• Article

System Center

What's New in System Center Essentials SP1

Pete Zerger

 

At a Glance:

  • Easier installation with integrated installer package
  • Enhanced overrides for fine-tuning management packs
  • Support for workgroups
  • New health state recalculation task

With the release of System Center Essentials 2007 last July, Microsoft made good on its commitment to midsize businesses, bridging the gap between expensive, complex enterprise tools and shareware

solutions to deliver a unified management solution for IT operations. Essentials 2007 is specifically designed to meet the challenges faced by the midsize business, where IT pros often perform a broad range of tasks.

Essentials is easy to install and configure, enabling IT pros to proactively monitor and manage clients and servers, as well as track hardware and software assets. It is designed to simplify traditionally complex tasks, like application and IT service monitoring, client and server software deployment, and troubleshooting desktop issues.

Since the initial release, Microsoft has been collecting feedback from customers in the field who are already using Essentials to manage their IT infrastructure, and this information has been incorporated into the first service pack for the product. More than simply delivering bug fixes, SP1 introduces significant enhancements that make the product more flexible in meeting customer needs in a variety of deployment scenarios. Moreover, performance improvements considerably enhance the user experience and streamline administration.

In this article, I'll review the key advancements delivered in Essentials 2007 SP1. I'll also look at how they can make managing your environment even easier.

Easier Installation

The SP1 integrated installer package rolls up all Essentials hotfixes to date, making installation an easy task that requires just a few clicks. Essentials can now also be configured to use a remote 64-bit SQL Server® 2005 instance, while the Essentials Server resides on a 32-bit Windows Server® 2003 instance. This grants administrators greater flexibility in utilizing the existing server infrastructure in their environment in a distributed Essentials deployment topology. Moreover, Windows Server 2008 will be a supported platform for the Essentials 2007 SP1 Server, console, and agent. Full support for Windows Server 2008 is expected sometime shortly after the new OS is released to manufacturing.

Better Console Performance

If you've used the RTM release of Essentials 2007, you'll appreciate the dramatically more responsive Essentials Console interface in SP1. Performance has been improved in Alert, Event, Performance, State and Task Status Views. For example, in all Alert views, changes in data fetching (retrieval) results in alert data selection that is as much as three times faster. Actions and reports are now fetched in the background, which further improves UI performance. Likewise, context-based Tasks and Reports (displayed in the Actions pane in the right-hand side of the Operations Console) are loaded in the background, allowing the Views to respond more quickly to your selections.

Alert knowledge that is displayed in the Alert Details pane can now be shown or hidden according to the user's preference simply by clicking the Show Knowledge or Hide Knowledge links (see Figure 1). This preference is then remembered when viewing future alerts. Administrators can now also perform copy-and-paste of Alert details with the standard keyboard shortcuts (such as Ctrl+C and Ctrl+V).

Figure 1 Alert Details pane with Show/Hide Knowledge links

Figure 1** Alert Details pane with Show/Hide Knowledge links **(Click the image for a larger view)

Override Enhancements

Overrides are used to tune your management packs, disabling rules and monitors where they are not needed, as well as for tweaking various threshold values. There are several significant improvements related to overrides that not only make tuning rules and monitors to your environment easier, but that also provide greater visibility into the overrides already present in your Essentials environment. The result is a reduced need to create custom rules and less time spent trying to identify the overrides present in your environment.

For example, after you have created an override for any management pack object, you can now look at the summary of overrides for the object type in the Overrides Summary box. Essentials 2007 SP1 ensures that the description of the override target is complete. If you create an override for Logical Disk Free Space for the C:\ drive of Server1, for example, the summary will display 'server1/c:'. An example may clarify the importance of this change.

Notice in Figure 2 that in this Overrides Summary for the Windows Server 2003 Logical Disk Free Space in the Essentials 2007 RTM release, it is impossible to tell which computer is hosting the C:\ drive instance targeted by the override. In the same Overrides Summary in Essentials SP1, you can see that the Name column now displays not only the target drive instance, but also the computer hosting that drive (see Figure 3).

