication and alerts on replication failures.

Long running agent jobs

  • Job run time measured in real time, and compared against a predetermined threshold.

Security monitoring

  • Monitors SQL Server security and audit events:

    • Denied administrative functions

    • Single-user mode startup

    • License compliance

    • Shutdowns

    • Configuration problems

    • Collection of audit data

    • Successful and failed Logins

    • Trusted and untrusted connections

Backups and jobs

  • Failed SQL Agent Jobs

  • Job corruption

  • Failed notifications

  • SQL e-mail problems

  • Failed backups

  • Full backups

  • Incremental/differential backups

  • Restore errors

Server performance

  • Poor disk responses

  • Excessive SQL process CPU use

  • Deadlocks

  • Excessive user connections

  • Schema-specific performance problems

Table 3.4 IIS Management Pack

Scenario | Description | IIS 5.0 | IIS 6.0

Service availability

  • Monitors the availability and health of the following services:

    • World Wide Web Publishing Service

    • File Transfer Protocol (FTP)

    • Network News Transport Protocol (NNTP)

    • Simple Mail Transfer Protocol (SMTP)

    • HTTP Filter

    • IIS Admin

IIS 5.0: X | IIS 6.0: X

Application availability and integrity

  • Alerts and reports on client detected errors, including Server Too Busy

  • Detects configuration problems with Web sites and applications

IIS 5.0: X | IIS 6.0: X

Security

  • Performs basic detection of unauthorized access attempts

  • Detects brute force attacks and denial of service attacks

  • Automatically blocks attackers by IP address

IIS 5.0: X | IIS 6.0: X

Site Integrity

  • Detects missing links from Web logs

  • Detects invalid URLs

  • Detects de-activated Web sites

IIS 5.0: X | IIS 6.0: X

World Wide Web Publishing Service specific

  • Worker process failures

  • Service configuration problems with Web site stopped states

  • Configuration issues

  • Web site binding issues

  • Misconfigured bindings

  • Logging issues

IIS 5.0: X | IIS 6.0: X

Related services

  • Unexpected failures

  • Configuration related failures

  • Inability to create application pools

  • Identity issues

  • Service startup and shutdown timeouts

  • Worker process recycle requests and events

IIS 5.0: (blank) | IIS 6.0: X

Table 3.5 MBSA Management Pack

Scenario | Description | Windows 2000 Server | Windows Server 2003

Setup of Microsoft Baseline Security Analyzer (MBSA)

  • Places the MBSA binaries on all agent computers

  • Automatically downloads updated copies of the Mssecure.cab file

Windows 2000 Server: X | Windows Server 2003: X

Security Reporting

  • Reports missing security patches

  • Reports missing service packs

  • Detects other security vulnerabilities known to Microsoft

Windows 2000 Server: X | Windows Server 2003: X

MBSA Issues

  • MBSA setup issues on agent computers

  • Permissions issues on agents that prevent MBSA from scanning

  • MBSA scanning issues on agent computers

  • Issues with reading the MBSA output file on agents

Windows 2000 Server: X | Windows Server 2003: X

Internet Explorer (IE) vulnerabilities

  • IE zones not configured for security

  • IE enhanced security configuration not enabled for administrators

  • IE enhanced security configuration not enabled for non-administrators

Windows 2000 Server: X | Windows Server 2003: X

Internet Information Services vulnerabilities

  • MSADC and Scripts virtual directories are installed

  • IIS parent paths are enabled

  • IISADMPWD virtual directory is installed

  • IIS sample applications found

  • IIS Lockdown Tool not run on specific servers

  • IIS logging is disabled

  • IIS is installed on a domain controller

Windows 2000 Server: X | Windows Server 2003: X

Windows operating system vulnerabilities

  • Local account password is blank or weak

  • Windows Firewall is disabled

  • Too many users in the local administrators group

  • Auto logon is enabled

  • "Password never expires" is set on local account

  • Current RestrictAnonymous registry setting presents a high security risk

  • Automatic updates are not enabled

  • Local guest account is enabled

  • Logon and logoff event auditing is disabled

  • File system is not NTFS

Windows 2000 Server: X | Windows Server 2003: X

Microsoft SQL Server vulnerabilities

  • Everyone group has more than Read permissions to SQL Server registry keys

  • SQL Server or MSDE password is exposed in clear text log

  • SQL Server or MSDE local password is weak

  • BUILTIN\Administrators is a member of SQL Server SysAdmin role

  • SQL Server or MSDE service accounts are running as LocalSystem

  • Mixed-mode authentication

  • SQL Server or MSDE directory access is not secure

  • Guest account has access to one or more databases

  • SQL Server or MSDE is installed on a domain controller

  • Non-SysAdmin user has CmdExec privileges

  • Too many users are in the SQL Server SysAdmin role

Windows 2000 Server: X | Windows Server 2003: X

Table 3.6 Windows Server Clusters Management Pack

Scenario | Description | Windows 2000 Server | Windows Server 2003

Service monitoring

  • Cluster service stopping or stopped

  • Cluster service failed to start

Windows 2000 Server: X | Windows Server 2003: X

Resource groups and resource health

  • Availability of resource groups

  • Resource group failover

  • Availability of disk, name, network and IP Address resources

Windows 2000 Server: X | Windows Server 2003: X

Quorum resource monitoring

  • Quorum dependency errors

  • Quorum unavailable

  • Corrupt quorums

  • Read-only quorums

  • Quorum space alerts

Windows 2000 Server: X | Windows Server 2003: X

Cluster node monitoring

  • Node failures to join cluster

  • Initialization failures

  • Cluster node evictions and eviction errors

Windows 2000 Server: X | Windows Server 2003: X

Cluster network issues

  • Network configuration errors

  • Network communication failures

  • DNS issues

  • Kerberos authentication problems

  • Active Directory communication errors

  • IP address issues

Windows 2000 Server: X | Windows Server 2003: X

General resource issues

  • Account or password issues

  • Disk corruption errors

  • Failure to bring resources online

  • Failed resources

  • Disk mount errors

Windows 2000 Server: X | Windows Server 2003: X

Rule Overrides

Rule overrides are a valuable tool that MOM provides to enable you to override a rule for a computer or computer group. Overrides can be used and shared by rules, scripts, and the MOM APIs.

For example, a server with lower performance capabilities than the other servers in its group can trigger a performance alert before the other servers in the same group do. Rather than lower the performance threshold in the rule for all of the servers, you can create an override that identifies the server and the rule.

You must be a member of, at a minimum, the MOM Authors group to create an override in the Administrator console.

Use the following procedure to create an override for an event rule. You can use the same procedure to create an override for alert rules and performance rules.

Create an override for an event rule

  1. In the Navigation pane, locate the rule group for the rule.

  2. In the Details pane, right-click the rule name and click Properties.

  3. On the General tab, select the check-box for Enable rule-disable overrides for this rule.

    Note

    If the rule is disabled, the prompt for the check-box is Enable rule-enable overrides for this rule.

  4. Click the Set Criteria button to open the Set Override Criteria property page, and then click Add.

  5. Click the right-arrow button beside the Target: input area, and then pick Computer Group or Computer to specify the target.

  6. In the Add Computer property page, select a computer to add, and then click OK. Repeat steps 5 and 6 if you want to add more computers.

  7. By default, the Value: is Disable (0) if the rule is already enabled. Click OK.

  8. Click OK to close the Set Override Criteria property page, and then click OK to close the property page for the rule.