The following message was posted as an email to this blog last Thursday:

In Operations Manager 2007 Unleashed, you say that it is possible to create synthetic transactions using VBscript. You go on to work through a few examples of synthetic transactions based on pre-defined templates in Operations Manager. As part of this, you describe how to use watcher nodes to run these transactions.
Unfortunately I've not been able to find many examples of people who are actually doing this, so I'm turning to your site in desperation. I have an FTP server and need to prove that I can establish a connection and transfer a file to it. What I thought was the hard bit - I'm not a coder! - is done. A small VBscript establishes a connection, transfers a files and returns the status code to Operations Manager in a property bag.
What I'm struggling with is the simple bit: where to run it. I don't want to run it on the FTP server itself, as this wouldn't prove anything. Ideally I would like to use a watcher node, but I can't find a way to do this without using one of the pre-defined templates for synthetic transactions, none of which allow me to run my own VBscript. Am I missing something obvious?
By the way, and regardless of whether you can answer this post or not, System Center Operations Manager 2007 Unleashed is a truly excellent book. In my 12 year career I've read through many IT titles. This one really stands as an example of what a good IT book should be: it covers the theory, operation and real-life scenarios (for example database sizes) in just the right level of detail.
Andy

Unfortunately, Andy's communication preference settings don't allow us to respond to him, and we would like some additional details as we may need to have him try some things.

Andy, can you email ops-mgr@hotmail.com with an email address that we can reply to? Thanks!

At MMS 2008 last May, Microsoft announced their direction to use Operations Manager to manage non-Windows systems (for more information, see Kerrie’s articles “Of Flying Pigs” at http://www.networkworld.com/community/node/27600 and “The Dynamic Datacenter” at http://www.networkworld.com/community/node/27354). This article discusses our experiences testing a beta version of the (Cross Platform) X-Plat software.

The Conventional OpsMgr Gateway Role

Let’s say you have computers at a branch office, in the offices of a partner or customer, or in a datacenter that resides on an untrusted and/or unconnected network. You put an OpsMgr gateway server on that remote network and connect it to your main OpsMgr management group with certificate-based authentication. Cool technology, and you are now monitoring those remote systems from your main location without standing up any new connectivity and potentially increasing the attack surface.

New OpsMgr/X-Plat Gateway Scenario

Before Microsoft introduced the Cross-Platform beta 1 refresh, you could not leverage that secure yet lightweight OpsMgr gateway service for monitoring any Linux computers at your remote location with anything more than a basic SNMP heartbeat. This article reviews this new feature of the Microsoft System Center Operations Manager 2007 Cross Platform Extensions Public Beta 1 Refresh. The software allows OpsMgr gateway servers to discover and fully manage non-Windows computers at remote network locations. This capability opens a new market for Operations Manager with a novel solution to extend management to Linux and other X-Plat systems such as HP-UX or Solaris and even AIX, which were previously out of reach of native System Center tools.

Note: We review here the second released beta for X-Plat. Features and function will change in the released product. Microsoft plans to release X-Plat as part of an update to OpsMgr in 2009.

Demo environment

An OpsMgr management group with Internet-facing gateway servers includes a gateway server at a remote datacenter. All gateway servers trust the same Certificate Authority (CA) and use unique identity certificates issued by the mutually trusted NOC CA for encryption and authentication. There is a Red Hat Enterprise Linux server (RHEL) at the remote site. We want to use the gateway server to monitor the Linux server from the NOC.

Here are the steps we took to discover and manage the RHEL box at the remote datacenter:

1. Install the X-Plat extensions on a selected management server and consoles. The official name of the installable is “System Center Operations Manager Cross-Platform Extensions.” Prerequisites include OpsMgr 2007 SP1 and WS-Management (WS-Man) 1.1.
   
   Something we liked a lot is that you don’t need to touch the RMS or any high-value management servers to use X-Plat. You only need to install X-Plat extensions on the management server you will run the discovery wizard from.
   