Figure 2 Overrides Summary in Essentials 2007 RTM

Figure 2** Overrides Summary in Essentials 2007 RTM **(Click the image for a larger view)

Figure 3 The same Overrides Summary in Essentials 2007 SP1

Figure 3** The same Overrides Summary in Essentials 2007 SP1 **(Click the image for a larger view)

Alert severity can have a substantial impact on the volume of alert traffic being collected by administrators. Until now, if an Essentials Rule in a sealed management pack was configured to generate a critical alert that was not critical on some servers, administrators could not do anything to adjust this setting, as alert severity and priority were not exposed in rule overrides. The only workaround was a labor-intensive exercise of creating overrides to disable the rule for some machines, followed by recreating the rule(s) in an unsealed management pack where alert parameters could be manipulated—clearly not an ideal situation from an administration perspective.

This problem is handled neatly in SP1, with both alert severity and priority exposed as override parameters in all sealed management pack rules, as shown in Figure 4. Administrators can thus quickly and easily lower or raise the severity and priority of the alerts generated by rules in Essentials 2007 by creating overrides.

Figure 4 Alert severity and priority rule overrides

Figure 4** Alert severity and priority rule overrides **(Click the image for a larger view)

You may also have noticed the Enforced checkbox in Figure 4, which is not present in the console interface in the Essentials RTM release. In cases where multiple overrides are enabled for an object, the override with the Enforced flag selected will be given higher priority. This can come in handy when the same override is set for two groups of objects and some objects have membership in both groups. By setting the Enforced option on the override you want to take precedence, you can be certain exactly which override setting is applied.

To make the creation of new management packs easier, Essentials 2007 SP1 introduces the ability to copy views from any existing management pack to an unsealed management pack. The copy operation is supported for all types of views (such as Event, Alert, Performance, Dashboard, and Diagram) and can be done in the Monitoring space. For example, if you have created a management pack for Active Directory® overrides and want to use one of the Active Directory management pack views in the Active Directory overrides management pack, you would simply select the desired view, and then copy and paste it into the desired custom management pack folder in the Navigation pane in the Monitoring space.

New Override Reporting

Also worth mentioning is the new Overrides Report in the Microsoft® Generic Reporting Library, located in the Reporting pane of the Essentials Console. This report provides a way to describe overrides from the perspective of the management pack in which they are stored or according to the management pack to which they are applied (see Figure 5). Users are able to set report parameters to exclude sealed MP overrides from the report. This is an important filtering option because sealed management packs from Microsoft and others contain many overrides you will not care about when reporting on changes made in your own environment.

Figure 5 Overrides Report parameters

Figure 5** Overrides Report parameters **(Click the image for a larger view)

If you follow the Microsoft best practice of creating a separate custom management pack for each sealed management pack (one for the Active Directory MP, one for the Exchange MP, and so forth), you will have the ability to more effectively narrow the scope of the report to view the overrides that apply to a specific management pack.

Once you have selected the appropriate unsealed management packs, you can run the report, which displays output as pictured in Figure 6. Note that the report clearly displays the rule or monitor to which the override applies (the Affected element column), as well as the Installed and Deleted date and time associated with the monitor. This illustrates the fact that the Overrides Report serves as not only a list of active overrides, but also as a report of override configuration change history.

Figure 6 Overrides Report detail

Figure 6** Overrides Report detail **(Click the image for a larger view)

Finally, at the bottom of the detail view for each affected Rule or Monitor, you will find a hyperlink labeled Rule configuration view. This link launches a separate Rule view or Monitor view with scope of the view already targeted at the affected object type. For example, if you click the Rule configuration view link for the override pictured in Figure 6, which is an override on a rule targeting the Active Directory Domain Controller Server 2003 Computer role, note that the resulting Rule view will only display rules that target that object type.