   There are 32-bit and X64 versions of X-Plat, and also full server and console only versions (a total of four .MSI files to select from). Install the console-only executable on other OpsMgr consoles you will use to monitor the cross-platform systems from.
2. Import the desired X-Plat management packs. The server X-Plat extensions setup defaults to dumping about 14 management packs (for all the operating systems supported by X-Plat) to the %programfiles%\System Center Management Packs folder. You only need to import the libraries and management packs needed to manage your target systems. To manage the RHEL 5 box, we imported these management packs:
   • WS-Management Library
   • Linux Operating System Library
   • Unix View Library
   • Red Hat Operating System Library
   • Red Had Enterprise Linux Server 5 Operating System management packs
3. Run ImportXSLT.cmd on those computers where you installed the X-Plat extensions (management server and consoles). This small step changes how the task output and diagnostic and recovery messages generated by Health Explorer on Unix and Linux computers are displayed. This step has to take place after the X-Plat management packs are imported or you will receive an error.
4. Install the X-Plat extensions on the gateway server. Repeat the installation, similar to the management server. An additional step is that we create a UnixAgents folder in the AgentManagement folder of the gateway server. Extract the UnixAgents.zip that comes with X-Plat to that folder. When the gateway pushes the agent to the Linux server at the datacenter, the Linux bits will come from that folder.
5. Configure the management group Run As Accounts. There is some manual work for the OpsMgr administrator to let the X-Plat extensions on the gateway server know what the credentials are to access the Linux computer.
   1. In the Administration -> Security -> Run As Accounts node of the Operations console, create two new Run As Accounts of the Basic Authentication type. One is a normal user account on the Linux computer and one is a privileged account. For the demo, we used the same root account and password for both Run As accounts. Name the accounts something that identifies them with the gateway server.
   2. In the Security -> Run As Profile node, locate the Unix Privileged Account and associate it with the privileged Run As Account and the target of the gateway server with X-Plat Extensions. Similarly, associate the Unix Action Account Run As Profile with the normal user Run As Account and the target of the gateway server.
   3. This beta release of X-Plat extensions only provides for a single pair of Run As Accounts per management server or per gateway server that performs the discovery and monitoring. To monitor other Linux computers with different sets of credentials requires an additional management server or gateway server for each set of credentials. This is a product limitation we hope is overcome in future releases.

6. Discover and accept the Linux server from the management server. This is just like using the Discovery Wizard from the Administration space of the Operations console, except you launch the X-Plat discovery process from the Overview page of the Cross Platform management pack in the Monitoring space. (In later releases X-Plat discovery is expected to migrate to the Administration space and integrate with Windows computer and network device discovery.)
   • An issue with this beta release of X-Plat is that support for discovery of the most current versions of some Linux distributions isn't there. In our environment where the demo Linux computer is located, datacenter security polices require Linux distributions be kept current.

     While RHEL 5.2 is the current release, X-Plat only discovers up to RHEL 5.1. (Our hope and assumption is that the RHEL 5.1 agent will work on 5.2.) We expect that with future releases of X-Plat, there will be a community effort to keep X-Plat management packs updated with discovery support for more versions and releases.

     There is a manual install option for the X-Plat agent, which in this case would be as follows (the RPM file can be found in the UnixAgents folder on the gateway server):

     rpm -i scx.1.0.1-151.rhel.x86.rpm

     Another solution that enables use of the automatic discovery and integrated features of the X-Plat management packs is to 'trick' the discovery into thinking that the RHEL 5.1 version is installed on the target computer. We used this method, and pushed the version RPM file for 5.1 to the target computer running RHEL 5.2 with this command:

     rpm -i --force redhat-release-5Server-5.1.0.2.i386.rpm

     The --force switch is used since there is a file version downgrade. That RPM file is part of the RHEL 5.1 Server distribution. To later restore the RHEL 5.2 version file, it's enough to run the command "yum update redhat-release-5server" for the single package, or "yum update" to update any other pieces with patches since it was installed.

   • Perform the discovery from the console of a management server where X-Plat Extensions is installed. You need privileged access to the Linux server to push the agent. If you don’t have a superuser account, you need to provide the root user password. After you specify the IP address and privileged account information for the target, if the computer is discoverable, it will shortly appear as seen in this screenshot of the Select Computers to Manage step in the Unix and Linux Computer Management Wizard:

After approving the discovered Linux computer, the gateway server uses SSH to push the System Center Cross-Platform (SCX) agent to the /tmp folder of the Linux computer. After a few minutes you can query the state of the two services that are started by the SCX agent. See this screen shot of an SSH session from the gateway server to the managed Linux server, confirming that the WS-Man daemon and the CIM server are up:

Managing Red Hat Linux with Operations Manager

Soon after completing these actions, the RHEL computer appeared in the Linux Servers state view of the OpsMgr console. Next, data started appearing in the memory and processor-related views. Some hours later, the disk and network views were populated. We received some alerts regarding invalid SSH authentication attempts, and we immediately had a solid feeling about our ability to really manage Linux boxes from Windows with OpsMgr.

Here is a screenshot of an alert related to security of the SSH services on the RHEL box:

An Internet-facing web server is going to get a lot of intrusion attempts against any open service. We secured the SSH services on the RHEL box with these host rules (and the alerts stopped!):

1. Edit /etc/ssh/ssh_config
   1. “vi /etc/ssh/ssh_config”
   2. Press “i” to allow modification of file contents

2. Modify line to restrict SSH protocol to version 2
   1. Locate line “# Protocol 2,1”
   2. Remove “#” from beginning of line, and “,1” from end of line.

3. Save the file
   Press “:wq” and press enter

4. Modify hosts.deny file to deny all hosts access to SSH
   1. “Vi /etc/hosts.deny”
   2. Press “i” to allow modification of file contents
   3. Add this to the next available blank line: “sshd: ALL”
   4. Press “:wq” and press enter

5. Modify hosts.allow file to permit specific hosts to connect via SSH
   1. “vi /etc/hosts.allow”
   2. Press “i” to allow modification of file contents
   3. Add this to the next available blank line: “sshd: <ip address of permitted host> <ip address of permitted host> …..” (…. = etc, not literal)
   4. Press “:wq” and press enter

Monitoring Views

The next screenshot expands all the branches in the Cross Platform Servers view folder (left) created when you import the X-Plat management packs for Red Hat Linux. Focus (right) is on a 24-hour performance view of Physical Disk target “sda” in the RHEL server.

Reports

When you select a Linux server in the Linux Server State view folder, in the Actions pane you will see a dozen targeted Unix Computer Reports available for on-the-fly generation. Here is the 7-day Memory Performance History (Pages per Sec) report for the RHEL computer:

Distributed Application Possibilities

X-Plat Extensions creates OpsMgr objects for monitored components of discovered Linux computers. This expands the universe of objects available to create Distributed Applications (DAs) to include Linux disks, processors, network interfaces and the like.

• We created a DA that contains two components of classes Windows 2008 Logical Disks and Linux Logical Disks. This DA represents the health of the logical disks of all the web farm members, regardless of their OS.
  
• Relationships are defined as Web Server Farm Logical Disks Uses Linux Logical Disk and Web Server Farm Logical Disks Uses Windows 2008 Logical Disk. See the screenshot of the DA below, open in the Distributed Application Designer:

True Cross-Platform Performance Monitoring

By creating a Performance view that targets the DA we created, we can assess aggregated logical disk performance across Windows and Linux members of a web server farm in a remote data center. Now we have "apples to apples" metrics in the same pane of management glass! See this screenshot of X-Plat in full motion:

Remote Task Execution

A final systems management value-add we find in the current X-Plat release is a small collection of Unix Computer Tasks, which are available in both the Operations console and Web console. These tasks are:

• Run VMStat (a short report on virtual memory statistics, paging block I/O, traps, system and CPU usage),\
• Memory Information (paging and swap data)
• Top 10 CPU Processes

In this screenshot we demonstrate listing the top 10 CPU processes on the Linux server:

Contributors: Thanks to Jacob Linscott, Linux Guru at datacenter provider Softlayer for help on the RHEL versioning; and to Kevin Clark, NOC Manager at managed services provider ClearPointe for the command list that secured the SSH service.

Our friend Walter Chomak (http://wchomak.spaces.live.com/) previously posted September 16th, 2008 that his blog would become less active due to some internal projects he was taking on at Microsoft (see http://wchomak.spaces.live.com/blog/cns!F56EFE25599555EC!1657.entry). Well a week later, he's back! - but at a new location. See http://blogs.technet.com/wchomak/ for his latest postings.

On August 28, this blog passed the 200,000 mark for page views since its creation! Thank you to everyone who has contributed to the blog via articles, comments, or questions. We are glad this blog serves a useful purpose :). Thank you also to everyone who has sent words of thanks and encouragement regarding System Center Operations Manager 2007 Unleashed and Microsoft Operations Manager 2005 Unleashed. Authoring books is a lot of work, but hearing how it has helped so many makes that all worthwhile!

- Kerrie, Cameron, John, and Andy   8/28/08

This is the final of a five part series discussing lessons learned through installing System Center Operations Manager onto a fully Windows 2008 environment (DC, RMS, SQL, and Reporting servers). You can see previous posts in this series at:

• http://ops-mgr.spaces.live.com/blog/cns!3D3B8489FCAA9B51!695.entry  OpsMgr by Example - Server 2008 POC – Part 1 (Domain Controller)
• http://ops-mgr.spaces.live.com/blog/cns!3D3B8489FCAA9B51!710.entry  OpsMgr by Example - Server 2008 POC - Part 2 (Database Server)
• http://ops-mgr.spaces.live.com/blog/cns!3D3B8489FCAA9B51!719.entry  OpsMgr by Example - Server 2008 POC - Part 3 (Root Management Server)
• http://ops-mgr.spaces.live.com/blog/cns!3D3B8489FCAA9B51!728.entry  OpsMgr by Example - Server 2008 POC – Part 4 (Data Warehouse Server) 

At this time, we have successfully completed all of the required pieces of the environment other than the reporting components. This post discusses installing the Reporting Server on Windows Server 2008. The Reporting Server installation is definitely the most error-prone part of the entire OpsMgr installation, be it on Windows 2003 or Windows 2008.