Support for Workgroup Computers

One of the significant points of customer feedback related to the need to manage servers and workstations in workgroup configurations. Many environments have at least one server sitting in a perimeter network or branch office not joined to the domain. Because Essentials requires mutual authentication between the Essentials Server and agent-managed computers, workgroup machines residing outside the trust boundary of the Essentials server also fall outside the scope of Essentials agent deployment. In many environments, this means potentially leaving key components of the infrastructure unmonitored and outside the Essentials patch management process. How can we securely manage these machines?

SP1 introduces certificate-based authentication for scenarios where Active Directory and Kerberos authentication is not available. This requires both the Essentials Server and the agent-managed computer have a X.509 digital certificate installed. The digital certificate can be issued from either a Windows® Standalone or Enterprise root Certificate Authority. If you do not currently have a Windows Certificate Authority in your environment, you can install this feature through Add/Remove Programs on a domain controller or member server in your environment, including the Essentials Server. For more information on Certificate Services and Public Key Infrastructure (PKI) in Windows Server 2003, see microsoft.com/windowsserver2003/technologies/pki.

To configure certificate-based authentication in Essentials, you first request and issue a certificate to both the Essentials Server and the computer targeted for management. The request can be entered via a Web site on the server acting as the Certificate Authority.

After the certificate is issued and installed, it must be "registered" for use with Essentials by using the MOMCertImport command-line utility. To complete the certificate configuration, you simply export the certificate to a file (in .pfx format) and run MOMCertImport on the local computer with the following syntax:

MOMCertImport.exe <cert path \ name>

Once all of these steps have been executed on the Essentials Server and the computer targeted for management, these systems can mutually authenticate and then securely exchange data over an encrypted channel. To complete the agent deployment process, just perform a manual installation of the Essentials agent on the target computer.

Network and Device Monitoring

Essentials 2007 delivers network device monitoring functionality capable of discovering common attributes of many SNMP-enabled network devices. While SNMP version 2c (SNMPv2c) is the most widespread today, all network devices are not created equal. With that in mind, SP1 delivers support for SNMP version 1 (SNMPv1) to accommodate monitoring of a variety of older network devices, such as some UPSs, routers, and print servers that are not SNMPv2c-capable. As Figure 7 shows, administrators can tell Essentials which SNMP version to use through an additional dropdown field in the Computer and Device Management Wizard.

Figure 7 Enhanced interface for network device discovery

Figure 7** Enhanced interface for network device discovery **(Click the image for a larger view)

Enhanced Update Management

Significant improvements in update management are also delivered in SP1. Windows Server Update Services (WSUS) 3.0 auto-approval rules allow you to specify different products and update classifications, such as automatic approval for definition updates for Microsoft Word.

Support for multiple auto-approval rules has also been added to Essentials, bringing its functionality on par with that of the WSUS 3.0 platform (see Figure 8). This empowers administrators to create auto-approvals for multiple categories of updates, including Windows Vista® critical updates and service packs for the 2007 Office system. Auto-Approval rules will then be applied to all updates that are currently on the WSUS server. As a result, by clicking the Run Rule(s) Now task in the Auto-Approvals dialog, administrators can apply changes immediately to existing updates that are present in the Essentials Console.

Figure 8 Auto-Approvals in Update Management

Figure 8** Auto-Approvals in Update Management **(Click the image for a larger view)

With the added support for agent deployment to computers in workgroup configurations, administrators will be able to control update management for their entire environment from the Essentials Console.

Calculating Object Health State

In the past, when viewing the state of monitors in the Health Explorer, administrators had to wait for the periodic refresh of monitor state to determine if Recoveries or other corrective actions were successful. New in the SP1 version of the Health Explorer is the Recalculate Health task, which performs on-demand recalculation of monitor health (see Figure 9). This can substantially expedite the troubleshooting process by eliminating minutes of wait time between corrective actions while waiting to see if the monitor state returns to healthy.