Hotfixes for OpsMgr 20007 – Windows 2008 Servers with Agents

Each of the servers in this configuration needed to have three hotfixes applied to them:

• 951327
• 952664
• 953290

After applying these hotfixes, you will need to reboot the system.

OpsMgr Prerequisites

The .NET Framework 3.0 components are not installed by default. You can install these in the Server Manager by adding the Application Server role.

Prior to installing the reporting components for Operations Manager, follow the steps identified in KB article 938245 (http://support.microsoft.com/kb/938245/) to configure reporting services on Windows Server 2008.

Do not attempt to install the reporting components on a system until you can successfully browse to both http://localhost/reports and http://localhost/reportserver on the reporting server. Configuration is required within the Reporting Services Configuration. Browsing of either of the above URL’s will not work until the Reporting Services Configuration is working, we display a functional example below. During our configurations we needed to create a new Report Server Virtual Directory, configure the Database Setup section, and perform an IISReset of the website to get it to a green state for the first six items, as shown in this screenshot:

A successful browse of http://localhost/reports and http://localhost/reportserver will look like this:

Do not pass go, do not collect $200/We spent several hours trying to resolve issues that were actually related to configurations necessary for SQL 2005 Reporting Services to work on Windows Server 2008. Installing the reporting components on a system that does not already have functional reporting services will just make the situation worse.

The prerequisites for the Reporting Server component include SQL Server 2005 with Reporting Services (which in turn requires the Web role, etc) with SQL 2005 Service Pack 2 applied.

OpsMgr Reporting Server installation

The installation of Operations Manager’s Reporting Server worked just the same as on a Windows 2003 platform (once the prerequisites had been configured correctly).

What’s Next?

• Validate reporting functionality both from the existence of the reports and the ability to get valid data from the reports (the Management Pack ODR report is a simple one to validate this with).
• Deploy Operations Manager agents into the environment.
• Integrate additional management packs.
• Wait on official support for Windows Server 2008 as a platform for all of the Operations Manager components.

Lessons Learned

• It is possible you will get an error "Unable to connect to the remote server" when browsing to http://localhost/reports or http://<servername>/reports. For steps on how to address this, check out http://r0nwilliams.spaces.live.com/blog/cns!62A0019E9E556103!190.entry.
• Without question, getting SQL 2005 Reporting Services working on Windows 2008 was the most complex piece of the installation. Focus on getting a functional SQL Reporting server before continuing (see http://support.microsoft.com/kb/938245/ for details).

This is the fourth of a five part series discussing lessons learned through installing System Center Operations Manager onto a fully Windows 2008 environment (DC, RMS, SQL, and Reporting servers). You can see previous posts in this series at:

• http://ops-mgr.spaces.live.com/blog/cns!3D3B8489FCAA9B51!695.entry  OpsMgr by Example - Server 2008 POC – Part 1 (Domain Controller)
• http://ops-mgr.spaces.live.com/blog/cns!3D3B8489FCAA9B51!710.entry  OpsMgr by Example - Server 2008 POC - Part 2 (Database Server)
• http://ops-mgr.spaces.live.com/blog/cns!3D3B8489FCAA9B51!719.entry  OpsMgr by Example - Server 2008 POC - Part 3 (Root Management Server)

We previously installed and configured the Operations Manager database and the Root Management Server (see parts 2-3 of this series). The next step is installing the Data Warehouse server, followed in Part 5 by the series, which discusses the most difficult of the steps – the reporting server installation.

Hotfixes for OpsMgr 20007 – Windows 2008 Servers with Agents

Each of the servers in this configuration needed to have three hotfixes applied to them:

• 951327
• 952664
• 953290

After applying these hotfixes, you will need to reboot the system.

OpsMgr Prerequisites

The prerequisites were checked for the Data Warehouse in part 2 of this article (http://ops-mgr.spaces.live.com/blog/cns!3D3B8489FCAA9B51!710.entry), since the same server is hosting both the Operations database and the Data Warehouse components in this environment.

OpsMgr Data Warehouse installation

The installation of Operations Manager’s Data Warehouse worked the same as on a Windows 2003 platform.

Firewall change

The SQL firewall change discussed in part 2 of this series (http://ops-mgr.spaces.live.com/blog/cns!3D3B8489FCAA9B51!710.entry) provides the documentation for the firewall rule change required to allow connectivity to the SQL Server.

Lessons Learned

There were no surprises when installing the Data Warehouse server on Windows Server 2008.

In June 2007, we posted OpsMgr by Example: Configuring Baselines (http://ops-mgr.spaces.live.com/blog/cns!3D3B8489FCAA9B51!183.entry), which discussed working with the baselines in the Exchange 2003 management pack for OpsMgr 2007.

Microsoft released the most recent update to the Exchange 2003 management pack 8/21/08, available for download at http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF454F4-6D34-4FB9-9E0B-F5B68C6EDC4F&amp;displaylang=en&displaylang=en. This newest version of the MP lowers the sensitivity of Self Tuning Threshold (STT) rules and monitors, increasing the threshold at which the monitors alert.

In addition, the following Self Tuning Threshold monitors were disabled and replaced with static "consecutive samples over threshold" monitors:

• MSEchangeIS\RPC Averaged Latency
• MSExchangeIS Mailbox\Send Queue Size
• SMTP Server\Remote Retry Queue Length
• SMTP Server\Local Queue Length
• SMTP NTFS Store Driver\Messages in the queue directory
• MSExchangeIS Transport Driver\TempTable Current
• SMTP Server\Remote Queue Length

For additional information, check the "How to Configure Self Tuning Threshold Monitors" section of the management pack guide, OM2007_MP_ExSrvr2003.doc. This section describes how the STTs work.

We see this change in the Exchange 2003 management pack as a logical step forward, and were glad that community sites like this one are having an impact in the product evolution.

This is the third of a five part series discussing lessons learned through installing System Center Operations Manager onto a fully Windows 2008 environment (DC, RMS, SQL, and Reporting servers). In this post, we will install and configure the Operations Manager Root Management Server (RMS), as we now have a functional Windows 2008 SQL Server (see Part 2 of this series at http://ops-mgr.spaces.live.com/blog/cns!3D3B8489FCAA9B51!710.entry).

Hotfixes for OpsMgr 20007 – Windows 2008 Servers with Agents

Each of the servers in this configuration needed to have three hotfixes applied to them:

• 951327
• 952664
• 953290

After applying these hotfixes, you will need to reboot the system.

Additional hotfixes are required that are specific to the servers with installed OpsMgr components. These include:

• 954049
• 951380

OpsMgr Prerequisites

There are several prerequisites for installation of the Root Management Server (plus the console and the web console).

• With Windows 2008, we need to add the Web Server role (including ASP.net, windows authentication, IIS 6.0 management compatibility and ASP). For background on this, we worked from the article on how to install and configure reporting services on Windows Server 2008 available at http://msdn.microsoft.com/en-us/library/bb839480.aspx.
• Using the Application Server role adds the .Net framework components.
• We ended up installing the Windows PowerShell via a command line (ServerManagerCmd –i Powershell).

OpsMgr RMS, Web Console, Console Install

Installing the Operations Manager’s RMS, Operations Console and Web Console components worked just the same as on a Windows 2003 platform. The only item to note is if the RMS cannot contact the OpsMgr database server, it will display this error:

Check out the video showing the installation steps:

Firewall change

The RMS installation made the required changes for the Windows 2008 firewall. These included the following ports:

• Health Service (5723)
• SDK (5724)
• Web Console (51908)Application Error Monitoring (51906)
• Connector Framework (51905)
• Customer Experience Improvement Program (51907)

Lessons Learned

• Windows Server 2008 now installs as roles several of the prerequisite components required for OpsMgr.
• The Windows 2008 firewall creates the appropriate firewall rules to allow OpsMgr to function on the system.

A while back, Kerrie wrote a post about downtime and managing IT Operations at http://www.networkworld.com/community/node/20187. As a follow-up to that, she just participated in a blog interview with StackSafe about IT Operations and how Operations Manager can help you in managing your downtime (and uptime!). Check it out at http://www.stacksafe.com/blog/kerrie-meyler-a-microsoft-mom-mvp-dishes-about-it-operations/08/19/2008/.

This is the second of a five part series discussing lessons learned when installing System Center Operations Manager onto a fully Windows 2008 environment (DC, RMS, SQL, and Reporting servers). Since we now have a functional Windows 2008 domain controller (see Part 1 of this series at http://ops-mgr.spaces.live.com/blog/cns!3D3B8489FCAA9B51!695.entry), our next step is installing and configuring the Operations Manager database server.

SQL Installation

Installation prerequisites for the Operations Manager database components included first performing a standard SQL 2005 installation, and then installing SQL 2005 SP2. 