Figure 9 Recalculate Health Task in Health Explorer

Figure 9** Recalculate Health Task in Health Explorer **(Click the image for a larger view)

Similarly, the Reset Health task (present since RTM) has also undergone some important improvements to ensure that every monitor will actually respond to a request to reset its health state to healthy (green). This is even true of reset requests executed against the Essentials Server itself, which did not always respond to reset requests in the RTM release.

Scripted Diagnostics

Diagnostics are a special type of inline task new in Essentials 2007, allowing automatic or on-demand execution of data collection tasks when an alert is raised. An automatic diagnostic is one that is configured to be executed whenever a monitor goes into an error state. The results of the diagnostic appear in the Details pane of the State Change Events tab of the Health Explorer. An on-demand diagnostic appears as a hyperlink in the same area and can be executed simply by clicking on the link. Results are displayed in a pop-up window on the local machine.

As Figure 10 shows, SP1 extends the functionality of diagnostics by allowing scripts to be used in diagnostic tasks (as opposed to command-line responses only in RTM). This provides the framework for executing more elaborate and varied automated data collection responses when error conditions are encountered. Note that both VBScript and JScript® are supported for use in these diagnostic tasks.

Figure 10 Alert Details pane with Show/Hide Knowledge links

Figure 10** Alert Details pane with Show/Hide Knowledge links **(Click the image for a larger view)

Export to Visio

Another new feature in SP1 is support for exporting diagrams to Microsoft Visio® 2007 format, with a button exposed on the toolbar when the user selects a diagram view. This provides a very convenient documentation feature, as the Active Directory and Exchange Server 2003 management packs provide detailed topology diagrams right out of the box, saving administrators valuable time writing documentation. Furthermore, diagram layout preferences can be saved. These preferences will be remembered by the Essentials Console the next time the diagram view is selected.

Better Backup and Recovery Guidance

Immediately following installation of Essentials 2007 SP1, the installation wizard now automatically prompts the user to back up the Essentials Management Server encryption keys (see Figure 11). This key pair is used by the Essentials Server in the secure storage of Run As Credentials in the Operations database. These keys are also required in the event that Essentials Server must be restored from backup. Without this key pair, Essentials would need to be reinstalled and configured from scratch.

Figure 11 Essentials encryption key backup

Figure 11** Essentials encryption key backup **(Click the image for a larger view)

Improved Management Pack Quality

In addition to the many improvements in SP1 for Essentials, the Essentials product team is making great strides in improving the quality of the management packs for the Essentials platform through more varied and rigorous testing procedures, as well as through greater interaction with the various product teams and application subject-matter experts. The results will be reflected in the release of more management packs that take advantage of the new features in the Microsoft monitoring platform, including self-tuning thresholds, service-oriented monitoring using distributed application models, as well as the powerful reporting engine.

Microsoft will begin releasing more native management packs leveraging the new features in Essentials beginning in 2008. Management packs for Essentials 2007 can be downloaded from the System Center Management Pack Catalog at go.microsoft.com/fwlink/?LinkId=112399.

Give It a Try

SP1 delivers performance enhancements making System Center Essentials 2007 a wise investment for managing the IT infrastructure of your mid-size business. If you already have Essentials 2007 in your environment, download a copy of SP1 and experience the feature and performance improvements for yourself. If you have not yet deployed Essentials 2007 and want to try Essentials 2007 with SP1, you can download the SP1-integrated installer package. Both packages, as well as additional product information, can be found at the Essentials 2007 homepage at microsoft.com/systemcenter/essentials. 

Pete Zerger is a consulting partner with AKOS Technology Services and has nine years of experience in the IT industry. He focuses on design and deployment of enterprise operations management, directory services, and messaging solutions. Pete holds an MCSE for Messaging, an MCTS for SQL Server 2005, and he is a Microsoft MVP for Microsoft Operations Manager. He is founder of systemcenterforum.org, a popular community site covering Essentials 2007 and the System Center Suite.

© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.