Windows Server 2008 adds the Web Server as a role. If you have not the Web Server and the asp.net option, this shows as a warning during the SQL Server installation. Since this server will not provide reporting services or other web based features, we can ignore those warnings during our installation process. We installed SQL Server using default configurations, with the exception of choosing a domain user account to be the SQL Server service account.

Hotfixes for OpsMgr 20007 – Windows 2008 Servers with Agents

Each of the servers in this configuration needed to have three hotfixes applied:

• 951327
• 952664
• 953290

After applying these hotfixes, you will need to reboot the system.

Additional OpsMgr Prerequisites

The database server for this environment will host both the Operations Manager database and the Data Warehouse functions. After installing SQL 2005 and patching it with SQL 2005 SP2, a prerequisites check indicated the server was ready for installing both the Operational Database and Data Warehouse OpsMgr components.

The next step was installation of the Operations Manager database. We used the default configurations, as shown in the video below.

Firewall change

To allow the SQL Server to communicate on the default port we need to create a new inbound rule to allow SQL Server port TCP port 1433. This assumes of course that you are using the default port, if you use a different port (such as installing a second instance), you will need to change the firewall to allow that port to communicate.

After installing this rule, log into another system in your environment and validate that telnet can connect to the SQL server on port 1433. Windows Server 2008 does not install the telnet client by default in Windows Server 2008, so you must add that feature prior to testing the ability to connect to the SQL Server.

Lessons Learned

Installing the Operations Manager database components is straightforward as long as you remember to install the appropriate hotfixes and create a firewall rule to allow inbound communication to port 1433.

Some great blogs have been covering information on Windows 2008. Definitely look into:

• http://blogs.technet.com/kevinholman/archive/2008/08/05/my-experience-installing-a-scom-management-server-on-windows-server-2008.aspx - a great write-up on installing OpsMgr on Windows Server 2008
• http://blogs.technet.com/kevinholman/archive/2008/07/29/how-do-i-know-if-i-have-all-the-required-hotfixes-on-windows-server-2008-to-be-supported-for-a-opsmgr-agent.aspx - write-up on required hotfixes

Page 390 of System Center Operations Manager 2007 Unleashed discusses modifying the Registry settings for the EnableADIntegration key on the RMS and management servers. This information was based on our own experiences and testing during earlier versions of OpsMgr 2007, as well as recommendations from Microsoft. Microsoft has since changed the behavior such that this Registry key hack is no longer recommended, and can actually cause problems.

We will be changing the information in the next printing of the book and the errata to say:

To complete the process of activating OpsMgr integration with AD, validate that the registry key HKLM\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectionManager\EnableADIntegration is set to 0.This is the default setting.

There has been some confusion regarding how to configure this setting on management servers. However, do not change it to 1; the value should actually be the default configuration of 0. Changing the value to 1 is not required and actually may cause issues on the management servers.

This is the first of a five part series that discusses lessons learned when installing System Center Operations Manager in a Windows 2008 environment. Windows Server 2008 introduces some features that impact how applications are deployed and configured. Specific areas that affect application deployment and configuration are server roles and the Windows 2008 firewall.

Windows 2008 Server Roles

Windows 2008 uses server roles to simplify the process of installing and to minimize the maintenance and potential security vulnerabilities of the system. Windows 2008 Server initially installs without activating any of these server roles. Examples of server roles include:

• Active Directory Certificate Services
• Active Directory Domain Services
• Active Directory Federation Services
• Active Directory Lightweight Directory Services
• Active Directory Right Management Services
• Application Server
• DHCP Server
• DNS Server
• Fax Server
• File Services
• Hyper-V (64-bit OS only)
• Network Policy and Access Services
• Print Services
• Terminal Services
• UDDI Services
• Web Services
• Windows Deployment Services

The Windows 2008 Firewall

The Windows 2008 firewall, by default, is active on Server 2008. As you install various roles, the Operating System adapts the firewall rules so that the new roles will function. As an example, port 80 is opened inbound to the server if web services are activated.

Since Windows 2008 does not define SQL Server as a server role, firewall rules are not automatically configured when you install SQL Server. http://cameronfuller.spaces.live.com/blog/cns!A231E4EB0417CB76!1427.entry includes a discussion on how SQL Server needs to have firewall rules changed so the configuration manager can access the SQL Server databases.

Server Roles for our OpsMgr Configuration

The servers involved in the configuration we will be discussing in this series include a domain controller, database server, Root Management Server (RMS), data warehouse, and reporting server. We will discuss them in the following order:

• OpsMgr by Example: Server 2008 POC – Part 1 (Domain Controller)
• OpsMgr by Example: Server 2008 POC – Part 2 (DB)
• OpsMgr by Example: Server 2008 POC – Part 3 (RMS)
• OpsMgr by Example: Server 2008 POC – Part 4 (DW)
• OpsMgr by Example: Server 2008 POC – Part 5 (Reporting)

Installing the Domain Controller

The first step to build our Windows 2008 environment was installing a Windows 2008 domain controller using default configurations. Each server in our configuration was installed within Windows 2008 Hyper-V (a good discussion on installation of Hyper-V is available as part of http://cameronfuller.spaces.live.com/blog/cns!A231E4EB0417CB76!1273.entry, look at the first step). The following video shows the steps involved in the installation of a new domain controller into a new forest/new domain.

Once the domain controller reboots, validate that Active Directory Users and Computers shows the new DC appearing in the Domain Controllers container. You will want to validate DNS by verifying that the DNS Server role is installed and the forward lookup zone is created correctly.

With the domain controller installed and DNS functional, we can start installing prerequisites on the various Operations Manager components. The first step in this process is the Operations Manager database, which we will discuss in part 2 of this series.

Lessons Learned:

Windows 2008 affects how you install and configure applications; through using server roles and configuration changes required to the Windows 2008 firewall.

We received a question from someone whose mail settings did not allow a reply (see http://ops-mgr.spaces.live.com/default.aspx?_c01_BlogPart=blogentry&_c=BlogPart&handle=cns!3D3B8489FCAA9B51!541). The question was:

I have a small question about "Adding Network Devices with PowerShell" that you write about in your book.
In your example you connect NetworkDevice to $agent add-remotelymanageddevice -proxyagent $agent -device $discovery_results.custommonitoringobjects
But how I can connect NetworkDevice to Management Server (it's not in get-agent output)?

The answer:

Adding a network device to management with PowerShell does not require that you furnish the name of a management server. If we understand your question correctly, you asked about 'connecting NetworkDevice to Management Server.'

Let's explain the PowerShell cmdlet used in the eighth and final cmdlet in a series of cmdlets in our Powershell script that together assemble an array of inputs, and feed those inputs to the last cmdlet.

The add-remotelymanageddevice cmdlet is fed only the inputs -proxyagent and -device.

The involved management server will be the primary management server associated with the proxy agent--but that is not part of the action of adding the network device to management. We only need the name of the proxy agent.

The Discover-and-Add-Network-Devices.ps1 is a PowerShell script for discovering and adding network devices. It was developed in conjunction with Chapter 17, "Monitoring Network Devices," of System Center Operations Manager 2007 Unleashed.

SUMMARY

Most organizations run anti-virus (AV) software on their servers and workstations to detect and fix computer viruses. However, running antivirus software on server software systems such as Operations Manager can cause data corruption and have a detrimental effect on performance.

MORE INFORMATION

There are particular folders and files that should be excluded from anti-virus scanning.

• These include the SQL Server database files used by Operations Manager components as well as system database files for the master database and tempdb.
• You will also want to exclude queue and log files used by Operations Manager from anti-virus scanning.
• These include but are not limited to files under %ProgramFiles%\System Center Operations Manager\Health Service State\ and its subdirectories.
• Other areas to exclude from scanning is the OpsMgr install and wbem directories.
• You will want to exclude the page file from anti-virus scanning and the Windows temp directory (%windirtemp%) as well.

If you use a firewall, you will need to open up the ports for installing the agent (135), client communication (5723), email communication (25), and potentially others. The ports used by Operations Manager 2007 are listed in Table 1.

Table 1. Communication Paths and Ports

UPDATE 7/21/08: Rod Trent recently posted an article on recommended antivirus exclusions, see http://myitforum.com/cs2/blogs/rtrent/archive/2008/07/18/recommended-antivirus-exclusions-for-opsmgr.aspx.

In May 2008, Microsoft released public previews (Release Candidate 0, known as RC0) for new two server products:

• Essential Business Server (EBS) 2008
• Small Business Server (SBS) 2008

Our blog article earlier in July (http://ops-mgr.spaces.live.com/Blog/cns!3D3B8489FCAA9B51!576.entry) focused on EBS; this article looks at the management features and scenarios for SBS 2008 (RC0). Many people have been waiting for SBS 2008, as this product will replace the broadly deployed SBS 2003—Microsoft's customer-premise server solution for the very small organization.

The low price point of the SBS 2003 package made it a good seller, but integration features between the various server products in SBS 2003 was not as illustrious. Few customers used or appreciated the admin wizards, the pre-created SBS security groups, and similar features. In contrast, the integration in SBS 2008 is excellent and eliminates the otherwise complex setup and administration of Windows Server 2008 X64, Exchange 2007, SharePoint 3.0, Fax services, Certificate services, WSUS, and so on. For those Microsoft network owners with less than 2 servers and 75 clients, whether or not they already use SBS 2003, SBS 2008 is a compelling migration option to consider—particularly at the very small customer end, such as those installations that have less than 25 clients. SBS 2008's capability to accelerate and error-proof the installation and secure operation of these super-complex server technologies takes huge burdens take off the small network owner’s plate.

SBS 2008 Setup

Having just run through the EBS 2008 RC0 setup, we could contrast that 3-server install with lots of previous experience of independent setup of each server component, i.e. Windows Server 2008, Active Directory, Exchange 2007, Forefront, etc., which would be easily a 400% savings in time. Now we compare both those processes to the SBS 2008 RC0 setup, which approaches a ten-fold savings! The error-free setup of SBS 2008 on an HP ProLiant ML350 was just amazing. Immediately after setup, we were receiving Internet email. "Out of the box," every component, AD user account and Exchange mailbox, OWA with CA, secure SMTP Receive connectors, a very effective anti-spam and Exchange anti-virus, and lots more were correctly configured.

These were massive timesavings, and it was a relief to know that the Windows 2008/AD/Exchange/SharePoint lash-ups on that server were setup securely and according to Microsoft best practice. For more current news and tidbits about SBS (and EBS) 2008, a great starting place is the blog of Microsoft's Nicholas King at http://blogs.technet.com/nking/default.aspx.

SBS 2008 Native Management

Unlike its big sister EBS, SBS 2008 does not include a copy of the System Center Essentials 2007 management application. Microsoft decided to make SBS extremely simple in setup and operation, and with a very light resource footprint. Essentials 2007 has more features than necessary for the SBS target environment, and higher resource demands than the SBS architects wanted to support. Instead of Essentials, SBS 2008 includes a brand new mini-management environment known as the Windows SBS 2008 Monitoring Data Collection Service. The Data Collection Service does not appear to be a modified OpsMgr 2007 Health Service, but instead is a brand new mini-management stack developed just for SBS 2008. The installation has a local instance (named “SBSMONITORING”) of SQL 2005 Express on the SBS 2008 server that hosts the management database for the service. Outputs of the service include alerts that appear in the SBS Console, optionally emailed to an administrator. Here is a screenshot of the SBS Console, Network-> Computers view:

Our SBS 2008 network includes two client computers running Windows Vista. The clients were connected to the SBS domain by visiting an intranet web site on the SBS server and running an ActiveX control. This joined them to the domain and downloaded additional software such as the SBS Vista Gadget (see the "The SBS 2008 Vista Gadget" section later in this article). Clicking through on the Critical alert for the SBS server, it’s easy to read what the problem is, shown in the screenshot below (If you elect to receive email alert notifications, you’ll get exactly the text you see here.).

Similar to System Center Essentials 2007, SBS 2008 includes a daily report that can be emailed to the SBS administrators email distribution list. (SBS 2008 has an additional weekly report that is more detailed.)

One difference between the Essentials Daily Health Report and the SBS 2008 Summary Network Report is the SBS report does not include a software installed listing, but the SBS report does include server uptime, backup, and email usage and mailbox size sections not included with Essentials. The SBS report is also much more attractive. Here is an actual SBS Summary Network Report, open in Outlook 2007:

Remote Management Options for SBS 2008

Many SBS 2008 owners may want to outsource some aspect of server monitoring or management. A network service provider could leverage the native Windows SBS 2008 Monitoring Data Collection Service, and have the SBS server email the service provider with the alerts for follow-up investigation. That could work for a very low-capacity management service with relaxed timeframes for problem resolution. SBS 2008 includes Remote Web Workplace (RWW), as does EBS, and RWW is a secure way for the service provider to remotely access customer computers for support and service.

The SBS 2008 owner (or IT service provider that supports the SBS owner) may consider employing some additional technology (or partner with a service provider) for deeper monitoring and/or remote management than that provided by the native Windows SBS 2008 Monitoring Data Collection Service. Potential candidates in the Microsoft management portfolio to provide richer monitoring and management of EBS 2008 include:

• Essentials 2007
• Operations Manager 2007
• Remote Operations Manager 2007

Here are all the supportable topologies we can see for this scenario:

1. Essentials 2007 SP1 installed on a second server in the SBS 2008 domain, monitoring the SBS server with an agent component. Enable Service Provider mode using the wizard in the Start menu.
2. OpsMgr 2007 SP1 gateway server component installe