FIGURE 8.52 SNMP discovery XML.
By default, Operations Manager sends a get command against the discovered SNMP devices every 120 seconds. The get is targeted at OID 1.3.6.1.2.1.1.5.0, which is sysName (in full—iso.org.dod.internet.mgmt.mib-2.system.sysName). The monitor summary is shown in Figure 8.53.
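What that 120-second poll actually puts on the wire, as an added example that is not code from the book or from Operations Manager: a minimal BER encoder and decoder for the SNMPv1 GetRequest against sysName (OID 1.3.6.1.2.1.1.5.0). The community string "public" and the request id are constructed sample values, and nothing is transmitted.

```python
"""SNMPv1 GetRequest for sysName, built and parsed offline (added example)."""
from __future__ import annotations

SYSNAME_OID = "1.3.6.1.2.1.1.5.0"
COMMUNITY = b"public"  # assumption: constructed sample value
TAG_INT, TAG_OCTETS, TAG_NULL, TAG_OID = 0x02, 0x04, 0x05, 0x06
TAG_SEQ, TAG_GETREQ = 0x30, 0xA0


def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, else 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def encode_int(v: int) -> bytes:
    """Shortest two's-complement INTEGER contents."""
    return v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)


def encode_oid(oid: str) -> bytes:
    """OID contents: first two arcs fold into one byte, later arcs are base-128 groups."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or arcs[1] > 39:
        raise ValueError(f"bad OID {oid!r}")
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        group = [arc & 0x7F]
        arc >>= 7
        while arc:  # continuation bytes carry the high bit
            group.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(group))
    return bytes(out)


def build_get_request(oid: str, request_id: int, community: bytes = COMMUNITY) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU }."""
    varbind = tlv(TAG_SEQ, tlv(TAG_OID, encode_oid(oid)) + tlv(TAG_NULL, b""))
    pdu = tlv(TAG_GETREQ, tlv(TAG_INT, encode_int(request_id))
              + tlv(TAG_INT, encode_int(0))  # error-status: noError
              + tlv(TAG_INT, encode_int(0))  # error-index
              + tlv(TAG_SEQ, varbind))
    return tlv(TAG_SEQ, tlv(TAG_INT, encode_int(0)) + tlv(TAG_OCTETS, community) + pdu)


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, contents, position after the TLV) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    """Inverse of encode_oid (first arc 0 or 1 assumed, which covers iso.org...)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_get_request(msg: bytes) -> dict:
    """Pull community, request id and requested OIDs back out of a v1 GetRequest."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != TAG_SEQ:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    if int.from_bytes(version, "big", signed=True) != 0 or pdu_tag != TAG_GETREQ:
        raise ValueError("only SNMPv1 GetRequest is handled")
    _, rid, pos = read_tlv(pdu, 0)
    _, _, pos = read_tlv(pdu, pos)  # error-status
    _, _, pos = read_tlv(pdu, pos)  # error-index
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid_raw, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid_raw))
    return {"community": community.decode(), "oids": oids,
            "request_id": int.from_bytes(rid, "big", signed=True)}
```

The 40-byte result is the entire datagram payload; a packet capture of the poll shows the same bytes after the UDP header.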
FIGURE 8.53 SNMP monitor.
If the device does not respond, the Availability monitor's state changes and affects the entity health. When monitoring SNMP devices, check the Operations Manager event log to confirm that monitoring is working. A number of events can occur; the most common ones, and the ones most often seen when troubleshooting SNMP, are listed in Table 8.7. Use the table to detect and resolve SNMP monitoring issues.
NOTE It is recommended to expand the Operations Manager Maximum log size, as 15360KB yields an average of 33,700 events before the events are overwritten.
TABLE 8.7 Common SNMP Monitoring Event Errors

Event ID 11001 (Error)
Description: Error sending an SNMP GET message to IP Address
Resolution: Open the rule detailed in the description. Find the OID that the rule is trying to GET, and ensure that the OID is responding. If the OID does not have a value or isn't available, exclude the rule from the device.

Event ID 11052 (Warning)
Description: Module was unable to convert parameter to a double value. Original parameter: '$data/SnmpVarBinds/SnmpVarBind[1]/Value$' Parameter after $Data replacement: '' Error: 0x80020005 Details: Type mismatch. One or more workflows were affected by this. Workflow name:
Resolution: Open the rule detailed in the description. Find the OID that the rule is trying to GET, and ensure that the OID is responding. If the OID does not have a value or isn't available, exclude the rule from the device.

Event ID 40000 (Error)
Description: A monitoring host is unresponsive or has crashed. The status code for the host failure was 2164195371.
Resolution: Importing too much $null data into Operations Manager causes the monitoring host to crash. Remove the bad MP/rule-sets and flush the health service cache on the MS monitoring the SNMP devices.
Summary

Operations Manager provides the best approach to monitoring Microsoft-based infrastructure. By leveraging the core management packs, Operations Manager can provide key insight into the environment, thus eliminating guesswork and aiding troubleshooting efforts, creating repeatable responses to known issues, and creating a central company knowledge base. Operations Manager requires active involvement by way of administration. Alerts should be mitigated or disabled if not actionable. In an ideal scenario, responsibilities within Operations Manager will be delegated; for example, all SQL alerts will be resolved or overridden by the DBA team. Custom management packs are used in one-off scenarios, with distributed applications created to monitor end-to-end scenarios for the NOC to view and alert from.

The success of an Operations Manager deployment depends on the infrastructure to be monitored—is the organization ready to move to the next level, by moving away from being reactive?

Best Practices

The following are best practices from this chapter:
• If there are users who will receive alerts but not have access to the Web console, create a notification channel that doesn't include an alert link in the body of the SMTP message.
• Before performing maintenance work on Operations Manager itself, disable notification subscriptions. That prevents alerts from being generated during the maintenance.
• When creating new rules and monitors, create them as disabled by default. Then create overrides to enable the rules and monitors for specific instances of objects.
• Use the Look For feature of the console when searching for discoveries, monitors, and rules to override or edit.
• Be sure to back up custom management packs, Management Pack Templates, and override management packs using the Export Management Pack function.
• Take the time to explore, configure, and tune any management packs that are deployed. Each management pack operates differently and has different tuning requirements to optimize its performance.
• Be sure to keep the management packs updated, as Microsoft routinely releases updates to the core management packs.
• Use Management Pack Templates to create monitoring for web applications, database sources, services, processes, and ports.
• Use the distributed application to create application models for monitoring, alerting, and reporting on custom applications.
• Create custom management packs with the Authoring Console for more sophisticated applications or for publication.
CHAPTER 9
Using Operations Manager for Operations and Security Reporting

IN THIS CHAPTER
• Reporting from OpsMgr
• Generating and Scheduling Reports
• OpsMgr 2007 R2 Maintenance Reports
• Audit Collection Services Reporting
• Service Level Tracking
• Service Level Dashboards

System Center Operations Manager (OpsMgr) 2007 R2 not only monitors and collects information on the performance and health of monitored servers and applications, but also provides a myriad of ways to view that information. One of the key features of the OpsMgr platform is to provide a flexible reporting system. The Reporting data warehouse keeps a long-term historical record of the data collected and provides a mechanism to generate trending, availability, and security reports in a variety of formats and delivery mechanisms.
NOTE Management packs frequently include reports that are installed when the management pack is imported. This includes Windows Server, Active Directory, Exchange, SQL, and the cross-platform management packs. These reports are discussed in Chapter 8, "Using Operations Manager for Monitoring and Alerting."
This chapter focuses on using the generic reports and the security reports, including the following:
• Performance reports
• Alert reports
• Availability reports
• Service Level Tracking reports
In addition, the new Service Level Tracking (SLT) feature and Service Level Dashboards (SLDs) are covered, as they use the Reporting data warehouse and SLD is a form of interactive reporting.
Reporting from OpsMgr

The reporting in Operations Manager is based on SQL Reporting Services. This is a flexible reporting engine that allows reports to be viewed ad hoc, saved to favorites, exported, or delivered. Reports that are generated ad hoc can also be exported to the following formats:
• Word
• Adobe Acrobat PDF
• Comma-separated value (CSV)
• TIFF
• MHTML (web archive)
• Excel
• XML
NOTE Reports cannot be exported before generating the report ad hoc. Exporting a report regenerates the report. In other words, the report export process generates the report twice. This can be a significant factor when exporting a complex report. If this is an issue, a report can be scheduled with a one-time schedule and delivered to a file share.
Reporting Services can generate and deliver reports on a schedule. This is very helpful, as it eliminates the need for the administrator to remember to generate reports and instead delivers them automatically. Reports can be delivered to the following:
• Email
• Windows file share
• Null (used to create a cache of the report)

Delivered reports (file share or email) can be delivered in the same formats as exports, but also support two additional formats:
• RPL Renderer
• HTML 4.0
The HTML 4.0 format is useful for generating web pages for dashboard-type sites in combination with the Windows file share delivery format. The Report Page Layout (RPL) Renderer format is a special binary format that supports Report Builder 2.0 and interactive viewing of the generated report.

OpsMgr management packs commonly include a variety of preconfigured reports to show information about the operating system or the specific application they were designed to work with. These reports are run in SQL Reporting Services. The reports provide an effective view of systems and services on the network over a custom period, such as weekly, monthly, or quarterly. They can also help you monitor your networks based on performance data, which can include critical pattern analysis, trend analysis, capacity planning, and security auditing. Reports also provide availability statistics for distributed applications, servers, and specific components within a server.

Availability reports are particularly useful for executives, managers, and application owners. These reports can show the availability of any object within OpsMgr, including a server (shown in Figure 9.1), a database, or even a service such as Windows Server 2008 R2 that includes a multitude of servers and components. The Availability report shown in Figure 9.1 indicates that the SP server was down on 9/29/2009 for about 4.17% of the time, or just slightly over 1 hour. The rest of the time it had been up.

FIGURE 9.1 Availability report.
The reports can be run on demand or at scheduled times and delivered via email. OpsMgr can also generate HTML-based reports that can be published to a web server and viewed from any web browser. Vendors can also create additional reports as part of their management packs.
Generating and Scheduling Reports

The Operations Manager 2007 R2 infrastructure collects many Windows Server 2008 R2 data points. This information can be presented in reports, which can be generated ad hoc or scheduled. The scheduling option is very useful, as it reduces the need to actively open the console; instead, the reports are delivered via email.
Performance Reports

Performance reports are useful for graphing performance counters and data, which OpsMgr collects in droves. The Performance report can be used to create multiple charts of multiple series of performance data. Any data collected by Operations Manager can be graphed. The performance data is automatically summarized by hour and by day to reduce the size of the database and the time to generate reports.

The Performance reports are composed of charts and series within the charts. A Performance report can have multiple charts, each with a different set of series. For example, there could be a chart of disk performance series and a chart of processor performance series. Or there could be a chart for each server with performance counters for the server as the series. The series are essentially the data collected by a performance collection rule. They can be formatted by style, color, and scale to produce the right look in the chart. The style of each of the series can be:
• Area
• Column
• Line
• Point
• Spline
• Spline area
• Step line
The style can vary by series within the same chart, so the column style could be chosen for one series (for example, processor performance) and line for the memory utilization. This can be used to create important distinctions in the chart series. The spline style is a mathematical function that is useful when smoother graphs are wanted. The step line style is used when no smoothing or extrapolating at all is wanted. The color of the series within a chart can be varied as well. The colors available are as follows:
• Light Blue
• Dark Green
• Light Red
• Yellow
• Black
• Dark Blue
• Light Green
• Orange
• Light Gray-Blue
• Brown
The user interface cycles through the colors as series are added and loops back to the top of the list as more series are added to the chart. The colors can be chosen manually as well. Finally, the series scale can be adjusted to format the chart properly. The counter can be scaled up by choosing a scale value larger than 1.0000 (the default), such as 10.0000, or scaled down by choosing a value smaller than 1.0000, such as 0.1000. The series in a chart do not have to be the same and can be mixed and matched as needed. One important point is that the object selected must match, or be contained in, the target of the rule selected as the basis of the series.

For example, an administrator or application owner might want to get a weekly graph of the Processor/% Processor Time, Paging File/% Usage, and Memory/% Committed Bytes in Use for a given system. To schedule this report on a System Center Operations Manager server for email delivery, use the following steps:
1. Launch the Operations Manager 2007 R2 console.
2. Select the Reporting space.
3. Select the Microsoft Generic Report Library node.
4. Select the Performance report and click Open.
5. In the From field, select Advanced.
6. Change the Offset to - (minus) and the number of days to 7. Click the green check mark (OK) to save the selections. The From field will show "Today -7 day(s)".
7. Change both the From and the To times to 12:00 AM.
8. In the Objects section, click the Change button to select what to graph.
9. In the Settings pop-up window, click the New Chart button.
NOTE A Performance report can have multiple charts on the same report. For this example, the report has a single chart with multiple counters.
10. With the [Chart] highlighted, enter DC1 Performance Chart in the Chart Title field in the Details section.
11. With the [Chart] highlighted, click New Series to add a new data series to the chart.
NOTE The series within a chart defaults to the line style and a scale of 1.0000, with each series taking the next color available starting with Light Blue.
12. With the series highlighted, click the Browse button in the Details section.
13. Select the Search By Counter tab.
14. Select the processor performance object and the % Processor Time counter in the pull-downs, and then click Search.
15. The search will likely return multiple rules that collect the counter. Select the rule that corresponds to the operating system, in this case Processor % Processor Time Total 2008. Take note of the Rule Target column, which shows that the rule targets the Windows Server 2008 Operating System. This will be needed later.
NOTE If the rule selected does not match the object selected, the report returns no data. This is by far the most common problem with reports. Make sure that the object, or group of objects, selected is targeted by the rule.
16. Click OK to save the rule selection. If there were multiple instances of this counter, they would be displayed in the Rule section.
17. Click the Add Object button in the Details section.
18. Enter Windows Server 2008 in the Object Name field and click Search. Don't enter the full rule target noted previously, as it will return an empty search result.
19. Select the server name in the Path column and click Add. Figure 9.2 shows the results.

FIGURE 9.2 Adding a performance target object.
NOTE The OpsMgr inconsistent object-naming conventions make this a very tricky yet crucial step. The rule target was listed as Windows Server 2008 Operating System, yet the search of the objects showed a name of Microsoft Windows Server 2008 R2 Enterprise and a class of Windows Operating System. Either a detailed understanding of the OpsMgr schema or a bit of trial and error is needed to hunt down the correct object.
20. Click OK to save the object selection.
NOTE It might be tempting to select multiple objects in this step. However, this results in the total of the objects in a single series (that is, line) on the chart. If separate series are wanted, they need to be defined separately.
21. Click the New Series button and repeat steps 12 through 20. Change the Object/Counter to Memory/% Committed Bytes in Use and select the Memory % Committed Bytes in Use 2008 rule. The object will already be available, so there is no need to search in step 18.
22. Click the New Series button and repeat steps 12 through 20. Change the Object/Counter to Paging File/% Usage and select the Page File Percentage Use 2008 rule. The object will already be available, so there is no need to search in step 18.
23. The results should look like those in Figure 9.3. Click OK to save the chart settings.
FIGURE 9.3 Performance chart settings.
24. Click Run to view the report. The report should look similar to Figure 9.4. The Performance report not only graphs the three selected counters, but also gives a statistical analysis of the data, including the sample count (that is, how many data points were collected in the report period), minimum value, maximum value, average value, and standard deviation from the average.

To have the report delivered on a scheduled basis, complete the following steps:
1. With the generated report still on the page, select File, Schedule.
2. In the Description field, enter OPSMGR Performance Report.
3. In the Delivery Method field, select Email.
4. In the To field, enter the SMTP address of the recipient.
5. In the Subject field, replace @ReportName with OPSMGR Performance Report. The variable name is unfortunately very long and ugly, so it's best to replace it.
FIGURE 9.4 Performance report.
6. Click Next.
7. Change the schedule to Daily.
8. Change the time to the time that the report should be generated on a daily basis, for example 6:00 a.m. Click Next.
9. Because the report was generated and all the parameters were selected initially, no parameters need to be changed. This method ensures that the email report will match expectations.
10. Click Finish to save the scheduled report.

The report will now be automatically generated every morning at 6:00 a.m. and delivered via email to the recipients. Additional reports can be created in exactly the same way for the recommended rules and any others that are needed. To review the schedules, go to the Scheduled Reports node in the Reporting space. The schedules can be adjusted as well.

This type of report can be created for any counter that is collected by Operations Manager. Although this report provides lots of detail for a specific set of counters for a specific computer, sometimes it's important to find which computers are most heavily utilized or running low on a resource. The Top Performance reports provide this type of analysis and are discussed in the next section, "Top X Performance Reports."
Top X Performance Reports

When managing a number of agents, it can be difficult to pinpoint the problem systems. For example, which systems are the most heavily utilized? A report showing a graph of all the resources would be very messy and difficult to read even in a medium-sized organization with a small number of servers. Operations Manager 2007 R2 has a set of reports that address this specific concern: the Performance Top Objects and Performance Top Instances reports. These reports take data from performance collection rules, perform some statistical analysis, and list the top systems. For example, Figure 9.5 shows the top five systems with the most processor utilization. It is based on the Processor % Processor Time Total rule. It shows the top five heaviest processor utilization systems for the previous week.
FIGURE 9.5 Top Five Processor Utilization report.
This report is one of the reports in the Microsoft Generic Report Library and can be used against any performance counter. The report can pick the top (the default) or bottom objects, as well as vary the number of objects to return (the default is five).
The best-practice recommendation is to generate daily reports spanning the previous week for the following rules:
• Processor % Processor Time Total
• Page File Percentage Use
• Memory % Committed Bytes in Use
• Network Adapter Bytes Total per Second
• % Logical Disk Free Space

The Performance Top Objects report for each of these rules gives a good overview of the performance issues (or lack thereof) across all the monitored systems. These should be delivered on a daily basis in an email or to a share. To schedule a report for email delivery, complete the following steps:
1. Launch the Operations Manager 2007 R2 console.
2. Select the Reporting space.
3. Select the Microsoft Generic Report Library node.
4. Right-click the Performance Top Objects report and select Open.
5. In the From field, select Advanced.
6. Change the Offset to - (minus) and the number of days to 7. Click the green check mark (OK) to save the selections. The From field will show "Today -7 day(s)".
7. Change both the From and the To times to 12:00 AM.
8. In the Rule field, click the Browse button.
9. In the Rule Name field, enter Processor % Processor Time Total and click the Search button.
10. In the Available Items pane, select the rule and click OK.
11. Click Run and confirm that the report looks good.
12. Select File, Schedule.
13. In the Description field, enter Processor % Processor Time Total Report.
14. In the Delivery Method field, select Email.
15. In the To field, enter the SMTP address of the recipient.
16. In the Subject field, replace @ReportName with Processor % Processor Time Total 2008 Report. The variable name is unfortunately very long and ugly, so it's best to replace it.
17. Click Next.
18. Change the schedule to Daily.
19. Change the time to the time that the report should be generated on a daily basis, for example 6:00 a.m. Click Next.
20. Because the report was generated and all the parameters were selected initially, no parameters need to be changed. This method ensures that the email report will match expectations.
21. Click Finish to save the scheduled report. The report will generate on the scheduled basis, at 6:00 a.m. every morning.
NOTE The performance rules are generally specific to each operating system. Thus, the reports are specific to each operating system. The rules in this section reflect Windows Server 2008 and Windows Server 2008 R2 performance data. If there are other operating systems such as Windows Server 2003, additional reports using those rules need to be created.
Alert Reports

Alert reports can summarize the alerts that have been generated for a specific object or set of objects. This report is useful for summarizing alerts for which notifications have been sent, and for all alerts, many of which might not have had notifications sent. The reports can show alerts from a single object like a Windows computer or even a database. They can also show alerts from groups of objects like the Exchange Server 2007 Computer Group or SQL Server 2008 DB Engine Group. Multiple objects and groups can be specified in the selection, and custom groups can be created to contain specific sets of monitored objects if needed. The alerts can also be filtered by severity (Information, Warning, and Critical) and by priority (Low, Medium, and High) in any combination. This allows the Alert reports to be tailored very precisely for the target audiences.

To create an Alert report that shows the critical Exchange Server 2007 computer alerts from the previous day, complete the following steps:
1. Launch the Operations Manager 2007 R2 console.
2. Select the Reporting space.
3. Select the Microsoft Generic Report Library node.
4. Right-click the Alert report and select Open.
5. In the From field, select Yesterday.
6. Change both the From and the To times to 12:00 AM.
7. Click the Add Group button.
8. In the Group Name field, enter Exchange 2007 and click the Search button.
9. Select the Exchange 2007 Computer Group and click Add.
10. Click OK to save the selections.
11. In the Severity section, uncheck the Warning and Information severity boxes.
12. Click Run and confirm that the report looks good.
The resulting report shows the critical severity alerts for all the Windows Computer objects in the Exchange 2007 Computer Group. The report is sorted by alert severity, though clicking on other columns changes the sort order. The sample report in Figure 9.6 shows the critical severity alerts: a security alert (An Account Failed to Log On) repeated four times, some disk performance alerts (Disk Transfer Latency Is Too High), a couple of DNS Resolution Time Alert errors, and a Logon Failure alert.

FIGURE 9.6 Critical Severity Alert report for the Exchange 2007 Computer Group.
Different groups and objects can be selected to tailor the report to the target audience.
NOTE If the report shows no data, it could be because there were no alerts generated for the selected objects during the time period. It could also be that the wrong object or group was selected. Confirm that there have been alerts generated and expand the time range of the report to test if the report does return the alerts. Once the report is confirmed, put the time range back to the desired time range.
The Alert report can be scheduled to be delivered on a daily or weekly basis to administrators or application owners using the steps in the previous section. To have the report delivered on a scheduled basis, use the following steps:
1. With the generated Alert report still on the page, select File, Schedule.
2. In the Description field, enter Exchange 2007 Computers Critical Alert Report.
3. In the Delivery Method field, select Email.
4. In the To field, enter the SMTP address of the recipient.
5. In the Subject field, replace @ReportName with Exchange 2007 Computers Critical Alert Report. The variable name is unfortunately very long and ugly, so it's best to replace it.
6. Click Next.
7. Change the schedule to Daily.
8. Change the time to the time that the report should be generated on a daily basis, for example 6:00 a.m. Click Next.
9. Because the report was generated and all the parameters were selected initially, no parameters need to be changed. This method ensures that the email report will match expectations.
10. Click Finish to save the scheduled report.

The Critical Alerts report will now be automatically generated every morning at 6:00 a.m. and delivered via email to the recipients.
TIP One way to leverage the Alert report is to create a report that summarizes all alerts generated after hours and deliver it first thing every morning. For example, if an IT organization has a support policy that dictates that support is provided from 6:00 a.m. to 8:00 p.m., no notifications are sent to pagers during the 8:00 p.m. to 6:00 a.m. off-hours period. To ensure that IT support can respond to any issues that occurred during the off-hours, generate an Alert report every morning at 6:00 a.m. that includes alerts that were raised from 8:00 p.m. to 6:00 a.m.
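The Alert report's filters (group membership, severity and priority within a time range, as used for the Exchange 2007 critical-alert report above) together with the TIP's off-hours window, as an added example that is not code from the book or from Operations Manager. The group, the computer names and the alerts are constructed sample data.

```python
"""Alert-report style filtering plus the off-hours window (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time, timedelta

SEVERITIES = ("Information", "Warning", "Critical")
PRIORITIES = ("Low", "Medium", "High")


@dataclass(frozen=True)
class Alert:
    name: str
    source: str        # monitored object that raised the alert
    severity: str
    priority: str
    raised: datetime


def off_hours_window(run_at: datetime, support_start: time = time(6, 0),
                     support_end: time = time(20, 0)) -> tuple[datetime, datetime]:
    """From the end of support yesterday to the start of support on the run day."""
    if support_start >= support_end:
        raise ValueError("support hours must lie within one calendar day")
    start = datetime.combine(run_at.date() - timedelta(days=1), support_end)
    end = datetime.combine(run_at.date(), support_start)
    return start, end


def filter_alerts(alerts, members: set[str], window: tuple[datetime, datetime],
                  severities=frozenset(SEVERITIES),
                  priorities=frozenset(PRIORITIES)) -> list[Alert]:
    """Alerts from group members raised in [start, end) with a selected severity and
    priority, sorted by severity (Critical first) as the report is."""
    unknown = (set(severities) - set(SEVERITIES)) | (set(priorities) - set(PRIORITIES))
    if unknown:
        raise ValueError(f"unknown severity/priority: {sorted(unknown)}")
    start, end = window
    hits = [a for a in alerts
            if a.source in members and start <= a.raised < end
            and a.severity in severities and a.priority in priorities]
    return sorted(hits, key=lambda a: (-SEVERITIES.index(a.severity), a.raised))


# Constructed sample data: a two-member Exchange computer group and one night of alerts.
EXCHANGE_GROUP = {"EX1.example.test", "EX2.example.test"}
SAMPLE_ALERTS = [
    Alert("An Account Failed to Log On", "EX1.example.test", "Critical", "High",
          datetime(2010, 1, 11, 21, 15)),
    Alert("Disk Transfer Latency Is Too High", "EX2.example.test", "Critical", "Low",
          datetime(2010, 1, 11, 23, 40)),
    Alert("DNS Resolution Time Alert", "EX1.example.test", "Critical", "Low",
          datetime(2010, 1, 12, 2, 5)),
    Alert("Logon Failure", "EX1.example.test", "Warning", "Medium",
          datetime(2010, 1, 12, 5, 59)),
    Alert("Disk Transfer Latency Is Too High", "SQL1.example.test", "Critical", "Low",
          datetime(2010, 1, 12, 1, 0)),           # not in the group
    Alert("An Account Failed to Log On", "EX2.example.test", "Critical", "High",
          datetime(2010, 1, 12, 6, 0)),           # on the boundary: support hours again
    Alert("DNS Resolution Time Alert", "EX2.example.test", "Critical", "Low",
          datetime(2010, 1, 11, 19, 30)),         # still within support hours
]


def sample_run_time() -> datetime:
    """The 6:00 a.m. run the TIP describes (constructed)."""
    return datetime(2010, 1, 12, 6, 0)


def off_hours_report(run_at: datetime, severities=frozenset(SEVERITIES)) -> list[Alert]:
    """The morning report: group alerts raised between 8:00 p.m. yesterday and now."""
    return filter_alerts(SAMPLE_ALERTS, EXCHANGE_GROUP, off_hours_window(run_at), severities)
```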
Availability Reports
The bane of every IT manager and executive is not knowing when systems and services were available and unavailable. They are typically at the mercy of the IT technical staff in faithfully reporting when systems are down. Famously, when the CEO or business unit managers are asked about IT reliability, they report far more outages than the IT technical staff reported. Operations Manager solves this dilemma by providing Availability reports that can be delivered automatically to the Inboxes of IT managers and executives. This includes the availability of servers, services, applications, and even specific objects like databases.
Availability reports can be generated for any object in Operations Manager. The report determines the availability on the basis of the following six categories of state:
• Unplanned Maintenance (default)—This is essentially a critical state (red) outside of a maintenance window. Any time in this state is counted against the availability.
• Warning—This option can be selected if the Warning state should count against the availability.
• Monitoring Unavailable—This option counts the lack of a state as downtime.
• Planned Maintenance—Planned Maintenance is the time in which the object is placed in Maintenance mode. Normally, objects are placed in Maintenance mode specifically to prevent the state from impacting the availability.
• Monitor Disabled—This option counts the disabled monitoring as unavailability.
• Unmonitored—Finally, Unmonitored is the state before an object has been discovered or if the underlying monitoring rules are disabled.
In most cases, the default of Unplanned Maintenance is sufficient. This means that if the object is in a critical state, it is considered unavailable.
The Availability Summary report shows downtime as a percentage bar (not by time) color-coded to show the state. The color codes are as follows:
• Uptime (Green)
• Downtime (Red)
• Warning (Yellow)
• Planned Maintenance (Blue)
• Unplanned Maintenance (Black)
• Unmonitored (White)
• Monitor Disabled (Light Gray)
• Monitoring Unavailable (Dark Gray)
The horizontal bar displays the percentage availability, and multiple objects can be selected to present a summary of availability. This report shows the availability in terms of a percentage bar and stats such as Uptime and Downtime in both percentages and in hours:minutes:seconds format. The report also contains links such as the Availability Tracker link, which can be used to drill into the availability of an object per aggregation period (daily or hourly). In fact, the Drill-Down Availability report (reached by clicking on the Availability Tracker link) is often a much more useful presentation of the availability. The following links are available on the Availability Summary report:
• Availability Tracker report—This report shows the percentage availability per time period.
• Downtime report—This report shows the downtime on a horizontal timeline.
• Monitor Availability report—This report shows the monitor's time in state. Particularly interesting is the Expand Monitor Hierarchy option, which shows the time in state for the monitor hierarchy.
• Configuration Changes report—This report shows any configuration changes that are captured.
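As an added example (not from the book and not Operations Manager's own code), the following Python sketch shows how the choice of downtime categories and the Use Business Hours option change the reported percentage. It works on a constructed state history and assumes that availability is uptime divided by uptime plus the time in the selected downtime categories, with time in unselected categories (for example, Planned Maintenance) left out of the denominator.

```python
from datetime import datetime, timedelta

# The six state categories the Down Time section can count against
# availability; only Unplanned Maintenance is selected by default.
DOWNTIME_CATEGORIES = (
    "Unplanned Maintenance", "Warning", "Monitoring Unavailable",
    "Planned Maintenance", "Monitor Disabled", "Unmonitored",
)
DEFAULT_DOWNTIME = frozenset({"Unplanned Maintenance"})

# Constructed state history for one object (not real OpsMgr data):
# (start, end, state). Any gap between intervals is treated as Unmonitored.
SAMPLE_HISTORY = [
    (datetime(2010, 1, 4, 0, 0), datetime(2010, 1, 5, 2, 0), "Uptime"),
    (datetime(2010, 1, 5, 2, 0), datetime(2010, 1, 5, 4, 0), "Planned Maintenance"),
    (datetime(2010, 1, 5, 4, 0), datetime(2010, 1, 6, 10, 0), "Uptime"),
    (datetime(2010, 1, 6, 10, 0), datetime(2010, 1, 6, 12, 0), "Unplanned Maintenance"),
    (datetime(2010, 1, 6, 12, 0), datetime(2010, 1, 7, 23, 0), "Uptime"),
    (datetime(2010, 1, 7, 23, 0), datetime(2010, 1, 8, 1, 0), "Warning"),
    (datetime(2010, 1, 8, 1, 0), datetime(2010, 1, 11, 0, 0), "Uptime"),
]
# Seven-day window, "Today -7 day(s)" style, 12:00 AM to 12:00 AM.
SAMPLE_WINDOW = (datetime(2010, 1, 4), datetime(2010, 1, 11))


def state_at(history, t):
    """State in force at instant t; Unmonitored where the history has no interval."""
    for start, end, state in history:
        if start <= t < end:
            return state
    return "Unmonitored"


def in_business_hours(t, start_hour, end_hour, weekdays):
    """True if t falls inside the configured core hours (Monday is weekday 0)."""
    return t.weekday() in weekdays and start_hour <= t.hour < end_hour


def availability(history, report_from, report_to, downtime=DEFAULT_DOWNTIME,
                 business_hours=None, step=timedelta(minutes=1)):
    """Return (availability percent, seconds spent in each state).

    The window is walked in `step` increments and each increment is charged
    to the state in force at its start. Assumed formula (not stated in the
    book): uptime / (uptime + time in the selected downtime categories);
    time in unselected categories is excluded from the denominator.
    business_hours=(start_hour, end_hour, weekdays) restricts the
    calculation to core hours, like the Use Business Hours check box.
    """
    seconds = {s: 0 for s in ("Uptime",) + DOWNTIME_CATEGORIES}
    t = report_from
    while t < report_to:
        if business_hours is None or in_business_hours(t, *business_hours):
            seconds[state_at(history, t)] += int(step.total_seconds())
        t += step
    up = seconds["Uptime"]
    down = sum(seconds[s] for s in downtime)
    pct = 100.0 * up / (up + down) if up + down else 0.0
    return round(pct, 2), seconds


def fmt_hms(total_seconds):
    """Format seconds as hours:minutes:seconds, as the report's stats do."""
    hours, rem = divmod(total_seconds, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours}:{minutes:02d}:{secs:02d}"


if __name__ == "__main__":
    for label, kwargs in (
        ("default (Unplanned Maintenance only)", {}),
        ("Warning also counted", {"downtime": DEFAULT_DOWNTIME | {"Warning"}}),
        ("business hours 6:00-18:00 Mon-Fri", {"business_hours": (6, 18, range(0, 5))}),
    ):
        pct, secs = availability(SAMPLE_HISTORY, *SAMPLE_WINDOW, **kwargs)
        print(f"{label}: {pct}% available, uptime {fmt_hms(secs['Uptime'])}")
```

With the sample history the same two-hour critical outage costs more availability under Use Business Hours, because it fell inside core hours while the planned and warning intervals did not.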
Each of these linked reports can be scheduled or exported as with any other report in Operations Manager. The best way to get the Availability report is to find the application, server, or object in the Operations Console and then generate the Availability report from there. That ensures that the correct object is selected without having to search for it in the report interface. To get an Availability report for the Exchange 2007 Service, complete the following steps:
1. Launch the Operations Manager console.
2. Select the Monitoring space.
3. Select the Distributed Application folder.
4. Select the Exchange 2007 Service.
5. Select the Actions menu, Exchange 2007 Service Reports, and then the Availability report.
NOTE The Availability report is a generic report that can be generated for any object in Operations Manager. This includes distributed applications, servers, databases, or even a network interface card.
6. In the From field, select Advanced.
7. Change the Offset to - (minus) and the number of days to 7. Click the green check mark (OK) to save the selections. The From field will show "Today -7 day(s)".
8. Change both the From and the To times to 12:00 AM.
NOTE There is a check box for Use Business Hours. This option is particularly useful for the Availability report. If the application has an availability requirement of certain core hours, such as 6:00 a.m. to 6:00 p.m. Monday through Friday, then it would be incorrect to generate an Availability report that covers the hours outside of the core hours. Checking the Use Business Hours check box and then configuring the Business Hours provides a more accurate representation of the availability of the application from a business perspective.
9. The Exchange 2007 Service object is already selected in the Objects section and doesn't need to be changed.
10. The Down Time section has Unplanned Maintenance selected. Change if needed.
11. Click Run to generate the report. The resulting report is shown in Figure 9.7.
12. In the body of the report, click the Availability Tracker hyperlink to drill into the Availability report by time period, which in this case is seven days. There will be a report with a vertical availability bar for each day and a graph charting the availability. The report is shown in Figure 9.8.
FIGURE 9.7 Availability Summary report for the Exchange 2007 Service.
FIGURE 9.8 Availability Tracker report for the Exchange 2007 Service. [Screenshot: one vertical availability bar per day across the seven-day period, with the availability chart below.]
13. In the menu bar, click the small blue left-pointing arrow, which is the Back to Parent Report control. This takes the browser back to the previous report, the Availability Summary report.
14. Click the plus symbol (+) in the first column next to the object name. This expands to show additional links within the report.
15. Click the Object Monitor Availability Detail to launch the report.
16. In the resulting report, click the Expand Monitor Hierarchy link above the table. After a bit of time, the report regenerates with an availability bar for each monitor in the health hierarchy of the Exchange 2007 Service.
NOTE The resulting report can be quite long due to the number of monitors in the hierarchy. For a simple environment, this could be seven pages long. This would be shorter for less-complicated distributed applications than the Exchange 2007 Service.
17. Click the Back to Parent Report control twice to get back to the Availability Summary report.
These Availability reports allow application owners and administrators to see the availability of any monitored object or group of objects. This information can be in summary form, by time period, or even monitor by monitor. Any of the reports or linked reports can be generated ad hoc or scheduled using the techniques shown earlier in this section.
OpsMgr Scheduled Reports Don't Show Charts
Sometimes there is a problem where the OpsMgr scheduled reports run and display the correct text and numeric data, but no charts. The Reporting Server generates the following error at the same time:
Log Name: Application
Source: Report Server Windows Service (MSSQLSERVER)
Date: 4/10/2010 6:00:11 AM
Event ID: 108
Task Category: Extension
Level: Error
Keywords: Classic
User: N/A
Computer:
This is caused by a problem with the loading of the charting extension. To resolve this problem, add the following information to the ReportingServicesService.exe.config file in the %Program Files%\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\bin\ directory:
<dependentAssembly>
  <assemblyIdentity name="Microsoft.ReportingServices.ProcessingCore"
    publicKeyToken="89845dcd8080cc91" culture="neutral" />
</dependentAssembly>
Just paste in the text below the existing <dependentAssembly> entries. The SQL Reporting Services service will need to be restarted for the changes to take effect. After this, the charts will generate properly in the emails.
OpsMgr 2007 R2 Maintenance Reports
There are also reports on Operations Manager 2007 R2 that should be generated to ensure that the health and performance of the infrastructure is good. The reports to generate are as follows:
• Most Common Alerts report—This report is useful for determining what alerts are the noisiest and might be spamming the Inboxes of notification subscribers. The report shows which alerts are most common and gives additional statistical analysis.
• Alert Logging Latency report—This report is useful for determining the health of the OpsMgr infrastructure, as measured by the time an event occurs on a managed computer to the time an alert is raised. If this is too long (that is, greater than 30 seconds), it indicates that there is a problem.
• Send Queue % Used Top 10 report—This report tells you if agents are having trouble uploading their data to the management servers. These queues should be less than 1%.
• Daily Alert report—This report gives you a complete list of all the alerts that were generated. This is very detailed, but is good for chasing down problems uncovered in other checks.
• SQL Database Space report—This report shows the database space and growth of SQL databases. This is generated against the OpsMgr databases to monitor the growth.
These reports should be generated on a weekly basis (for example, Monday at 6:00 a.m.) spanning the previous week and be sent to the Operations Manager administrators.
Most Common Alerts Report
This report analyzes the most common alerts that were generated and is good for identifying alert-tuning opportunities. The Most Common Alerts report is based on the management packs that are installed. By default, the report selects all the installed management packs and shows the top five most common alerts. To schedule the Most Common Alerts report, execute the following steps:
1. Launch the Operations Manager 2007 R2 console.
2. Select the Reporting space.
3. Select the Microsoft Generic Report Library node.
4. Right-click the Most Common Alerts report and select Open.
5. In the From field, select Advanced.
6. Change the Offset to Minus and the number of days to 7. Click the green check mark (OK) to save the selections. The From field will show "Today -7 day(s)".
7. Change both the From and the To times to 12:00 AM.
8. Click Run and confirm that the report looks good.
NOTE The report is generated for all the installed management packs by default. This report can also be generated against a single or group of management packs, such as Exchange or Active Directory, by unselecting all but those management packs. This allows the alerts from a particular management pack to be evaluated.
9. Select File, Schedule.
10. In the Description field, enter Most Common Alerts Report.
11. In the Delivery Method field, select Email.
12. In the To field, enter the SMTP address of the recipient.
13. In the Subject field, replace @ReportName with Most Common Alerts Report.
14. Click Next.
15. Change the schedule to Weekly and ensure that only Mon is checked.
16. Change the time to be the time that the report should be generated on a daily basis, for example 6:00 a.m. Click Next.
17. Because the report was generated and all the parameters were selected initially, no parameters need to be changed. This method ensures that the email report will match expectations.
18. Click Finish to save the scheduled report.
Figure 9.9 shows an example of the Most Common Alerts report. The most common alert for the previous week was the Disk Transfer Latency (Reads and Writes) Is Too High, with 41.67% of alerts. This alert could be tuned to reduce the volume of alerts or the problem resolved.
FIGURE 9.9 Most Common Alerts report. [Screenshot: table of the top five alerts across the selected management packs, with Alert Name, Alert Count, and Activity % columns.]
Alert Logging Latency Report
This report tells you the length of time between an event being raised on a managed computer and an alert being generated in the Operations Console. This should be under 30 seconds in a healthy OpsMgr environment.
NOTE If the alert logging latency is too high, it means that problems can occur and alerts will not be generated fast enough for IT to be notified before the user notification mechanisms kick in. The user notification mechanisms are those users calling in to the help desk to complain about systems being down. You never want to be the IT professional who is the last to hear about an outage.
The Alert Logging Latency report is based on the objects selected. The report does not include any objects by default, so the objects must be selected. It is a best practice to select the groups of agents, agentless, and agent watchers objects. To schedule the Alert Logging Latency report, execute the following steps:
1. Launch the Operations Manager 2007 R2 console.
2. Select the Reporting space.
3. Select the Microsoft Generic Report Library node.
4. Right-click the Alert Logging Latency report and select Open.
5. In the From field, select Advanced.
6. Change the Offset to Minus and the number of days to 7. Click the green check mark (OK) to save the selections. The From field will show "Today -7 day(s)".
7. Change both the From and the To times to 12:00 AM.
8. Click the Add Group button.
9. In the Group Name field, enter agent and click the Search button.
10. Select the Agent Managed Computer Group, the Agentless Managed Computer Group, and the Microsoft.SystemCenter.AgentWatchersGroup and click Add.
11. Click OK to save the selections.
12. Click Run and confirm that the report looks good. The report should look similar to Figure 9.10.
13. Select File, Schedule.
14. In the Description field, enter Alert Logging Latency Report.
15. In the Delivery Method field, select Email.
16. In the To field, enter the SMTP address of the recipient.
17. In the Subject field, replace @ReportName with Alert Logging Latency Report.
18. Click Next.
19. Change the schedule to Weekly and ensure that only Mon is checked.
20. Change the time to be the time that the report should be generated on a daily basis, for example 6:00 a.m. Click Next.
21. Because the report was generated and all the parameters were selected initially, no parameters need to be changed. This method ensures that the email report will match expectations.
22. Click Finish to save the scheduled report.
The Alert Logging Latency report will now generate on a weekly basis and be emailed to the recipients. The report has two pages with lots of statistical analysis of the alert latency. It is one of the more complicated reports in the OpsMgr library of reports.
FIGURE 9.10 Alert Logging Latency report. [Screenshot: percentage of alerts under 30 seconds for the selected objects, with a per-day chart of alerts under and over the 30-second threshold.]
Send Queue % Used Top 10 Report
This report tells you if agents are having trouble uploading their data to the management servers. These queues should be less than 1%. To schedule a report for email delivery, complete the following steps:
1. Launch the Operations Manager 2007 R2 console.
2. Select the Reporting space.
3. Select the Microsoft Generic Report Library node.
4. Right-click the Performance Top Objects report and select Open.
5. In the From field, select Advanced.
6. Change the Offset to - (minus) and the number of days to 7. Click the green check mark (OK) to save the selections. The From field will show "Today -7 day(s)".
7. Change both the From and the To times to 12:00 AM.
8. Change the N field from 5 to 10 to return the Top 10.
NOTE In larger organizations, it might be better to use a higher number such as the top 20. For smaller organizations, it might be better to use a smaller value like the top 5.
9. In the Rule field, click the Browse button.
10. In the Rule Name field, enter Send Queue % Used and click the Search button.
11. In the Available Items pane, select the Collect Health Service Management Group\Send Queue % Used rule and click OK.
12. Click Run and confirm that the report looks good.
13. Select File, Schedule.
14. In the Description field, enter Send Queue % Used Top 10 Report.
15. In the Delivery Method field, select Email.
16. In the To field, enter the SMTP address of the recipient.
17. In the Subject field, replace @ReportName with Send Queue % Used Top 10 Report.
18. Click Next.
19. Change the schedule to Daily.
20. Change the time to be the time that the report should be generated on a daily basis, for example 6:00 a.m. Click Next.
21. Because the report was generated and all the parameters were selected initially, no parameters need to be changed. This method ensures that the email report will match expectations.
22. Click Finish to save the scheduled report.
The report generates on the scheduled basis, 6:00 a.m. every morning. If any of the send queue percentages get too high, this is cause for immediate investigation. See the sample report in Figure 9.11. This report shows that the Health Service for vm1.cco.com had a max value of 69.15%, which indicates that the agent had problems, although they seem to have been temporary as the average value over the week was only 1.971%. All the other top 10 agents had values less than 1%.
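As an added example (not from the book and not Operations Manager's own code), the following Python code applies the two thresholds given for the Alert Logging Latency and Send Queue % Used reports, 30 seconds and 1%, to constructed sample data in the shape of those reports. The per-agent statistics and the transient-versus-sustained reading of a high send queue are assumptions for illustration, following the way the sample report above is interpreted.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LATENCY_THRESHOLD_S = 30    # alert logging latency should stay under 30 seconds
SEND_QUEUE_THRESHOLD = 1.0  # Send Queue % Used should stay below 1%

# Constructed sample data (not real OpsMgr output):
# (agent, time the event occurred on the agent, time the alert was raised).
SAMPLE_ALERTS = [
    ("agent1.example.com", "2010-01-03 08:00:00", "2010-01-03 08:00:09"),
    ("agent1.example.com", "2010-01-03 09:15:00", "2010-01-03 09:15:21"),
    ("agent3.example.com", "2010-01-03 10:00:00", "2010-01-03 10:00:05"),
    ("agent2.example.com", "2010-01-04 02:30:00", "2010-01-04 02:31:45"),
    ("agent3.example.com", "2010-01-04 11:00:00", "2010-01-04 11:00:14"),
    ("agent2.example.com", "2010-01-05 07:00:00", "2010-01-05 07:00:28"),
    ("agent1.example.com", "2010-01-05 18:00:00", "2010-01-05 18:00:11"),
    ("agent2.example.com", "2010-01-05 23:00:00", "2010-01-05 23:00:52"),
    ("agent3.example.com", "2010-01-06 03:00:00", "2010-01-06 03:00:07"),
    ("agent1.example.com", "2010-01-06 15:00:00", "2010-01-06 15:00:19"),
]

# Constructed weekly samples of the Send Queue % Used counter per agent.
SAMPLE_SEND_QUEUE = {
    "agent1.example.com": [0.0, 0.1, 5.0, 0.0, 0.2, 0.1],  # one spike, otherwise idle
    "agent2.example.com": [2.0, 3.5, 2.8, 3.1],            # persistently backed up
    "agent3.example.com": [0.5, 0.7, 0.9, 0.6],
    "agent4.example.com": [0.0, 0.0, 0.1],
}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def alert_latency_report(alerts, threshold_s=LATENCY_THRESHOLD_S):
    """Overall percent of alerts under the threshold, per-day under/over
    counts (the breakdown the Alert Logging Latency report charts), and the
    slow alerts so the affected agents can be chased down."""
    per_day = defaultdict(lambda: {"under": 0, "over": 0})
    slow = []
    for agent, occurred, raised in alerts:
        latency = (_parse(raised) - _parse(occurred)).total_seconds()
        day = occurred[:10]
        if latency <= threshold_s:
            per_day[day]["under"] += 1
        else:
            per_day[day]["over"] += 1
            slow.append((agent, occurred, latency))
    under = sum(d["under"] for d in per_day.values())
    over = sum(d["over"] for d in per_day.values())
    pct = round(100.0 * under / (under + over), 2) if under + over else 0.0
    return {"pct_under": pct, "under": under, "over": over,
            "per_day": dict(per_day), "slow": slow}


def send_queue_top(samples, n=10, threshold=SEND_QUEUE_THRESHOLD):
    """Top-n agents by maximum Send Queue % Used with the statistics the
    Performance Top Objects report shows (sample count, min, max, average,
    standard deviation; population stdev is an assumption). An agent is
    flagged 'transient' when only its max crosses the threshold and
    'sustained' when its average does too."""
    rows = []
    for agent, values in samples.items():
        rows.append({"agent": agent, "samples": len(values),
                     "min": min(values), "max": max(values),
                     "avg": round(mean(values), 3), "stdev": round(pstdev(values), 3)})
    rows.sort(key=lambda r: r["max"], reverse=True)
    top = rows[:n]
    flagged = [(r["agent"], "sustained" if r["avg"] > threshold else "transient")
               for r in top if r["max"] > threshold]
    return top, flagged


if __name__ == "__main__":
    rep = alert_latency_report(SAMPLE_ALERTS)
    print(f"{rep['pct_under']}% of alerts under {LATENCY_THRESHOLD_S} s "
          f"({rep['under']} under, {rep['over']} over)")
    for agent, occurred, latency in rep["slow"]:
        print(f"  slow: {agent} event at {occurred} took {latency:.0f} s")
    top, flagged = send_queue_top(SAMPLE_SEND_QUEUE)
    for r in top:
        print(f"  {r['agent']}: max {r['max']}% avg {r['avg']}% stdev {r['stdev']}")
    print("investigate:", flagged)
```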
FIGURE 9.11 Send Queue % Used report. [Screenshot: Performance Top Objects report for the previous week, top 10 Health Services by the Collect Health Service Management Group\Send Queue % Used rule, with Max Value, Average Value, and Standard Deviation columns.]
Daily Alert Report
This report gives you a complete list of all the alerts that were generated. This is very detailed, but is good for chasing down problems uncovered in other checks. To create an Alert report that shows all the agent alerts from the previous day, complete the following steps:
1. Launch the Operations Manager 2007 R2 console.
2. Select the Reporting space.
3. Select the Microsoft Generic Report Library node.
4. Right-click the Alert report and select Open.
5. In the From field, select Yesterday.
6. Change both the From and the To times to 12:00 AM.
7. Click the Add Group button.
8. In the Group Name field, enter agent and click the Search button.
9. Select the Agent Managed Computer Group, the Agentless Managed Computer Group, and the Microsoft.SystemCenter.AgentWatchersGroup, and click Add.
10. Click OK to save the selections.
11. In the Severity section, uncheck the Warning and Information severity boxes.
12. Click Run and confirm that the report looks good.
The resulting report shows the critical severity alerts for all the agent objects in the management group. The report is sorted by alert severity, though clicking on other columns changes the sort order. The sample report in Figure 9.12 shows the Critical Severity Alert report. There are three pages to the report. The report can be sorted by last raised by clicking on the Last Raised On column heading.
FIGURE 9.12 Daily Critical Alert report. [Screenshot: Alert report listing the critical severity alerts, including the First Raised On and Last Raised On columns.]
The Alert report can be scheduled to be delivered on a daily or weekly basis to administrators or application owners using the steps in the previous section. To have the report delivered on a scheduled basis, use the following steps:
1. With the generated alert report still on the page, select File, Schedule.
2. In the Description field, enter Daily Critical Alert Report.
3. In the Delivery Method field, select Email.
4. In the To field, enter the SMTP address of the recipient.
5. In the Subject field, replace @ReportName with Daily Critical Alert Report. The variable name is unfortunately very long and ugly, so it's best to replace it.
6. Click Next.
7. Change the schedule to Daily.
8. Change the time to be the time that the report should be generated on a daily basis, for example 6:00 a.m. Click Next.
9. Because the report was generated and all the parameters were selected initially, no parameters need to be changed. This method ensures that the email report will match expectations.
10. Click Finish to save the scheduled report.
The Alert report will now be automatically generated every morning at 6:00 a.m. and delivered via email to the recipients.
SQL Database Space Report
Finally, the SQL Database Space report is based on the database objects. This report does not have any objects selected by default, so the Operations Manager database objects will need to be selected. To schedule the SQL Database Space report, complete the following steps:
1. Launch the Operations Manager 2007 R2 console.
2. Select the Reporting space.
3. Select the SQL Server 2008 (Monitoring) node.
4. Right-click the SQL Database Space report and select Open.
5. In the From field, select Advanced.
6. Change the Offset to - (minus) and the number of days to 7. Click the green check mark (OK) to save the selections. The From field will show "Today -7 day(s)".
7. Change both the From and the To times to 12:00 AM.
8. Click the Add Object button.
NOTE When the Add Object window opens, note that there is a caution triangle with the text "Filter Options Have Been Applied." The objects returned will only be those that match the report criteria, in this case SQL database objects. This is new to Operations Manager 2007 R2. Before this, all object classes would be returned and it was difficult to ensure that the correct objects were included in the report. Many times, reports would be returned without any data at all due to the incorrect objects being selected. This is a huge improvement in OpsMgr 2007 R2.
9. In the Object Name field, enter Operations and click the Search button.
10. Select all the OperationsManager databases and click Add.
11. Click OK to save the selections.
12. Click Run and confirm that the report looks good.
13. Select File, Schedule.
14. In the Description field, enter Operations Manager Database Space Report.
15. In the Delivery Method field, select Email.
16. In the To field, enter the SMTP address of the recipient.
17. In the Subject field, replace @ReportName with Operations Manager Database Space Report.
18. Click Next.
19. Change the schedule to Weekly and ensure that only Mon is checked.
20. Change the time to be the time that the report should be generated on a daily basis, for example 6:00 a.m. Click Next.
21. Because the report was generated and all the parameters were selected initially, no parameters need to be changed. This method ensures that the email report will match expectations.
22. Click Finish to save the scheduled report.
The SQL Database Space report will be delivered every week on Monday at 6:00 a.m. These five reports help ensure that the Operations Manager 2007 R2 infrastructure is healthy and performing well.
Audit Collection Services Reporting
Audit Collection Services doesn't generate any security alerts or even store any of its data in the OperationsManager database, so the data cannot be viewed from within the monitoring space of the Operations Console. The ACS data is stored in the OperationsManagerAC database. The only way to access the data is using the ACS reports. The ACS reports are somewhat rudimentary. For example, they don't include the capability of using relative dates, which makes it difficult to schedule them. In this section, a workaround to this problem is presented, which is to create a duplicate custom report and schedule that.
The ACS Report Model was installed in Chapter 7, "Operations Manager Implementation and Administration." This section assumes that this has been completed successfully.
Reports in the ACS Report Model
The ACS reports are somewhat different from the other Operations Manager reports. They all generate by default, rather than prompting for parameters the way the standard OpsMgr reports do. The date ranges they span are usually two days, though this can be adjusted.
The reports are organized into several categories, as follows:
• Access Violation
• Account Management
• Forensic
• Planning
• Policy
• System Integrity
• Usage
The report-naming conventions and format in ACS leave quite a bit to be desired. The naming convention uses underscores and dashes as separators, which results in a very ugly name for the reports.
The Access Violation reports look for failed logons. The Access Violation reports consist of the following:
• Access Violation - Account Locked—This report details all account lockout events. This shows potential password guessing attempts.
• Access Violation - Unsuccessful Logon Attempts—This report details all failed logons. The report can be quite long, but shows potential password-cracking attempts.
The Account Management reports show the account management events, such as user creation, password resets, and administrator changes. The Account Management ACS reports consist of the following:
• Account Management - Domain and Built-in Administrators Changes—This report shows the changes in membership to domain admins and the built-in administrators groups.
• Account Management - Password Change Attempts by Non-owner—This report shows password resets by administrators.
• Account Management - User Accounts Created—This report lists the user accounts created.
• Account Management - User Accounts Deleted—This report lists the user accounts deleted.
The Forensic reports provide a more comprehensive view of all events for a user, a computer, or a specific event ID. These are useful when trying to understand everything that was done. The Forensic reports consist of the following:
• Forensic_-_All_Events_For_Specified_Computer
• Forensic_-_All_Events_For_Specified_User
• Forensic_-_All_Events_With_Specified_Event_ID
The Planning reports allow the administrator to understand the flow of events, which can be quite large. The ACS Planning reports consist of the following:
• Planning - Event Counts—This report shows a count of all events generated in the past day. It shows the specific event IDs, the number of those events, and the percentage of the total, both numerically and graphically.
• Planning - Event Counts by Computer—This report shows the count of events by computer. It shows the specific event IDs, the number of those events, and the percentage of the total, both numerically and graphically.
• Planning - Hourly Event Distribution—This report shows the count of events by hour. It shows the specific event IDs, the number of those events, and the percentage of the total, both numerically and graphically.
• Planning - Logon Counts of Privileged Users—This report shows the number of times that privileged users have logged on.
The Policy reports consist of the following:
• Policy_-_Account_Policy_Changed
• Policy_-_Audit_Policy_Changed
• Policy_-_Object_Permissions_Changed
• Policy_-_Privilege_Added_Or_Removed
The System Integrity reports consist of the following:
• System Integrity - Audit Failure—This report lists the times that systems failed to log security events due to a lack of resources.
• System Integrity - Audit Log Cleared—This report shows audit log cleared events.
The Usage reports consist of the following:
• Usage - Object Access—This report shows all object access-related audit events.
• Usage - Privileged logon—This report shows the logon counts of privileged users.
• Usage - Sensitive Security Groups Changes—This report lists all the sensitive security group changes.
• Usage - User Logon—This report shows the logons by specified user.
These reports provide a comprehensive view of the security events being collected by the Audit Collection Services.
Generating ACS Reports
Generating reports from the ACS database (OperationsManagerAC) is straightforward for ad hoc reports. The report parameters have none of the complexity associated with the standard OpsMgr reports and instead only have Start Date and End Date parameters.
Audit Collection Services Reporting
525
By way of example, suppose an administrator has been requested to show all password resets that have been done in the past week. This would be those password changes done by an administrator on behalf of a user. Unauthorized password resets are an abuse of privilege and can be used to stage an elevation of privilege attack, so it is important to monitor these events. To generate the Password Change Attempts report for the previous two weeks, complete the following steps:
1. Launch the Operations Console.
2. Select the Reporting space.
3. Select the Audit Reports folder.
4. Select the Account_Management_-_Password_Change_Attempts_by_Non-owner report.
5. Select Open to launch the report.
6. The report generates, but only for the current day (12:00 a.m. yesterday to 12:00 a.m. tomorrow).
7. Click the Parameters icon to show the Start Date and End Date.
8. Change the Start Date to two weeks earlier and then click Run.
NOTE The date that was selected was an actual date and there was no option to select a relative date like "Yesterday" or "Previous Week." This is a serious limitation of the built-in ACS reports as it prevents them from being run on a schedule.
9. A list of all the password reset events is displayed, as shown in Figure 9.13. Clearly, there was a rash of password changes on 1/7/10. This is a common pattern with all the ACS reports, in that they generate for the previous day by default and have to be changed.
Creating Custom ACS Reports
Although it is fine to generate reports on an ad hoc basis when requested, one of the strengths of the Operations Manager platform is to automate routine events to reduce the administrative burden. In the previous example, it would be better to schedule the Password Change Attempts by Non-Owner report to be delivered automatically on a weekly basis. Unfortunately, the ACS reports do not facilitate this. The parameters control only allows fixed dates. When scheduling the report, the Report Parameters Section does not have any relative scheduling options.
526
CHAPTER 9
Using Operations Manager for Operations and Security Reporting
FIGURE 9.13 Password Change Attempts by Non-Owner report.
To schedule the Password Change Attempts by Non-Owner report for delivery via email every week, a new custom report needs to be created. In Windows Server 2003, event 628 corresponds to password resets by another user. In Windows Server 2008, that event is 4724. The report needs to show these events. The Reporting Service Report Builder 1.0 can be used to create a new ACS report. This is a very flexible report builder and ACS includes a model to facilitate creating new reports. To create a new custom report for Password Resets, complete the following steps:
1. Launch the Operations Manager 2007 console.
2. Select the Reporting workspace.
3. Click the Design a New Report link in the Actions pane.
4. Provide credentials if needed.
5. Select Audit as the source, leave the default Table report layout, and click OK.
6. Select the Click to Add Title field and enter Password Resets in Last 2 Weeks Report.
7. From the Fields list, drag and drop Logon Time, Computer, Target User, Target Domain, Client User, and Client Domain to the table. The report should look like the report design in Figure 9.14.
FIGURE 9.14 Custom ACS report design.
NOTE The fields automatically align as they are placed in the table. Also, after placing the first field, subsequent fields can be placed simply by double-clicking them.
8. Click Filter on the Report menu.
9. In the Filter Data window, from the Fields list, drag and drop Event ID to the Dv Alls With box. Select event ID 628 in the drop-down menu.
10. In the Filter Data window, from the Fields list, drag and drop Event ID to the Dv Alls With box. Click the "and" option between the Event Id fields and select "or". Select event ID 4724 in the drop-down menu.
NOTE If the event is not in the database, it will not be in the pull-down list of events. The event number can be typed into the field as well.
11. In the Filter Data window, from the Fields list, drag and drop Logon Time to the Dv Alls With box. Click the "equals" option, select Relative Dates, select Last (n), and select Days (including today). Enter 14 into the Days field.
12. The end result of the additions to the Filter Data window should look like Figure 9.15. Click OK when you are finished.
FIGURE 9.15 Custom ACS report Filter Data window.
13. Click Run Report to see what the report will look like.
14. Click File, Save to save the report to the report server.
15. Enter Password Resets in Last 2 Weeks for the Name and click Save.
16. Select File, Exit to exit the Report Designer.
17. In the Operations Console, select the Reporting space and then the Audit Reports folder.
18. The new report should be listed. If not, refresh the view.
19. Select the Password Resets in Last 2 Weeks report and select Open. The report should look like the built-in ACS report, as shown in Figure 9.16.
The report can be scheduled like any other report and will use relative dates when generating. Creating custom ACS reports overcomes the limitations of the built-in reports, allowing relative dates, changing the format, adding columns, or just adding a corporate logo.
FIGURE 9.16 Custom ACS report.
Service Level Tracking
Many IT organizations establish service-level agreements (SLAs) with the executives or business units that specify availability of a variety of IT systems. This might include availability measurements along the lines of the ubiquitous "nines," as in "five nines of availability." This is the percentage of time that a service is available. Some common values for this percentage and the associated downtime are shown in Table 9.1.
TABLE 9.1 The Nines and Downtime Per Year
Availability Percentage   Nines Terminology   Downtime Per Year
90%                                           876 hours
95%                                           438 hours
99%                                           87.6 hours
99.9%                     Three nines         8.76 hours
99.99%                    Four nines          52.56 minutes
99.999%                   Five nines          5.256 minutes
99.9999%                                      31.536 seconds
Or the metric might be in terms of response time of the messaging system or of the Active Directory infrastructure. However, even with these SLAs in place, most IT organizations have no real way of measuring these SLAs in any objective fashion. Until Operations Manager 2007 R2, that is. OpsMgr is already gathering key availability and performance information via the management packs. Now, OpsMgr 2007 R2 includes a feature named Service Level Tracking (SLT) that can measure availability against agreed-upon SLAs.
Service Level Objectives
Service Level Objectives (SLOs) match monitored objects with service-level goals, such as availability or performance metrics. For example, an OpsMgr administrator might want to define a Service Level Tracking for the Exchange Server 2007 Service. This is a distributed application created by the Exchange Server 2007 management pack that shows the availability of the Exchange Server 2007 messaging system as a holistic service. In the example, the administrator configures Service Level Tracking (SLT) objectives to define the availability and performance goals for Exchange Server 2007. This includes an Availability Monitor SLO that is based on availability (99.0% uptime) and defines two Collection Rule SLOs that are based on a performance rule (Local Mail Flow Latency less than 50 seconds and OWA Average Response Time less than 50 seconds). These SLOs are created in the Service Level Tracking (SLT) objectives mechanism. To define the Exchange Server 2007 Service Level Objective, execute the following steps:
1. In the Operations Console, from the Authoring view, click Management Pack Objects and then click Service Level Tracking in the Authoring navigation tree.
2. In the Actions pane, click Create.
3. Type a name for the service level that you are defining, which in this example is Exchange 2007 Services SLT. Optionally, provide a description. Click Next.
4. Under Targeted Class, click Select to specify the class for the service level, such as Distributed Application. You can search for a class by typing it into the Look For field. Select the Exchange 2007 Service distributed application for the service level and click OK.
5. Optionally, change the scope for the service level by targeting all objects in a class or by targeting a specific group. In most cases, the application will have a distributed application and no group targeting is needed.
6. Select the management pack where this service level will be saved. You can use an existing management pack or create a new one.
NOTE By default, Operations Manager saves the setting to the Default Management Pack. As a best practice, you should never use the Default Management Pack.
7. Click Next.
8. On the Service Level Objectives page, click Add, and then click Monitor State SLO to create a new monitor. This monitor tracks the availability of the application.
9. Type a name for the Service Level Objective. For this scenario, type Availability.
10. Under Monitor, choose the specific monitor that you want to use to measure the objective. For this scenario, choose Availability.
11. For the Service Level Objective goal, provide the numerical measure for your objective. For example, select 99.0 to indicate that your goal is 99.0% availability.
12. By default, only critical states impact availability. You can refine what the monitor tracks as available by selecting or clearing any of the following state criteria:
• Unplanned Maintenance
• Unmonitored
• Monitoring Unavailable
• Monitor Disabled
• Planned Maintenance
• Warning
13. Click OK.
14. On the Service Level Objectives page, click Add, and then click Collection Rule SLO to create a new collection rule. This rule tracks the performance of the application.
15. Define the performance collection rule.
16. Type a name for the Service Level Objective. For this scenario, type Local Mailflow.
17. Specify the target class for the rule. For this scenario, select Mail Flow Local Connectivity.
NOTE This class must be contained in the distributed application, that is, the master class chosen for the Service Level Tracking object.
18. Specify the performance collection rule to use. For this scenario, choose Exchange 2007 Test Local Mail Flow Collection.
19. Choose one of the following aggregation methods:
• Average
• Min
• Max
In this example, the Average is chosen.
20. Define the Service Level Objective goal by choosing either Less Than or More Than and entering a value. For this scenario, choose Less Than and 50. This indicates that the performance goal is to never exceed 50 seconds. Click OK.
NOTE Unfortunately, there is no easy way to tell what the units of measure are for the rule in this interface. It is important to research the rules that will be needed in advance to set the SLOs properly.
21. On the Service Level Objectives page, click Add, and then click Collection Rule SLO to create a new collection rule.
22. Type a name for the service level objective. For this scenario, type OWA Response.
23. Specify the target class for the rule. For this scenario, select Exchange 2007 Client Access Role.
24. Specify the performance collection rule to use. For this scenario, choose Collect: MSExchange OWA: Average Response Time.
25. Choose the Average aggregation method.
26. Choose Less Than and 50. This indicates that the performance goal for the average OWA response is to never exceed 50 seconds. Click OK.
27. On the Service Level Objectives page, click Next.
28. Review the summary, and click Finish.
29. When the Completion page opens, click Close.
This SLT is now available for reporting and for dashboards.
NOTE If looking at daily aggregations on a recently created SLT in either a report or a Service Level Dashboard, the information is not displayed until one day after the SLT is created. The report or the dashboard gives an error indicating the information is not available. The hourly aggregation works fine.
Service Level Tracking Reports
Once Service Level Objectives are defined, Service Level Tracking reports can be generated against those SLOs. This provides a measurement of the performance of the application, service, or server against the desired goals. The results are shown starkly in red and green, indicating failure to meet objectives (red) or success in meeting the objectives (green).
To generate a Service Level Tracking report against the Exchange 2007 Service SLT defined in the previous section, complete the following steps:
1. Launch the Operations Manager console.
2. Select the Reporting space.
3. Select the Microsoft Service Level Report Library folder.
NOTE Although the folder is called a "Library," there is really only one report in the folder.
4. Select the Service Level Tracking Summary Report and click Open.
5. In the From field, select Advanced.
6. Change the Offset to Minus and the number of days to 7. Click the green check mark (OK) to save the selections. The From field will show "Today -7 day(s)".
7. Change both the From and the To times to 12:00 AM.
8. In the Service Levels section, click Add.
9. Click the Search button in the Add Service Levels window.
10. Select the appropriate Service Level Objective, in this example Exchange 2007 Service SLT.
11. Click Add and then click OK to save the selection.
12. In the Additional Time Intervals section, uncheck the Report Duration. Check the Last 24 Hours, Last 7 Days, and Last 30 Days.
13. Click Run to generate the report.
14. Click the plus symbol (+) next to the name of the SLT to view the details.
The results can be seen in Figure 9.17, with each of the chosen time intervals shown in a separate column. Unfortunately, the Exchange 2007 Service is not meeting the Service Level Objectives, specifically due to the OWA response time of 52.619047619 seconds not meeting the defined SLO of under 50 seconds in the last 7 days. However, looking at the 30-day interval, the Exchange 2007 Service is meeting the SLOs. The Service Level Tracking Summary report provides a good view of the overall performance of the Service Level Tracking object, which includes one or more Service Level Objectives. There is also a drill-down view, which shows the Service Level Objective Detail report. After generating the Service Level Tracking report, click one of the hyperlinks for the Service Level Objectives. In this example, the failing OWA response time will be drilled into. For each of the time frames selected and the individual Service Level Objectives, there is a hyperlink that will drill into that SLO for that time period.
FIGURE 9.17 Service Level Tracking Summary report.
In the sample report generated in Figure 9.17, clicking on the Last 7 Days OWA Response hyperlink generates the SLO detail report for the OWA Response for the Last 7 Days, as shown in Figure 9.18. The report has a cool graph for the time frame (showing that the OWA response time spikes to close to 400), a thermometer type indicator, and a speedometer showing where the average falls (in this case on the 52-second mark). The graph also includes a black line that marks the SLO. These reports can be scheduled for automatic delivery, as shown earlier in the chapter.
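How the summary report arrives at a red or green cell per interval, as an added example (not from the book or from Operations Manager): it evaluates the three SLOs defined for the Exchange 2007 Service SLT (Monitor State SLO with the default and optional state criteria; Collection Rule SLOs with Average, Min or Max aggregation and a Less Than or More Than goal) over constructed hourly data, so that the 7-day interval fails on OWA response while the 24-hour and 30-day intervals pass, the same pattern the report in Figure 9.17 shows. Sample values, the rule key names and the strict-inequality reading of "Less Than" are assumptions.

```python
"""Evaluate a Service Level Tracking object per reporting interval.

Added example, not from the book or from Operations Manager. The hourly
samples are constructed; the state criteria, aggregation methods and goal
comparisons follow the SLO wizard steps described in the text."""
from statistics import mean

# A Monitor State SLO counts only Critical as unavailable unless the optional
# criteria from step 12 are selected as well.
DEFAULT_UNAVAILABLE = frozenset({"Critical"})
OPTIONAL_CRITERIA = frozenset({"Unplanned Maintenance", "Unmonitored",
                               "Monitoring Unavailable", "Monitor Disabled",
                               "Planned Maintenance", "Warning"})

AGGREGATIONS = {"Average": mean, "Min": min, "Max": max}


def availability(states, unavailable=DEFAULT_UNAVAILABLE):
    """Percentage of hourly samples whose state is not counted as unavailable."""
    if not states:
        return None
    down = sum(1 for s in states if s in unavailable)
    return 100.0 * (len(states) - down) / len(states)


def monitor_state_slo(states, goal_pct, extra_criteria=()):
    """Monitor State SLO: availability against a percentage goal (e.g. 99.0)."""
    unknown = set(extra_criteria) - OPTIONAL_CRITERIA
    if unknown:
        raise ValueError(f"not a selectable state criterion: {unknown}")
    pct = availability(states, DEFAULT_UNAVAILABLE | set(extra_criteria))
    return {"value": pct, "goal": goal_pct, "met": pct is not None and pct >= goal_pct}


def collection_rule_slo(samples, aggregation, comparison, goal):
    """Collection Rule SLO: aggregate the rule's samples, then compare with the goal.
    Assumed boundary: "Less Than" is strictly below the goal, "More Than" strictly above."""
    value = AGGREGATIONS[aggregation](samples)
    met = value < goal if comparison == "Less Than" else value > goal
    return {"value": value, "goal": goal, "met": met}


def evaluate_slt(hourly, slos, intervals):
    """hourly: oldest-first list of {"state": ..., <rule key>: <value>} samples.
    intervals: interval name -> number of trailing hours to evaluate."""
    results = {}
    for name, hours in intervals.items():
        window = hourly[-hours:]
        per_slo = {}
        for slo in slos:
            if slo["type"] == "Monitor State":
                per_slo[slo["name"]] = monitor_state_slo(
                    [h["state"] for h in window], slo["goal"], slo.get("extra_criteria", ()))
            else:
                per_slo[slo["name"]] = collection_rule_slo(
                    [h[slo["rule"]] for h in window], slo["aggregation"],
                    slo["comparison"], slo["goal"])
        # The SLT as a whole shows red if any one of its objectives is missed.
        results[name] = {"slos": per_slo, "met": all(r["met"] for r in per_slo.values())}
    return results


# The three objectives defined for the Exchange 2007 Service SLT in the text.
EXCHANGE_SLOS = [
    {"name": "Availability", "type": "Monitor State", "goal": 99.0},
    {"name": "Local Mailflow", "type": "Collection Rule", "rule": "mailflow_latency",
     "aggregation": "Average", "comparison": "Less Than", "goal": 50},
    {"name": "OWA Response", "type": "Collection Rule", "rule": "owa_response",
     "aggregation": "Average", "comparison": "Less Than", "goal": 50},
]
INTERVALS = {"Last 24 Hours": 24, "Last 7 Days": 168, "Last 30 Days": 720}


def constructed_month():
    """30 days of constructed hourly data: one Critical hour early in the month, one
    Warning hour in the last week, and an 18-hour OWA slowdown ending a day before the end."""
    hourly = []
    for i in range(720):
        state = "Critical" if i == 100 else "Warning" if i == 650 else "Healthy"
        owa = 170.0 if 678 <= i < 696 else 40.0
        hourly.append({"state": state, "mailflow_latency": 1.5, "owa_response": owa})
    return hourly


if __name__ == "__main__":
    for interval, r in evaluate_slt(constructed_month(), EXCHANGE_SLOS, INTERVALS).items():
        print(interval, "GREEN" if r["met"] else "RED",
              {n: round(s["value"], 3) for n, s in r["slos"].items()})
```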
Service Level Dashboards
The previous section presented Service Level Tracking and Service Level Tracking reports. These reports are useful, but are unfortunately static. Once a report is generated, there is no way to scale out the timeline to see how the systems are performing at different times. With the interactive Service Level Dashboards (SLD) version 2.0, this Service Level Tracking information can be presented in a Windows SharePoint 3.0 website and allow end users to interact with the Service Level Tracking information. Multiple SLTs can be presented in a single page and the Service Level Objectives (SLOs) can be presented in graphical form as dials and graphs.
FIGURE 9.18 Service Level Objective Detail report.
To leverage these two new features, the following objects need to be defined:
• Service Level Objectives
• Service Level Dashboards
These objects leverage the information that is already being collected by Operations Manager, but present it in a new way.
Service Level Dashboard Architecture
There is a new version of the Service Level Dashboard (SLD) for Operations Manager 2007 R2. The Service Level Dashboard 2.0 is a Solution Accelerator that leverages the new Service Level Tracking feature of OpsMgr 2007 R2. Rather than presenting a static report as was shown in the Service Level Tracking reports in the previous section, the SLD gives the same information in an interactive and flexible web page. Multiple SLTs can be displayed on a single dashboard with multiple SLOs. The dashboard presents a clever dial and graph of the service level, as well as clear indicators for meeting the Service Level Objectives (green) or failing to meet the Service Level Objectives (red). The Service Level Dashboards are built on Windows SharePoint Service 3.0 and access the performance data in the Reporting data warehouse (as shown in Figure 9.19). In this regard, the Service Level Dashboards are basically interactive reports as they rely on the reporting data. The Service Level Dashboards (SLDs) present the Service Level Tracking (SLTs) objects and the Service Level Objectives (SLOs) that are defined with the Operations Console.
FIGURE 9.19 Service Level Dashboard architecture.
The Service Level Dashboard is a dedicated SharePoint site with its own port combination. The SLD consists of SharePoint Gauge Controls, a custom site template, and a number of SharePoint web parts for configuration and display. These web parts include the following:
• Service Levels Web Part
• Selected Service Level SLOs Web Part
• Service Level Objective Web Part
• Worst Performing SLO Instance Over Time Web Part
• Parameters Web Part
• Configuration Web Part (not visible to users)
The SLDs summarize the current status and health of the SLTs per the SLOs, as well as show key metrics like mean time between failures (MTBF) and mean time to repair (MTTR). These two measures give a sense of how often the application is failing and how long it stays failed. The SLO is also displayed graphically over the reporting period. The dashboard in Figure 9.20 shows four Service Level Tracking objects for the Exchange 2007 roles (CAS, Edge, Hub, and Mailbox) and one for the Exchange service as a whole. The CAS role is out of the SLO for the OWA response time, which is targeted at being under an average of 50, but is averaging about 54 per the dial. The graph at the bottom of the dashboard shows the performance of the OWA response time SLO over time. The Availability of the Exchange CAS is at 100%. The other Exchange role SLTs are green, meaning they are within their respective SLOs.
FIGURE 9.20 SCOM 2007 R2 Service Level Dashboard.
The duration of the dashboard can be adjusted from the last 60 minutes to the last year, or even a custom range can be set. The default is the last 24 hours. The data aggregation can be hourly or daily, but for longer durations the daily aggregation should be used to reduce the load on the data warehouse.
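The MTBF and MTTR figures the dashboard shows, derived from an availability timeline as an added example (not from the book or from the dashboard's own code). The definitions are assumptions: MTTR is the mean length of a failed run of hourly samples, and MTBF is the mean healthy time between the end of one failure and the start of the next; the hourly states are constructed.

```python
"""MTBF and MTTR from an hourly availability timeline.

Added example, not from the book or the Service Level Dashboard. Definitions
are assumed (see the docstrings); the timeline below is constructed."""


def failure_runs(states, failed=frozenset({"Critical"})):
    """Return (start_hour, length_hours) for every run of consecutive failed samples."""
    runs, start = [], None
    for i, s in enumerate(states):
        if s in failed and start is None:
            start = i
        elif s not in failed and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:  # timeline ends while still failed
        runs.append((start, len(states) - start))
    return runs


def mtbf_mttr(states, failed=frozenset({"Critical"})):
    """MTTR = mean failed-run length; MTBF = mean healthy gap between failures.
    MTBF is undefined (None) with fewer than two failures."""
    runs = failure_runs(states, failed)
    if not runs:
        return {"failures": 0, "mttr_hours": None, "mtbf_hours": None}
    mttr = sum(length for _, length in runs) / len(runs)
    gaps = [runs[k + 1][0] - (runs[k][0] + runs[k][1]) for k in range(len(runs) - 1)]
    mtbf = sum(gaps) / len(gaps) if gaps else None
    return {"failures": len(runs), "mttr_hours": mttr, "mtbf_hours": mtbf}


def constructed_week():
    """168 constructed hourly states: outages at hours 10-11, 60 and 130-132, plus a Warning at 90."""
    states = ["Healthy"] * 168
    for h in (10, 11, 60, 130, 131, 132):
        states[h] = "Critical"
    states[90] = "Warning"
    return states


if __name__ == "__main__":
    print(mtbf_mttr(constructed_week()))
    # Counting Warning as a failure too, as the SLO's optional state criteria allow:
    print(mtbf_mttr(constructed_week(), failed=frozenset({"Critical", "Warning"})))
```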
Installing Service Level Dashboard Site
The Service Level Dashboard requires a functioning OpsMgr 2007 R2 infrastructure with Reporting Services installed. It fundamentally just displays the data that is stored in the OperationsManagerDW database. The requirements for installing SLD 2.0 on a machine running Microsoft SharePoint 3.0 Server are as follows:
• Windows SharePoint Service 3.0 Service Pack 1
• SQL Server 2005 Service Pack 2 or SQL Server 2008
• Microsoft .NET Framework 3.5
NOTE SLD 2.0 will not work with SQL Server Embedded Edition or MSDE.
To install the Service Level Dashboard 2.0, complete the following steps:
1. Download and unpack the .zip file Service Level Dashboard 2.0.zip from http://www.microsoft.com/sld.
2. Copy the management pack to the Operations Manager Root Management Server.
NOTE The management pack must be installed prior to installing the SLD site.
3. In the Operations Manager Operations Console, select the Administration space and select the Management Pack node.
4. Right-click the Management Pack node and choose Import Management Pack.
5. Import the Microsoft.EnterpriseServiceMonitoring.ServiceLevelDashboard.R2.MP.
6. Copy the ServiceLevelDashboardV2_x86.msi or ServiceLevelDashboardV2_x64.msi file to the Windows SharePoint server.
7. Run the .msi file to begin the installation process.
8. Accept the license agreement and click Next.
9. Enter the Operations Manager Username and Password.
10. Enter the Operations Manager Data Warehouse Server Name.
11. Enter the Operations Manager Data Warehouse Database Name, which is usually OperationsManagerDW.
12. Click Next.
13. Enter the intended Site Owner's Login Name. This is the user account for the SharePoint dashboard site administrator.
14. Enter the Site Owner's E-mail Address.
15. Enter the SharePoint Database Server Name.
16. Leave the SharePoint Session Database Name as the default SLDSessionDB.
17. Leave the default Service Level Dashboard SharePoint Site URL.
NOTE It is important to remember this URL, which is the URL that will be used to access the top level of the SLD site. The default URL is http://<sharepointserver>:51918.
18. Click Next.
19. Click Next.
20. Click Install to begin the installation.
21. When you receive a message that indicates the Gauge Controls, site template, and web parts are installed successfully, click Close. The SLD will now be installed and ready to use. However, only the top-level site will have been created and it will be empty. The next section covers adding objects to the dashboard and creating new dashboards.
Creating Service Level Dashboards
After creating the dashboard, Service Level Tracking objects need to be added to it. In addition, new subordinate dashboard sites can be created to contain similar SLTs and assign individual rights to the dashboards. To create a dashboard view (that is, a dashboard subordinate site), complete the following steps:
1. Launch Internet Explorer.
2. Enter the URL http://<sharepointserver>:51918.
3. If the account does not have administrator rights to the site, click the Sign In as a Different User link. Enter the credentials of a site administrator.
4. In the upper-right corner, click the Site Actions link and select Create to create a new dashboard site off the main site.
5. Click the Sites and Workspaces link.
6. Enter a short Title for the dashboard, such as MyApplication. This will be embedded into the tab for the dashboard.
7. Enter a URL Name for the dashboard link, such as MyApplication. This is the link that will be used to access the dashboard and must be unique.
8. In the Select a Template section, click the Custom tab and ensure that the ServiceLevelDashboard template is selected.
9. In the User Permissions section, select Use Unique Permissions.
10. In the Use the Top Link Bar from the Parent Site section, select No.
11. Click the Create button to create the new dashboard site.
12. In the Set Up Groups for This Site section, add the appropriate members and owners of the site. This would be a good use of the Role Security Group if that was created.
13. Click OK to save the permissions and create the dashboard.
The dashboard will be created, but will not have any Service Level Trackings (SLTs) defined in it. To add SLTs to the dashboard, complete the following steps:
1. Launch Internet Explorer.
2. Enter the URL of the dashboard, which was http://<sharepointserver>:51918/MyApplication in the previous example.
3. If the account does not have administrator rights to the site, click the Sign In as a Different User link. Enter the credentials of a site administrator.
4. In the upper-right corner, click the Site Actions link and select Edit Page to add a Service Level Tracking.
5. In the Service Level Tracking section, check the appropriate SLT objects. Select a maximum of six.
6. Change the default Dashboard Refresh and Aggregation to Last 7 Days and Daily.
NOTE It is important to change the default aggregation to Daily. Dashboard users have the ability to change the duration of the dashboard. If the hourly aggregation is left as the default, then when a long duration is chosen, it creates an excessive impact on the data warehouse server.
7. Click Apply Filter to save the changes.
8. Click the Exit Edit Mode link in the upper-right corner.
The dashboard is now ready for use.
Securing Service Level Dashboards
For most organizations, permissions need to be set on each Service Level Dashboard to control access. The permissions model for the SLDs allows administrators to have users share all the sites or dedicate sites to specific users or groups of users. The security rights are assigned to Active Directory objects, either users or groups. The Service Level Dashboard uses two of the three default groups available in SharePoint:
• Visitors, with Read permissions
• Owners, with Full Control permissions
The Site Administrators have Full Control, whereas all other users have Read permissions. To create groups for a site, complete the following steps:
1. On the site home page, on the Site Actions menu, click Site Settings.
2. On the Site Settings page, click People and Groups.
3. On the People and Groups page, on the Quick Launch toolbar, click Groups.
4. On the People and Groups: All Groups page, on the Settings menu, click Set Up Groups.
5. On the Set Up Groups menu, select Create a New Group to assign a set of users to a custom group.
To add users to a group, complete the following steps:
1. On the site home page, on the Site Actions menu, click Site Settings.
2. On the Site Settings page, click People and Groups.
3. On the People and Groups page, on the Quick Launch toolbar, click Groups.
4. Click the name of the group to add users into.
5. On the People and Groups: Group Name page, on the New menu, click Add Users.
6. On the Add Users page, type the account names to add, or browse to find users.
7. In the Give Permission section, be sure that Add Users to a SharePoint Group is selected.
8. Click OK.
Now the selected users have access to the dashboard. If they only have rights to this specific dashboard rather than the top-level site, they need to be provided a link directly to their site.
Summary
The information collected by Operations Manager 2007 R2 is extensive and can best be displayed using scheduled reports and dashboards. This allows the information to get to the targeted end users automatically in the case of scheduled reports and ensures that the summarized data is presented to them and that the users don't have to take action to see the information on a normal basis. Service Level Dashboards, on the other hand, allow end users to interact with the information collected. They can scale to the past few hours, the past few weeks, or even the past year. This information is presented with context in the form of performance and availability against service levels, making it easy to see at a glance how systems are measuring up. These features make Operations Manager 2007 R2 the best platform for capturing and presenting operational data in a business-friendly format.
Best Practices
The following are best practices from this chapter:
• Use scheduled reports to automatically distribute operational reports to administrators, application owners, managers, and executives.
• Use the scheduled Windows file share distribution to post reports to directories that link to web pages. Use the Overwrite option to have the web pages update automatically.
• Always generate reports in the format and time period ad hoc first, and then schedule the report. This ensures that the reports are targeted at the correct objects, return the appropriate data, and are formatted as expected.
• Locate objects in the Monitoring space of the Operations Console, and then select the reports to generate from there. This ensures that the correct objects and reports are matched, as the reports will only show in the user interface if they work with those objects.
• Use SQL Server Reporting Services to produce custom ACS reports using OpsMgr's Reporting feature.
• Duplicate the existing ACS reports with custom reports to be able to schedule the reports with relative dates.
• Schedule the OpsMgr Maintenance reports for weekly delivery to easily monitor the health and performance of Operations Manager.
• Leverage the reporting database to store and report on data over a long period.
• When tuning, use the Most Common Alerts report to see which alerts are the most valuable targets for tuning.
• Use Service Level Dashboards instead of the Operations Console or Web console as a way of presenting Operations Manager data to a wider audience without impacting the performance of the alerting.
• Change the Service Level Dashboard default aggregation to Daily to prevent undue load being placed on the data warehouse.
CHAPTER 10
Data Protection Manager 2010 Design, Planning, Implementation, and Administration

When we think about the many different widgets that are employed to protect IT infrastructure, backup systems are probably the most important. Being both loved and hated, they are a definitive requirement for any adequate data protection scheme. Once deployed correctly, they typically sit in the background sucking up data, which can then be easily retrieved if some future calamity causes the real data to be lost. However, if they are not deployed correctly and some type of backup failure occurs, the ramifications associated with this failure can be huge. After all, data is a very important asset to any organization. Although the physical aspects of IT infrastructure can be easily replaced, data is either irreplaceable or very hard to reproduce. Sadly, despite being a very important part of disaster recovery, many backup systems are often ill planned or not deployed at all. The primary reason for this is the amount of effort (both human and infrastructure) that is required to maintain them. To address some of these challenges, Microsoft developed System Center Data Protection Manager (DPM), which can be used to manage disk-based and tape-based data protection and recovery for machines across an entire organization.
IN THIS CHAPTER
• What Is System Center Data Protection Manager?
• Data Protection Manager Background
• Data Protection Manager Prerequisites
• Planning a Data Protection Manager Deployment
• Deploying Data Protection Manager
• Administrating Data Protection Manager
What Is System Center Data Protection Manager?
Microsoft's System Center Data Protection Manager (DPM) is part of the System Center line of products that is designed to help organizations manage their IT infrastructure. DPM itself is a hybrid data replication and archival solution that utilizes features commonly found in everyday backup solutions to provide centralized data protection management for a variety of Microsoft-based application servers, file servers, and end-user workstations, including, but not limited to, the following:
• Exchange Server 2003 SP2, Exchange Server 2007, and Exchange Server 2010
• SQL Server 2000 SP4, SQL Server 2005 SP1 or later, and SQL Server 2008
• SharePoint Portal Server 2003, SharePoint Server 2007, SharePoint Server 2010, and Windows SharePoint Services
• Windows-based PCs (from Windows XP to Windows 7 versions)
• Files and application data on regular or clustered servers
• System State for protected file and application servers
• Hyper-V (including support for both guest-based and host-based protection)
However, DPM differs from most solutions today, which tend to provide a purely tape-based protection scheme, in that it uses a disk-to-disk, disk-to-tape, or disk-to-disk-to-cloud data backup and recovery process. Additionally, these processes are coupled with the concept of Continuous Data Protection (CDP), which is the automatic process of saving a copy of every change made to a protected data set. To better understand the advantages associated with using DPM, the following sections outline today's data recovery needs and how DPM can be used to address those needs.
Understanding Modern Data Recovery Needs
Businesses today operate in an environment that is drastically different from even just 10 years ago. In the past, information systems and the data that they held were important to business operations. However, how and when that information had to be available tended to not be as critical to the overall productivity of an organization. Fast-forward to the present day, and most organizations now operate under the premise that information must be readily accessible at all times, regardless of the time of day. This, combined with the fact that businesses are under constant pressure to lower costs, improve efficiency, and do more with less, has introduced a number of new data recovery needs that IT professionals must contend with. Consider the following:
• Quick recovery from system outages—In today's 24/7 business environment, any type of nonproductivity equates to direct financial loss. Coupled with the fact that many organizations now heavily depend on their information systems for operations, IT professionals must increasingly ensure that the recovery time from system outages is as short as possible.
• Shrinking backup and restore windows—Like the shrinking time frames for dealing with system outages, the time frames for backup and restore operations are also shrinking. This means that data protection activities might not have the luxury of executing within a defined window of time. Instead, IT professionals must employ a solution that can quickly complete backups or on-demand restores.
• Data protection in branch and remote offices—Data in an organization is not always centralized. For example, each branch or remote office might have its own unique data repository that needs to be protected. However, these remote locations also tend to lack the IT infrastructure and personnel resources needed to host and manage a traditional dedicated tape-based backup solution. Therefore, any data protection solution that is employed must be able to handle remote locations by either working "over the wire" or requiring as few dedicated resources as possible.
• Tape-based reliability and resource requirements—Sadly, tape-based backup options are not always reliable. In fact, there is a direct correlation between the reliability of a tape-based solution and the amount of resources needed to manage that solution. For example, dedicated resources are often needed for storing and recovering tapes, ensuring software backup catalogs are not corrupt, routinely testing backup devices to confirm media is readable, and so on. Given that most organizations tend to be very resource constrained, any backup and recovery solution that is deployed should limit the amount of resources that need to be dedicated to it.
• Cost reduction—Controlling costs is always a primary requirement for the deployment of any IT solution. When this is combined with today's economic challenges, the need to do more with less is even more paramount. This means that any data protection solution that is deployed should remove complexity from the environment, be simple to manage, and be affordable to use.
How Data Protection Manager Meets Today's Data Recovery Needs
For most organizations, the primary means for backing up systems and data is to use magnetic tape. This choice is often made because tape-based data protection solutions offer two distinct advantages over other solutions. First, the media cost (combined with long-term storage costs) tends to be very low. Second, tape-based technologies are very mature, which means there is a large number of different tape-based data protection solutions and a large number of IT professionals who understand those solutions. Although tape-based solutions have been proven as an effective means to protect data for well over 50 years, the underlying technology associated with magnetic wire recording solutions has not drastically changed since it was first developed. Therefore, tape as a near-term backup and recovery medium suffers from a number of different constraints:
• Tape-based solutions tend to be slow—When compared with the speed and I/O bandwidth of disk-based data protection solutions, tape-based solutions have a huge speed disadvantage. This speed weakness is only further exacerbated by the need to locate and mount tapes and build indexes when performing restores.
• Tape-based solutions tend to be complex—A tape drive has far more moving parts than a disk-based storage solution. Coupled with the fact that the usability of tapes is subject to physical wear and damage due to incorrect environmental storage conditions, the chances that some aspects of a tape-based data protection solution will experience failure are far greater than that of a disk-based solution.
• Tape-based solutions tend to lack effective centralization—Tape-based data protection solutions tend to lack any type of effective means for the centralization of backup and restore processes. Additionally, when the centralization deficit is addressed, the tape-based solution either requires a large amount of bandwidth between a remote site and the central backup site, or a local tape drive must be deployed into the remote site, which introduces its own set of management challenges.
• Tape-based solutions tend to lack disk-based backup integration—In the past, tape-based data protection solutions tended to lack any type of integration with disk-based solutions. Therefore, IT organizations had to manage several different vendors if they wanted a complete data protection solution that combined the benefits of a disk-based solution with that of a tape-based solution.
To address the issues found with tape-based data protection solutions, DPM employs a combination of disk-based, tape-based, and cloud-based storage processes, which are interlaced with the concept of Continuous Data Protection (CDP) for Windows application and file servers. The following subsections explain how these various components of the DPM architecture are used to protect data.
Disk-Based Storage
Also called disk-to-disk or D2D for short, disk-based storage is a backup where data from one computer is duplicated and stored on the hard disk of another computer. The primary advantage of using this type of backup is the potential time savings associated with backing up and restoring data.
Instead of having to locate a specific tape, load it, and position it to the correct starting point, with a D2D recovery job you just need to identify the data, and DPM locates the data and retrieves it. Other benefits of using D2D include the lower failure rate of disk drives when compared with tapes. Additionally, using a D2D protection strategy allows for incremental data replication versus all-at-once backups/restores, which reduces the impact of network-based backup and restore operations.
Tape-Based Backup and Archive
Also called disk-to-tape or D2T for short, tape-based backup and archive is the traditional method of backing up data from one computer to storage media such as tape. As before, the usage of magnetic tape still provides the same inexpensive and portable form of data protection, which is very convenient for long-term storage. However, the real benefit of D2T support in DPM becomes evident when it is combined with D2D. In this configuration, called disk-to-disk-to-tape (D2D2T), you have the rapid recovery and replication benefits of disk-based storage in addition to the long-term ability to archive data using a medium that can be kept offsite.
Cloud-Based Storage
Also called disk-to-disk-to-cloud or D2D2C for short, cloud-based storage is a new storage feature that was first introduced in DPM 2007 SP1. When using D2D2C, you still protect data using D2D, but you can then also store that data in the cloud for longer-term protection using either Microsoft's Azure or third-party cloud services that support this DPM feature.
Continuous Data Protection (CDP)
CDP is a data protection concept that is used to describe a continuous backup or real-time backup of data in which every change that is made to a data set is replicated to a separate storage location (typically over the network). This differs from a traditional backup scheme in that the copies of data are not based on a single point in time when a backup was taken. Instead, when CDP is used, logical objects, such as files, mailboxes, messages, database files, logs, and so on, can be recovered from any point in time based on the replicated data. Based on the CDP concept, DPM protects Windows application and file servers by continuously capturing data changes with application-aware, byte-level agents (installed on protected servers). When data is modified on a data source, these agents create a replica, or copy, of the data. These data replicas are then stored in the storage pool (a set of disks) or custom volumes on the DPM server. As further changes are made to the data source, the agent tracks the changes and then updates the replica by synchronizing the changes to the DPM server at regular defined intervals, which can be used to create a recovery point. In DPM, replicas of data are divided into protection groups.
A protection group is a collection of data sources that share the same protection configuration, such as the following:
• A volume, share, or folder on a desktop computer, file server, or server cluster
• A storage group on an Exchange server or server cluster
• A database of an instance of SQL Server or server cluster
• A SharePoint farm
• A group of workstations
A separate replica is kept for each member of a protection group. Because members have the same protection configuration, they also share the same settings that are common to a protection group (protection policy, disk allocations, replica creation method, and so on). To track changes on a data source, a DPM protection agent continuously watches for block-level changes using the volume filter. This filter is just a bitmap that lives in paged pool memory and includes one bit for every block on the protected volume. As blocks are modified in the volume, a bit is flipped in the bitmap. If the data source is file data, the protection agent uses the volume filter in conjunction with the operating system change journal to track which files have changed (modifications, creations, and deletions) since the last synchronization job (by default, every 15 minutes). If a file has changed, the agent transfers only the changed blocks of data to the DPM server, which are then synchronized with the replica.
If the data source is considered application data (Exchange, SQL Server, SharePoint, and so forth), the protection agent either performs an express full backup or an incremental synchronization (if the application supports it). When the protection agent performs an express full backup (typically once a day), the following process is followed:
1. The volume filter is used to generate a bitmap related to the application data files.
2. Next, the VSS writer is instructed to create a VSS snapshot (basically a frozen set of blocks).
3. Then, the resulting VSS snapshot is compared with the previous (since the initial replica creation or the last express full backup) volume filter bitmap to identify the data that has been modified.
4. The protection agent then synchronizes all of the changed blocks to the DPM server, the VSS snapshot is released, and a recovery point is created on the DPM server.
For transactional-based applications (like SQL Server and Exchange), the protection agent also does an incremental synchronization (by default, every 15 minutes). However, the method by which an incremental synchronization is performed depends on the application that is being protected (the protection agent is application aware), for example:
• With Exchange, an incremental VSS snapshot is created using the Exchange VSS writer. The protection agent then uses the incremental snapshot to copy committed, sequential transaction logs to the DPM server.
• With SQL Server, the protection agent just copies closed transaction logs to the DPM server.
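The change-tracking bitmap described under protection groups and the four express full backup steps above, reduced to a runnable model. This is an added example written for this chapter, not DPM code or Microsoft's agent implementation: the 4-byte block size, the in-memory buffers that stand in for the protected volume, the VSS snapshot and the DPM replica, and the ProtectedVolume and DpmServer names are all assumptions made for illustration.

```python
"""Block-level change tracking and synchronization in the style of the
DPM volume filter (added example; not DPM code).

Assumptions: a 4-byte block size and in-memory buffers stand in for the
protected volume, the VSS snapshot, and the DPM replica."""

BLOCK_SIZE = 4  # constructed toy block size


def block_slice(b: int) -> slice:
    return slice(b * BLOCK_SIZE, (b + 1) * BLOCK_SIZE)


class ProtectedVolume:
    """A protected volume plus the agent's volume-filter bitmap: one bit per
    block, set when any byte in that block is written after the last sync."""

    def __init__(self, data: bytes) -> None:
        if len(data) % BLOCK_SIZE:
            raise ValueError("volume size must be a whole number of blocks")
        self.data = bytearray(data)
        self.nblocks = len(data) // BLOCK_SIZE
        self.bitmap = 0

    def write(self, offset: int, payload: bytes) -> None:
        self.data[offset:offset + len(payload)] = payload
        first = offset // BLOCK_SIZE
        last = (offset + len(payload) - 1) // BLOCK_SIZE
        for b in range(first, last + 1):
            self.bitmap |= 1 << b  # flip the bit for every block touched

    def changed_blocks(self) -> list:
        return [b for b in range(self.nblocks) if self.bitmap >> b & 1]


class DpmServer:
    """Keeps the replica of one data source and its recovery points."""

    def __init__(self) -> None:
        self.replica = bytearray()
        self.recovery_points = []

    def create_initial_replica(self, vol: ProtectedVolume) -> None:
        self.replica = bytearray(vol.data)
        vol.bitmap = 0
        self.recovery_points.append(bytes(self.replica))

    def _apply(self, vol: ProtectedVolume, source) -> int:
        """Copy only the blocks flagged in the bitmap from `source` into the
        replica, then clear the bitmap. Returns the number of blocks sent."""
        changed = vol.changed_blocks()
        for b in changed:
            self.replica[block_slice(b)] = source[block_slice(b)]
        vol.bitmap = 0
        return len(changed)

    def incremental_sync(self, vol: ProtectedVolume) -> int:
        """Ship changed blocks from the live volume. No recovery point is
        taken here; file data gets recovery points on its own schedule."""
        return self._apply(vol, vol.data)

    def express_full(self, vol: ProtectedVolume) -> int:
        """Steps 1-4 from the text: the bitmap is already maintained, freeze a
        snapshot, copy the flagged blocks from that frozen image, release the
        snapshot, and record a recovery point."""
        snapshot = bytes(vol.data)  # stand-in for the VSS snapshot
        sent = self._apply(vol, snapshot)
        del snapshot  # snapshot released
        self.recovery_points.append(bytes(self.replica))
        return sent

    def restore(self, index: int) -> bytes:
        return self.recovery_points[index]


def run_demo() -> dict:
    """Constructed scenario: 8 blocks, two writes, one incremental sync, one
    more write, one express full backup. Returns the figures worth checking."""
    original = bytes(range(8 * BLOCK_SIZE))
    vol, dpm = ProtectedVolume(original), DpmServer()
    dpm.create_initial_replica(vol)
    vol.write(5, b"\xaa\xbb")           # touches block 1 only
    vol.write(14, b"\x01\x02\x03\x04")  # straddles blocks 3 and 4
    incremental = dpm.incremental_sync(vol)
    vol.write(0, b"\xff")               # touches block 0
    full = dpm.express_full(vol)
    return {
        "incremental_blocks_sent": incremental,
        "express_full_blocks_sent": full,
        "recovery_points": len(dpm.recovery_points),
        "replica_matches_volume": bytes(dpm.replica) == bytes(vol.data),
        "first_recovery_point_is_original": dpm.restore(0) == original,
        "bitmap_clear_after_sync": vol.bitmap == 0,
    }


if __name__ == "__main__":
    print(run_demo())
```

Running run_demo() shows the point of the bitmap: after two writes that touch three of the eight blocks, the incremental synchronization ships three blocks rather than the whole volume, and the express full backup after one more write ships a single block. Recovery points are plain copies of the replica in this model; in DPM they are VSS snapshots on the storage pool, which is why the snapshot limits discussed under planning constrain how many recovery points a protection group can keep.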
Data Protection Manager Background
Data Protection Manager is in its third major edition with the 2010 release of the product. Additionally, two intermediate service packs have introduced new functionality. Details about each major release and the intermediate service pack releases are as follows.
Data Protection Manager 2006
Data Protection Manager was released September 27, 2005. This first version introduced the world to Microsoft's vision of continuous data protection for application and file servers using seamlessly integrated disk and tape media. However, with this release, functionality was limited to only protecting file servers residing in the same Active Directory domain.
Data Protection Manager 2006 SP1
In October 2006, Microsoft released SP1 for Data Protection Manager 2006. Some of the new features included in this service pack include the following:
• Support for 64-bit protection
• Support for Windows Server 2003 R2
• Support for clustered servers
• Protection for SIS-enabled servers
• Microsoft Update opt-in support
• Changes to the disk allocation formula
Data Protection Manager 2007
Released in October 2007, Data Protection Manager 2007 drastically improved the capabilities of the DPM product line. Most notable of the new features in this release was the added support for Exchange Server, SQL Server, and SharePoint. In addition, DPM 2007 also introduced native support for tape backups and the concept of zero data loss application recovery. Some of the new features or changes included in this release are as follows:
• Built-in support for tape-based backup and archive
• Protection of:
  • Exchange Server 2003 SP2 and Exchange Server 2007 (includes Cluster Continuous Replication [CCR] and Local Continuous Replication [LCR] clusters)
  • SQL Server 2000 SP4 and SQL Server 2005 SP1 or greater (includes 2005-based mirrored clusters)
  • Office SharePoint Server 2007 and WSS 3.0
  • Virtual Server 2005 R2 SP1 and its virtual machines
  • Windows Server 2008
  • Files on Windows-based PCs (Windows XP Professional SP2 and all Windows Vista Editions except the Home Edition)
  • Files and application data on clustered servers
  • System State for protected file and application servers
• Introduction of zero data loss restoration for application data
• Support for protection across domains
• Disaster recovery support (DPM protecting a DPM server)
• Introduction of the DPM Management Shell (based on PowerShell)
• Support for end-user-based recoveries
• Support for bare metal recoveries
• Functionality changes from DPM 2006:
  • Synchronization frequency was increased from hourly to every 15 minutes.
  • Administrators had to be members of the administrators group to access the DPM Administrator Console.
  • No support is available for protecting file servers running Windows 2000 Server.
  • DPM 2007 supported RAID using the new custom volumes feature.
NOTE When protecting workstations or laptops using DPM 2007, these machines not only had to be domain members, but they also had to be consistently connected to the corporate network at all times through a reliable network connection.
Data Protection Manager 2007 SP1
In January 2009, Microsoft released SP1 for Data Protection Manager 2007. Some of the new features included in this service pack are as follows:
• Support for SharePoint Server 2003 and WSS 2.0
• Enhancements to how Office SharePoint Server and WSS are protected (includes index protection, significant catalog optimization, and support for mirrored content databases)
• Support for both Hyper-V guest-based and host-based protection
• Support for Exchange Server Standby Continuous Replication
• Support for SQL Server 2008 (includes support for parallel backups of databases within a single instance and the ability to move data from SQL Server 2005 to SQL Server 2008 for migration scenarios)
• Introduction of local data source protection (DPM can now protect its own file services and virtualization hosting.)
• Support for cross-forest data protection
• Support for third-party vaulting partners via the cloud (SaaS)
NOTE In addition to the service pack, Microsoft also released a DPM management pack, which allowed System Center Operations Manager 2007 to monitor and manage DPM deployments.
Data Protection Manager 2010
The next major version, Data Protection Manager 2010, was released during the first half of 2010. This release contains a number of improvements over the 2007 SP1 release of DPM. For example, DPM 2010 has improved client protection, which can take place while the machines are online or offline. In addition, this version can protect virtual machines that are moved across Cluster Shared Volumes on Windows Server 2008 R2 Hyper-V using the Live Migration feature. Some of the other new features or changes included in this release are as follows.
Continuous Data Protection of Windows application and file servers:
• Windows Server from 2003 through 2008 R2
• SQL Server 2000 through 2008
• Exchange Server 2003 through 2010
• SharePoint Server 2003 through 2010
• Dynamics AX 2009
• Essential Business Server 2008 and Small Business Server 2008
• SAP running on SQL Server
New protection and recovery capabilities:
• For SQL Server, a single DPM server can protect up to 2,000 databases. Authorized DBAs can restore data themselves using the new self-service restore capability. Also, entire instances of SQL Server can be protected where all new databases are automatically protected.
• For SharePoint, all new content databases are automatically protected. Additionally, for SharePoint 2010 servers, a recovery farm is no longer needed to do individual item recovery.
• The ability to protect machines that are in a workgroup or in an untrusted domain.
Protection and recovery support for the following Microsoft virtualization environments:
• Microsoft Virtual Server 2005 R2
• Windows Server 2008 through R2 with Hyper-V
• Protection of Live Migration-enabled servers running on CSV in Hyper-V R2
• Protection of virtual machines from Windows guests or from the hypervisor host
• Ability to restore virtual machines to an alternate host
Windows client protection:
• Protection of Windows XP through Windows 7
• Centralized policy management from DPM 2010; backups can occur while laptops are online or offline
• Ability to perform restores while online or offline
• Improved intelligent and customizable filtering to ensure relevant data is protected
Scalability, reliability, and manageability:
• Ability for a single DPM server to protect up to 100 servers, 1,000 laptops, or 2,000 databases
• Improved autoprotection, autohealing, and reduced alerting for a more "fire-and-forget" experience
• Enhanced disaster recovery options
Data Protection Manager Prerequisites
This section describes the hardware, operating system, and software requirements that must be met before installing and using System Center Data Protection Manager 2010.
Hardware Requirements
Table 10.1 shows the minimum and recommended hardware requirements for Data Protection Manager 2010.

TABLE 10.1 DPM 2010 Hardware Requirements
Component         Requirement
Processor speed   Minimum: 1GHz; Recommended: 2.33GHz quad-core
Memory            Minimum: 512MB; Recommended: 4GB
Disk space        System volume: 1GB; DPM installation: 1.2GB; Database files drive: 900MB
Supported Operating Systems
The following operating systems are supported by Data Protection Manager 2010:
• Windows Server 2008, Standard and Enterprise Editions
• Windows Server 2008 R2, Standard and Enterprise Editions
Remote SQL Instance Requirements
Data Protection Manager 2010 supports the following versions of SQL Server:
• SQL Server 2008, Standard or Enterprise Editions
Software Requirements
The following software requirements must be met before installing Data Protection Manager 2010:
• Microsoft PowerShell 2.0
• Microsoft .NET Framework 3.5 Service Pack 1
• Windows Installer (MSI) 4.5
• Windows Single Instance Store (SIS)
NOTE To install Data Protection Manager, the computer must be a member of a domain, it cannot be a Microsoft System Center Operations Manager management server or an Active Directory domain controller, and cluster services must not be enabled. Additionally, you must have administrative privileges.
Planning a Data Protection Manager Deployment
Deploying any information system can be a very challenging task. Unfortunately, DPM is no exception, as there are many different factors, both business and technical related, that need to be considered when planning a DPM deployment. Compounding this task is the reality that any DPM deployment plan needs to be well thought out to be successful. Although Microsoft has attempted to make DPM as easy as possible to deploy and use, this also happens to be its Achilles' heel. It is very easy for an IT professional to get DPM up and working and very quickly reach a point where the storage sizing, DPM server performance, protection groups, and so on were all afterthoughts, thus causing administration issues or, worse, resulting in data loss. This section describes the steps that should be taken to plan a Data Protection Manager deployment. The steps that are provided include step-by-step instructions and best-practice design advice with the goal of helping IT professionals avoid planning mistakes that can prove to be costly and difficult to correct.
Step One: Understand the Environment
The first step of the DPM planning process is to understand the environment that the deployment will take place in. To complete this step, you should review the architecture for information systems in your organization by reviewing their relevant design documents, performing discovery sessions with the owners of systems, and reviewing the status of the systems in real time. Items that you should pay particular attention to during this phase of the design include the following:
• The current Active Directory forest design
• The current network topology and available bandwidth
• A thorough understanding of any existing data protection solutions
• A thorough understanding of any planned/pending organizational changes (business acquisitions or diversifications)
• Awareness of applications that will be retired, replaced, or upgraded
• Awareness of any new applications that will be introduced into the environment
Step Two: Define the Project Scope
The next step of the DPM planning process is to define the scope of the DPM deployment project. While completing this task, it is important to ensure that the goals of the project are aligned to the business requirements for data protection, business continuity, and disaster recovery. To begin this process, use the information gathered from the first step of the planning process to identify the information systems that should be protected using DPM. Once you have completed that task, you should then meet with the owners of those systems and determine the business requirements for protecting data. At this stage of the planning process, the requirements that you should be gathering for each system include the following:
• Data loss tolerance—What is the acceptable amount of data loss that can be tolerated by the information system? The value for this parameter should be specified in a unit of time (minutes, hours, or days).
• Retention range—How long should the protected data be stored? The value for this parameter should be specified in a unit of time and based on what the recovery requirements are for the data that is being protected. For example, in some cases, regulatory and compliance requirements might require the data to be retained for years.
• Data recovery speed—What is the acceptable data recovery speed? Again, the value for this parameter should be specified in a unit of time. However, to accurately represent this parameter, you need to take into consideration the difference between a system being restored to a serviceable level and the recovery of that system's data. In some cases, these might be two different recovery objectives.
• End-user recovery—Is there a requirement to allow end users to recover their data?
• Disaster recovery—Is DPM being deployed as part of a business continuity plan (BCP) or disaster recovery plan (DRP)?
This is very important to understand because the information contained in a BCP or DRP will help determine when a system needs to be operational again, where recovery data should be stored, and if DPM itself will need to be protected.
• Protected data—Last, but not least, work with the system owners to develop a very clear understanding of the data that must be protected and its location. After all, DPM is not a general-purpose backup tool. As such, you need to be able to map the capabilities of DPM onto the data protection needs of the information system you are trying to protect.
Step Three: Design the Protection Groups
The third step in the DPM planning process is to map out a logical design for the membership and configuration of the protection groups. To complete this step, the first task you need to complete is to take the data sources that DPM will be protecting (identified in step two) and then group them together (protection groups), for example:
• The System State for a certain collection of servers
• A collection of ERP databases that resides on a SQL Server 2008 cluster
• An Exchange Server 2010 DAG
• File data that resides on a collection of Windows 7 and Windows Vista machines
• File data that resides in a DFS namespace
• An Office SharePoint 2010 farm
Once you have outlined your protection groups, your next task is to determine what the recovery goals should be for each group. Keep in mind that not every data source has the same requirements for backup and recovery. Therefore, the level of protection for each protection group should be based on realistic recovery goals that were determined based on the business needs for protection of that data.
NOTE The remaining planning steps in this section assume that disk-to-disk-to-tape (D2D2T) data protection is being used. Although it is perfectly feasible to use disk-to-tape-to-tape (D2T2T) data protection, most enterprise data protection scenarios are better served using short-term, disk-based protection.
For example, based on the information that was collected during the second step of the DPM design process, you might have the following requirements for Exchange data:
• A data loss tolerance of only 30 minutes
• A data retention requirement of 5 years
• A system recovery requirement with some data of one day
Based on this information, you need to define your short-term disk recovery goals in terms of retention range, synchronization frequency, and recovery point schedule:
• Retention range—The value for this parameter should be specified as a unit of time, which controls how long a recovery point should be retained by the DPM server. Once the age of a recovery point has exceeded the specified retention range, it is deleted from the storage pool.
• Synchronization frequency—The value for this parameter should be specified as a unit of time, which controls how often the protection agent will send the block-level updates to the DPM server. Synchronization for a protection group can occur as frequently as every 15 minutes or much less often, depending on the stated data loss tolerance requirement for the data that is being protected.
• Recovery point schedule—The value for this parameter should be specified as a unit of time, which controls how often recovery points are created. Recovery points for a protection group can be created as frequently as every 15 minutes or much less often, depending on the stated data loss tolerance requirement for the data that is being protected.
It is important to remember, as discussed in the "What Is System Center Data Protection Manager?" section, that the synchronization process and the resulting recovery point schedule differ slightly in DPM depending on the type of data that is being protected. Additionally, DPM tries to guide you through the process of defining these values, both based on what is technically possible and what makes sense. For example, there are certain VSS limitations that help shape what the retention range, synchronization frequency, and recovery point schedule can be. With VSS, there can only be up to 512 snapshots that simultaneously exist for the same volume. Of these 512 snapshots, a maximum of 64 snapshots can be used for the shadow copies for the Shared Folders feature. So the total number of recovery points is limited to 512 for application servers and 64 for file servers. Additionally, of the 512 snapshots available to applications, DPM reserves the ability to use 64 snapshots for any file protection that might occur in a storage group that is being used to protect application data. Therefore, recovery goal options for short-term disk protection are limited to the values shown in Table 10.2.

TABLE 10.2 Short-Term Disk Recovery Options
Protection Method           Recovery Goals
Retention range             1-448 days
Synchronization frequency   Between 15 minutes and 24 hours, or just before a recovery point
Recovery points             For files, recovery points are created based on the defined schedule; for applications, they are created after each synchronization
Next, you need to define the long-term recovery goals in terms of retention range, frequency of backup, and recovery point schedule:
• Retention range—The value for this parameter should be specified as a unit of time (between 1 day and 99 years), which controls how long a recovery point should be retained on a tape.
• Frequency of backup—The value for this parameter should be specified as a unit of time, which controls how often full backups are performed. If the retention range is 1-99 years, backups can occur daily, weekly, biweekly, monthly, quarterly, half-yearly, or yearly. For a retention range between 1-11 months, backups can occur daily, weekly, biweekly, or monthly. And, for a retention range of 1-4 weeks, backups can occur daily or weekly.
• Recovery point schedule—Depending on the retention range and backup frequency, DPM recommends a recovery point schedule. If needed, you can further customize the recovery point schedule to meet your needs.

The last step in planning your protection groups is to describe their configuration using a logical format based on the information that you have gathered so far. For example, you might want to use a form, as shown in Table 10.3.

TABLE 10.3 Protection Group Planning Checklist

Parameter                               Value
Protection group name                   The name for the protection group
Machines/Resources                      A list of machine or resource names that hold the data that will be protected by this protection group
Type of data                            Application data or file data
Approximate size                        An estimate of the current size of the data
Rate of change                          An estimate of how often the data changes
Protection method                       D2D2T or D2T2T
Short-term retention range              The predetermined short-term retention range value
Short-term synchronization frequency    The predetermined short-term synchronization frequency value
Short-term recovery point schedule      The predetermined short-term recovery point schedule value
Long-term retention range               The predetermined long-term retention range value
Long-term frequency of backup           The predetermined long-term frequency of backup
Replica creation method                 Automatic or Manual
Custom volume requirement               True or False
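The VSS snapshot limits and the retention bands described above can be turned into a planning check that is run before the values from the checklist are typed into the wizard. The following Python script is an added example written for this section, not code from the chapter or from the DPM product team; it encodes the chapter's stated rules (64 file and 512 application snapshots, the 1-448 day short-term range, the 15-minute to 24-hour synchronization range, and the long-term retention bands) and assumes a recovery point schedule can be expressed as points per week.

```python
"""Planning checks for DPM 2010 protection group recovery goals.

Constructed example: it encodes the limits stated in the planning section so
a proposed protection group can be checked before it is entered into the
Create New Protection Group Wizard. Expressing a recovery point schedule as
"points per week" is an assumption made here, not a DPM setting.
"""
from dataclasses import dataclass

# VSS limits quoted in the chapter: 512 snapshots per volume, 64 of which are
# reserved for Shared Folders shadow copies, so file data gets 64 recovery
# points and application data gets 512.
MAX_RECOVERY_POINTS = {"file": 64, "application": 512}

# Short-term disk bounds from Table 10.2.
MAX_RETENTION_DAYS = 448
MIN_SYNC_MINUTES = 15
MAX_SYNC_MINUTES = 24 * 60
MINUTES_PER_WEEK = 7 * 24 * 60

# Long-term tape bands: (unit, lowest value, highest value, frequencies offered).
LONG_TERM_BANDS = (
    ("weeks", 1, 4, ("daily", "weekly")),
    ("months", 1, 11, ("daily", "weekly", "biweekly", "monthly")),
    ("years", 1, 99, ("daily", "weekly", "biweekly", "monthly",
                      "quarterly", "half-yearly", "yearly")),
)


@dataclass(frozen=True)
class ShortTermGoal:
    data_type: str        # "file" or "application"
    retention_days: int   # retention range
    sync_minutes: int     # synchronization frequency; 0 = "just before a recovery point"
    points_per_week: int  # recovery point schedule (used for files, and for
                          # applications only when sync_minutes is 0)


def retained_recovery_points(goal: ShortTermGoal) -> int:
    """Snapshots kept on disk once the retention range is full.

    Files: the scheduled points per week over the retained weeks.
    Applications: one recovery point after each synchronization, as the
    chapter states, so the schedule follows from the sync frequency.
    """
    if goal.data_type == "application" and goal.sync_minutes:
        per_week = MINUTES_PER_WEEK // goal.sync_minutes
    else:
        per_week = goal.points_per_week
    # ceil(per_week * retention_days / 7) using integer arithmetic only.
    return (per_week * goal.retention_days + 6) // 7


def max_retention_days(data_type: str, points_per_week: int) -> int:
    """Longest retention range whose recovery points fit under the VSS limit
    at the given schedule, capped at the 448 days of Table 10.2."""
    if points_per_week < 1:
        raise ValueError("schedule must create at least one point per week")
    limit = MAX_RECOVERY_POINTS[data_type]
    return min(MAX_RETENTION_DAYS, limit * 7 // points_per_week)


def check_short_term(goal: ShortTermGoal) -> list:
    """Return the rules a short-term disk goal breaks (empty list = acceptable)."""
    if goal.data_type not in MAX_RECOVERY_POINTS:
        return [f"unknown data type {goal.data_type!r}"]
    problems = []
    if not 1 <= goal.retention_days <= MAX_RETENTION_DAYS:
        problems.append(f"retention range {goal.retention_days} days is outside "
                        f"1-{MAX_RETENTION_DAYS} days")
    if goal.sync_minutes and not MIN_SYNC_MINUTES <= goal.sync_minutes <= MAX_SYNC_MINUTES:
        problems.append(f"synchronization every {goal.sync_minutes} minutes is outside "
                        f"{MIN_SYNC_MINUTES} minutes-24 hours")
    points = retained_recovery_points(goal)
    limit = MAX_RECOVERY_POINTS[goal.data_type]
    if points > limit:
        problems.append(f"{points} retained recovery points exceed the {limit}-snapshot "
                        f"VSS limit for {goal.data_type} data")
    return problems


def long_term_frequencies(value: int, unit: str) -> tuple:
    """Backup frequencies DPM offers for a long-term tape retention range."""
    for band_unit, low, high, frequencies in LONG_TERM_BANDS:
        if unit == band_unit and low <= value <= high:
            return frequencies
    raise ValueError(f"no long-term band covers {value} {unit}")


if __name__ == "__main__":
    # Constructed planning inputs for a generic file server and an application.
    plans = [
        ShortTermGoal("file", 10, 15, 14),        # two points a day for 10 days
        ShortTermGoal("file", 448, 15, 1),        # one weekly point for 448 days
        ShortTermGoal("application", 6, 15, 0),   # 15-minute sync kept for 6 days
    ]
    for plan in plans:
        print(plan, retained_recovery_points(plan), check_short_term(plan) or "OK")
    print("file data, one point a day:", max_retention_days("file", 7), "days max")
    print("4 weeks on tape:", long_term_frequencies(4, "weeks"))
```

With one recovery point a day, max_retention_days("file", 7) comes out at 64 days, the same upper bound the Specify Short-Term Goals page offers later in the chapter, while one weekly point reaches the 448-day ceiling of Table 10.2.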
Step Four: Calculate the Storage Requirements

The fourth step in the DPM planning process is to calculate the storage requirement for the DPM deployment. Unfortunately, correctly calculating the exact amount of storage that DPM will require happens to be a bit of a dark art. To help administrators through this very difficult process with Data Protection Manager 2007, the DPM product team provided a set of storage calculators and a volume sizing tool. However, with Data Protection Manager 2010, a number of underlying changes have been designed to increase the scalability of a single DPM server, for example:
• Support for growth of storage volumes as required
• Support for 100 servers, 1,000 laptops, and 2,000 databases per DPM server
• Support for up to 80TB per DPM server
• An overall increased ability to fan-in a large number of data sources

Therefore, the current storage calculators and volume sizing tool that were created for Data Protection Manager 2007 are no longer valid. Luckily, the DPM product team has already created the next generation of tools that can be used to calculate DPM storage requirements. You can download the storage calculators for DPM 2010 (Hyper-V, SharePoint, and Exchange environments) here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=c136c66c-bd4a-4fb1-8088-f610cd02dc51.

NOTE DPM can be deployed onto a virtual machine. However, when a virtual machine is used, the storage pool must be connected by using pass-through disks or iSCSI.
Step Five: Design the DPM Server

The last step in the DPM planning process is to design the DPM server. To complete this step, you must first determine how many DPM servers are required and where they should be physically located in relation to the data they are protecting. The best method to calculate the number of servers needed is to again use the DPM 2010 storage calculators. These calculators are Excel spreadsheets where you can enter information about the application data you are protecting and they will then provide recommendations such as the following:
• The recommended number of DPM servers needed
• The recommended number of processor cores per DPM server needed to support DPM
• The recommended RAM configuration per DPM server needed to support the DPM activities
• The recommended virtual memory configuration per DPM server needed to support DPM activities
• The total storage capacity needed

When using these storage calculators, remember that they are application specific. Therefore, the recommendations that they make only apply to protecting the application data that the storage calculator was created for. For example, the Exchange storage calculator only provides recommendations about protecting Exchange data, the SharePoint storage calculator only provides recommendations for SharePoint data, and so on. With this in mind, the data taken from these storage calculators should be combined to determine a base set of requirements for your DPM servers. These requirements should then be modified to include other considerations such as the following:
• Operating system limitations
• Nonsupported installation scenarios:
  • Domain controllers
  • Exchange servers
  • Operations Manager management or Gateway servers
• The criticality of the data that a DPM server will be protecting
• Performance bottleneck and load distribution associated with synchronization frequencies and restoration activities
• Legal or compliance reasons for data separation
• Proximity to data sources and storage systems
• Ease of administration
• Any disaster recovery requirements
Deploying Data Protection Manager

This section covers the steps needed to perform a basic Data Protection Manager 2010 deployment. Once you have completed this section, you will understand how to meet any software requirements, install the DPM application software, deploy the protection agent, configure the storage pool, and complete other required DPM configuration tasks for a basic deployment.
Preparing the Data Protection Manager Server

Before the DPM installation can be started, the base Windows operating system needs to be installed. With the Data Protection Manager 2010 release, the preferred server operating system is Windows Server 2008 R2. However, as noted in the "Supported Operating Systems" section earlier in this chapter, Data Protection Manager 2010 can also be installed on Windows Server 2008. After the base server operating system has been installed and the latest updates have been applied, the next task is to join the server to the domain and then ensure all of the software requirements are met, as noted in the "Software Requirements" section earlier in this chapter.
NOTE The DPM installation wizard will install the Windows Single Instance Store (SIS), Microsoft .NET Framework 3.5 Service Pack 1, and Visual C++ Redistributable 2008 if any of these components are not installed beforehand.
Preparing the Remote SQL Instance

If you plan to use a remote SQL instance for your DPM installation, you need to ensure that the following features are installed:
• Database Engine services (both subsections)
• Reporting Services
• Management Tools—Basic
• Management Tools—Complete
• SQL Client connectivity SDK

Once the remote SQL instance has been installed, you also need to ensure the following:
• Reporting Services is configured and linked to the remote SQL instance.
• The SQL Agent service is running.
• A Windows Firewall exception is created for SQLServer.exe.
• The Named Pipes protocol is enabled.
• The DPM SQLPrepInstaller package has been installed.
Running the Data Protection Manager Installation

After meeting all of the hardware, operating system, and software requirements, the next step in your deployment is to execute the DPM Setup Wizard to complete a basic DPM installation. To start the installation, log on to the DPM server using a domain user account that is a member of the local administrators group. Then execute the DPM Setup Wizard (setup.exe) from the installation media or an ISO file, or use a copy of the setup files from a shared network location. Once the wizard has started, use the following steps to complete the installation:
1. In the Data Protection Manager 2010 window, as shown in Figure 10.1, select the Install Data Protection Manager option.
2. When prompted with the Microsoft Software License Terms dialog box, select the I Accept the License Terms and Conditions check box, and then click OK. This starts the DPM Setup Wizard.
3. On the Welcome page, click Next.
FIGURE 10.1 Starting the DPM Setup Wizard.
4. On the Prerequisites Check page, the DPM Setup Wizard completes a prerequisites check for all required hardware and software. Once the check has finished, the Setup Wizard either permits the installation to continue by displaying a confirmation and allowing you to click Next to continue, or if one or more requirements or recommendations have not been met, the Setup Wizard displays a warning or error message. If this occurs, you are either allowed to continue the installation by clicking Next, or you are prevented from continuing until any noted requirements have been met. An example of this behavior is shown in Figure 10.2.

NOTE If the DPM Setup Wizard installs any prerequisite software and a restart is required, restart the DPM server and then start the DPM Setup Wizard again.

5. On the Product Registration page, enter the product registration information for your organization, and then click Next.
6. On the Installation Settings page, you can either use the default folder location or modify the installation path to meet your needs. If you plan to use the built-in instance of SQL Server, use the default SQL Server option. However, if you plan to use a remote SQL instance, select the Use an Existing Instance of SQL Server 2008 option, and then click Next.
7. On the SQL Settings page, provide the name for the remote SQL instance and the user credentials that will be used to connect to that instance, and then click Next.
FIGURE 10.2 The Prerequisites Check page.
8. On the Security Settings page, provide a strong password for the DPMR$
9. On the Microsoft Update Opt-In page, select the desired Microsoft Update service option, and then click Next.
10. On the Customer Experience Improvement Program page, select the desired Customer Experience Improvement Program option, and then click Next.
11. On the Summary of Settings page, review the summary of installation settings, and then click Install.
12. Once the installation has completed, the Installation page is shown. Click Close, and then restart the DPM server to complete the installation.
Completing Required Configuration Tasks

Before DPM can be used to protect data in your environment, you must complete the following required configuration tasks.

Adding Disks to the Storage Pool

As mentioned previously in this chapter, DPM stores replicas and recovery points of protected data using a storage pool (a set of disks). When adding a new storage pool, keep the following requirements in mind:
• A USB/1394 disk cannot be used.
• The disk cannot have the DPM installation on it.
• The disk can only use space on volumes that are created for the storage pool.

Use the following steps to add a new disk to the storage pool using the DPM 2010 Administrator Console:
1. Log on to the DPM server using a domain user account that is a member of the local administrators group.
2. Next, open the DPM 2010 Administrator Console using either the desktop or Start menu icon.
3. Once the console has loaded, on the navigation bar, click Management, and then select the Disks tab.
4. In the Actions pane, click Add.
5. Once the Add Disks to Storage Pool dialog box opens, select the desired disk, click Add, and then click OK.
6. The disk is then added to the DPM storage pool, as shown in Figure 10.3.

You can also add a new disk to the storage pool using the DPM Management Shell:
1. Log on to the DPM server using a domain user account that is a member of the local administrators group.
2. Next, open the DPM 2010 Management Shell using either the desktop or Start menu icon.
3. Now execute the following command:

Get-DPMDisk -DPMServerName <DPM server name>

4. Using the NtDiskID value from the desired disk object that is returned from the Get-DPMDisk cmdlet, execute the following command:

Get-DPMDisk -DPMServerName <DPM server name> | where { $_.NtDiskID -eq <NtDiskID> } | Add-DPMDisk

5. Lastly, verify that the disk has been added to the storage pool using the following command:

Get-DPMDisk -DPMServerName <DPM server name> | where { $_.NtDiskID -eq <NtDiskID> } | select Name, NtDiskID, IsInStoragePool
FIGURE 10.3 Adding a disk to the DPM storage pool.
NOTE If you plan to only use disk-to-tape protection or custom volumes to protect data, adding a disk to the storage pool is not a requirement.
Configuring Tape Libraries

If you plan to use tape libraries or standalone tape drives for short-term and long-term data protection on tape, you need to physically attach the tape devices to the DPM server. Next, complete the following steps to add the tape library or standalone tape drives using the DPM 2010 Administrator Console:
1. Log on to the DPM server using a domain user account that is a member of the local administrators group.
2. Next, open the DPM 2010 Administrator Console using either the desktop or Start menu icon.
3. Once the console has loaded, on the navigation bar, click Management, and then select the Libraries tab.
4. In the Actions pane, click Rescan. The rescan operation might take a couple of minutes; let the scan complete.

During a rescan, DPM examines the attached tape devices and updates the information that is displayed on the Libraries tab in the DPM Administrator Console, as shown in Figure 10.4. If at any point you add or remove a tape device, the rescan operation will need to be rerun.
FIGURE 10.4 Scanned tape library.
Deploying the Protection Agent

Before data from a data source (machine) can be protected, you must first install a protection agent. These agents are responsible for identifying data that can be protected, tracking changes to that data, and transferring the changes from the protected data source to the DPM server. To deploy the protection agent, you must first ensure that the intended computer meets the following set of prerequisites:
• The computer must have a supported version of Windows for the protection agent, as noted in the "Data Protection Manager Background" section earlier in this chapter.
• Protected volumes must be formatted as NTFS and be at least 1GB.
• A protected computer's fully qualified domain name (FQDN) should not have more than 400 characters.
• For Windows Server 2003 and Windows XP machines, you might need to apply the KB940349 ("Availability of a Volume Shadow Copy Service (VSS)") update rollup package for Windows Server 2003 to resolve some VSS snapshot issues.
• Also for Windows Server 2003 and Windows XP machines, you might need to install the Shadow Copy Client (ShadowCopyClient.msi).

After meeting the prerequisites, you can deploy the protection agent to computers using two different methods. The steps for the first method, using the DPM 2010 Administrator Console, are as follows:
1. Log on to the DPM server using a domain user account that is a member of the local administrators group.
2. Next, open the DPM 2010 Administrator Console using either the desktop or Start menu icon.
3. Once the console has loaded, on the navigation bar, click Management, and then select the Agents tab.
4. In the Actions pane, click Install. This starts the Protection Agent Installation Wizard.
5. On the Select Agent Deployment Method page, you are given two options, as shown in Figure 10.5. The Install Agents option is used to completely install the protection agent on a computer. The Attach Agents option is used to just add a protected computer's object to the DPM server. This option is useful for scenarios that require the agent to be installed manually. For the purpose of this procedure, select the Install Agents option and click Next.
FIGURE 10.5 Protection Agent Installation Wizard (Select Agent Deployment Method page).
6. On the Select Computers page, you can either select one or more computers from the Computer Name list (50 maximum) or type the name of the computer in the Computer Name box and click Add. Once you have added all of the desired computer names to the Selected Computers list, click Next.
NOTE To find a computer from a different domain, you must use the fully qualified domain name (FQDN).
7. On the Enter Credentials page, provide the credentials for a domain user account that has local administrator rights on all the computers being added, and then click Next.
8. If you selected a node in a server cluster, DPM detects the additional nodes in the cluster and displays the Select Cluster Nodes page. On this page, select the option that you want DPM to use for selecting the remaining nodes in the cluster, and then click Next.
9. On the Choose Restart Method page, select the option you want DPM to use to restart the computers after the protection agent is installed, and click Next. All computers (except a DPM server) must be restarted when the protection agent is installed. A restart is required so that the DPM volume filter can be loaded. Until this filter is loaded, you cannot start protecting data on a computer.

NOTE DPM will not restart servers that belong to a cluster. For these servers, you must manually restart them after installing the protection agent.

10. On the Summary page, click Install to begin the installation.
11. On the Installation page, the status of the protection agent installation is shown. At any time during the agent installation, you can click Close and continue to monitor the installation progress on the Agents tab. Additionally, if an error is encountered during the installation, you can either review the error message on the Installation page or in the Monitoring task area on the Alerts tab in the DPM Administrator Console.

The second method for deploying the protection agent is through a manual installation. Manual installations are typically done when a machine is behind a firewall, the agent is being incorporated into a server image, or the remote installation of the agent using the DPM Administrator Console is not possible. An example of such a scenario is shown in Figure 10.6. In Figure 10.6, the protection agent installation failed on File1 because Windows Firewall is enabled without the needed rules to allow the remote installation to proceed. To work around this issue, you can either modify the Windows Firewall settings on File1 or perform a manual installation.

FIGURE 10.6 Remote protection agent installation failure.

To complete a manual installation of the protection agent, use the following steps:
1. Copy the protection agent installer (DPMAgentInstaller.exe or DPMAgentInstaller_x64.exe) from the Agents folder in the DPM 2010 installation media to the intended machine (in this case, File1).
2. Next, open a command prompt and execute the installer using the following command:

DPMAgentInstaller.exe <DPM server name>

(or DPMAgentInstaller_x64.exe <DPM server name> on 64-bit machines)

NOTE Performing a manual installation of the protection agent does the following:
• Installs the protection agent prerequisites and the DPM protection agent
• Configures the target computer to be managed from the specified DPM server name
• Makes any needed Windows Firewall changes to allow outbound and inbound communications with the DPM server
Once the protection agent has finished installing, you then need to attach the computer to the DPM server. You can either complete this task using the DPM Administrator
Console or by using the DPM Management Shell. Use the following steps to complete this task using the DPM Administrator Console:
1. Log on to the DPM server using a domain user account that is a member of the local administrators group.
2. Next, open the DPM 2010 Administrator Console using either the desktop or Start menu icon.
3. Once the console has loaded, on the navigation bar, click Management, and then select the Agents tab.
4. In the Actions pane, click Install. This starts the Protection Agent Installation Wizard.
5. On the Select Agent Deployment Method page, select the Attach Agents option, ensure the Computer on an Active Directory Domain option is selected, and then click Next.

NOTE If the machine you are adding is in a workgroup or in an untrusted domain, use the Computer in Workgroup or Untrusted Domain option. This option can be used to protect workgroup machines and machines in untrusted domains within your intranet for the following scenarios:
• File servers
• System state
• SQL Server
• Exchange Server
• Hyper-V
• Small Business Server
You cannot use this option for the following scenarios:
• Clustered servers (except for Exchange Server 2010)
• Mirrored servers
• SharePoint
• Laptops
• Bare-metal restores
• End-user recovery

6. On the Select Computers page, you can either select one or more computers from the Computer Name list (50 maximum) or type the name of the computer in the Computer Name box and click Add. Once you have added all of the desired computer names to the Selected Computers list, click Next.
7. On the Enter Credentials page, provide the credentials for a domain user account that has local administrator rights on all the computers being added, and then click Next.
8. On the Summary page, click Attach to complete the attachment process.
9. On the Installation page, the status of the protection agent attachment is shown. At any time during the agent attachment, you can click Close and continue to monitor the attachment progress on the Agents tab. Additionally, if an error is encountered during the attachment process, you can either review the error message on the Installation page or in the details section for protected computer objects in the DPM 2010 Administrator Console.

The other method to attach a computer to the DPM server is to use the DPM Management Shell and the Attach-ProductionServer.ps1 script, as described in the following process:
1. Log on to the DPM server using a domain user account that is a member of the local administrators group.
2. Next, open the DPM 2010 Management Shell using either the desktop or Start menu icon.
3. Now execute the following command:

Attach-ProductionServer.ps1 <DPM server name> <protected computer name> <user name> <password> <domain>

4. When prompted, provide the password for the user credentials being used.

Creating Protection Groups

As mentioned previously in this chapter, a protection group is a collection of data sources that share the same protection configuration. Before data can be protected by DPM, you must create at least one protection group. To complete this task, you need to use the Create New Protection Group Wizard, which guides you through the process of setting up a new protection group. The steps involved with using this wizard are as follows:
1. Log on to the DPM server using a domain user account that is a member of the local administrators group.
2. Next, open the DPM 2010 Administrator Console using either the desktop or Start menu icon.
3. Once the console has loaded, on the navigation bar, click Protection, and then in the Actions pane, click Create Protection Group.
4. The Create New Protection Group Wizard starts, as shown in Figure 10.7. On the Welcome to the New Protection Group Wizard page, click Next.
5. On the Select Protection Group Type page, you are given the option of creating two different kinds of protection groups. For the purpose of these steps, select the Servers option and then click Next.

NOTE Specific steps for creating protection groups for Exchange Server, SQL Server, SharePoint, clients, and so on are provided in Chapter 11, "Using Data Protection Manager 2010 to Protect File Systems, Exchange, SQL, and SharePoint." For the purpose of these steps, a protection group is being created for a generic file server.
FIGURE 10.7 Create New Protection Group Wizard.
6. On the Select Group Members page, use the interface to add members into the protection group. To do this, expand the desired server node to expose its data sources. Next, select each data source that you want to add into the protection group by placing a check mark in the box next to it. An example of this process is shown in Figure 10.8.

NOTE When adding members to a protection group, the following considerations or recommendations should be noted:
• Data sources already added to another protection group are displayed but cannot be selected.
• For data that is on a system volume, it is recommended that the individual folders or shares be protected instead of the entire volume.
• SQL Server database snapshots cannot be protected.
• SharePoint databases cannot be protected as a SQL Server data source. Instead, they should be included as part of a SharePoint protection group.
• A separate individual tape is required for each protection group, as protection groups cannot share a tape.
FIGURE 10.8 Adding members to a protection group.
7. Once you have finished selecting the desired data sources, click Next.
8. On the Select Data Protection Method page, type a new name for the protection group in the Protection Group Name box, and then choose the desired protection methods using the following options:
• I want short-term protection using—Use this option to enable short-term protection and select the desired media.
• I want long-term protection using tape—If you have a tape device attached, use this option to enable long-term tape protection.
9. After you have selected the desired protection methods, click Next.
10. On the Specify Short-Term Goals page, specify your desired short-term protection goals using the following options or sections:
• Retention range—Use this option to specify the duration of time (between 1 and 64 days) that you want the data to be available for recovery using short-term, disk-based protection.
• Synchronization frequency—Use this option to define how often the protection agent synchronizes the replica on your DPM server with data changes from a data source. By default, this option is configured to perform the synchronization every 15 minutes. You can either keep the default setting or increase the interval up to 24 hours. Additionally, you can configure the synchronization frequency to synchronize the data just before a scheduled recovery point.
• Recovery points—Use this section to define the recovery point schedule by clicking Modify.

NOTE For the purpose of these steps, a protection group is using disk-based, short-term protection. When you use tape-based, short-term protection, the steps in the wizard are slightly different to handle the scheduling options for the tape backup jobs. More information about these differences is provided later in this section.

11. After you have specified the desired short-term protection goals, click Next.
12. On the Review Disk Allocation page, review the disk allocations that DPM recommends for the protection group. If you need to make any modifications to these allocations, click Modify.
13. After you have reviewed the disk allocations and made any needed changes, click Next.
14. If you have a tape device attached, the Specify Long-Term Protection page is shown. Use this page to specify your long-term protection goals using tape backups based on the following sections:
• Recovery goals—Use this section to specify the retention range and backup frequency. The settings you define here determine the long-term recovery point schedule. If needed, you can also create a custom schedule by clicking Customize.
• Backup schedule—Use this section to customize the long-term full backup schedule by clicking Modify. The scheduling options that are shown in this section depend on the retention range and backup frequency settings that have been defined in the Recovery Goals section.
15. After you have specified the desired long-term protection goals, click Next.
16. If you have a tape device attached, the Select Library and Tape Details page is also shown. Use this page to specify the library and configuration options for the backup tapes based on the following options:
• Library—This option is used to select the tape library that will be used.
• Drives allocated—This option is used to define how many drives are allocated for the tape backups.
• Copy library—This option is used to select the library you want to use for multiple backup copies.
• Tape options for long-term protection—This option is used to define if the tape data should be compressed or encrypted.
NOTE To encrypt data on tape for long-term protection, a valid encryption certificate must be imported into the DPMBackupStore.
17. After you have specified the desired library and tape details, click Next.
18. On the Choose Replica Creation Method page, use the Replica in DPM Server section to define how the initial replica of the protected data should be created. A replica can either be created over the network by immediately copying the data or scheduling the initial copy to some later time. Or, you can manually create a replica using some form of removable media (like tape). However, when creating the replica manually, it is critical that aspects of the data like directory structure, time stamps, security permissions, and so on are retained from the protected data.
19. After you have specified the desired replica creation method, click Next.
20. On the Consistency Check Options page, specify the desired option for how the consistency check for the protection group will be handled, and then click Next.
21. On the Summary page, review the information about the protection group and then click Create Group.
22. Next, the status and results of the protection group creation process are shown on the Status page, as shown in Figure 10.9. Once the protection group has been created, click Close to exit the wizard.
FIGURE 10.9 Protection group creation status.
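The wizard steps above can also be driven from the DPM Management Shell, which is described later in this chapter. The script below is an added example and is not code from the book or from the DPM product documentation: it creates a protection group with disk-based, short-term protection for one file server volume, setting the same values the wizard collects (group name, protection method, retention range, synchronization frequency, replica creation method). The names DPM1, FILE1 and D:\ and the parameter names of Get-ProductionServer, Get-Datasource, Add-ChildDatasource, Set-ProtectionType, Set-PolicyObjective, Set-ReplicaCreationMethod and Set-ProtectionGroup are assumptions about the DPM 2010 cmdlet set; verify each with Get-Help before running it.

```powershell
# Added example (not from the book): create a protection group with disk-based
# short-term protection from the DPM Management Shell. Server names, the data
# source and the parameter names used are assumptions; confirm each cmdlet with
# Get-Help <cmdlet> -Detailed before use.

$dpmServer  = 'DPM1'              # assumed DPM server name
$fileServer = 'FILE1'             # assumed protected file server (agent already installed)
$dataPath   = 'D:\'               # assumed data source (volume) to protect
$groupName  = 'File Server Data'  # wizard step 8: Protection Group Name

Connect-DPMServer -DPMServerName $dpmServer | Out-Null

# Wizard step 7: locate the protected computer and the data source on it
$ps = Get-ProductionServer -DPMServerName $dpmServer |
      Where-Object { $_.ServerName -eq $fileServer }
if (-not $ps) { throw "No protection agent for $fileServer is registered on $dpmServer" }

# -Inquire asks the agent to enumerate the data sources on the server
$ds = Get-Datasource -ProductionServer $ps -Inquire |
      Where-Object { $_.Name -eq $dataPath }
if (-not $ds) { throw "Data source $dataPath was not found on $fileServer" }

# Wizard step 8: new group, one member, short-term protection to disk only
$pg = New-ProtectionGroup -DPMServerName $dpmServer -Name $groupName
Add-ChildDatasource -ProtectionGroup $pg -ChildDatasource $ds
Set-ProtectionType -ProtectionGroup $pg -ShortTerm Disk

# Wizard step 10: retention range (1 to 64 days) and synchronization frequency
# in minutes; the default recovery point schedule is kept (Get-PolicySchedule
# -ProtectionGroup $pg -ShortTerm would return it if Modify were needed)
Set-PolicyObjective -ProtectionGroup $pg -RetentionRangeInDays 10 -SynchronizationFrequency 15

# Wizard step 18: create the initial replica over the network immediately
Set-ReplicaCreationMethod -ProtectionGroup $pg -Now

# Wizard step 21 (Create Group): nothing is saved on the DPM server before this
Set-ProtectionGroup -ProtectionGroup $pg

# Confirm the group now exists on the server
Get-ProtectionGroup -DPMServerName $dpmServer |
    Where-Object { $_.FriendlyName -eq $groupName } |
    Format-List
```

Because the group is only committed by Set-ProtectionGroup, any failure before that call (for example a data source the agent cannot enumerate) leaves the DPM server unchanged, which makes the script safe to rerun after fixing the input.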
Using Tape both for Short- and Long-Term Protection

When creating a new protection group, you have the option of choosing tape both for short-term and long-term protection methods. If this choice is made, the steps in the Create New Protection Group Wizard differ slightly in that you need to define the full backup schedule for the short-term protection goal on tape. It is recommended that the short-term, tape-based, full backups be executed just prior to the long-term backups. The reason is that DPM creates copies of the latest short-term, tape-based, full backup to generate the long-term backup. By scheduling the short-term, tape-based, full backup just before the long-term backup, you ensure that the latest version of the protected data is protected.
Administrating Data Protection Manager

Administrating any type of information system can often be a very broad topic. Unfortunately, Data Protection Manager is not the exception. In fact, there are a number of tasks related to the day-to-day operations that can be written about and discussed in this chapter. For example, DPM administrators have to monitor performance, manage tapes, monitor the DPM server operations, perform recoveries, diagnose agent communication issues, and so on. However, because administrating DPM is such a broad scope, this section (in keeping with the theme of this book) focuses on DPM administration topics that are either critical to DPM operations or in need of greater explanation due to the lack of available information. For example, items covered in this section include the DPM management interfaces, how to use custom volumes, and recovering data.
DPM Administrator Console

The DPM Administrator Console is a Microsoft Management Console (MMC) snap-in that is used to manage a DPM server. By default, this console is installed on a DPM server when you install Data Protection Manager. To access it, you must be interactively logged on to the DPM server using a domain account that has local administrator privileges. The only method to remotely access the console is to use a Remote Desktop connection. In the DPM Administrator Console, management tasks are logically grouped together based on related functionality within the navigation bar. These groupings or task areas are Monitoring, Protection, Recovery, Reporting, and Management, as shown in Figure 10.10. Each task area, except Recovery, consists of three panes: the display pane (unlabeled), Details pane, and Actions pane. The Actions pane shows the different management activities that can be completed with the currently selected task or item selected in the display pane. To better understand this relationship, a breakdown of each task area and its associated management activities is shown in Table 10.4.
FIGURE 10.10 DPM Administrator Console.
TABLE 10.4 DPM Administrator Console Tasks

Task Area: Monitoring
Usage: The Monitoring task area is used to monitor the status of data protection, data recovery, and other related DPM operations. In this task area, there are two tabs:
• Alerts—Shows errors, warnings, and informational messages.
• Jobs—Shows the status of jobs and their associated tasks.

Task Area: Protection
Usage: The Protection task area is used to manage protection groups. Using this task area, you can:
• Create, modify, and manage protection groups.
• Manage online protection.
• Modify disk allocations and perform consistency checks.
• Manage recovery points.
• Optimize performance.

Task Area: Recovery
Usage: The Recovery task area is used to recover data from recovery points. In this task area, there are two tabs:
• Browse—Used to browse for recoverable data by protected computer and date.
• Search—Used to search for recoverable data by data type, location, origin, and recovery point date.

Task Area: Reporting
Usage: The Reporting task area is used to manage and review DPM reports. Using this task area, you can:
• Schedule reports.
• Edit reports.
• Generate and view reports.
• Manage report subscriptions.

Task Area: Management
Usage: The Management task area is used to manage protection agents, storage pool disks, and tape libraries. In this task area, there are three tabs:
• Agents—Used to manage, deploy, remove, and update the protection agents and agent licenses.
• Disks—Used to manage, add, and remove disks in the storage pool.
• Libraries—Used to manage tape libraries, tape devices, and tapes in the library.
DPM Management Shell

The DPM Management Shell is a command-line management interface for Data Protection Manager. This management shell is built using Windows PowerShell, which is a .NET Framework-based, object-oriented, command-line shell and associated scripting language. Using the DPM Management Shell, you have access to DPM-related commands, also known as cmdlets, which can be used as an alternative interface to the DPM Administrator Console to perform data protection management tasks, as shown in Figure 10.11. In fact, any task that you can perform using the DPM Administrator Console can be completed using the DPM Management Shell and in some scenarios, the shell provides additional features that the MMC-based console does not. Additionally, unlike the DPM Administrator Console, which can only be accessed directly from the DPM server, the DPM Management Shell can be installed on computers other than the DPM server. This means that you can use the management shell to remotely manage multiple DPM servers. Lastly, because the management shell is based on PowerShell, you can automate routine management tasks using the PowerShell scripting language.

NOTE Being able to automate DPM tasks is a very key concept to understand. By using the DPM Management Shell, you can integrate data protection and recovery tasks with the rest of the System Center Enterprise Suite applications.
FIGURE 10.11 DPM Management Shell.
To discover the supported cmdlets in the DPM Management Shell, open the management shell and execute the Get-DPMCommand cmdlet. This cmdlet produces a command list that shows only the cmdlets belonging to DPM. For each cmdlet, Help documentation can be accessed by using the Get-Help or help cmdlet, as shown in the following example:

Get-Help <cmdlet name>

If more information is needed about a cmdlet, you can use the parameters for the Get-Help cmdlet. For example:

Get-Help Get-DPMVolume -Full

or

Get-Help Get-DPMVolume -Detailed
Like the DPM Administrator Console, the DPM cmdlets are logically divided into task areas. However, the division is not necessarily very apparent. To help administrators with this, the DPM product team published a management shell quick reference help guide for Data Protection Manager 2007 SP1 on their TechNet blog: http://blogs.technet.com/dpm/archive/2008/06/30/dpm-cli-quick-reference-help.aspx. A similar guide will most likely be created for Data Protection Manager 2010.
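As an illustration of the automation the management shell makes possible, the script below is an added example, not code from the book or from Microsoft: it walks every protection group on a DPM server, finds the newest recovery point of each data source, and flags any data source whose newest recovery point is older than a threshold or that has no recovery point at all. The DPM server name DPM1, the 24-hour threshold, the parameter names of Get-ProtectionGroup, Get-Datasource and Get-RecoveryPoint, and the object properties FriendlyName, ProductionServerName, Name and RepresentedPointInTime are assumptions; check them with Get-Help and Get-Member before relying on the output.

```powershell
# Added example (not from the book): list the newest recovery point of every
# protected data source on a DPM server and flag those older than a threshold,
# the kind of check a backup audit or a scheduled task would run. Cmdlet
# parameter names and object property names are assumptions; verify them with
# Get-Help <cmdlet> -Full and Get-Member before relying on the output.

param(
    [string]$DpmServerName = 'DPM1',   # assumed DPM server name
    [int]$MaxAgeHours      = 24        # assumed tolerance before a data source is reported stale
)

Connect-DPMServer -DPMServerName $DpmServerName | Out-Null
$now = Get-Date

$report = foreach ($pg in Get-ProtectionGroup -DPMServerName $DpmServerName) {
    foreach ($ds in Get-Datasource -ProtectionGroup $pg) {
        # Newest recovery point, judged by the point in time it represents
        $latest = Get-RecoveryPoint -Datasource $ds |
                  Sort-Object RepresentedPointInTime -Descending |
                  Select-Object -First 1

        $age = $null
        if ($latest) { $age = ($now - $latest.RepresentedPointInTime).TotalHours }

        # New-Object rather than [pscustomobject] so the script also runs on
        # the PowerShell 2.0 shell shipped with Windows Server 2008
        New-Object PSObject -Property @{
            ProtectionGroup = $pg.FriendlyName
            Computer        = $ds.ProductionServerName
            DataSource      = $ds.Name
            LatestPoint     = $(if ($latest) { $latest.RepresentedPointInTime } else { 'none' })
            AgeHours        = $(if ($null -ne $age) { [math]::Round($age, 1) } else { $null })
            # A data source with no recovery point at all counts as stale
            Stale           = (($null -eq $age) -or ($age -gt $MaxAgeHours))
        }
    }
}

$report |
    Select-Object ProtectionGroup, Computer, DataSource, LatestPoint, AgeHours, Stale |
    Sort-Object Stale -Descending |
    Format-Table -AutoSize

# Non-zero exit code when anything is stale, so a scheduled task can raise an alert
$stale = @($report | Where-Object { $_.Stale })
if ($stale.Count -gt 0) { exit 1 }
```

Run it from the DPM Management Shell as a scheduled task on the DPM server, or from a remote computer on which the management shell has been installed; the exit code lets a job scheduler or Operations Manager treat a stale data source as an alert rather than something an administrator has to notice in the Monitoring task area.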
Using Custom Volumes

In certain cases, you might want to store protected data using a location outside of the DPM storage pool. For example:
• Regulatory requirements specify that data needs to be partitioned off and isolated.
• Data criticality requires it to be separated onto a high-performance LUN.
• Performance limitations can only be solved by separating the IO-intensive DPM workloads across multiple spindles.
To handle these situations, and others, you can assign a custom volume to a protection group member (data source) in place of the DPM storage pool. A custom volume is any volume that is attached to the DPM server that doesn't contain system and program files. To use a custom volume for a protection group member, two custom volumes must be available for use. One volume is used to store the replica, whereas the other stores recovery points. Use the following steps to assign a custom volume when creating a new protection group:
1. Log on to the DPM server using a domain user account that is a member of the local administrators group.
2. Using Disk Management, create two volumes of the desired size and name.
3. Next, open the DPM 2010 Administrator Console using either the desktop or Start menu icon.
4. Once the console has loaded, on the navigation bar, click Protection, and then in the Actions pane, click Create Protection Group.
5. On the Welcome to the New Protection Group Wizard page, click Next.
6. On the Select Protection Group Type page, choose the desired protection group type, and then click Next.
7. On the Select Group Members page, select the desired protection group members, and then click Next.
8. On the Select Data Protection Method page, ensure that the data protection method is selected, and then click Next.
9. On the Specify Short-Term Goals page, specify your desired short-term protection goals, and then click Next.
10. On the Review Disk Allocation page, click Modify.
11. In the Modify Disk Allocation dialog box, change the storage type to Custom Volume on the desired data source, then define the replica volume, recovery volume, and format option.

NOTE If the custom volume is used in a storage network, do not choose to format the volume.
12. When you are finished defining the custom volumes, click OK and then click Next.
13. Complete the Create New Protection Group Wizard and on the Summary page, click Create Group.

When using custom volumes, it is important to understand that the selection of a storage pool or custom volume for a protection group member cannot be modified after the group is created. To change the storage location for a group member, that member must first be removed from a protection group and then added back to the protection group as a new member. Therefore, as a general rule, you can only specify the usage of a custom volume for new members that are being added to the protection group.
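Because the storage location can only be chosen for a member that is being added, the scripted form of these steps is an addition of a new member to an existing group. The script below is an added example, not code from the book or from Microsoft: it opens an existing protection group for modification, adds a second volume of a file server as a new member, and assigns two custom volumes on the DPM server for that member's replica and recovery points, formatting them only when they are not on a storage network. The names DPM1, FILE1, E:\ and the two volume labels, the parameter names of Get-ModifiableProtectionGroup, Add-ChildDatasource and Set-DatasourceDiskAllocation, and the property used to match the output of Get-DPMVolume are assumptions; confirm them with Get-Help and Get-Member before use.

```powershell
# Added example (not from the book): add a new member to an existing protection
# group and place its replica and recovery points on two custom volumes instead
# of the storage pool. Server, volume and data source names are assumptions, as
# are the parameter names of Set-DatasourceDiskAllocation; confirm with Get-Help.

$dpmServer     = 'DPM1'
$groupName     = 'File Server Data'
$fileServer    = 'FILE1'
$dataPath      = 'E:\'                 # the new member being added
$replicaVolume = 'ReplicaVol-E'        # assumed label of the custom volume for the replica
$rpVolume      = 'RecoveryVol-E'       # assumed label of the custom volume for recovery points
$onSan         = $true                 # custom volumes live on a storage network: do not format

Connect-DPMServer -DPMServerName $dpmServer | Out-Null

$pg = Get-ProtectionGroup -DPMServerName $dpmServer |
      Where-Object { $_.FriendlyName -eq $groupName }
if (-not $pg) { throw "Protection group '$groupName' was not found on $dpmServer" }

# An existing group must be opened for modification before members can be added
$mpg = Get-ModifiableProtectionGroup -ProtectionGroup $pg

# Step 7: the new member, enumerated from the protected computer's agent
$ps = Get-ProductionServer -DPMServerName $dpmServer |
      Where-Object { $_.ServerName -eq $fileServer }
if (-not $ps) { throw "No protection agent for $fileServer is registered on $dpmServer" }
$ds = Get-Datasource -ProductionServer $ps -Inquire |
      Where-Object { $_.Name -eq $dataPath }
if (-not $ds) { throw "Data source $dataPath was not found on $fileServer" }

Add-ChildDatasource -ProtectionGroup $mpg -ChildDatasource $ds

# Step 2 created the volumes in Disk Management; pick them out of the volumes
# attached to the DPM server (the Name property is an assumption, see Get-Member)
$volumes = Get-DPMVolume -DPMServerName $dpmServer
$rVol = $volumes | Where-Object { $_.Name -like "*$replicaVolume*" } | Select-Object -First 1
$pVol = $volumes | Where-Object { $_.Name -like "*$rpVolume*" }      | Select-Object -First 1
if (-not $rVol -or -not $pVol) { throw 'One or both custom volumes were not found on the DPM server' }

# Steps 10 and 11: Modify Disk Allocation, storage type Custom Volume
$alloc = @{
    Datasource          = $ds
    ProtectionGroup     = $mpg
    CustomRequirements  = $true
    ReplicaVolume       = $rVol
    RecoveryPointVolume = $pVol
}
# The NOTE above: never format a volume that is used in a storage network
if (-not $onSan) { $alloc['FormatVolumes'] = $true }
Set-DatasourceDiskAllocation @alloc

# Steps 12 and 13: commit; after this the member's storage location is fixed
Set-ProtectionGroup -ProtectionGroup $mpg
```

Keeping the format decision in a single variable ($onSan) makes the dangerous case explicit: the only way the script formats anything is when the operator has stated that the custom volumes are local disks.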
Recovering Data

One of the main features of DPM, when short-term disk protection is used, is the ease at which administrators can find and recover data. This section explains the steps that are used to find and recover data:
1. Log on to the DPM server using a domain user account that is a member of the local administrators group.
2. Next, open the DPM 2010 Administrator Console using either the desktop or Start menu icon.
3. Once the console has loaded, on the navigation bar, click Recovery.
4. Using either the Browse or Search tabs, find the recovery item that needs to be recovered, as shown in Figure 10.12.
FIGURE 10.12 Finding protected data to recover.
5. Once you have selected the recovery item to recover, click Recover in the Actions pane.
6. After the Recovery Wizard has started, the Review Recovery Selection page is shown. Review the recovery selections and then click Next.
7. On the Select Recovery Type page, select the Recover to the Original Location option, and then click Next. Alternatively, you can also recover a recovery item to an alternate location or copy the data to tape. These options are useful if you need to verify or analyze the data that is being recovered.

NOTE If you use the Copy to Tape option, the entire volume will be copied to tape and more data than what was selected will be restored.

8. On the Specify Recovery Options page, ensure that the Overwrite and the Apply Security Settings of the Destination Computer options are selected. By choosing these two options, any existing items will be overwritten and then inherit the security settings from the target or parent folder.
9. Once you have finished choosing the specific recovery options, click Next.
10. On the Summary page, review the recovery settings, and then click Recover.
11. Next, the status and results of the recovery process are shown on the Recovery Status page, as shown in Figure 10.13. Once the recovery process has been completed, click Close to exit the wizard.
FIGURE 10.13 Recovery Status page.
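The same recovery can be scripted in the DPM Management Shell, which is how a restore rehearsal would be run on a schedule rather than by hand. The script below is an added example, not code from the book or from Microsoft: it finds the newest recovery point of a protected volume, selects one folder from it, and recovers that folder to its original location with the two options the wizard steps select (Overwrite, and security settings taken from the destination computer). The names DPM1, FILE1, D:\ and Shares, the parameter names of Get-Datasource, Get-RecoverableItem, New-RecoveryOption and Recover-RecoverableItem, the RecoveryLocation value, and the job properties polled at the end are assumptions; confirm them with Get-Help before use.

```powershell
# Added example (not from the book): recover one folder from the newest recovery
# point to its original location, with the options the Recovery Wizard steps
# above select (Overwrite, apply the destination computer's security settings).
# Parameter names, enum values and object properties are assumptions; confirm
# them with Get-Help <cmdlet> -Full before use.

$dpmServer  = 'DPM1'
$fileServer = 'FILE1'
$dataPath   = 'D:\'
$folderName = 'Shares'      # assumed folder directly under the data source to recover

Connect-DPMServer -DPMServerName $dpmServer | Out-Null

# Step 4 (Browse tab): the protected data source on the computer
$ds = Get-Datasource -DPMServerName $dpmServer |
      Where-Object { $_.ProductionServerName -eq $fileServer -and $_.Name -eq $dataPath }
if (-not $ds) { throw "Protected data source $dataPath on $fileServer was not found" }

# Newest recovery point, the date the Browse tab would show at the top
$rp = Get-RecoveryPoint -Datasource $ds |
      Sort-Object RepresentedPointInTime -Descending |
      Select-Object -First 1
if (-not $rp) { throw 'No recovery point exists for this data source' }

# Walk one level down from the recovery point root to find the folder
$item = Get-RecoverableItem -RecoveryPoint $rp -BrowseType Child |
        Where-Object { $_.UserFriendlyName -eq $folderName }
if (-not $item) { throw "Folder $folderName is not in the recovery point of $($rp.RepresentedPointInTime)" }

# Steps 7 and 8: original location, overwrite existing items. -RestoreSecurity is
# deliberately omitted so recovered items inherit the destination's permissions,
# matching 'Apply Security Settings of the Destination Computer'
$opt = New-RecoveryOption -TargetServer $fileServer -RecoveryLocation OriginalServer `
                          -FileSystem -OverwriteType Overwrite -RecoveryType Recover

# Step 10 (Recover): submit the job
$job = Recover-RecoverableItem -RecoverableItem $item -RecoveryOption $opt

# Step 11: wait for the job and report its result (HasCompleted/Status are assumptions)
while (-not $job.HasCompleted) { Start-Sleep -Seconds 10 }
"Recovery of $folderName from $($rp.RepresentedPointInTime) on $fileServer finished: $($job.Status)"
```

Note that the script never uses the Copy to Tape option, so it does not run into the behaviour described in the NOTE above where an entire volume is written to tape; it only touches the one folder that was selected.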
Summary

This chapter, dedicated to Data Protection Manager 2010, hopefully provided you with an advanced understanding of the DPM solution. Everything from DPM's background, to planning a deployment, to installing the solution, to basic administration tasks was covered. After reading this chapter, you should now also understand that DPM is an extremely powerful tool that is designed to simplify the backup and recovery of data for Microsoft applications and servers. In doing so, DPM attempts to ensure your data is continuously protected regardless of the organization's size and complexity.
Best Practices

The following are best practices from this chapter:
• Do not install DPM on domain controllers, Exchange servers, or Operations Manager Management or Gateway servers.
• For most enterprise deployments, the recommended protection method is to use disk-to-disk-to-tape (D2D2T) or disk-to-disk-to-cloud (D2D2C).
• DPM can be deployed onto a virtual machine. However, when a virtual machine is used, the storage pool must be connected by using pass-through disks or iSCSI.
• Although the DPM Installation Wizard attempts to install prerequisite software, it is always a best practice to understand what requirements need to be met before installing a server application.
• Spend time mapping out your DPM deployment. Failure to fully understand the business requirements and then designing a DPM installation to meet those requirements might result in data loss or worse.
• If you plan to only use tape-based protection, you do not need to plan out the DPM disk storage requirements.
• When creating a storage group and adding members, it is recommended that you plan out the selection of a storage pool or custom volume. These attributes of a data source cannot be modified once it is a member of a storage group.
• For data that is on a system volume, it is recommended that the individual folders or shares be protected instead of the entire volume.
• SharePoint databases cannot be protected as a SQL Server data source. Instead, they should be included as part of a SharePoint protection group.
• A separate individual tape needs to be used for each protection group.
• When planning to encrypt tape data, ensure that the proper encryption certificate has been imported and you are managing the life cycle of that certificate.
• Being able to automate DPM tasks is a very key concept to understand. By using the DPM Management Shell, you can integrate data protection and recovery tasks with the rest of the System Center Enterprise Suite applications.
• If the custom volume is used in a storage network, do not choose to format the volume.
• Protected volumes must be NTFS with a minimal partition size of at least 1GB.
CHAPTER 11
Using Data Protection Manager 2010 to Protect File Systems, Exchange, SQL, and SharePoint

IN THIS CHAPTER
• Protecting File Servers
• Protecting System State
• Protecting Exchange Servers
• Protecting SQL Servers
• Protecting SharePoint Farms
• Protecting Virtualized Environments
• Integrating Data Protection Manager with Operations Manager
For most Microsoft operating systems and server applications, the act of managing backup and restore processes can prove challenging for an IT administrator. It's not that solutions such as SharePoint are hard to back up and restore. Instead, each solution from Microsoft tends to have its own quirks, gotchas, and processes that need to be taken into account when trying to protect its data. As such, the need to customize backup and restoration processes for each solution is what makes protecting them more difficult than it should be. In Chapter 10, "Data Protection Manager 2010 Design, Planning, Implementation, and Administration," you were introduced to Data Protection Manager (DPM), how it protects data, and how to install and manage it. With this chapter, the focus now shifts toward how DPM can be used to effectively protect Microsoft solutions such as the Windows file system, Exchange Server, SQL Server, and SharePoint farms. As you learn in this chapter, for each of these solutions, DPM has been tailored to meet their data protection needs, from being able to protect Exchange Server 2010 Database Availability Groups (DAG) to performing full-farm SharePoint recoveries. DPM is a very powerful data protection tool when it comes to protecting Microsoft solutions. By using DPM, you can significantly improve your backup and recovery processes in a Microsoft-centric environment and hopefully reduce the headaches that you might now be experiencing.
Protecting File Servers

As discussed in Chapter 10, DPM has supported replication and data protection for file server data since the initial DPM 2006 release of the product. In fact, with that release of DPM, file server data was pretty much all it protected. With the DPM 2010 release, the number of different Microsoft technologies that DPM can protect has vastly increased, but at its core, DPM still offers file server data protection for Windows Server from 2003 through 2008 R2. The primary benefit of using DPM to protect file server data is its support for file versioning based on previous VSS snapshots taken from various points in time. Obviously, this differs from most backup solutions that rely on versions of data based on a single point in time (typically once a day or once a week). Also, as expected, when using DPM to protect file server data, you are not just limited to protecting individual files. You can, in fact, protect and recover entire volumes, shares, and folders. To illustrate this, a matrix between the allowed file server data sources and the data that can be recovered from them is shown in Table 11.1.

TABLE 11.1 File Server Data Sources and Recoverable Data

Allowed Data Sources:
• Volume
• Share
• Folder

Recoverable Data:
• Volume
• Share
• Folder
• File data (versions)
When adding a data source as a member of a protection group, any child objects (data sources) under that data source are then also automatically selected. This is a key concept to understand when protecting file data because it means you can just select a top-level data source to protect entire volumes and folder hierarchies. Additionally, you can also specify exclusions by either unselecting child data sources under a top-level data source or defining file exclusions, as shown in Figure 11.1.
FIGURE 11.1 Defining file type exclusions.
If you use exclusions, it simply tells the DPM protection agent not to synchronize the data you have excluded. However, it is important to remember that when items are excluded they cannot be protected by DPM at all. This is because once a data source is a member of a protection group, that data source will then be unavailable for selection into additional protection groups. By design, data sources can only be members of one protection group at a time. However, this doesn't preclude placing different data sources on the same file server into different protection groups.

NOTE A computer that is protected by DPM can have multiple protection groups protecting data sources. However, all these protection groups must be from one DPM server. In other words, a protected computer can only be protected by a single DPM server regardless of how many DPM servers have been deployed.
In addition to file server data that you can manually exclude from a data source, the DPM protection agent also automatically excludes the following:
• Recycle Bin, paging files, System Volume Information folder
• Volumes that are not formatted with NTFS
• Encrypted files and unencrypted files within encrypted folders
• Reparse points, including DFS links, Single Instance Store (SIS) files, and junction points
• NTFS hard links
DPM can also be used to protect file server data located on clusters, in DFS namespaces, and on mount points. The details about these supported scenarios and how they are protected are as follows.
Data in a DFS Namespace

When protecting data in a DFS namespace, you cannot protect file shares through their DFS namespace paths. Instead, DPM can only protect data located in a DFS namespace by using server-specific local paths. This is because DFS is designed to provide location transparency and redundancy by allowing shares in multiple different locations to be logically grouped under one folder. In other words, the data that is located in a DFS namespace is somewhat redundant because if a server fails, a Windows client will transparently select a different server to use and the data is replicated between the different servers that are hosting the data. Therefore, if DPM were DFS aware, and it attempted to protect each target under the same root or link, there might be the possibility of synchronization issues and a huge increase in the amount of storage needed to protect DFS-based data. Instead, the recommended approach to protecting data in a DFS namespace is to only protect a single "copy" of the data located on a server-specific local path.
Data on a File Server Cluster

Because DPM is cluster aware, you can also protect data that is located on file servers that have been clustered using Microsoft Cluster Service (MSCS) or the Failover Clustering feature on Windows Server 2008. To do this, you need to ensure that the protection agent is installed on each node in the cluster that owns the file data resources that you intend to protect. Once this requirement has been met, DPM will be able to continue protecting the data even if a failover happens in the cluster.

NOTE DPM cannot be used to protect a cluster's quorum disk.
Data on Mount Points

Mount points are a subset of NTFS5 reparse point functionality, which allows you to connect a volume at a mount point directory within a parent volume without having to assign a drive letter to that volume. As a result, you can consolidate multiple volumes under one drive letter. A typical use for mount points is in very large Exchange Server deployments that call for fast recovery times. In these deployments, it is common practice to place each database and transaction log pair on its own set of LUNs. For example, with an Exchange Server 2007 mailbox server, there can be a maximum of 50 storage groups and each storage group would have its own transaction log LUN and database LUN. In these cases, the number of available drive letters would be quickly exhausted and mount points would have to be used to handle the number of LUNs. Luckily, DPM can protect data that is located on a mount point. However, DPM will not protect the mount point metadata. This means that to recover data that is located on a mount point, you must first manually re-create the mount point hierarchy before you can attempt to recover the data.

NOTE DPM does not support the protection of mount points within mount points (nested mount points).
Protecting System State

The System State is a collection of system-specific data that is maintained by Windows and can be backed up as a single unit. This data includes, but is not limited to, items such as the Registry, COM+ Class Registration database, boot files (including the system files), and system files that are under Windows File Protection. A System State backup is not an entire system backup. Instead, a System State backup is designed to return a computer to a known state should the need arise.
If a computer already has the protection agent installed, DPM can be used to protect its System State. Just like file server data, a protected computer's System State is shown as a data source, which can be added as a member of a protection group. An example of this is shown in Figure 11.2.

FIGURE 11.2 Adding System State data sources.
To back up the System State, DPM leverages Windows Backup to generate a System State backup and a resulting (.bkf) file. This file is then copied to the DPM server and saved to the specified medium defined by the protection group. Depending on if the computer is just a workstation or a server that has different server roles, the resulting System State backup will include different data, as shown in Table 11.2. Lastly, it is generally recommended that System State backups be placed in their own protection groups. This recommendation is made because System State data tends not to change very often. As such, it might be more efficient to have a less-frequent backup schedule for System State backups when compared with backups of file and application data. However, in certain recovery scenarios, it might make more sense to protect a computer's System State data in the same protection group with the rest of its data. Doing so guarantees that the entire server can be reliably restored to a known state along with its data should the need arise.
CHAPTER 11 Using Data Protection Manager 2010 to Protect File Systems, Exchange, SQL, and SharePoint
TABLE 11.2 System State Data
Computer Type or Role                   System State Data
Base Server or Workstation              - Boot files
                                        - The COM+ Class Registration database
                                        - Registry hives
Active Directory Domain Services        - Active Directory (NTDS) files
                                        - The system volume (SYSVOL)
Active Directory Certificate Services   - Certificate Services database
Cluster Node                            - Cluster Service metadata
Protecting Exchange Servers One of the hardest aspects of managing any Exchange Server environment is ensuring that the related data is always protected and recoverable. It is not that the act of protecting or recovering Exchange data is necessarily difficult. Instead, because the Exchange Server database architecture is transaction based, any backup and recovery solution that is being used needs to be tailored toward Exchange itself. Although many solutions have been used over the years to handle protecting Exchange data, the previous norm has mostly been to rely on bulky brick-level backups, complex recovery processes, and large data gaps and to expect a lack of backup and restore granularity. When compounded with Exchange's often notorious reputation for suffering from "database inconsistencies during a disaster," there was a huge void that needed to be filled to help administrators take better control of protecting their Exchange data. Therefore, it seems only logical, as with protecting System State and file server data, that DPM can also be used to protect Exchange Server 2003 through 2010. By using DPM, you can utilize its lossless recovery abilities to ensure that recoverable data includes not only last night's backup, but also the most recent transactions. To do this, a protection agent performs a full backup (typically once a day) and uses the resulting VSS snapshot to identify what data has changed. Then, the agent synchronizes all of the changed blocks to the DPM server. Next, to ensure that administrators can recover Exchange data using DPM up to the latest recovery point (as often as 15 minutes), the protection agent performs an incremental VSS snapshot to copy committed sequential transaction logs to the DPM server. Lastly, during a recovery operation, DPM also has the ability to play back any other surviving Exchange transaction logs, thus ensuring as little data is lost as possible. 
In addition to DPM's lossless abilities, its feature set also tackles the need to conduct single mailbox restores. In the past, if an individual mailbox had to be restored, either the entire database had to be restored, or administrators had to use third-party solutions. With DPM, administrators can select an individual mailbox and restore it to a recovery database (or
recovery storage group depending on the version of Exchange Server being protected) and then use native Exchange tools to move the mailbox data back to a production database. To better illustrate DPM's ability to granularly recover Exchange data, a matrix of allowed data sources and the data that can be recovered is shown in Table 11.3.
TABLE 11.3 Exchange Server Data Sources and Recoverable Data
Exchange Server Version      Allowed Data Sources      Recoverable Data
Exchange Server 2003 (SP2)   Storage group             Storage group, Database, Mailbox
Exchange Server 2007         Storage group             Storage group, Database, Mailbox
Exchange Server 2010         DAG/database, Database    Database, Mailbox
How to Protect Exchange Databases The steps used to protect Exchange Server 2010 databases using DPM are almost identical regardless of whether you are trying to only protect databases on a standalone mailbox server or an entire DAG. For the purposes of this example, the following steps describe how to protect a DAG: 1. While logged on to the DPM server as a domain user account that is a member of the local administrators group, open the DPM 2010 Administrator Console. 2. Next, ensure that all members of the DAG have the protection agent installed and the agent is reachable with a normal status. NOTE With DPM 2010, you can split the protection of DAG nodes between DPM servers. In other words, within a DAG that has five nodes, you can have one DPM server protect two nodes, and then have the other DPM server protect the other three nodes. However, for the purposes of these steps, all the nodes of the DAG are being protected by a single DPM server.
3. Now, click Protection on the navigation bar, and then click Create Protection Group in the Actions pane. 4. Once the Create New Protection Group Wizard has started, click past the Welcome page, select the Servers Protection Group Type option, and then click Next. 5. On the Select Group Members page, use the interface to add the database copies that you want to protect into the protection group, as shown in Figure 11.3.
FIGURE 11.3 Adding database copies.
NOTE In this example, you should notice that each of the two mailbox servers that are part of the DAG named DAG1 are hosting a copy of the databases DAG1-DB1 and DAG1-DB2. However, only one copy of each database is being added into the protection group. Technically, this is all you need because individual databases in Exchange Server 2010 are not tied to a particular Exchange server. Therefore, you can recover a database by using backups from different database copies on different servers in the same DAG. Or, you can also add additional copies of the database into the protection group. Ultimately, the choice is yours as to how many protected copies you want of the same database and associated log files.
6. Once you have finished selecting the desired database copies, click Next. 7. On the Select Data Protection Method page, type a new name for the protection group in the Protection Group Name box, choose the desired protection methods, and then click Next. 8. On the Specify Exchange Protection Options page, choose whether you want DPM to run the Exchange Server Database Utilities (Eseutil.exe) tool to check the integrity of both a database and its log files or of just its log files. For DAG servers, it is recommended that the ESEUTIL tool only be run for the log files.
Before configuring the Eseutil integrity check option, you must first copy Eseutil.exe and the supporting DLL (ese.dll) from an Exchange server to the DPM server (C:\Program Files\Microsoft Data Protection Manager\DPM\bin). Additionally, the Eseutil.exe and ese.dll versions must be from the most recent edition of Exchange Server. If these files are updated on an Exchange server (either through an upgrade or by installing an update), you must then update these files on the DPM server as well.
9. Once you have finished selecting the desired Eseutil integrity check option, click Next. 10. On the Specify Exchange DAG Protection page, specify which database copies should be selected for a full backup and which copies should be selected for a copy backup. If you have selected multiple copies of a database to be protected by DPM, only one copy should be selected for full backup, as shown in Figure 11.4.
FIGURE 11.4 Specifying Exchange DAG protection. (The wizard page notes that a full backup can only be performed from one copy of the database because of log truncation; all other copies must be selected for copy backup.)
11. Once you have finished configuring the desired DAG protection, click Next. 12. On the Specify Short-Term Goals page, specify your desired short-term protection goals, and then click Next. 13. On the Review Disk Allocation page, review the disk allocations that DPM recommends for the protection group, and then click Next.
14. If you have a tape device attached, the Specify Long-Term Protection page is shown. Use this page to specify your long-term protection goals, and then click Next. 15. Next, if you have a tape device attached, the Select Library and Tape Details page is also shown. Use this page to specify the library and configuration options for the backup tapes, and then click Next. 16. On the Choose Replica Creation Method page, use the Replica in DPM Server section to define how the initial replica of the protected data should be created, and then click Next. 17. On the Consistency Check Options page, specify the desired option for how the consistency check for the protection group will be handled, and then click Next. 18. On the Summary page, review the information about the protection group and then click Create Group. 19. Next, the status and results of the protection group creation process are shown on the Status page. Once the protection group has been created, click Close to exit the wizard.
NOTE As a general rule, Exchange Server databases should not be configured to use circular logging when being protected by DPM. When using a VSS-enabled backup utility such as DPM in conjunction with circular logging, you can encounter backup and recovery issues.
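Two of the caveats in this procedure (the Eseutil.exe and ese.dll copies on the DPM server must match the Exchange server's versions, and protected databases must not use circular logging) can be checked before the protection group is created. The following PowerShell is an added example and is not the book's or DPM's own code; it runs in the Exchange Management Shell on an Exchange server and assumes that the DPM server (hypothetical name DPM1) exposes its C$ administrative share to the account running it.

```powershell
# Added example (not from the book). Run in the Exchange Management Shell on an
# Exchange server; assumes the hypothetical DPM server DPM1 exposes its C$ share.
$DpmServer = 'DPM1'
$DpmBin    = "\\$DpmServer\C$\Program Files\Microsoft Data Protection Manager\DPM\bin"
$ExBin     = Join-Path $env:ExchangeInstallPath 'bin'

function Get-FileVersionOrNull {
    param([string]$Path)
    if (Test-Path -Path $Path) { (Get-Item -Path $Path).VersionInfo.FileVersion } else { $null }
}

function Test-EseutilParity {
    # Compares eseutil.exe and ese.dll on the Exchange server with the copies DPM will run.
    param([string]$ExchangeBin, [string]$DpmBin)
    foreach ($file in 'eseutil.exe', 'ese.dll') {
        $exVer  = Get-FileVersionOrNull (Join-Path $ExchangeBin $file)
        $dpmVer = Get-FileVersionOrNull (Join-Path $DpmBin $file)
        New-Object PSObject -Property @{
            File            = $file
            ExchangeVersion = $exVer
            DpmVersion      = $dpmVer
            # A missing copy on the DPM server counts as out of sync, not as "nothing to compare".
            InSync          = ($exVer -ne $null) -and ($exVer -eq $dpmVer)
        }
    }
}

function Get-CircularLoggingDatabases {
    # Databases that still have circular logging enabled; DPM's VSS-based backups need it off.
    Get-MailboxDatabase | Where-Object { $_.CircularLoggingEnabled } | Select-Object Name, Server
}

$parity = Test-EseutilParity -ExchangeBin $ExBin -DpmBin $DpmBin
$parity | Format-Table File, ExchangeVersion, DpmVersion, InSync -AutoSize
$stale = @($parity | Where-Object { -not $_.InSync })
if ($stale.Count -gt 0) {
    Write-Warning "Copy the files below from $ExBin to $DpmBin before enabling the Eseutil integrity check."
    foreach ($s in $stale) {
        Write-Warning ("  {0}: Exchange={1} DPM={2}" -f $s.File, $s.ExchangeVersion, $s.DpmVersion)
    }
}

$circular = @(Get-CircularLoggingDatabases)
if ($circular.Count -gt 0) {
    Write-Warning 'Circular logging is enabled on the databases below; disable it before DPM protects them.'
    $circular | Format-Table Name, Server -AutoSize
    # To turn it off: Set-MailboxDatabase -Identity <name> -CircularLoggingEnabled $false
}
```

Re-run the parity check after every Exchange update or rollup, since that is exactly when the DPM copies silently fall behind.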
How to Restore an Exchange Database The steps used to recover an Exchange Server 2010 database using DPM differ depending on whether you are trying to restore the database to the original location or to an alternate location. Use the following steps to restore a database to the original location: 1. While logged on to a computer as a domain user account that is a member of the Exchange Organization Management and Server Management groups, open the Exchange Management Shell (EMS). 2. Next, execute the following command against the targeted database to allow restoring a database from a backup:
Get-MailboxDatabase -Identity <database name> | Set-MailboxDatabase -AllowFileRestore $True
3. Next, open the DPM 2010 Administrator Console. 4. Once the console has loaded, click Recovery on the navigation bar. 5. Using either the Browse or Search tabs, find the most recent recovery point for the database that needs to be recovered, as shown in Figure 11.5. 6. Once you have selected the database to recover, click Recover in the Actions pane. 7. After the Recovery Wizard has started, the Review Recovery Selection page is shown. Review the recovery selections and then click Next.
FIGURE 11.5 Choosing which Exchange database to recover.
8. On the Select Recovery Type page, the Recover to Original Exchange Server Location option is already selected (as it is the only available option if the latest recovery point has been chosen); click Next to continue. 9. On the Specify Recovery Options page, ensure that the Mount the Databases After They Are Recovered option is selected, and then click Next. 10. On the Summary page, review the recovery settings, and then click Recover. 11. Next, the status and results of the recovery process are shown on the Recovery Status page, as shown in Figure 11.6. Once the recovery process has been completed, click Close to exit the wizard. 12. Finally, execute the following EMS command against the recovered database to set the AllowFileRestore property back to False:
Get-MailboxDatabase -Identity <database name> | Set-MailboxDatabase -AllowFileRestore $False
In addition to being able to restore a database to its original location, you can also restore a database to any of the following alternate location options: • Recover to Another Database on an Exchange Server—Use this option to recover the database to another Exchange server. This option might be used in scenarios where restoring to the original Exchange server is not feasible. • Recover to a Recovery Database—Use this option to recover the database to a recovery database. Once recovered, you can then mount the database and extract data as part of a recovery operation to restore individual mailboxes or individual items in a mailbox.
FIGURE 11.6 Exchange database recovery status.
• Copy to a Network Folder—Use this option to recover the database and its log files to a network location. This option is useful if you are trying to recover the database into a lab environment, if you are recovering to another Exchange server and want to bring the database to a clean shutdown, or if you are planning to do some form of forensic analysis on the database. However, keep in mind that the recovery destinations (network locations) available for this option can only be volumes or shares that are protected by DPM. • Copy to Tape—Use this option to recover the database to a tape. This option is useful if you need to recover the database to a medium that can be shipped offsite. NOTE The alternate location options are not available if you use the latest recovery point to recover from. Instead, you must either choose an earlier recovery point or a database copy that is only being protected using a copy backup.
How to Restore a Mailbox To recover a mailbox, the process is the same regardless of whether you are trying to recover a mailbox that is located in a DAG or in a single mailbox database. To complete such a recovery, complete the following steps:
1. While logged on to a computer as a domain user account that is a member of the Exchange Organization Management and Server Management groups, open the Exchange Management Shell (EMS). 2. Next, execute the following command to create a recovery database:
New-MailboxDatabase -Recovery -Name <recovery database name> -Server <Exchange Server Name>
3. Now, open the DPM 2010 Administrator Console. 4. Once the console has loaded, click Recovery on the navigation bar. 5. Using either the Browse or Search tabs, find the mailbox that needs to be recovered, as shown in Figure 11.7.
FIGURE 11.7 Choosing which mailbox to recover.
6. Once you have selected the mailbox to recover, click Recover in the Actions pane. 7. After the Recovery Wizard has started, the Review Recovery Selection page is shown. Review the recovery selections and then click Next. 8. On the Select Recovery Type page, select the Recover Mailbox to an Exchange Server Database option, and then click Next to continue. NOTE If needed, you can also choose to recover the mailbox to either a network folder or to a tape.
9. On the Specify Destination page, browse to the Exchange server that has the intended recovery database and then provide the recovery database name that was created in step 2, as shown in Figure 11.8.
FIGURE 11.8 Specifying the recovery database information.
10. Once you have provided the recovery database information, click Next. 11. On the Specify Recovery Options page, click Next. 12. On the Summary page, review the recovery settings, and then click Recover. 13. Next, the status and results of the recovery process are shown on the Recovery Status page. Once the recovery process has been completed, click Close to exit the wizard. 14. Once the mailbox has been restored, use the following EMS commands to complete the recovery process:
Mount-Database -Identity <recovery database name>
Restore-Mailbox -Identity <mailbox name> -RecoveryDatabase <recovery database name>
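The EMS portions of this procedure (step 2 and step 14) can be wrapped so that the mailbox is verified inside the recovery database before anything is restored, and so that the recovery database is removed once the data has been moved out. This PowerShell is an added example, not the book's or Exchange's own code; the recovery database RDB1 on server EX1 under D:\RDB1, the mailbox jsmith and the target folder name are hypothetical, and the DPM Recovery Wizard (steps 3 through 13) still runs in between the two phases.

```powershell
# Added example (not from the book). Run in the Exchange Management Shell.
# Hypothetical names: recovery database RDB1 on EX1 under D:\RDB1, mailbox jsmith.
function New-DpmRecoveryDatabase {
    param([string]$Name, [string]$Server, [string]$Folder)
    # Dedicated .edb and log paths keep the recovered copy away from production files.
    New-MailboxDatabase -Recovery -Name $Name -Server $Server `
        -EdbFilePath (Join-Path $Folder "$Name.edb") -LogFolderPath $Folder
}

function Restore-MailboxFromRecoveryDatabase {
    param([string]$RecoveryDatabase, [string]$Mailbox, [string]$TargetFolder = 'DPM Recovery')
    Mount-Database -Identity $RecoveryDatabase

    # Confirm the mailbox actually arrived with the recovery point before touching the
    # production mailbox; Get-MailboxStatistics lists what the recovery database holds.
    $display = (Get-Mailbox -Identity $Mailbox).DisplayName
    $inRdb = Get-MailboxStatistics -Database $RecoveryDatabase |
             Where-Object { $_.DisplayName -eq $display }
    if (-not $inRdb) {
        throw "Mailbox '$display' is not in $RecoveryDatabase; check which recovery point DPM restored."
    }

    # Restore into a subfolder of the live mailbox rather than merging in place, so the
    # owner can see exactly which items were brought back.
    Restore-Mailbox -Identity $Mailbox -RecoveryDatabase $RecoveryDatabase `
        -RecoveryMailbox $Mailbox -TargetFolder $TargetFolder -Confirm:$false
}

function Remove-DpmRecoveryDatabase {
    param([string]$RecoveryDatabase)
    # Recovered data should not linger on the server once it has been moved out.
    Dismount-Database -Identity $RecoveryDatabase -Confirm:$false
    Remove-MailboxDatabase -Identity $RecoveryDatabase -Confirm:$false
    # Remove-MailboxDatabase leaves the .edb and log files on disk; delete them afterwards.
}

# Phase 1 (step 2): create the empty recovery database.
New-DpmRecoveryDatabase -Name 'RDB1' -Server 'EX1' -Folder 'D:\RDB1'

# Run the DPM Recovery Wizard (steps 3 through 13) against RDB1 before phase 2.

# Phase 2 (step 14 plus clean-up): mount, verify, restore, then remove the recovery database.
Restore-MailboxFromRecoveryDatabase -RecoveryDatabase 'RDB1' -Mailbox 'jsmith'
Remove-DpmRecoveryDatabase -RecoveryDatabase 'RDB1'
```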
Exchange High-Availability Caveats Although DPM is a cluster-aware data protection solution and will continue protecting Exchange data even if an unplanned failover happens or if resources are shifted between cluster nodes, there are some caveats in relation to the different Exchange high-availability configurations and how DPM protects Exchange data. Administrators should take the following into consideration when planning their protection groups:
• Exchange Server 2003 failover clusters and Exchange Server 2007 Single Copy Cluster (SCC)—With these types of clusters, all nodes should have the protection agent installed on them. If a failover occurs, DPM automatically detects the change in status and continues to protect and perform restores only from the active node. • Exchange Server 2007 Cluster Continuous Replication (CCR)—With this two-node type of cluster, each node should have the protection agent installed on it. If a failover occurs, DPM automatically detects the change in status and performs restore operations against the active node. However, when configuring protection, administrators have the choice of protecting data on either node depending on the needs of their environment. • Exchange Server 2007 Local Continuous Replication (LCR)—With this type of high-availability scenario, log shipping is used to create a second copy of databases and storage groups on the same physical server. If the primary copy of the data becomes corrupted, Exchange automatically switches to using the secondary copy, or administrators can perform a manual failover. In either case, DPM automatically continues to protect the data using the active copy. • Exchange Server 2007 Standby Continuous Replication (SCR)—With DPM, you can protect Exchange mailbox storage group replicas on SCR target nodes. However, as a general recommendation, protection of SCR target nodes should be done using a DPM server located within the same recovery site as the target. • Exchange Server 2010 DAG—When protecting a DAG, the Create New Protection Group Wizard does not indicate which database copy is the active copy. Instead, administrators must know which database copy is the active one before creating or modifying a protection group. Once the protection group has been created, changing the active database copy has no impact, because DPM continues protecting data using a passive database copy.
However, changing the active database copy does affect the recovery process as DPM cannot perform database recoveries against a passive database copy. Lastly, the recovery process to an active database is the same as recovering to a standalone database. Then once the database has been recovered, the passive copies need to be synchronized with the recovered active database using the Resume-MailboxDatabaseCopy cmdlet.
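The post-recovery work for a DAG database (step 12 of the restore procedure, resetting AllowFileRestore, and the Resume-MailboxDatabaseCopy step just described) can be done in one pass that also verifies that the active copy is mounted. This PowerShell is an added example and is not the book's or Exchange's own code; it runs in the Exchange Management Shell after the DPM Recovery Wizard has finished, and the database name DAG1-DB1 is taken from the figures in this section.

```powershell
# Added example (not from the book). Run in the Exchange Management Shell once the DPM
# Recovery Wizard has finished recovering the active copy of a DAG database.
function Complete-DagDatabaseRecovery {
    param([Parameter(Mandatory=$true)][string]$Database)

    # Step 12 of the restore procedure: AllowFileRestore is only needed while DPM writes the
    # database files, so close that window again as soon as the recovery is done.
    Set-MailboxDatabase -Identity $Database -AllowFileRestore $false

    $copies = @(Get-MailboxDatabaseCopyStatus -Identity "$Database\*")
    $active = $copies | Where-Object { $_.ActiveCopy }
    if (-not $active -or "$($active.Status)" -ne 'Mounted') {
        throw "The active copy of $Database is not mounted; recover it before resuming passive copies."
    }

    # DPM recovered only the active copy; the passive copies must be resumed so that they
    # resynchronize from it (the book's Resume-MailboxDatabaseCopy step).
    $resumable = 'Suspended', 'Failed', 'FailedAndSuspended'
    foreach ($copy in ($copies | Where-Object { -not $_.ActiveCopy })) {
        if ($resumable -contains "$($copy.Status)") {
            Resume-MailboxDatabaseCopy -Identity $copy.Name
        }
    }

    # Return the copy status so the caller can confirm the queues drain to zero.
    Get-MailboxDatabaseCopyStatus -Identity "$Database\*" |
        Select-Object Name, Status, ActiveCopy, CopyQueueLength, ReplayQueueLength
}

# Database name taken from the figures in this section; substitute your own.
Complete-DagDatabaseRecovery -Database 'DAG1-DB1' | Format-Table -AutoSize
```

Copies that report Healthy are left alone; only suspended or failed copies are resumed, and the returned queue lengths show whether resynchronization has actually caught up.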
Additional Considerations Lastly, when using DPM to protect Exchange Server data, administrators should be aware of the following considerations: • Creating new storage groups or databases—If you create a new database within an already protected storage group, DPM automatically updates the protection group and protects the new database. However, if you create a new storage group or a new database (with Exchange Server 2010), you need to manually update the protection group or create a new protection group to protect these new data sources.
• Changing storage group or database file paths—After changing the file paths for a storage group or database, you need to run a consistency check on the protection group or replica to resume protection. • Dismounted databases—While a database is dismounted, protection jobs for that database will fail. • Renaming storage groups or databases—Storage groups and databases can be renamed without any additional steps that need to be taken. • Moving databases—You can move databases between storage groups; however, if the storage group is not protected, the database becomes unprotected. Additionally, if you are moving from an unprotected storage group to a protected storage group, the database becomes protected after a consistency check has been performed. Lastly, if you move a database between Exchange servers, that database is no longer protected and the protection group needs to be updated to reflect the change.
Protecting SQL Servers Traditionally, there have been several different methods for protecting SQL Server databases. The first method is to ensure that no transactions can occur by taking the database offline and then backing up the database files. The second method is to use SQL Server's native backup tool, which relies on VSS and the SQL Server VSS writer to perform an online backup. Lastly, you could also use a third-party backup tool that might or might not employ VSS to perform a SQL Server backup. In all of these cases, most of the solutions that are designed to protect SQL Server databases rely on single-point-in-time backups. However, like Exchange Server, SQL Server is a transaction-based application. Therefore, the data that is contained in a SQL Server database is constantly being updated and modified. Further complicating matters is the fact that SQL Server databases tend to host applications and data that are mission critical for organizations. In other words, there is a strong need to ensure that the data within these databases is continuously protected and can be recovered at any given time; the need for protecting SQL Server databases is a gap that DPM can easily fill thanks to its Continuous Data Protection features. NOTE Before you can start protecting data on a SQL Server 2005 SP1 instance, you must first enable and then start the SQL Server VSS Writer Service.
How to Protect SQL Server Databases The steps used to protect SQL Server databases using DPM are almost identical regardless of whether you are trying to only protect databases on a standalone SQL Server instance or on a SQL Server cluster. For the purposes of this example, the following steps describe how to protect a database located on a standalone SQL Server instance:
1. While logged on to the DPM server as a domain user account that is a member of the local administrators group, open the DPM 2010 Administrator Console. 2. Next, ensure that the SQL Server has the protection agent installed and the agent is reachable with a normal status. NOTE When protecting a SQL Server cluster, all nodes of the cluster should have the DPM protection agent installed on them.
3. Now, click Protection on the navigation bar, and then click Create Protection Group in the Actions pane. 4. Once the Create New Protection Group Wizard has started, click past the Welcome page, select the Servers Protection Group Type option, and then click Next. 5. On the Select Group Members page, use the interface to add the database, databases, or entire SQL Server instances that you want to protect into the protection group, as shown in Figure 11.9.
FIGURE 11.9 Adding SQL databases.
NOTE For databases that are located in a SQL Server cluster, DPM represents the databases as part of the cluster in the Create New Protection Group Wizard.
6. Once you have finished selecting the desired database(s) or SQL Server instances, click Next. 7. On the Select Data Protection Method page, type a new name for the protection group in the Protection Group Name box, choose the desired protection methods, and then click Next. 8. On the Specify Short-Term Goals page, specify your desired short-term protection goals, and then click Next. 9. On the Review Disk Allocation page, review the disk allocations that DPM recommends for the protection group, and then click Next. 10. If you have a tape device attached, the Specify Long-Term Protection page is shown. Use this page to specify your long-term protection goals, and then click Next. 11. Next, if you have a tape device attached, the Select Library and Tape Details page is also shown. Use this page to specify the library and configuration options for the backup tapes, and then click Next. 12. On the Choose Replica Creation Method page, use the Replica in DPM Server section to define how the initial replica of the protected data should be created, and then click Next. 13. On the Consistency Check Options page, specify the desired option for how the consistency check for the protection group will be handled, and then click Next. 14. On the Summary page, review the information about the protection group and then click Create Group. 15. Next, the status and results of the protection group creation process are shown on the Status page. Once the protection group has been created, click Close to exit the wizard.
NOTE Being able to protect an entire SQL Server instance is a new feature in DPM 2010. If you choose to protect an entire SQL Server instance, all new databases added to that instance are automatically protected.
How to Restore a SQL Server Database The steps used to recover a SQL Server database using DPM differ slightly depending on if you are trying to restore the database to its original instance of SQL Server or to an alternate location. Use the following steps to restore a database to its original instance of SQL Server:
1. While logged on to the DPM server as a domain user account that is a member of the local administrators group, open the DPM 2010 Administrator Console. 2. Once the console has loaded, click Recovery on the navigation bar. 3. Using either the Browse or Search tabs, find the database that needs to be recovered, as shown in Figure 11.10.
FIGURE 11.10 Choosing which SQL database to recover.
4. Once you have selected the database to recover, click Recover in the Actions pane. 5. After the Recovery Wizard has started, the Review Recovery Selection page is shown. Review the recovery selections and then click Next. 6. On the Select Recovery Type page, select the Recover to Original Instance of SQL Server (Overwrite Database) option, and then click Next to continue.
When you recover a SQL database to its original instance of SQL Server, the original database is overwritten using the replica that was chosen to recover the database with. If you are trying to attempt a lossless recovery, you then need to restore the database using the latest recovery point, and have DPM replay any residual live transactions from the SQL Server log files (LDF).
7. On the Specify Database State page, select either the Leave Database Operational option or the Leave Database Non-Operational But Able to Restore Additional Transaction Logs option, and then click Next to continue.
   • Leave Database Operational—When you use this option, DPM recovers the database using the selected recovery point, replays the necessary transaction logs, and then remounts the database.
   • Leave Database Non-Operational But Able to Restore Additional Transaction Logs—When you use this option, DPM recovers the database using the selected recovery point and replays the necessary transaction logs, but does not remount the database, so that you can replay additional transaction logs (if you have them).
8. On the Specify Recovery Options page, click Next.
9. On the Summary page, review the recovery settings, and then click Recover.
10. Next, the status and results of the recovery process are shown on the Recovery Status page. Once the recovery process has been completed, click Close to exit the wizard.

In addition to being able to restore a database to its original SQL Server instance, you can also restore a database to any of the following alternate locations:
• Recover to Any Instance of SQL Server—Use this option to recover the database to another instance of SQL Server. This option is particularly useful if you need to test recovery procedures, want to create a lab environment, or are trying to migrate the database to a new instance of SQL Server. However, keep in mind that when you recover a database to a different instance of SQL Server, DPM will not be able to perform a lossless recovery by replaying the transaction logs.
• Copy to a Network Folder—Use this option to recover the database and its log files to a network location. This option is useful if you need physical access to the database and log files.
• Copy to Tape—Use this option to recover the database to a tape. This option is useful if you need to recover the database to a medium that can be shipped offsite.
How to Conduct a Self-Service Restore

In DPM 2010, a new feature called SQL End User Recovery allows authorized SQL Server database owners to perform self-service database recoveries without the intervention of a DPM administrator. To configure this feature, the DPM administrator must first create a DPM role, which grants authorized SQL Server database owners the DPM rights needed to perform recovery operations for the databases they own. To create the DPM role, complete the following steps:
1. While logged on to the DPM server as a domain user account that is a member of the local administrators group, open the DPM Management Shell.
2. Next, execute the following command to create the DPM role (the angle-bracketed values are placeholders for your own names):

    $Role = New-DPMRole -Name "<Role Name>" -Description "<Description>" -DPMServerName "<DPM Server Name>"

3. Now, add a domain security group to the role, which should have the ability to recover databases:

    Add-DPMSecurityGroup -DpmRole $Role -SecurityGroups "<Domain Name>\<Security Group Name>"

4. Next, use the following commands to identify the databases that the SQL administrators can recover and then add them to the role. The first loop locates the protection group by its friendly name; the second collects the matching databases from that group's data sources; the two Add-DPMRecoveryItem calls then grant the role the databases and the SQL Server instance that recoveries may target:

    $DatabasesForEndUserRecovery = $null
    $ListOfPGs = Get-ProtectionGroup -DPMServerName "<DPM Server Name>"
    $ListOfPGs | ForEach-Object { if ($_.FriendlyName -eq '<Protection Group Name>') { $PG = $_; break } }
    $DatasourcesInPG = Get-Datasource $PG
    $DatasourcesInPG | ForEach-Object { if ($_.LogicalPath -eq "<Database Name>") { $DatabasesForEndUserRecovery += ,$_ } }
    Add-DPMRecoveryItem -DPMRole $Role -Type SQLDatabase -Datasources $DatabasesForEndUserRecovery
    Add-DPMRecoveryItem -DPMRole $Role -Type SQLINSTANCE -SqlInstances "<SQL Server Instance Name>"

5. Lastly, save the role using the following command:

    Set-DPMRole -DpmRole $Role
NOTE Alternatively, DPM roles can be created and managed using the Self-Service Recovery Configuration Tool for SQL Server in the DPM Administrator Console.
After you have created the DPM role, SQL administrators can use the SQL Server EUR Client to perform recoveries of SQL Server databases that are protected by a DPM server. Use the following steps to complete a database recovery with the SQL Server EUR Client:
1. Have the SQL administrator install the SQL Server EUR Client. By default, the installation packages are located in the %ProgramFiles%\Microsoft DPM\DPM\DPMSqlEURInstaller folder.
2. Once the SQL Server EUR Client has been installed, have the SQL administrator open the SQL EUR Console. This console can be used to list recovery jobs for SQL Server databases and to start, rerun, or stop recoveries, as shown in Figure 11.11.
3. After the console has opened, click Connect to Server, provide the DPM server name, and then click Connect.
FIGURE 11.11 The SQL EUR Console (the DPM Self Service Recovery Tool, before connecting to a DPM server).
4. Next, click New Recovery Job. This opens the Recovery Wizard, as shown in Figure 11.12, and SQL administrators can then complete the database recovery as described earlier in this section.

FIGURE 11.12 Completing a database recovery using the SQL EUR Console (the Recovery Wizard's Specify Database Details page).
The SQL End User Recovery feature uses TCP port 11313 to communicate with the DPM server. To use this feature, you need to ensure that Windows Firewall has been configured to allow incoming connections on this port.
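The following is an added example, not a command from the book or from DPM itself, showing one way to open TCP port 11313 on the DPM server for the SQL End User Recovery client while keeping the exposure small. It uses netsh advfirewall, which is what Windows Server 2008 R2 (the platform DPM 2010 runs on) provides; the rule name and the administrator subnet 10.0.50.0/24 are assumptions for the example and should be replaced with your own values. The commented-out "weak form" is the rule most people would type first; the hardened form below it limits the rule to the domain profile and to the subnet where the SQL administrators' workstations live.

```powershell
# Added example (not from the book): open TCP 11313 on the DPM server for the
# SQL End User Recovery client, restricted to the domain profile and to the
# SQL administrators' subnet. The rule name and 10.0.50.0/24 are assumptions.
$RuleName = "DPM SQL End User Recovery (TCP 11313)"
$AdminNet = "10.0.50.0/24"

# Remove any stale copy of the rule so the script can be re-run safely.
netsh advfirewall firewall delete rule name="$RuleName" | Out-Null

# Weak form (left commented out): allows every source address on every profile.
# netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow protocol=TCP localport=11313

# Hardened form: inbound TCP 11313, domain profile only, admin subnet only.
netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
    protocol=TCP localport=11313 profile=domain remoteip=$AdminNet

# Verify the rule was created and show its effective settings.
netsh advfirewall firewall show rule name="$RuleName" verbose
```

Run the script in an elevated PowerShell prompt on the DPM server; if the SQL EUR Console then fails to connect, the show rule output is the first place to confirm the profile and remote address scope match the network the client is connecting from.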
Protecting SharePoint Farms

Unfortunately, certain components in a SharePoint farm rely on other components for the farm to function. For example, the configuration database and the Central Administration content database of a SharePoint farm must be in sync. Naturally, keeping these two databases in perfect sync adds a certain amount of complexity to backup and recovery procedures. That is why, until DPM introduced the ability to protect an entire SharePoint farm, the options for SharePoint data protection were a bit limited.

In the past, you could use the tools included with SharePoint to back up and restore a SharePoint farm. For example, the Central Administration website contains a UI-based tool to perform backup and recovery processes. Or, if you were more command-line inclined, you could use the Stsadm tool to do the same thing. When combined with Windows Scheduler, Stsadm could be used to schedule regular backups, giving you an almost complete backup solution. Additionally, you could rely on SQL Server tools to back up the SharePoint databases, or turn to third-party backup solutions.

Sadly, the issue with all of the aforementioned data protection solutions (except possibly third-party solutions that have done their homework to integrate with SharePoint and the Windows Server Volume Shadow Copy Service) is that they fail to provide end-to-end protection from an entire farm down to a single item. In a sense, they all lack a single streamlined approach, which is a gap that DPM fills by providing data protection not only for a SharePoint farm, but also for its related content databases, search data, sites, and files or lists. To illustrate this, a matrix of the allowed SharePoint data sources and the data that can be recovered from them is shown in Table 11.4.

TABLE 11.4 SharePoint Data Sources and Recoverable Data

Allowed Data Source: Farm
Recoverable Data: Farm, Database, Search data, Site, File or list
Preparing SharePoint for Protection

The first step in preparing SharePoint for protection by DPM is to ensure that the protection agent has been installed on all servers that have content you intend to protect. For example, in a simple SharePoint farm that consists of two Web Front End (WFE) servers, one index server, and a two-node clustered SQL Server instance, you would install the protection agent on both nodes in the SQL Server cluster, on the index server (if you are planning on protecting search content), and on only one of the WFE servers.

NOTE WFE servers do not host content. Therefore, technically only one Web Front End server needs to have the protection agent installed in a SharePoint farm. However, at least one WFE does need the protection agent installed, as it serves as the entry point for DPM to protect the SharePoint farm and contains any customizations that have been made to SharePoint, which should be protected as part of the farm.
After installing the protection agent, the next step is to configure the SharePoint farm for DPM protection using the ConfigureSharePoint.exe utility. This utility is used to configure the WSS Writer Service and the WSSCmdletsWrapper with the correct credentials needed to access the farm to perform backups and recoveries. Use the following steps to configure a SharePoint farm for protection:
1. Log on to the WFE on which you have installed the protection agent as a SharePoint farm administrator and local administrator.
2. Next, open a PowerShell command console and CD to C:\Program Files\Microsoft Data Protection Manager\DPM\bin.
3. Now, execute the following command to configure the SharePoint farm for protection:

    .\ConfigureSharePoint.exe -EnableSharePointProtection

4. When prompted, provide the correct credentials required to access the SharePoint farm for backup and recovery purposes.

NOTE In addition, the ConfigureSharePoint.exe utility can also be used to enable protection for Search and to configure a temp folder location for recoveries by using the EnableSPSearchProtection and SetTempPath parameters.
By executing the ConfigureSharePoint.exe utility, the Windows SharePoint Services VSS Writer service is configured to use the specified credentials and then is started. Additionally, the utility configures the WSSCmdletsWrapper process with the needed credentials to access the SharePoint farm using the SharePoint Object Model. The WSSCmdletsWrapper is a DCOM application that runs on the WFE and is used as a bridge between the data in the SharePoint farm and the DPM replication agent (DPMRA) service.
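The following is an added example, not part of the book or of the DPM product, that runs ConfigureSharePoint.exe as described in the steps above and then checks the outcome the text describes: that the SharePoint VSS writer service was started and that VSS reports the writer as stable, which is the state DPM needs before it can snapshot the farm. The DPM bin path is the one from step 2; the service name SPWriter and the writer name "SharePoint Services Writer" (as printed by vssadmin list writers) are assumptions for this example and may differ on your build.

```powershell
# Added example (not from the book): configure the farm for DPM protection and
# confirm the SharePoint VSS writer is registered and stable afterwards.
# Assumptions: service name "SPWriter" and VSS writer name
# "SharePoint Services Writer"; the bin path is the one the text gives.
$DpmBin = "C:\Program Files\Microsoft Data Protection Manager\DPM\bin"

function Test-SharePointVssWriter {
    # Returns $true only when the writer service is running and VSS lists the
    # SharePoint writer with a Stable state.
    $svc = Get-Service -Name "SPWriter" -ErrorAction SilentlyContinue
    if ($svc -eq $null -or $svc.Status -ne "Running") {
        Write-Warning "SharePoint VSS writer service is not running."
        return $false
    }

    # vssadmin prints one block per writer; the State line follows the name
    # within a few lines, e.g. "State: [1] Stable".
    $lines = & vssadmin list writers
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match "Writer name: 'SharePoint Services Writer'") {
            $end   = [Math]::Min($i + 5, $lines.Count - 1)
            $block = $lines[$i..$end]
            return [bool]($block -match "State: \[\d+\] Stable")
        }
    }
    Write-Warning "SharePoint Services Writer is not registered with VSS."
    return $false
}

Set-Location $DpmBin
# Prompts for the farm credentials, as described in step 4 above.
.\ConfigureSharePoint.exe -EnableSharePointProtection

if (Test-SharePointVssWriter) {
    "SharePoint Services Writer is running and stable; DPM can protect the farm."
} else {
    "Writer check failed; review the ConfigureSharePoint output and the Application event log before creating the protection group."
}
```

Run it from an elevated PowerShell prompt on the WFE. A writer that is registered but not Stable is the usual reason a SharePoint protection group fails its initial replica, so checking here saves a round trip through the DPM console later.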
Next, if you are planning to use DPM's built-in, item-level recovery support for SharePoint, you need to create the DPMRecoveryWebApplication. Use the following steps to complete this task:
1. Open the SharePoint 3.0 Central Administration console as a SharePoint farm administrator.
2. After the SharePoint 3.0 Central Administration console has loaded, click the Application Management sidebar tab.
3. Next, click the Manage Web Applications link.
4. On the Web Applications Management page, verify that the DPMRecoveryWebApplication web application does not already exist, and then click the Web Applications tab.
5. Using the SharePoint 2010 Ribbon, select the New option.
6. Once the Create New Web Application form has loaded, complete the form using the following information:
   • Choose the Create a New IIS Web Site option and name it DPMRecoveryWebApplication.
   • In the Port field, give the new web application a unique port that is not shared by any other internal applications.
   • Under the Select a Security Account for This Application Pool section, select the Configurable option button and choose a managed account to use for the new web application.
   • Lastly, in the Database Name box, enter DPMRecoveryWebApplication.
7. Once you have completed the Create New Web Application form, click OK to create the DPMRecoveryWebApplication web application.
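The following is an added example, not from the book, that performs the same procedure from the SharePoint 2010 Management Shell using the New-SPWebApplication cmdlet, with the checks from steps 4 and 6 scripted: it refuses to run if the web application already exists and if the chosen port is already used by another web application. The port 9999 and the managed account COMPANYABC\spAppPool are assumptions for the example; the account must already be registered as a SharePoint managed account.

```powershell
# Added example (not from the book): create DPMRecoveryWebApplication with the
# SharePoint 2010 cmdlets. Port 9999 and COMPANYABC\spAppPool are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$Name    = "DPMRecoveryWebApplication"
$Port    = 9999
$Account = "COMPANYABC\spAppPool"   # must already be a SharePoint managed account

# Step 4: do nothing if the web application already exists.
$existing = Get-SPWebApplication | Where-Object { $_.Name -eq $Name }
if ($existing) {
    "$Name already exists at $($existing.Url); nothing to do."
    return
}

# Step 6, port field: the port must not be shared with another web application.
$portInUse = Get-SPWebApplication | Where-Object { ([Uri]$_.Url).Port -eq $Port }
if ($portInUse) {
    throw "Port $Port is already used by $($portInUse.Name); choose a unique port."
}

# Step 6, security account: resolve the configurable (managed) account.
$managedAccount = Get-SPManagedAccount -Identity $Account

# Step 6: new IIS site, its own application pool, and a content database named
# after the web application.
New-SPWebApplication -Name $Name -Port $Port `
    -ApplicationPool "$Name AppPool" -ApplicationPoolAccount $managedAccount `
    -DatabaseName $Name | Out-Null

"Created $Name on port $Port using $Account."
```

Because the web application exists only to stage recovered content, keeping it on a port that is not published beyond the farm's own servers, as step 6 implies, limits what an item-level recovery exposes while it runs.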
How to Protect a SharePoint Farm

The steps used to protect SharePoint data using DPM are almost identical regardless of whether you are protecting only Windows SharePoint Services or an entire SharePoint farm. For the purposes of this example, the following steps describe how to protect a SharePoint farm:
1. While logged on to the DPM server as a domain user account that is a member of the local administrators group, open the DPM 2010 Administrator Console.
2. Next, click Protection on the navigation bar, and then click Create Protection Group in the Actions pane.
3. Once the Create New Protection Group Wizard has started, click past the Welcome page, select the Servers Protection Group Type option, and then click Next.
4. On the Select Group Members page, use the interface to locate the WFE server object and expand it; you will then see a SharePoint object. Expand this object and you will see the SharePoint farm represented in the name format <database server name>\<configuration database name>, as shown in Figure 11.13.
FIGURE 11.13 Adding a SharePoint farm (the Select Group Members page of the Create New Protection Group Wizard).
5. Once you have finished selecting the desired SharePoint farm, click Next.
6. On the Select Data Protection Method page, type a new name for the protection group in the Protection Group Name box, choose the desired protection methods, and then click Next.
7. On the Specify Short-Term Goals page, specify your desired short-term protection goals, and then click Next.
8. On the Review Disk Allocation page, review the disk allocations that DPM recommends for the protection group, and then click Next.
9. If you have a tape device attached, the Specify Long-Term Protection page is shown. Use this page to specify your long-term protection goals, and then click Next.
10. Next, if you have a tape device attached, the Select Library and Tape Details page is also shown. Use this page to specify the library and configuration options for the backup tapes, and then click Next.
11. On the Choose Replica Creation Method page, use the Replica in DPM Server section to define how the initial replica of the protected data should be created, and then click Next.
12. On the Consistency Check Options page, specify the desired option for how the consistency check for the protection group will be handled, and then click Next.
13. On the Summary page, review the information about the protection group, and then click Create Group.
14. Next, the status and results of the protection group creation process are shown on the Status page. Once the protection group has been created, click Close to exit the wizard.
How to Recover a SharePoint Farm

Recovering SharePoint data using DPM can be broken down into the following scenarios:
• Recovering an entire SharePoint farm
• Recovering a content database
• Recovering a Shared Services Provider (SSP) and its search data, or recovering Office SharePoint Server Search data
• Recovering item-level objects, such as sites, lists, and items
• Restoring customizations and configuration settings outside of SharePoint databases

Depending on the SharePoint recovery scenario you are attempting to execute, the process you should follow is different, and each has its own supportability implications and prerequisites. For example, if you are planning to restore the SharePoint farm configuration database and the associated Central Administration website content database, the only supported way to do so is a full-farm recovery. In other words, these databases must be recovered in conjunction with all other databases in the SharePoint farm to the same point in time. Luckily, thanks to DPM's use of VSS, you can accomplish a full-farm recovery using a point-in-time snapshot of all the databases in a SharePoint farm. To perform a full SharePoint farm recovery while the farm is still available, complete the following steps:
1. First, ensure that the following are true:
   • All WFE servers are configured as they were when the recovery point was created. If the configuration is different, the recovery operation will fail.
   • The SQL Server instances are configured with the same names that were in place when the recovery point was created. If the instance names are different, the recovery operation will fail.
2. Next, while logged on to the DPM server as a domain user account that is a member of the local administrators group, open the DPM 2010 Administrator Console.
3. Once the console has loaded, click Recovery on the navigation bar.
4. On the Browse tab under the Recoverable Data section, expand the SharePoint server that contains the SharePoint farm to be recovered. Then, under the server name, select the All Protected SharePoint Data object. This displays the farm name in the lower-right pane, as shown in Figure 11.14.
5. Now, in the calendar display, select the date and time the recovery point was created, and then select the SharePoint farm object to be recovered under the Recoverable Item field.
FIGURE 11.14 Selecting a SharePoint farm for recovery.
6. Once you have selected the SharePoint farm, click Recover in the Actions pane.
7. After the Recovery Wizard has started, the Review Recovery Selection page is shown. Review the recovery selections, and then click Next.
8. On the Select Recovery Type page, select the Recover All SharePoint Content and Components option to perform a full SharePoint farm recovery. If you need to restore the farm for auditing or other purposes, select the Copy All SharePoint Content and Components to a Network Folder option. Additionally, you can choose the Copy the Windows SharePoint Services Farm to Tape option to restore the related farm data to tape.
9. After making the recovery type selection, click Next to continue.
10. On the Specify Recovery Options page, click Next.
11. On the Summary page, review the recovery settings, and then click Recover.
12. Next, the status and results of the recovery process are shown on the Recovery Status page. Once the recovery process has been completed, click Close to exit the wizard.

Once the recovery operation has completed, it will take about 15-30 minutes (depending on the size of the SharePoint farm) before search services become available. However, users are able to access the SharePoint farm and its content immediately after the completion of a recovery operation.

In the event that you need to perform a SharePoint farm recovery and the farm is not available because of some catastrophic failure, the steps are slightly different from a recovery when the farm is available, as follows:
1. Ensure that any new hardware (WFE servers and SQL Server instances) has the same names as the servers that existed when the recovery point was created.
2. Next, install any necessary prerequisite software and the DPM protection agent.
3. Now, ensure that the DPM protection agent is communicating with the DPM server, and then use the ConfigureSharePoint.exe utility to configure the WSS Writer Service and the WSSCmdletsWrapper.
4. From within the DPM Administrator Console, complete a recovery of the SharePoint farm using the DPM Recovery Wizard.
5. After the recovery operation has completed, run the SharePoint Products and Technologies Configuration Wizard and disconnect all of the front-end web servers from the farm.
6. Next, on each WFE server in the SharePoint farm, use the Internet Information Services (IIS) Manager console to delete all website and application pool entries for the farm being restored. Then run the SharePoint Products and Technologies Configuration Wizard and select the option to connect to an existing SharePoint farm. When prompted, provide the server name and database name used at the start of this process (these names must be the same as when the recovery point was created).
7. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Advanced Settings, and then click Next.
8. Then, on the Advanced Settings page, select the option Use This Machine to Host the Web Site, and complete the wizard.
How to Recover a Content Database

Despite being protected as part of the SharePoint farm, content databases can be recovered individually just like any other SQL Server database. The only difference from a SQL Server database recovery is that the content database recovery object needs to be selected from under the <database server name>\<configuration database name> object that represents the SharePoint farm within the DPM Administrator Console, as shown in Figure 11.15.
NOTE After completing a content database recovery operation, be sure to detach and reattach the database using the Central Administration website to force an update to the sitemap table in the SharePoint farm configuration database.
How to Recover Sites, Lists, and Items

The term for recovering SharePoint sites, lists, and items using DPM is item-level recovery. In relation to the SharePoint object hierarchy, item-level objects are objects that are stored within a SharePoint content database. Therefore, recovering these objects is only supported by using the SharePoint Object Model. Failure to use the object model, for example by attempting a direct extraction, can lead to corruption of the database and of the items/data in the database.
FIGURE 11.15 Selecting a content database for recovery.
This is why item-level data protection has always been a very difficult task to accomplish when protecting a SharePoint farm. To help farm administrators overcome this challenge, the DPM product team introduced the ability to perform SharePoint item-level recovery in DPM 2007 SP1. Although the introduction of item-level recovery support was a step forward in easing the difficulties associated with protecting SharePoint data, making this feature work required the use of a SharePoint recovery farm to host a recovered version of the content database, which would hold the SharePoint object being recovered. From there, the object could be exported and imported back into the production SharePoint farm using the SharePoint Object Model. Needless to say, although the support of item-level recovery was a great leap forward in SharePoint data protection, the need for a recovery farm placed an additional burden on SharePoint administrators just trying to recover single items, thus slowing down the entire recovery process for potentially critical data. Thankfully, this issue is addressed in DPM 2010 with the ability to perform item-level recovery without the use of a SharePoint recovery farm. Use the following steps to perform an item-level recovery operation:
1. While logged on to the DPM server as a domain user account that is a member of the local administrators group, open the DPM 2010 Administrator Console.
2. Once the console has loaded, click Recovery on the navigation bar.
3. On the Search tab under the Search Parameters section, complete the following, as shown in Figure 11.16:
   • Change the Search drop-down parameter to SharePoint.
   • In the SharePoint Search section, choose either the Search Site or Search Documents option.
   • Then provide the search string of the site or document you are trying to recover for the Name parameter.
   • Lastly, in the Recovery Points section, define the recovery point range within which your search should be performed.
FIGURE 11.16 Defining SharePoint recovery search parameters.
4. Once you have defined the search parameters, click Search.
5. After the search results are displayed in the Search Results panel, locate the recoverable item that you want to recover, select it, and then click Recover.
6. After the Recovery Wizard has started, the Review Recovery Selection page is shown. Review the recovery selections, and then click Next.
7. On the Select Recovery Type page, select the Recover to Original Site option. Alternatively, you can choose Recover to an Alternate Site or the Copy the Windows SharePoint Services Farm to Tape option.
8. After making the recovery type selection, click Next to continue.
9. On the Select Recovery Process page, select the Recover Without Using a Recovery Farm option, as shown in Figure 11.17, and then click Next. Alternatively, you can choose the Recover Using a Recovery Farm option. The difference between these two options is as follows:
   • Recover Without Using a Recovery Farm—This option requires that the version of SharePoint be the same as when the selected recovery point was created. With this option, the content database in which the selected item is located is temporarily restored and attached to a SQL Server instance, and the item is then directly restored to the targeted SharePoint farm. This is called an unattached database recovery. When this type of recovery is performed, the content database is not upgraded to match the production farm version. Therefore, if there is a version mismatch, a recovery operation might cause corruption.
   • Recover Using a Recovery Farm—This option should be used if the SharePoint farm has been updated since the selected recovery point was created. With this option, the content database is temporarily restored and attached to a temporary SharePoint recovery farm. From there, the selected items are extracted and restored to the targeted SharePoint farm.

FIGURE 11.17 Selecting the item-level recovery process (the Recovery Wizard's Select Recovery Process page).
NOTE Performing an item-level restore without the use of a recovery farm is only possible with a SharePoint 2010 farm. The concept of unattached database recovery is a new feature in SharePoint 2010, and it is required to perform an item-level recovery without the use of a SharePoint recovery farm.
10. On the Specify Temporary Server page, define a SQL Server instance to temporarily stage the content database prior to recovery. Then define a file location where the database files can be copied to (these are deleted after the recovery operation has completed), and then click Next.
11. On the Specify Staging Location page, define a temporary file location on the WFE where DPM can extract the files from the recovered database and then import them into the production database, and then click Next.
12. On the Specify Recovery Options page, click Next.
13. On the Summary page, review the recovery settings, and then click Recover.
14. Next, the status and results of the recovery process are shown on the Recovery Status page. Once the recovery process has completed, click Close to exit the wizard.
Protecting Virtualized Environments

Like Exchange and SQL Server, DPM can also be used to protect Virtual Server 2005 R2 and Hyper-V virtualized environments. When protecting a virtualized environment, DPM uses VSS to take a complete snapshot of each protected virtual machine and its associated configuration information. For virtual machines whose operating systems (such as Windows NT 4.0, Windows 2000 Server, and Linux) do not support VSS, DPM performs what is called an offline backup. With this type of backup, the DPM protection agent pauses the virtual machine, takes a snapshot, unpauses the virtual machine, and then backs up the snapshot. For virtual machines whose operating systems do support VSS, DPM performs an online backup. When performing this type of backup, the protection agent uses VSS to quiesce (make inactive) application activity and produces a snapshot of the virtual machine and its data in a stable and usable state. Needless to say, this is one of the main benefits of using DPM to protect virtualized environments over other data protection methods.

With DPM 2010, protection for Hyper-V environments can be performed for a variety of deployment scenarios, for example:
• Cluster Shared Volumes (CSV)
• Highly available virtual machines on a failover cluster
• Standalone hosts
• Windows Server/Server Core and Microsoft Hyper-V Server and Local Data Source Protection
How to Protect Hyper-V Virtual Machines

The steps used to protect Hyper-V virtual machines using DPM are almost identical regardless of whether you are protecting virtual machines on a standalone Hyper-V host or virtual machines located on a high-availability deployment using Cluster Shared Volumes (CSV) or a failover cluster. For the purposes of this example, the following steps describe how to protect virtual machines located on a standalone Hyper-V host:
1. While logged on to the DPM server as a domain user account that is a member of the local administrators group, open the DPM 2010 Administrator Console.
2. Next, ensure that the Hyper-V host has the protection agent installed and that the agent is reachable with a normal status.
3. Now, click Protection on the navigation bar, and then click Create Protection Group in the Actions pane.
4. Once the Create New Protection Group Wizard has started, click past the Welcome page, select the Servers Protection Group Type option, and then click Next.
5. On the Select Group Members page, find the Hyper-V server that hosts the virtual machines you intend to protect and expand its object. Next, expand the HyperV node to see a list of virtual machines that can be protected. Using this list, select the virtual machines that are to be protected, as shown in Figure 11.18.

FIGURE 11.18 Adding virtual machines (the Select Group Members page, showing each virtual machine labeled Backup Using Child Partition Snapshot or Backup Using Saved State).
NOTE In Figure 11.18, notice that some of the virtual machines state "Backup Using Saved State." This status indicates the virtual machine will be backed up using an offline backup. If a virtual machine supports an online backup, its status message would be "Backup Using Child Partition." However, if the virtual machine is off or in a saved state at the time you are modifying a protection group's members, the state of the virtual machine will be "Backup Using Saved State."
6. Once you have finished selecting the desired virtual machines, click Next.
7. On the Select Data Protection Method page, type a new name for the protection group in the Protection Group Name box, choose the desired protection methods, and then click Next.
8. On the Specify Short-Term Goals page, specify your desired short-term protection goals, and then click Next.
9. On the Review Disk Allocation page, review the disk allocations that DPM recommends for the protection group, and then click Next.
10. If you have a tape device attached, the Specify Long-Term Protection page is shown. Use this page to specify your long-term protection goals, and then click Next.
11. If you have a tape device attached, the Select Library and Tape Details page is also shown. Use this page to specify the library and configuration options for the backup tapes, and then click Next.
12. On the Choose Replica Creation Method page, use the Replica in DPM Server section to define how the initial replica of the protected data should be created, and then click Next.
13. On the Consistency Check Options page, specify the desired option for how the consistency check for the protection group will be handled, and then click Next.
14. On the Summary page, review the information about the protection group, and then click Create Group.
15. Next, the status and results of the protection group creation process are shown on the Status page. Once the protection group has been created, click Close to exit the wizard.
CHAPTER 11 Using Data Protection Manager 2010 to Protect File Systems, Exchange, SQL, and SharePoint

How to Automatically Protect New Virtual Machines
In most virtualized environments, new virtual machines are added continually. Although you can protect all of the virtual machines on a Hyper-V host using DPM, whenever a virtual machine is added to the host, the protection group that protects that host's virtual machines must be manually updated to include it. Needless to say, this is a pain point for DPM administrators. Fortunately, the DPM product team published a set of scripts that automates adding virtual machines that a DPM server does not yet protect into an existing protection group. The first script, AddNewClusteredVM.ps1, runs an inquiry against a specified cluster, then a parallel inquiry for each resource group, to obtain a list of unprotected virtual machines; those virtual machines are then added to the specified protection group. The second script, AddNewStandAloneVM.ps1, runs an inquiry against a specified Hyper-V host, obtains a list of unprotected virtual machines, and adds them to the specified protection group. To download these scripts, use the following link: http://www.microsoft.com/downloads/details.aspx?FamilyID=46d51b5a-5827-43f6-84f5-ce33f4a8e6c3&displaylang=en
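The script below is an added example written for this edit; it is not one of the two Microsoft scripts and is not code from the book. It does for a standalone host what AddNewStandAloneVM.ps1 is described as doing: inquire the host, find the virtual machines that the DPM server does not yet protect, and add them to an existing protection group. The DPM server name, the host name and the protection group name are assumptions, as is the "\Backup Using ..." prefix that DPM gives Hyper-V data source names and the cmdlet sequence used to commit the change (Get-ModifiableProtectionGroup, Add-ChildDatasource, Set-DatasourceDiskAllocation, Set-ReplicaCreationMethod, Set-ProtectionGroup), which follows the usual DPM Management Shell pattern rather than anything shown on this page.

```powershell
# Added example (not one of the Microsoft scripts referred to above, not code from the book).
# Adds every Hyper-V virtual machine on a standalone host that DPM does not yet protect
# to an existing protection group. All names below are assumptions.
$DPMServerName       = "DPM1"                  # assumed DPM server
$HyperVHostName      = "HV01.companyabc.com"   # assumed standalone Hyper-V host
$ProtectionGroupName = "Hyper-V Hosts"         # assumed existing protection group

Add-PSSnapin Microsoft.DataProtectionManager.PowerShell -ErrorAction SilentlyContinue

$PG = Get-ProtectionGroup -DPMServerName $DPMServerName |
      Where-Object { $_.FriendlyName -eq $ProtectionGroupName }
if (-not $PG) { throw "Protection group '$ProtectionGroupName' not found on $DPMServerName" }

# Names of every data source this DPM server already protects (in any group).
$AlreadyProtected = @(Get-Datasource -DPMServerName $DPMServerName | ForEach-Object { $_.Name })

# Find the production server record for the host (DPM may expose the name as
# MachineName or Name depending on how the agent was attached).
$ProdServer = Get-ProductionServer -DPMServerName $DPMServerName |
              Where-Object { ($_.MachineName, $_.Name) -contains $HyperVHostName }
if (-not $ProdServer) { throw "Host '$HyperVHostName' has no DPM agent attached to $DPMServerName" }

# Run an inquiry against the host. Assumption: DPM lists each VM as a data source named
# "\Backup Using Child Partition Snapshot\<VM>" (online) or "\Backup Using Saved State\<VM>".
$NewVMs = @(Get-Datasource -ProductionServer $ProdServer -Inquire |
            Where-Object { $_.Name -like "\Backup Using *" -and
                           $AlreadyProtected -notcontains $_.Name })

if ($NewVMs.Count -eq 0) {
    "No unprotected virtual machines found on $HyperVHostName"
    return
}

# Open the group for modification, add each VM, accept DPM's recommended replica and
# recovery point volume sizes, create the initial replica now, and commit.
$MPG = Get-ModifiableProtectionGroup $PG
foreach ($VM in $NewVMs) {
    "Adding $($VM.Name) to '$ProtectionGroupName'"
    Add-ChildDatasource -ProtectionGroup $MPG -ChildDatasource $VM
    Get-DatasourceDiskAllocation -Datasource $VM | Out-Null
    Set-DatasourceDiskAllocation -Datasource $VM -ProtectionGroup $MPG
}
Set-ReplicaCreationMethod -ProtectionGroup $MPG -Now
Set-ProtectionGroup $MPG
```

Run it from the DPM Management Shell under an account that is a member of the local Administrators group on the DPM server, and schedule it after host provisioning so that new virtual machines are not left unprotected for long. Because data sources DPM already lists are skipped, running it repeatedly is harmless.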
How to Recover Hyper-V Virtual Machines
The steps used to recover a virtual machine using DPM are almost identical whether you are recovering the virtual machine to a standalone Hyper-V host or to a high-availability deployment using Cluster Shared Volumes (CSV) or a failover cluster. For the purposes of this example, the following steps describe how to recover a virtual machine located on a standalone Hyper-V host:
1. While logged on to the DPM server as a domain user account that is a member of the local Administrators group, open the DPM 2010 Administrator Console.
2. Once the console has loaded, click Recovery on the navigation bar.
3. Using either the Browse or Search tabs, find the virtual machine that needs to be recovered, as shown in Figure 11.19.
FIGURE 11.19 Choosing which virtual machine to recover.
NOTE Be sure to select the All DPM Protected Data node and then choose the virtual machine in the Recoverable Item list. If you instead expand the virtual machine object under Recoverable Data, the Recoverable Item list shows the VHDs of that virtual machine; selecting a VHD there recovers just that VHD, not the virtual machine.
4. Once you have selected the virtual machine to recover, click Recover in the Action pane.
5. After the Recovery Wizard has started, the Review Recovery Selection page is shown. Review the recovery selections and then click Next.
6. On the Select Recovery Type page, select the Recover to Original Instance option, and then click Next. Alternatively, you can perform the recovery using the Recover to an Alternate Location, Copy to a Network Folder, or Copy to Tape option. The options on this page are as follows:
• Recover to Original Instance—This option restores the virtual machine onto the original Hyper-V host or cluster. The source virtual machine is overwritten with the virtual machine from the recovery point when this recovery option is used.
• Recover to an Alternate Location—This option, called alternate location recovery or ALR, is new to DPM 2010 and allows you to recover the virtual machine to an alternate Hyper-V host or cluster. When using this option, the virtual machine is automatically registered and configured on the targeted Hyper-V host or cluster.
• Copy to a Network Folder—Similar to an ALR recovery, except that only the virtual machine files are restored to the alternate host. If you target a Hyper-V host or cluster, DPM does not register and configure the virtual machine; this must be done manually or through some automated procedure.
• Copy to Tape—Use this option to recover a virtual machine to tape. This option is useful if you need to recover the virtual machine to media that can be taken offsite.
7. On the Specify Recovery Options page, click Next.
8. On the Summary page, review the recovery settings, and then click Recover.
9. The status and results of the recovery process are shown on the Recovery Status page. Once the recovery process has completed, click Close to exit the wizard.
Performing Item-Level Recovery on Virtual Machines
With DPM 2007, you could protect both a Hyper-V host and its guests by performing a host-level backup. However, when it came to more granular data protection needs, administrators had to install the protection agent directly on the virtual machine. In some cases, such as protecting Exchange data, installing the protection agent inside the virtual machine made sense. But when it came to protecting just files, folders, volumes, and so forth, many administrators wished that a host-level backup would suffice. In DPM 2010, you can perform host-level backups and then, from those backups, perform item-level recovery (ILR) of files, folders, volumes, and virtual hard disks (VHDs). Although this is a great feature, a few limitations need to be taken into consideration when using ILR:
• Items can only be restored to a network share or to a volume on a DPM-protected server.
• The Hyper-V role must be enabled on the DPM server to perform item-level recoveries. This is a requirement because DPM has to mount the VHDs of the protected virtual machines to extract the data from them.
• You cannot use ILR to recover an item to its original location.
Table 11.5 describes the supported and unsupported recovery scenarios for ILR.

TABLE 11.5 Hyper-V ILR Recovery Scenarios

Scenario                                                       | Volumes or Files/Folders Recovery    | Virtual Hard Disk (VHD) Recovery
---------------------------------------------------------------|--------------------------------------|---------------------------------
From a virtual machine that has snapshots                      | Yes (only to Windows Server 2008 R2) | Yes
From a secondary DPM server                                    | Yes                                  | Yes
From tape backup                                               | Yes                                  | Yes
From NTFS volumes                                              | Yes                                  | NA
From non-NTFS volumes                                          | No                                   | Entire VHD only
From a VHD that is partitioned using dynamic disk partitioning | No                                   | Entire VHD only
Integrating Data Protection Manager with Operations Manager
Being part of the System Center Enterprise Suite, DPM is one of a suite of products that can be used to manage your information technology infrastructure. As such, DPM is not a standalone application; you can use it in conjunction with the other solutions in the System Center Enterprise Suite. This section describes how you can use DPM and Operations Manager together to dynamically protect critical infrastructure. A simple scenario illustrates the interaction between the two solutions. For this scenario, companyabc.com has a business-critical website named sap.companyabc.com that needs to be both monitored and protected. In the past, companyabc.com has had issues with this website being deleted. As such, IT management has stated the requirement as follows: Operations Manager continuously monitors the availability of sap.companyabc.com, and when the website is not available, DPM automatically restores it from the last known good recovery point.
To meet these needs, the first task is to create a DPM protection group that protects the website data. Use the following steps to complete this task:
1. First, share the website directory on the web server. The share is used only to make identifying the recoverable item easier when using the DPM Management Shell; it is not a requirement.
2. Next, use the DPM Administrator Console to create a protection group that protects the website.
After creating the protection group, the next task is to create an Operations Manager synthetic transaction to monitor the website. Synthetic transactions are actions, run in real time, that are performed against monitored objects. Use the following steps to create and configure the synthetic transaction:
1. Open the Operations Manager 2007 R2 Operations Console.
2. Using the toolbar, select Go, Authoring.
3. Next, select the Add Monitoring Wizard option.
4. The Add Monitoring Wizard launches. On the Select Monitoring Type page, select the Web Application monitoring type, as shown in Figure 11.20, and then click Next.
5. On the Web Application Name and Description page, provide a name for the synthetic transaction, select a destination management pack other than the Default Management Pack, and then click Next.
6. On the Test Web Address page, provide the URL that should be monitored, and then click Next.
7. On the Choose Watcher Nodes page, select one or more agent-managed computers to act as watcher nodes for the website. Next, change the Run This Query Every setting to 1 minute, and then click Next.
8. On the Web Application Monitoring Settings Summary page, click Create to finish the wizard. The resulting synthetic transaction is shown in Figure 11.21.
FIGURE 11.20 Choosing the Web Application monitoring type.
FIGURE 11.21 Resulting synthetic transaction.
After the synthetic transaction has been created, the next step is to add diagnostic and recovery tasks. Use the following steps to complete this task:
1. Using the Operations Console, right-click the synthetic transaction and then select View Management Pack Object, Monitors.
2. Next, on the Monitors page, expand the sap.companyabc.com Monitoring node, expand the Entity Health node, right-click the Availability node, and select Properties.
3. In the Availability Properties dialog box, click the Diagnostic and Recovery tab.
NOTE The remaining steps in this section assume the DPM Management Shell has been installed on the watcher node(s).
4. Within the Configure Recovery Tasks section, click Add and select Recovery for Critical Health State. This opens the Create Recovery Task Wizard.
5. On the Select Recovery Task Type page, select the Run Command type of recovery task, as shown in Figure 11.22, change the management pack if needed, and then click Next.
FIGURE 11.22 Choosing the Run Command recovery task type.
6. On the Recovery Task Name and Description page, specify the Recovery Name as Recover Web Site Files, enable the Recalculate Monitor State After Recovery Finishes option, and then click Next.
7. On the Configure Command Line Execution Settings page, define the parameters as follows:
• Full path to file = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
• Parameters = -Command C:\Scripts\Recovery.ps1
• Timeout = 120
8. After defining the command-line execution parameters, click Create.
To perform the recovery, the recovery task runs a script called Recovery.ps1. This is a simple DPM recovery script that restores a shared folder from the latest recovery point. The script is as follows:

# Names of the DPM server, the protection group, the protected volume and share,
# and the server and folder the share is restored to
$DPMServerName = "DPM1"
$ProtectionGroupName = "Web Site Data"
$DatasourceName = "C:\"
$ShareName = "wwwroot"
$DestinationServerName = "File1"
$DestinationLocation = "C:\"

Add-PSSnapin Microsoft.DataProtectionManager.PowerShell

# Locate the protection group, then the data source (the C: volume) that holds the share
$PG = Get-ProtectionGroup -DPMServerName $DPMServerName | where {$_.FriendlyName -eq $ProtectionGroupName}
$DS = Get-Datasource -ProtectionGroup $PG | where {$_.Name -eq $DatasourceName}

# The most recent recovery point is the "last known good" copy
$RP = (Get-RecoveryPoint -Datasource $DS | sort -Property RepresentedPointInTime -Descending)[0]

# The share, as a recoverable item inside that recovery point
$RI = Get-RecoverableItem -RecoveryPointForShares $RP | where {$_.UserFriendlyName -eq $ShareName}

# Copy the share to C:\ on File1, overwriting the current files and restoring their original ACLs
$RO = New-RecoveryOption -TargetServer $DestinationServerName -RecoveryLocation copytofolder -AlternateLocation $DestinationLocation -FileSystem -OverwriteType overwrite -RestoreSecurity -RecoveryType Restore

# Start the recovery job and wait for it to finish
$Recovery = Recover-RecoverableItem -RecoverableItem $RI -RecoveryOption $RO
while (!$Recovery.HasCompleted) {
    Write-Host "." -NoNewLine
    sleep 3
}
Write-Host ""
Write-Host "Recovery job status: $($Recovery.Status)"

Two things are worth keeping in mind before enabling a task like this. First, the recovery task runs under the Operations Manager agent's action account on the watcher node, so that account must be a member of the local Administrators group on the DPM server (as the DPM Management Shell requires) and must be able to write to the destination; the script therefore runs with considerable rights, and C:\Scripts\Recovery.ps1 must be writable only by administrators, because anyone who can edit it inherits those rights. Second, the task fires whenever the Availability monitor turns critical, whatever the cause, and the -OverwriteType overwrite option replaces the current content of the share with the recovery point. An outage caused by something other than deletion (IIS stopped, a network problem between the watcher node and the web server) therefore also triggers an overwrite.
Summary
This chapter focused on how System Center Data Protection Manager 2010 can be used to protect Microsoft operating systems and server applications. As shown in this chapter, DPM can be used to protect a wide range of Microsoft solutions, including but not limited to Exchange Server, SQL Server, and SharePoint farms. Based on the information provided in this chapter, you should now have a better understanding of how each of these solutions has its own special data protection needs. For example, when protecting a SharePoint farm, the only supported method for recovering the configuration database and the Central Administration content database is to perform a full-farm recovery. As you have seen with SharePoint and the other Microsoft solutions discussed in this chapter, DPM has been tailored to meet each of their needs, which makes it a very compelling data protection solution for a Microsoft-centric environment.
Best Practices
The following are best practices from this chapter:
• A computer that is protected by DPM can have multiple protection groups protecting its data sources. However, all of these protection groups must belong to one DPM server.
• When protecting data in a DFS namespace, use DPM to protect only a single "copy" of the data, located on a server-specific local path.
• Do not use DPM to protect a cluster's quorum disk.
• Because System State data tends not to change very often, System State backups should be placed in their own protection groups.
• Always ensure that the Eseutil.exe and ese.dll versions on the DPM server are from the most recent edition of Exchange Server.
• Exchange Server databases should not be configured to use circular logging when being protected by DPM.
• After recovering an Exchange database that is in a DAG, the passive copies need to be synchronized with the recovered active database using the ResumeMailboxDatabaseCopy cmdlet.
• Before you can start protecting data on a SQL Server 2005 SP1 instance, you must first enable and then start the SQL Server VSS Writer service.
• When protecting a SQL Server cluster, all nodes of the cluster should have the DPM protection agent installed on them.
• When using DPM 2010, you can choose to protect an entire SQL Server instance, and all new databases added to that instance will be automatically protected.
• When you recover a SQL database to its original instance of SQL Server, the original database is overwritten using the replica that was chosen for the recovery. If you are attempting a lossless recovery, restore the database using the latest recovery point and have DPM replay any residual live transactions from the SQL Server log files (LDF).
• The SQL End User Recovery feature uses TCP port 11313 to communicate with the DPM server. To use this feature, you need to ensure that Windows Firewall has been configured to allow incoming connections on this port.
• WFE servers do not host content. Therefore, technically only one Web Front End server in a SharePoint farm needs to have the protection agent installed.
• The ConfigureSharePoint.exe utility can also be used to enable protection for Search and to configure a temp folder location for recoveries, using the EnableSPSearchProtection and SetTempPath parameters.
• After completing a content database recovery operation, be sure to detach and reattach the database using the Central Administration website to force an update to the sitemap table in the SharePoint farm configuration database.
• Item-level restore without the use of a recovery farm is possible only with a SharePoint 2010 farm.
CHAPTER 12
Virtual Machine Manager 2008 R2 Design, Planning, and Implementation

IN THIS CHAPTER
• What Is Virtual Machine Manager?
• Virtual Machine Manager Background
• Virtual Machine Manager Prerequisites
• Planning a Virtual Machine Manager Deployment
• Deploying Virtual Machine Manager

Once an organization understands and adopts the value of system virtualization, IT administrators will naturally look for improved ways to deploy, control, and administer their virtual infrastructure. To help fill this gap, administrators can turn to Microsoft's System Center Virtual Machine Manager 2008 R2 (VMM). VMM provides a System Center common management interface for the virtualized data center that allows increased server utilization and dynamic resource allocation. It also works across multiple virtualization platforms, including those from Microsoft and VMware. Third-party add-ons for XenSource, XenWorks, and others will be available in the near future. VMM also takes a holistic approach to managing the virtual infrastructure by examining and rating the virtualization hosts. It compares these hosts against a set of criteria and rates how suitable each host is for the virtual machine (VM) being deployed. This is important because a single physical host server can host tens of virtual machines.

What Is Virtual Machine Manager?
The VMM product line provides administrators with the ability to centrally administer and manage their virtual infrastructure. By using VMM, organizations can further increase physical server utilization, rapidly provision new virtual machines, and delegate management of these virtual machines to authorized self-service end users. The topics in this section provide you with an overview of VMM features and functionality.
The Value VMM Brings to the Enterprise
VMM greatly enhances the administration and management capabilities of virtual guest sessions over the built-in Hyper-V management console that comes with Hyper-V. This solution also allows organizations to more easily manage centralized servers and organize them in a manner that helps administrators delegate access and administration rights to those that need access to specific servers or groups of servers. These benefits to an enterprise and more are described in the following list:
• Centralized management—VMM offers a centralized management solution for the entire virtual enterprise. Using one tool, the administrator can manage, create, deploy, move, copy, or delete any virtual machine in the enterprise. It makes no difference whether the host or virtual machine is running Microsoft Hyper-V or VMware ESX.
• Decreased server sprawl—VMM prevents virtual machine server sprawl by managing all the host servers in the enterprise. Due to the ease of virtual machine deployment, virtual server sprawl can be a real issue. Virtual machines can be deployed to the wrong host servers, and precious network resources can be squandered. VMM provides a way to take control of the virtual infrastructure and deploy virtual machines in the best way, based on resource and performance needs.
• Integration with System Center Operations Manager 2007 R2—Tight integration with System Center Operations Manager 2007 R2 (SCOM) provides the capability to monitor and manage the virtual network like never before. SCOM offers VMM and Hyper-V management packs to provide real-time monitoring of host and virtual servers. It provides both alerting and built-in knowledge that aids the administrator in troubleshooting and recovery. In addition, administrators also gain access to PRO (Performance and Resource Optimization), which is an enhanced monitoring and management feature that is enabled when VMM is paired with SCOM. It helps guide administrators by outlining ways to more efficiently deploy and run both physical and virtual resources. PRO can even move a virtual machine from a problem host to another or perform a specified action on a virtual machine or host in response to an error condition.
• Profiles and templates that make provisioning easier—VMM provides the administrator with the most complete, yet simple, server provisioning tools available. Multiple hardware and operating system profiles can be stored in the VMM library. Hundreds of virtual machine templates can be stored and grouped together for easy deployment. Templates also aid in server standardization, an important aspect in any environment. Troubleshooting is minimized when the administrator can be sure that each virtual machine based on the same template will be configured the same way.
• Self-service provisioning—Self-Service Users can deploy the virtual machines they have access to without the need to understand the underlying physical infrastructure. By using the Self-Service Portal, these users can automatically deploy both VMware and Hyper-V virtual machines to the most suitable server, based on the criteria set by the administrator. For developers, this makes building or rebuilding test servers extremely easy, thus allowing them to spend more time writing code and less time worrying about the infrastructure to test that code.
• Disaster recovery and business continuity—One of the most important promises of virtualization is the increased ability to perform disaster recovery operations. To make this promise a reality, VMM offers several features that increase server uptime and provide business-continuity protection. Because VMM is cluster aware, it can automatically move highly available (HA) virtual machines from one cluster node to another, without an administrator having to worry about which host is appropriate for that particular virtual machine. The administrator can also define the suitability criteria of each host to help guide other administrators or Self-Service Users to use the correct host.
• Optimized resource allocation—By knowing and understanding the resource requirements and constraints of each physical host and virtual machine server, VMM can make the best use of the hardware available. With this knowledge, more virtual machines can be placed on existing host servers, realizing an even greater value from the virtual environment.
• Physical and virtual server conversions—VMM provides both physical-to-virtual (P2V) and virtual-to-virtual (V2V) conversion capabilities. The P2V process is used to rapidly convert a physical server to a Hyper-V or VMware virtual server, preserving the existing operating system, applications, and data. This is useful when the administrator needs to virtualize an existing physical server, but the configuration is too complex or the application software is no longer available. In some instances, this conversion can even occur while the server is online, reducing downtime during the conversion process.
• Role-based access control—The VMM RBAC model, along with administrator delegation, allows VMM Administrators to provide more autonomy and less administrative overhead in managing and working with the virtual infrastructure. Using this feature, department and regional VMM Administrators can be granted the appropriate rights to manage and deploy the virtual machines needed, without the need to engage a higher administrator.
Technical Problems Addressed by VMM
VMM offers many advanced virtual machine management features, while emphasizing ease of use and automation. The three management interfaces (the Administrator Console, the command shell, and the Self-Service Portal) offer a variety of ways for VMM Administrators and users to create, deploy, and manage their virtual machines. Therefore, VMM can be used to address the following technical problems in an IT organization:
• Delegated administration—IT environments with delegated administration/permissions models require a flexible and granular management solution to manage and control their virtual environment. VMM offers this flexibility via its RBAC model, which provides better control and granularity in administration and user delegation.
• Meeting ITIL requirements—Enterprises that utilize Information Technology Infrastructure Library (ITIL) concepts and techniques will benefit from the service-based management that VMM provides. For example, a VMM Administrator can provide a higher level of service to other departments and users thanks to VMM. Additionally, the Self-Service Portal can be used to provide a controlled way for users to deploy their own virtual machines without having to worry about the infrastructure needed to support those virtual machines.
• Disaster recovery and business continuity—Any IT environment with a need for server disaster recovery or line-of-business continuity will appreciate the high-availability features built in to VMM. For example, thanks to VMM's native awareness of Windows and VMware clusters, it is an ideal management solution that can automatically move HA virtual machines from one host cluster node to another when the situation warrants.
• Dynamically changing environments—Every IT environment has finite resources. VMM provides dynamic virtual server placement based on physical constraints. Administrators define the placement criteria that determine the suitability of each physical host for a given virtual machine. VMM then displays the score of each potential host as an easy-to-understand five-star rating. As resources change on these hosts, the rating changes, thus providing the most optimal virtual machine placement based on the resources currently available within the virtual infrastructure.
• Highly leveraged virtual infrastructure—Enterprises with a need for rapid deployment and virtualization can take full advantage of the tremendous cost savings that virtualization provides. For organizations beginning to incorporate Hyper-V servers into their VMware environment, VMM provides the perfect management platform for managing both environments. For organizations just starting down the virtualization path, VMM provides the advanced management capabilities that ensure rapid, controlled deployment of virtual machines into their IT environment.
• Meeting virtual machine conversion requirements—IT environments that require physical or virtual server conversions will enjoy VMM's conversion capabilities. VMM can convert physical servers to virtual servers (P2V) and VMware ESX virtual servers to Microsoft Hyper-V virtual servers (V2V). P2V conversions allow organizations to get rid of old hardware running legacy systems and provide a way to rapidly virtualize physical infrastructure, whereas V2V conversions allow organizations to rapidly convert potentially expensive-to-license VMware ESX virtual machines to Hyper-V-based virtual machines.
• Dealing with heterogeneous environments—Current VMware ESX and VirtualCenter customers who want to use Hyper-V can use VMM 2008 to manage both environments. This heterogeneous management solution reduces administrative overhead and complexity. VMM provides the same functionality as VMware VirtualCenter and VMotion for both VMware and Hyper-V environments, all in the same virtual machine management solution.
Components of VMM
Virtual Machine Manager is a series of components that includes Windows Server, SQL Server, a locally installed agent, an administrative console, and an optional self-service console. The components that make up VMM include the following:
• A 64-bit Windows Server 2008 or Windows Server 2008 R2 server on which the VMM service (Server component) is installed.
• A SQL Server 2005 SP2 or later instance to host the VMM database and its related data.
• A collection of servers on which the VMM Agent is installed. These servers act as hosts on which to deploy virtual machines using VMM.
• A server or servers on which the VMM Agent is installed that act as VMM library servers. Library servers store resources for the VMM environment.
• A collection of computers on which the VMM Administrator Console is installed. These computers or servers provide the administrative GUI and command shell to manage the physical and virtual infrastructure.
• Web servers that act as Self-Service Portals, which allow designated users to create and manage their own virtual machines.

NOTE VMM components can be combined on the same server or split among many different servers and workstations depending on the needs of the deployment.

VMM Server
The VMM server primarily consists of the Virtual Machine Manager service (VMMService), but it can also include the VMM database and the VMM library depending on how you are deploying VMM. The VMMService service provides the interfaces needed to run and manage VMM. It communicates with and stores its configuration in the SQL database. This service also monitors the health of virtual machines and hosts. When necessary, it moves virtual machines between host servers to ensure the availability of the virtual machines that VMM manages.

VMM Administrator Console
The Administrator Console is a graphical console built on top of Windows PowerShell. This console provides an administrative interface to the VMM server and offers complete management of the virtual environment, including creating, managing, and deploying virtual machines and virtual local area networks (VLANs); managing host servers; configuring user roles; and so forth. VMM Administrators can manage all virtual machines and the VMM organizational settings using this console, whereas VMM Delegated Administrators can manage only the virtual machines that have been delegated to them.
VMM Self-Service Portal The VMM Self-Service Portal provides a web-based interface that allows Self-Service Users to provision virtual machines from the VMM library. It also allows Self-Service Users to store virtual machines in the library if they have sufficient rights. The most common use of the Self-Service Portal is to provide an environment for developers and testers to create and manage their own virtual labs. Depending on an organization's needs, multiple types of Self-Service User roles can be provisioned by a VMM Administrator to facilitate the deployment and management of virtual machines using the Self-Service Portal. VMM Agent The VMM Agent is the agent software that allows VMM to monitor and manage Windows Server 2008 and Windows Server 2008 R2 Hyper-V host servers. It can be installed remotely using the VMM Administrator Console or manually using the VMM software media. All Windows host servers must also be joined to a domain. This can either be the same domain as the VMM server or in a different domain that is either trusted or nontrusted. VMM Library The VMM library is a centralized repository for all Windows-based and VMware-based virtual machine-related objects. These objects are the building blocks of the virtual machines that will be created and include the following: hardware profiles, guest OS profiles, templates, virtual hard disks (VHDs), CD-ROM images (ISOs), and so on. • Hardware profiles—These profiles make up the virtual hardware components of a virtual machine. BIOS boot order (CD-ROM, hard drive, floppy, and so on), CPU count and type, physical RAM, floppy drive, and serial (COM) ports are all part of the hardware profile. IDE and SCSI adapters and virtual DVD drives are part of the bus configuration. One or more network adapters can be added and the network type (external, internal, or private) or VLAN can be specified. 
• Guest OS profiles—These profiles configure the computer name, administrator password, Windows product key, time zone, and Windows operating system type of the virtual machine. The networking settings select which Windows workgroup or domain to join; to join a domain, the virtual machine must have at least one virtual network adapter attached to a virtual network. The guest OS profile can also include a Sysprep answer file or GUIRunOnce commands. A Sysprep answer file configures additional settings not covered by the guest OS profile, such as regional settings or languages. Sysprep scripts must be stored on a VMM library share.
• Disk images and ISO image files—The VMM library also stores Hyper-V and Virtual Server virtual hard disks (VHD files) and VMware virtual hard disks (VMDK files). Virtual disks can be either blank or contain data, such as a preconfigured operating system or generic data used by applications. Additionally, the VMM library can store CD-ROM and DVD-ROM disks. This is done by creating a single-file image (ISO image) of the optical disk and copying it to the VMM library share.
ISOs can then be mounted by virtual machines either during virtual machine creation or at any time after the virtual machine is deployed. ISOs can also be configured to run directly from the VMM library or to be copied to the virtual machine's folder on the host.
• VM templates—Templates are used to create new virtual machines. A template usually consists of a VHD (either one stored in the library or one taken from a virtual machine currently located on a host), a hardware profile, and a guest OS profile. After a VM template has been created, it can be deployed to a host server that is either a standalone server, for non-HA virtual machines, or a host cluster, for HA virtual machines.
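The following script is an added example, not code from the book or from Microsoft: it assembles the three library objects just described (a hardware profile, a guest OS profile, and a VHD) into a VM template using the VMM 2008 R2 cmdlets. The VMM server name, profile and template names, the VHD name, the domain, and the owner account are assumptions chosen for illustration; the -HighlyAvailable switch on the hardware profile is the option that marks virtual machines built from this template as HA, so they can be placed only on host clusters.

```powershell
# Added example: build a VM template from VMM library objects.
# Server name, object names, domain and owner are assumptions for illustration.
$vmmServer = Get-VMMServer -ComputerName "localhost"

# Hardware profile: virtual hardware only. -HighlyAvailable $true marks any VM
# built from this profile as highly available (host-cluster placement only).
$hwProfile = New-HardwareProfile -VMMServer $vmmServer -Name "HA-2vCPU-4GB" `
    -CPUCount 2 -MemoryMB 4096 -HighlyAvailable $true `
    -Description "Two vCPU, 4GB RAM, highly available"

# Guest OS profile: identity and domain join. The account used to join the
# domain is prompted for at run time rather than embedded in the script, because
# the saved script is readable by anyone who can reach the library share.
# "*" as the computer name lets VMM generate a unique name at deployment.
$domainCred = Get-Credential -Message "Account allowed to join computers to companyabc.com"
$osProfile = New-GuestOSProfile -VMMServer $vmmServer -Name "Win2008R2-Member" `
    -ComputerName "*" -JoinDomain "companyabc.com" -DomainCredential $domainCred
# The local administrator password (-AdminPassword) and product key (-ProductKey)
# are deliberately not set here; supply them interactively, not in saved scripts.

# Pick a sysprepped base VHD that is already stored in the library (name assumed).
$vhd = Get-VirtualHardDisk -VMMServer $vmmServer |
    Where-Object { $_.Name -eq "Win2008R2-Sysprep.vhd" }
if ($null -eq $vhd) { throw "Base VHD Win2008R2-Sysprep.vhd not found in the library" }

# Assemble the template. Owner is a domain\user string (assumed value).
New-Template -VMMServer $vmmServer -Name "Win2008R2-HA" `
    -VirtualHardDisk $vhd -HardwareProfile $hwProfile -GuestOSProfile $osProfile `
    -Owner "COMPANYABC\vmmadmin" -Description "HA member server template"

# Confirm the template now exists in the library.
Get-Template -VMMServer $vmmServer | Where-Object { $_.Name -eq "Win2008R2-HA" }
```

Because the guest OS profile can carry the administrator password and product key, and the library share exposes every object on it to every role that can read the share, keep those two values out of scripts stored alongside the profiles and rely on VMM's role scoping (described later in this chapter) to limit who can read or deploy the template.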
PowerShell Support
Like Microsoft Exchange Server 2007, VMM is written entirely on top of Windows PowerShell. Any task that can be completed through the Administrator Console or the Self-Service Portal can also be completed with PowerShell. In fact, every task performed in these consoles is executed by PowerShell: when an administrator performs an action from a console, that action is passed down to PowerShell as a command sequence like the one shown in Figure 12.1.

FIGURE 12.1 PowerShell command sequence. (Screenshot of a Notepad window containing the console-generated script: Get-Credential, Get-VMHostGroup -VMMServer localhost filtered to the "All Hosts" path, and Add-VMHost -VMMServer localhost -ComputerName for hv01.companyabc.com and hv02.companyabc.com.)
The commands shown in the figure were generated by the Administrator Console. Before completing an action, the console offers a button that, when clicked, displays the PowerShell commands it is about to execute. An administrator can copy, modify, and save that collection of commands and reuse it to automate future tasks, either interactively at the command line or from a script.
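The script below is an added example, not the book's own code and not the text of Figure 12.1: it takes the pattern the console emits (Get-Credential, Get-VMHostGroup, Add-VMHost) and turns it into a reusable script that adds several Hyper-V hosts to one host group, skipping hosts VMM already manages. The VMM server name, host group path, and host names are assumptions for illustration.

```powershell
# Added example: bulk-add Hyper-V hosts with the cmdlets the console generates.
# Server, host group path and host names are assumptions for illustration.
$vmmServer = Get-VMMServer -ComputerName "localhost"

# The account must be a local administrator on each target host. Prompting at
# run time keeps the credential out of the saved script; never replace this
# with a plaintext -Credential built from a hard-coded password.
$credential = Get-Credential -Message "Host administrator account"

# Resolve the destination host group by its path, exactly as the console does.
$hostGroup = Get-VMHostGroup -VMMServer $vmmServer |
    Where-Object { $_.Path -eq "All Hosts\Production" }
if ($null -eq $hostGroup) { throw "Host group 'All Hosts\Production' not found" }

# Hosts to add (assumed names). Each must already be joined to a domain.
$hostNames = @("hv01.companyabc.com", "hv02.companyabc.com")
$managed = Get-VMHost -VMMServer $vmmServer | ForEach-Object { $_.Name }

foreach ($name in $hostNames) {
    if ($managed -contains $name) {
        # Add-VMHost fails on a host VMM already manages, so skip it explicitly.
        Write-Host "$name is already managed by VMM; skipping"
        continue
    }
    # Same cmdlet and parameters the Administrator Console emits in Figure 12.1.
    Add-VMHost -VMMServer $vmmServer -ComputerName $name -VMHostGroup $hostGroup `
        -Credential $credential -Description "Added by bulk script" `
        -RemoteConnectEnabled $true
}

# Verify: every requested host should now appear under the chosen host group.
Get-VMHost -VMMServer $vmmServer |
    Where-Object { $hostNames -contains $_.Name } |
    Select-Object Name, VMHostGroup
```

The console-generated script captures the credential only as a Get-Credential prompt, which is the right property to preserve when turning it into automation: the script file itself then holds no secret, and the account used carries local administrator rights on every host it touches.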
Heterogeneous VM Management
Given Microsoft's continued investment in virtualization technologies, it is almost a given that IT departments will use Hyper-V. However, many companies have already invested in VMware virtualization, using VMware ESX Server and the proprietary VMware VirtualCenter for management. Adding Hyper-V to that landscape can increase the complexity and time required to manage the physical and virtual infrastructure. Microsoft therefore designed VMM as a heterogeneous management system that reduces the complexity of managing different physical and virtual systems in the enterprise by managing the following host systems:
• Hyper-V hosts—VMM supports hosts running Windows Server 2008 and Windows Server 2008 R2 with the Hyper-V server role enabled. If an administrator adds a Windows Server 2008 or R2 host to VMM and the Hyper-V role has not been enabled, VMM enables the role automatically as it adds the server as a managed host. VMM can also import a Windows Server 2008 or R2 computer that is already configured as a Hyper-V host, along with any Hyper-V virtual machines already deployed on it.
• Virtual Server hosts—VMM supports Microsoft Virtual Server 2005 R2 host servers running a Windows Server operating system (typically Windows Server 2003). This provides the backward compatibility needed by companies that have already deployed Virtual Server 2005.
• VMware hosts—VMM supports connecting to a VMware virtualization manager server. It imports that server's data (including the host servers it manages and the virtual machines deployed on those hosts) into the VMM library database and then integrates the imported VMware objects into its set of Windows-based objects.
From an administrator's point of view, the Windows-based and VMware-based objects are managed in the same way using the same VMM Administrator Console.

NOTE VMM supports the following VirtualCenter versions:
• VMware VirtualCenter 2.0
• VMware VirtualCenter 2.5
Both versions of VirtualCenter can manage hosts running VMware ESX Server 3.0 or ESX Server 3.5.
Cluster Support in VMM
Clusters are an important resource in the virtual enterprise because they offer a highly available platform for mission-critical virtual machines. If a single host system is responsible for an enterprise's most critical systems, that host becomes a single point of failure. To fill this gap, VMM supports both Windows Server 2008 failover clusters and VMware ESX host clusters. Using VMM's native cluster support, administrators can move virtual machines from one physical node of a cluster to another, either manually or automatically. Being able to move virtual machines allows an administrator to patch the active node or bring it down for maintenance without affecting the mission-critical virtual machines it hosts, and it provides automatic fault tolerance in the event of an unexpected server failure. VMM's cluster support also lets administrators reduce costs by consolidating different clustered host systems into a common managed pool of resources.

VMM can manage host clusters of up to 16 nodes configured with the Windows Failover Cluster management console. VMM takes advantage of the many cluster management improvements in Windows Server 2008, making cluster configuration and management much easier. Because of this tight integration, VMM automatically detects the addition or removal of a node within a host cluster, and if one host in the cluster becomes unavailable, the virtual machines on that host are automatically moved to another host in the same cluster.

Virtual machines deployed on host clusters are called highly available virtual machines, or HA virtual machines. A virtual machine is configured as HA through an option in its hardware profile. Once marked as HA, the virtual machine can be placed only on an available host cluster, which ensures the high availability of the VM resource.

NOTE Virtual machines marked as highly available can be placed only on host clusters. Likewise, VMM does not place virtual machines that are not marked as highly available on host clusters.
Role-Based Access Control
Permissions in VMM are based on user roles, which can be scoped to increase or limit the objects a role can access, as shown in Figure 12.2. User roles are similar to security groups in Active Directory: they are made up of domain accounts or groups and are granted a particular set of permissions. There are three basic user role types in VMM:
• VMM Administrator—This role has complete, unlimited access to VMM and to the objects in the VMM library. Members can be Active Directory users or groups. VMM Administrators can add or remove members of this role, but because only one VMM Administrator role exists, they cannot create, delete, or modify the role itself. Members of the VMM Administrator role can use the Administrator Console and the command shell, but cannot access the Self-Service Portal unless they are also members of a Self-Service User role.
FIGURE 12.2 Creating a user role. (Screenshot of the Create User Role wizard, showing its General, Select Scope, and Summary pages.)
• VMM Delegated Administrator—This role is scoped to a particular set of VMM objects. Members can be Active Directory users or groups. VMM Delegated Administrators cannot add themselves to the VMM Administrator role or configure global settings across the VMM environment. They can, however, perform all operations on all VMM objects within their scope. Scopes are made up of one or more host groups or library servers. Members of a VMM Delegated Administrator role can use the Administrator Console and the command shell, but cannot access the Self-Service Portal unless they are also members of a Self-Service User role.
• Self-Service User—This role is made up of Active Directory users or groups who can perform the allowed operations on a specific set of virtual machines deployed on one or more hosts within the role's scope. Scopes are made up of one or more host groups. Users can be granted the right to store their own virtual machines on a VMM library server, and administrators can limit that access to one or more specified library shares on the server. Members can access the Self-Service Portal and the command shell, but cannot access the Administrator Console unless they are also members of at least one of the administrator roles listed previously. VMM allows Self-Service Users to work with virtual machines on either Hyper-V or VMware and to check out or deploy virtual machines to the proper host without having to know which host to use; host selection is completely transparent to the end user.

When working with virtual machine permissions on Hyper-V hosts, VMM 2008 R2 now preserves changes made to role definitions and role members within the root scope of the Hyper-V authorization store. Changes made in any other scope are overwritten every half hour by the VMM user role refresher, so VM access on managed hosts must be granted through VMM user roles rather than by editing those scopes directly. This differs from how VMM 2008 handled roles: in the previous version, access to virtual machines, hosts, and resources was determined only by the rights and permissions associated with VMM user roles, and VMM 2008 in effect ignored the Hyper-V authorization store for the hosts and virtual machines it managed.
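As an added example (not the book's or Microsoft's code), the script below creates the two scoped role types described above with the VMM 2008 R2 cmdlets: a Delegated Administrator limited to one host group, and a Self-Service User role on the same host group with only the VM permissions its members need. The VMM server name, host group path, Active Directory group names, and the particular -VMPermission values chosen are assumptions for illustration.

```powershell
# Added example: least-privilege VMM user roles scoped to one host group.
# Server, host group path and AD group names are assumptions for illustration.
$vmmServer = Get-VMMServer -ComputerName "localhost"

# The scope object: the only host group this team is allowed to touch.
$labHostGroup = Get-VMHostGroup -VMMServer $vmmServer |
    Where-Object { $_.Path -eq "All Hosts\Lab" }
if ($null -eq $labHostGroup) { throw "Host group 'All Hosts\Lab' not found" }

# Delegated Administrator: every operation on hosts and VMs inside the Lab
# scope, nothing outside it, and no access to global settings or to the
# single VMM Administrator role. Membership is an AD group, not individual
# accounts, so joining and leaving the team is handled in AD.
New-VMMUserRole -VMMServer $vmmServer -Name "Lab Delegated Admins" `
    -UserRoleProfile DelegatedAdmin `
    -AddMember "COMPANYABC\Lab-VMM-Admins" `
    -AddScope $labHostGroup

# Self-Service User: developers can operate and checkpoint their own VMs on
# Lab hosts through the portal. Only the permissions the team needs are
# granted; LocalAdministrator and RemoveVM are intentionally left out.
# (Permission names are assumed values of the VMPermission enumeration.)
New-VMMUserRole -VMMServer $vmmServer -Name "Lab Developers" `
    -UserRoleProfile SelfServiceUser `
    -AddMember "COMPANYABC\Lab-Developers" `
    -AddScope $labHostGroup `
    -VMPermission Start, Stop, PauseAndResume, Checkpoint

# Verify what was created before anyone is pointed at the portal.
Get-VMMUserRole -VMMServer $vmmServer |
    Where-Object { $_.Name -like "Lab *" } |
    Format-List Name, Members, Scope
```

Two practical points follow from the paragraph above: grant access through these roles rather than by editing the Hyper-V authorization store on a host, since anything outside the root scope is overwritten by the half-hourly refresher; and scope both roles to a host group rather than to "All Hosts", so a compromised developer account cannot reach production virtual machines.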
Virtual Machine Manager Background Although virtual servers and clients have helped organizations minimize the number of physical systems they have, the challenge has been to manage these virtual systems. However, it wasn't until 2007 that Microsoft finally had a product that was dedicated to virtual machine management, which has then led to the current release covered in this book, Virtual Machine Manager 2008 R2.
Early Virtualization Management Techniques In the beginning, virtual machine management was performed by the system administrator using the standard Windows monitoring and management techniques: viewing event logs, performance counters, and system properties of both the virtual machine and the host that runs it. With the proliferation of virtual machines in the data center, there grew a need to centralize virtual machine management, including their placement, and provide disaster-recovery options for these guests.
Virtual Machine Manager 2007 Microsoft's answer to this need was Virtual Machine Manager 2007. With this initial release, VMM was available in three versions: System Center Virtual Machine Manager 2007, System Center Virtual Machine Manager 2007 Workgroup Edition, and System Center Essentials 2007. VMM 2007 provided comprehensive support for consolidating 32-bit physical servers onto virtual infrastructures and the rapid provisioning and deployment of new 32-bit virtual machines. Providing additional support to IT administrators, VMM 2007 also featured a library to centrally manage the building blocks of the virtual data center, including virtual hard drives, VMM templates, and support for P2V conversions.
Virtual Machine Manager 2008
Released in September 2008, Virtual Machine Manager 2008 further improved the capabilities of the VMM product line. It replaced VMM 2007 while adding many new features, including full Hyper-V support, 64-bit virtual machine support, and the ability to manage both Microsoft and VMware virtual infrastructures. Other new features or changes in this release included the following:
• Extended support for virtual machine hosts to both Hyper-V and VMware hosts
• Integrated native support for Windows Server 2008 failover clusters
• Increased options for securing access to VMM resources using role-based access control (RBAC)
• Improved integration with Operations Manager 2007 to optimize physical resources
• Enhanced networking support, including VLANs, for virtual networking and isolation
• Improved disk and DVD management for VMs
• Expanded VMM library functionality

Backward Compatibility and Enhancements in VMM 2008
VMM 2008 was backward compatible with the earlier version of Microsoft Virtual Machine Manager, VMM 2007.

Command Console Cmdlets
The more than 30 VMM 2007 cmdlets were improved to work with Hyper-V, and another 30 or more new cmdlets were introduced in VMM 2008. Most of these cmdlet changes provide Hyper-V and role-based access control support.
Virtual Machine Manager 2008 R2
The next major version, Virtual Machine Manager 2008 R2, was released in August 2009. It contains a number of improvements over VMM 2008. For example, support for Windows Server 2008 R2 Hyper-V hosts lets VMM Administrators take advantage of the significant feature improvements made to Hyper-V, such as the following:
• Live migration between Windows Server 2008 R2 clustered hosts. With live migration, administrators can migrate a virtual machine between nodes in a Windows Server 2008 R2 failover cluster without any downtime.
• Support for both the Virtual Machine Queue (VMQ) and TCP Chimney Offload features in Windows Server 2008 R2. Using these features, VMM can perform network optimization during virtual machine placement. With VMQ, a unique network queue can be created for each virtual network adapter and connected directly to the virtual machine's memory, so packets are routed directly from the hypervisor to the virtual machine. With TCP Chimney Offload, the processing of network traffic can be offloaded to the physical NIC on the host computer, reducing CPU load and improving network performance.
• Support for adding and removing virtual hard disks (VHDs) while a virtual machine is running.
• Support for the Windows Server 2008 R2 Cluster Shared Volume (CSV) feature. With CSV, all hosts in a Windows Server 2008 R2 failover cluster can have parallel access to the same virtual machine files on a single shared logical unit number (LUN). Because all nodes in the cluster access the same LUN, it no longer matters which node controls each file. CSV support is a key component that enables live migration of virtual machines.
In addition to the enhancements based on Windows Server 2008 R2 Hyper-V features, the following sections discuss other new features or changes included in this release.

Hosts Can Be Placed in Maintenance Mode
Maintenance mode is a new feature in VMM 2008 R2 that places a Windows-based host into a state in which administrators can perform maintenance tasks on it, such as applying updates or replacing a physical component. When a host that is a node in a Windows Server 2008 R2 cluster is placed into Maintenance mode, you can do either of the following with its highly available virtual machines:
• When available, use live migration to evacuate all virtual machines to other hosts in the same cluster.
• Place all virtual machines on the host into a saved state.
For standalone hosts, and for cluster nodes that have non-highly available virtual machines, VMM automatically places those virtual machines into a saved state when the host enters Maintenance mode. When you start Maintenance mode on any host, VMM automatically does the following:
• Blocks virtual machine creation operations on the host
• Excludes the host from the host ratings during placement
• Displays a host status of In Maintenance Mode in Hosts view of the VMM Administrator Console
When a host is taken out of Maintenance mode, VMM reverses these changes. However, VMM does not automatically live-migrate highly available virtual machines back onto the original node of a Windows Server 2008 R2 cluster, nor does it restart any virtual machines that were placed into a saved state. An administrator must complete these tasks manually.
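The following script is an added example, not the book's own code: it walks one cluster node through the maintenance-mode cycle described above with the VMM 2008 R2 cmdlets, evacuating HA virtual machines by live migration, and then does by hand the two things the text says VMM will not do for you: moving the HA virtual machines back and resuming the non-HA ones that were saved. The VMM server and host names are assumptions; Disable-VMHost with -MoveWithinCluster is the cmdlet form of entering maintenance mode with live migration, and Enable-VMHost the form of leaving it.

```powershell
# Added example: patch a cluster node through VMM maintenance mode.
# Server and host names are assumptions for illustration.
$vmmServer = Get-VMMServer -ComputerName "localhost"
$node = Get-VMHost -VMMServer $vmmServer -ComputerName "hv01.companyabc.com"

# Record the VMs that live on this node now. VMM will not bring them back or
# restart them when maintenance mode ends, so we need the list for later.
$residentVMs = Get-VM -VMMServer $vmmServer -VMHost $node
$residentVMs | Select-Object Name, Status, IsHighlyAvailable

# Enter maintenance mode. -MoveWithinCluster live-migrates HA VMs to other
# nodes of the same cluster; non-HA VMs on the node are put into a saved state.
# Without the switch, every VM on the host would be saved instead.
Disable-VMHost -VMHost $node -MoveWithinCluster

# While the host is in maintenance mode VMM refuses new-VM operations on it
# and leaves it out of placement ratings. Apply updates / swap hardware and
# reboot the node here.

# Leave maintenance mode: the node becomes eligible for placement again.
Enable-VMHost -VMHost $node

# Undo what maintenance mode did, one VM at a time.
foreach ($vm in $residentVMs) {
    $current = Get-VM -VMMServer $vmmServer -Name $vm.Name
    if ($current.IsHighlyAvailable -and $current.VMHost.Name -ne $node.Name) {
        # HA VM that was evacuated: live-migrate it back within the cluster.
        # (Target path is omitted so the VM keeps its CSV location.)
        Move-VM -VM $current -VMHost $node
    }
    $current = Get-VM -VMMServer $vmmServer -Name $vm.Name
    if ($current.Status -eq "Saved") {
        # Non-HA VM that maintenance mode placed into a saved state: resume it.
        Start-VM -VM $current
    }
}

# Final check: everything that was here before should be here and running.
Get-VM -VMMServer $vmmServer -VMHost $node | Select-Object Name, Status
```

Because a saved-state virtual machine is down for the whole maintenance window, schedule the non-HA guests on a node before taking it out of service, and note that the resume step above is exactly the work the text says VMM leaves to the administrator.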
Enhanced Support for SAN Transfers
The following SAN transfer enhancements were made in VMM 2008 R2:
• SAN Migration Into and Out of Clustered Hosts—Using this feature, you can migrate virtual machines, including highly available virtual machines, into and out of clustered hosts using a SAN transfer, which automatically configures the cluster nodes to recognize and support the new workload.
• Expanded Support for iSCSI SANs—With VMM 2008 R2, administrators can perform SAN transfers for virtual machines that use initiator-based iSCSI target connections. In previous VMM versions, only one LUN could be bound to a single iSCSI target. Now LUN masking can be used, which allows multiple LUNs per iSCSI target.

Sanbolic Clustered File System Support
VMM 2008 R2 adds support for the Sanbolic Clustered File System (CFS). Using this third-party shared-volume solution, administrators can perform quick migration on hosts running Windows Server 2008 with Hyper-V and live migration on hosts running Windows Server 2008 R2 with Hyper-V.

Veritas Storage Foundation for Windows Support
VMM 2008 R2 also adds support for Veritas Storage Foundation 5.1 for Windows (SFW), an online storage management solution for creating virtual storage devices from physical disks and arrays. During virtual machine placement or migration, an SFW volume created as part of a cluster resource group can be selected. However, an SFW volume is limited to one virtual machine.

VMware Port Groups for Virtual Switches
For virtual machines deployed to a VMware ESX Server host, VMM 2008 R2 supports using any existing VMware port groups that are available for virtual switches.

Windows PowerShell 2.0
VMM 2008 R2 adds support for Windows PowerShell 2.0 while continuing to support Windows PowerShell 1.0.
Virtual Machine Manager Prerequisites This section describes the hardware, operating system, and software requirements for each of the VMM components. These requirements must be met before installing and using System Center Virtual Machine Manager 2008 R2.
VMM Server
The following are the system requirements for installing the VMM Server component.

Hardware Requirements
Table 12.1 shows the minimum and recommended hardware requirements for a VMM server that manages up to 150 hosts.

TABLE 12.1 VMM Server Hardware Requirements

Component                                        Minimum   Recommended
Processor speed                                  1GHz      Dual-processor, dual-core, 2GHz (x64) or greater
Memory                                           2GB       4GB
Disk space (with remote database)                2GB       50GB
Disk space (using built-in SQL Server instance)  10GB      No figure given; the built-in SQL Server Express database is limited to 4GB
NOTE If you are also using the VMM server as a library server, the disk space requirements will vary greatly depending on the number and size of virtual machine templates, virtual hard disks, virtual floppy disks, ISO images, scripts, hardware profiles, guest operating system profiles, and stored virtual machines. Additionally, if you are planning to manage more than 150 hosts, you should conduct a VMM sizing operation to ensure that your infrastructure is sized accordingly to support the number of desired hosts.
Supported Operating Systems
The following operating systems are supported by the VMM Server component:
• Windows Server 2008 x64, Standard and Enterprise Editions
• Windows Server 2008 R2 x64, Standard and Enterprise Editions

Remote SQL Instance Requirements
The VMM Server component supports the following versions of SQL Server:
• SQL Server 2005 SP2 or SP3, Express Edition
• SQL Server 2005 SP2 or SP3, Standard or Enterprise Edition
• SQL Server 2008, Express Edition
• SQL Server 2008, Standard or Enterprise Edition

NOTE If a SQL Server 2005 instance is used, the 32-bit version of the SQL Server 2005 tools must be installed on the VMM server(s). For a SQL Server 2008 instance, both the SQL Server 2008 tools and the 32-bit version of the SQL Server 2005 tools must be installed on the VMM server(s).
Software Requirements
The VMM Server component has the following software requirements:
• Microsoft .NET Framework 3.0 or 3.0 SP1
• Windows Automated Installation Kit (WAIK) 1.1
• Windows Remote Management (WinRM) 1.1 or 2.0
VMM Administrator Console
The VMM Administrator Console can be installed on other computers to remotely access and manage a VMM deployment. However, it is recommended that the Administrator Console also be installed on the machine hosting the VMM Server component. In fact, if you plan to use the VMM Reporting feature, the Administrator Console must be installed on the VMM server.

Hardware Requirements
Table 12.2 shows the minimum and recommended hardware requirements for the Administrator Console.

TABLE 12.2 VMM Administrator Console Hardware Requirements

Component         Minimum              Recommended
Processor speed   Pentium 4, 550MHz    Pentium 4, 1GHz or greater
Memory            512MB                1GB
Disk space        512MB                2GB
NOTE As you manage more hosts with your VMM deployment, the hardware requirements for the Administrator Console will continue to increase.
Supported Operating Systems
The following operating systems are supported by the Administrator Console:
• Windows Server, from 2003 SP2 through 2008 R2
• Windows XP SP2 through Windows 7

Software Requirements
The Administrator Console has the following software requirements:
• Windows PowerShell 1.0 or 2.0
• Microsoft .NET Framework 2.0
VMM Self-Service Portal The following are the system requirements for installing the VMM Self-Service Portal on a dedicated machine. However, the actual requirements for this VMM component will vary depending on the number of concurrent self-service connections being made on the web server.
Hardware Requirements
Table 12.3 shows the minimum and recommended hardware requirements for a Self-Service Portal serving up to 10 concurrent connections.

TABLE 12.3 VMM Self-Service Portal Hardware Requirements

Component         Minimum              Recommended
Processor speed   Pentium 4, 2.8GHz    Pentium 4, 2.8GHz or greater
Memory            2GB                  2GB
Disk space        512MB                20GB
NOTE Installation of the Self-Service Portal on a domain controller is not supported.
Supported Operating Systems
The following operating systems are supported by the Self-Service Portal:
• Windows Server, from 2003 SP2 through 2008 R2

Software Requirements
The Self-Service Portal has the following software requirements:
• Windows PowerShell 1.0 or 2.0
• Microsoft .NET Framework 2.0 (for Windows Server 2003 only)
• If installed on Windows Server 2003, IIS 6.0 must be added
• If installed on Windows Server 2008 or 2008 R2, the Web Server (IIS) role must be installed along with the following role services:
  • IIS 6 Metabase Compatibility
  • IIS 6 WMI Compatibility
  • Static Content
  • Default Document
  • Directory Browsing
  • HTTP Errors
  • ASP.NET
  • .NET Extensibility
  • ISAPI Extensions
  • ISAPI Filters
  • Request Filtering
Virtual Machine Hosts
The following are the system requirements for virtual machine hosts that VMM can manage:
• Virtual Server 2005 R2 with SP1 or later
• Virtual Server 2005 R2 x64 with SP1 or later
• Windows Server with the Hyper-V server role enabled
• VMware VirtualCenter 2.01 or 2.5 with the following hosts:
  • ESX Server 3.5
  • ESX Server 3.0.2
  • ESX Server 3i
Planning a Virtual Machine Manager Deployment Deploying any information system can be a very challenging task. Like most information systems, VMM is no exception as there are many different things, both business and technical related, that need to be considered when planning a VMM deployment. This section describes the steps that should be taken to plan a Virtual Machine Manager deployment. The steps that are provided include step-by-step instructions and best-practice design advice with the goal of helping IT professionals avoid planning mistakes that can prove to be costly and difficult to correct.
Step One: Understand the Environment
The first step of the VMM planning process is to understand the environment in which the deployment will take place. To complete this step, review the architecture of the information systems in your organization: read their design documents, hold discovery sessions with the system owners, and review the status of the systems in real time. Pay particular attention to the following during this phase of the design:
• The current Active Directory forest design.
• The current network topology and available bandwidth.
• A thorough understanding of any existing virtual infrastructure, including the locations of already deployed virtual machine hosts and the virtualization technologies currently in use.
• A thorough understanding of any planned or pending organizational changes (business acquisitions or divestitures), including the organization's desired management model (centralized or decentralized).
• Awareness of applications that will be retired, replaced, or upgraded.
• Awareness of any new applications that will be introduced into the environment.
Step Two: Define the Project Scope
The next step of the VMM planning process is to define the scope of the VMM deployment project. While completing this task, make sure the goals of the project are aligned with the business requirements for virtualization, fault tolerance, capacity, performance, and disaster recovery. Use the information gathered in the first step to answer the following questions:
• What part of the organization is in scope?—Determine whether VMM is being deployed to manage the organization's entire virtual infrastructure or only part of it.
• What virtualization technology and management solution is currently in use?—This question is important because the answer helps determine the size and placement of VMM instances, related web servers, and library servers. To answer it, you need to know where virtualization is currently used, how that virtualization solution is managed, and the location of any existing virtualization hosts and their virtual machines.
• Is virtualization being used as part of a disaster recovery solution?—Virtualization can be a key component of rapid recovery from a disaster, and VMM can further enhance the recoverability of a virtualization deployment. Knowing whether this is a business requirement for your VMM deployment helps you determine how critical it is to business operations and how fault tolerant it needs to be.
• Will self-service provisioning be used?—With the Self-Service Portal, users can provision and manage their own virtual machines. Determine whether self-service provisioning is a requirement and at which locations it must be met. The answer drives the sizing and placement of VMM-related web servers.
• What is the desired management model for virtualization?—Every organization manages its environment differently. Determine whether the desired virtualization management model is centralized or whether management responsibilities should be distributed, or delegated, across the organization. The answer determines the RBAC model for your VMM deployment.
Step Three: Determine Operations Manager Integration
The third step in the VMM planning process is to decide whether System Center Operations Manager should be integrated with the VMM deployment. To make intelligent placement recommendations for where virtual machines should be deployed or automatically moved, VMM relies on the VMM Agent to collect performance data from host servers; that data is sent to the VMM server every 9 minutes. To further improve VMM's placement decisions, you can also deploy Operations Manager Agents to host servers and their virtual machine guests and gather additional performance information with the Operations Manager Server Virtualization Management Pack. With Operations Manager deployed in this manner, you can configure the Administrator Console to connect to Operations Manager as a reporting user and access the additional performance information through Operations Manager reports. An Administrator Console user can then drill down from the Performance views for a host server into performance data (operating system and applications) for each virtual machine guest running on that host.

If you choose to integrate Operations Manager and VMM this way, you also need to decide which of the following integration options best suits your VMM deployment:
• Create an Operations Manager management group for each VMM instance.
• Dedicate a single Operations Manager management group to manage all of the deployed VMM instances.

NOTE An Operations Manager management group can manage multiple VMM instances (either VMM 2008 or VMM 2008 R2). However, each VMM instance can be managed by only one Operations Manager management group.
Step Four: Determine the Number of VMM Instances The fourth step in the VMM planning process is to determine the number of VMM instances that should be deployed. A VMM instance is a single installation of VMM Server, which has the following considerations: • Each VMM instance must have its own separate SQL Server database instance. • Each managed host server can only be managed by a single VMM instance.
Planning a Virtual Machine Manager Deployment
• There is no relationship between VMM instances. Therefore, they cannot be integrated nor can they share data. Based on these considerations, you need to use the information that was gathered during the previous steps in this planning process to best answer the following questions to determine if more than one VMM instance is required: • Are there isolated networks?—Sometimes an organization might have isolated networks for various purposes. For example, a lab deployment tends to be isolated from production networks. Therefore, depending on the virtualization needs for those networks, you need to deploy a separate VMM instance. • Is self-service provisioning a requirement?—If you are planning to use self-service provisioning, you can choose to deploy different VMM instances to facilitate a clear separation between self-service-related virtual machines and virtual machines that are considered sensitive or secure. Additionally, it is generally recommended that each VMM instance that is using self-service be limited to 1,000 or fewer virtual machines dedicated for use by Self-Service Users. If there is a requirement to support more than this number of dedicated virtual machines, additional VMM instances should be deployed. • Does the management model call for a centralized or decentralized deployment?—During the scoping step of this planning process, you should have determined the intended management model for your VMM deployment. If you have chosen to follow a decentralized model, a separate VMM instance should be deployed for each location that requires a virtualization management solution. For a centralized model, barring any additional sizing limitations, you can deploy a single VMM instance. • Are there any organizational requirements that must be met?—In certain cases, there might be political or organizational considerations that might require that additional VMM instances be deployed.
For example, if there is a clear separation between two different business groups, there might be a requirement that the same separation also exists for the virtual infrastructure. • What number of host servers and virtual machines must the deployment support?—As a general rule of thumb, each VMM instance can only support up to 400 host servers and 8,000 virtual machines. If you need to support more host servers or virtual machines, additional VMM instances need to be added to your deployment.
Step Five: Design the VMM Server The fifth step in the VMM planning process is to determine the VMM server design. By definition, the VMM server is the central hub for what defines a VMM instance and how the various VMM components interact with that instance. As such, the VMM server performs a number of different functions that are critical to the functionality of a VMM deployment. However, despite its key nature, the number of different tasks a VMM server
CHAPTER 12 Virtual Machine Manager 2008 R2 Design, Planning, and Implementation
has to perform only results in a relatively light workload for the server this component is deployed on. Therefore, the maximum recommended hardware configuration for a VMM server that is supporting up to 8,000 virtual machines and 400 host servers is a dual-processor or dual-core, 3.6GHz or greater (x64) with 8GB of RAM. NOTE A VMM server is stateless in that all of the data and configuration for a VMM instance is stored in the VMM database. As a result, the VMM server does not support any fault-tolerant configurations. However, if a VMM server does fail, you can easily replace it with a new server without any data loss.
Step Six: Design the Database Server and Database The sixth step in the VMM planning process is to determine the VMM database server and database design. The VMM database is used to store the configuration information for a VMM instance and any performance data that might be collected by VMM. In general, the workload impact to a SQL Server instance that is hosting the VMM database can be relatively light. Therefore, the maximum recommended hardware configuration for a database server that is supporting up to 8,000 virtual machines and 400 host servers is a dual-core machine with 8GB of RAM and 200GB of available disk space. NOTE Unlike the VMM server, the VMM database is stateful and, therefore, the database server that is hosting it can be configured such that it is fault tolerant.
Step Seven: Design the Self-Service Portal Web Server(s) The seventh step in the VMM planning process is to determine the Self-Service Portal web server design. As discussed previously in this chapter, the Self-Service Portal allows users to provision and manage their own virtual machines without administrator intervention. Like other VMM components, the Self-Service Portal is a relatively lightweight application. Therefore, the maximum recommended hardware configuration is a dual-core machine with 2GB of RAM.
Step Eight: Design the Library Servers and Libraries The eighth and final step in the VMM planning process is to determine the library servers and libraries design. As discussed earlier in this chapter, a VMM library is a collection of resources that includes such items as: • VM templates • Disk images and ISO image files
• Guest OS profiles • Hardware profiles A library server is a file server with one or more shares that is used to store the previously listed items. Although each VMM instance must have at least one library server, you can deploy more than one library server depending on the needs of your VMM deployment. NOTE A VMM library server can only be connected to a single VMM instance.
The primary function for a library server is to act as a storage depot, which host servers can then use to retrieve the mentioned items as part of a virtual machine provisioning task. Needless to say, some of these items can be fairly large. Therefore, the primary design considerations that should be taken into account for library servers are as follows: • The storage configuration, which will vary depending on the number and size of the items that are stored in the library—A library server can use all forms of direct attached storage (DAS) and supports Fibre Channel or an iSCSI storage area network (SAN). • The amount of network traffic that is generated when items are transferred to a host server during a virtual machine provisioning task—As a general recommendation, library servers should be placed in the same location as the host servers that they will service. • The type of fault tolerance used for library shares—You can either choose to use DFS or a file server cluster to provide fault tolerance for your library shares.
Deploying Virtual Machine Manager This section covers the steps needed to perform a basic Virtual Machine Manager 2008 R2 deployment. After completing this section, you will understand how to meet any software requirements, install the VMM application software, and complete any other required VMM configuration tasks for a basic deployment.
Preparing the Virtual Machine Manager Server Before the VMM installation can be started, the base Windows operating system needs to be installed. After the base server operating system has been installed and the latest updates have been applied, the next task is to join the server to the domain and then ensure all of the software requirements are met, as noted in the VMM Server "Software Requirements" section earlier in this chapter. If need be, VMM can be deployed on a single server that hosts the VMM server, SQL database, and Administrator Console, or these components can be deployed across separate,
single-purpose servers. The decision about how to deploy VMM in the enterprise depends on the physical and virtual environment and, to a lesser degree, the administration of these environments. NOTE The computer where VMM is installed must be joined to an Active Directory Domain Services (AD DS) domain.
Single-Server Deployment A single-server deployment is often used in small environments where physical resources are tight and the virtual environment is small. In this type of deployment, a single server hosts the VMM server, the SQL Server database (usually using SQL Express), the Administrator Console, and possibly even the Self-Service Portal. A single-server deployment is recommended for a virtual infrastructure environment (both the VMM server and host servers) that doesn't span a wide area network (WAN). Multiple-Server Deployment A multiple-server deployment is usually used in larger, high-performance VMM environments or where the virtual environment spans across a WAN. VMM performance is improved by installing the different components on separate servers and placing these servers closest to the resources they access the most. Typically, this involves using a dedicated (or at least separate) SQL Server database server and placing VMM libraries close to the host servers where the virtual machines will be deployed. Often, the Administrator Console is installed on separate servers or workstations to facilitate administration. The Self-Service console can also be deployed on its own server or on another underutilized web server or it can even be virtualized itself. VMM Database Considerations The VMM Server component uses a SQL Server database to store and read VMM host server and guest virtual machine configuration (hardware profiles, guest OS profiles, VHDs, and so forth). This SQL Server database can be placed on the built-in VMM SQL Server Express instance, on a new SQL Server instance, or on an existing SQL Server instance (local or remote). However, when using the optional SQL Server Express installation that is included with VMM, some technical restrictions should be taken into consideration. These restrictions are as follows: • It has a 4GB database limit (excluding log files). • It can use only one processor, even in multiple-processor configurations. 
• It can use only up to 1GB of RAM. • VMM Reporting is not available. • The SQL Server Agent service is excluded.
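The 4GB limit is the restriction that bites first in a growing single-server deployment, and VMM jobs start failing once the data file is full. The following PowerShell function is an added example (not code from the book or from VMM) that reports how close the VMM database is to that cap. The SQL instance name is an assumption to be replaced with the instance VMM Setup created on your server; VirtualManagerDB is VMM's default database name.

```powershell
# Added example, not from the book: report how close the VMM database is to the
# 4GB data-file cap of the bundled SQL Server 2005 Express instance.
# $SqlInstance is an assumption (check Services for the instance VMM Setup created);
# VirtualManagerDB is the default VMM database name.
function Get-VmmDatabaseUsage {
    param(
        [string]$SqlInstance = '.\SQLEXPRESS',      # assumption: replace with your VMM instance
        [string]$Database    = 'VirtualManagerDB',
        [int]$CapMB          = 4096                  # SQL Server 2005 Express limit, data files only
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection
    # Integrated security: the caller needs read access to the VMM database and no
    # SQL password is stored in the script.
    $conn.ConnectionString = "Data Source=$SqlInstance;Initial Catalog=$Database;Integrated Security=SSPI"
    $cmd = $conn.CreateCommand()
    # 'size' is in 8KB pages; the Express cap counts ROWS (data) files and excludes the log.
    $cmd.CommandText = "SELECT SUM(CAST(size AS bigint)) * 8 / 1024 FROM sys.database_files WHERE type_desc = 'ROWS'"
    $conn.Open()
    try     { $dataMB = [int]$cmd.ExecuteScalar() }
    finally { $conn.Close() }
    $pct = [math]::Round(100 * $dataMB / $CapMB, 1)
    # PowerShell 2.0-compatible object (Windows Server 2008 R2 era)
    New-Object PSObject -Property @{
        Instance    = $SqlInstance
        Database    = $Database
        DataMB      = $dataMB
        CapMB       = $CapMB
        PercentUsed = $pct
        NearCap     = ($pct -ge 80)   # plan the move to a full SQL Server instance before jobs fail
    }
}

Get-VmmDatabaseUsage | Format-List
```

Run it as a scheduled task on the VMM server; once NearCap turns true, move the database to a full SQL Server instance rather than waiting for the first failed job. The query reports allocated file size, which is what the Express limit measures, not the space actually used inside the file.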
Installing the Virtual Machine Manager Server After meeting all of the hardware, operating system, and software requirements, the next step in your deployment is to execute the VMM Setup Wizard to complete a basic single-server VMM installation. To start the installation, log on to the VMM server using a domain user account that is a member of the local administrators group. Then execute the VMM Setup Wizard (setup.exe) from the installation media, an ISO file, or a copy of the setup files from a shared network location. Once the Setup Wizard has started, use the following steps to complete the installation: 1. In the Virtual Machine Manager 2008 R2 window, as shown in Figure 12.3, select the VMM Server option. This starts the VMM Setup Wizard.
FIGURE 12.3 Starting the VMM Setup Wizard.
2. On the first page of the wizard, License Terms, select the I Accept the Terms of This Agreement, and then click Next. 3. On the Microsoft Update page, select the desired Microsoft Update option, and then click Next. 4. On the Customer Experience Improvement Program page, select the desired Customer Experience Improvement Program (CEIP) option, and then click Next. 5. On the Product Registration page, provide the desired product registration information, and then click Next.
6. On the Prerequisites Check page, a prerequisites check is automatically performed by the Setup Wizard. After the prerequisites check has completed, review any alerts or warnings about hardware that does not meet the minimum or recommended requirements, or missing software prerequisites, and then click Next. NOTE You can continue the installation if you receive warnings, but you must resolve all alerts before you can proceed with the installation.
7. On the Installation Location page, you can either use the default folder location or modify the installation path to meet your needs. After choosing the desired installation location, click Next. 8. On the SQL Server Settings page, provide the server name for the remote SQL instance and the user credentials that will be used to connect to that instance (if needed). Next, either select the desired SQL Server instance or enter its name and then select the Create a New Database check box, as shown in Figure 12.4. After you have finished defining the desired SQL Server settings, click Next.
FIGURE 12.4 Defining the SQL Server Settings.
NOTE When using a SQL Server instance and database, the SQL Server 2008 Management Tools - Basic or Command Line Utilities must be preinstalled on the intended VMM server.
9. On the Library Share Settings page, choose the option to either create a new default library share on the VMM server or use an existing share on the VMM server as a library share. If you choose to create a new library share, the default share name is MSSCVMMLibrary and its folder is located at %SYSTEMDRIVE%\ProgramData\Virtual Machine Manager Library Files. Once you have chosen or defined the desired library share settings, click Next. NOTE You can always add other library shares to the default library server or other library servers on different computers. However, neither the default library server nor its library share can be removed or relocated.
10. On the Installation Settings page, it is recommended that the default port settings are used for the VMM server installation. For the VMM service account, you can either choose to use the LocalSystem account or define and use a domain account. When using a domain account, that account should be an account that is specifically designated to be used for VMM (failure to do so might cause unexpected results or result in the VMM installation being less secure). After you have defined the desired installation settings, click Next. NOTE If you plan to use shared ISO images with Hyper-V virtual machines or if VMM is being installed into an environment with a disjointed namespace, a domain account must be used as the VMM service account. When using a domain account, that account must also be a member of the VMM server's local administrators group.
11. On the Summary of Settings page, review the summary of installation settings, and then click Install. 12. On the Installation page, the Setup Wizard installs any missing software prerequisites if necessary, and then installs the VMM Server component, as shown in Figure 12.5. The installation might take several minutes, depending on the options that were selected. Once the installation has finished, click Close.
FIGURE 12.5 VMM Server installation progress.
Installing the VMM Administrator Console After installing the VMM Server component, the next step of the VMM deployment is to install the VMM Administrator Console. As a best practice, it is recommended that the Administrator Console be installed on the same computer as the VMM server. However, you may also install additional Administrator Console instances on other computers as needed. To complete this task, use the following steps while logged on to the VMM server as a local administrator: 1. Execute the VMM Setup Wizard (setup.exe) from the installation media, an ISO file, or a copy of the setup files from a shared network location. 2. In the Virtual Machine Manager 2008 R2 window, select the VMM Administrator Console option. This starts the VMM Setup Wizard. 3. On the first page of the wizard, License Terms, select the I Accept the Terms of This Agreement, and then click Next. 4. On the Customer Experience Improvement Program page, click Next. 5. On the Prerequisites Check page, a prerequisites check is automatically performed by the setup wizard. After the prerequisites check has completed, review any alerts or warnings about hardware that does not meet the minimum or recommended requirements, or missing software prerequisites, and then click Next.
6. On the Installation Location page, you can either use the default folder location or modify the installation path to meet your needs. After choosing the desired installation location, click Next. 7. On the Port Assignment page, it is recommended that the default port settings are used for the Administrator Console installation. After you have defined the desired port assignment, click Next. 8. On the Summary of Settings page, review the summary of installation settings, and then click Install. 9. On the Installation page, the Setup Wizard installs any missing software prerequisites if necessary, and then installs the Administrator Console, as shown in Figure 12.6. The installation might take several minutes, depending on the options that were selected. Once the installation has finished, click Close.
FIGURE 12.6 Administrator Console installation progress.
The first time you launch the Administrator Console, you will be prompted with the Connect to Server dialog box. If you installed the Administrator Console on the same computer as the VMM server, just click Connect. For installations where the Administrator Console has been installed on a different computer, type the name of the VMM server followed by a colon and the connection port that you assigned during the installation of that VMM server.
NOTE The default port for the Administrator Console to communicate with the VMM server is 8100.
Installing the Self-Service Portal The VMM Self-Service Portal is an optional component that can be installed to allow users to create and manage their own virtual machines. If you are planning to use this component, the next step in the VMM deployment process is to install the Self-Service Portal. To complete this task, perform the following steps while logged on to the VMM server as a local administrator: 1. Execute the VMM Setup Wizard (setup.exe) from the installation media, an ISO file, or a copy of the setup files from a shared network location. 2. In the Virtual Machine Manager 2008 R2 window, select the VMM Self-Service Portal option. This starts the VMM Setup Wizard. 3. On the first page of the wizard, License Terms, select the I Accept the Terms of This Agreement, and then click Next. 4. On the Prerequisites Check page, a prerequisites check is automatically performed by the Setup Wizard. After the prerequisites check has completed, review any alerts or warnings about hardware that does not meet the minimum or recommended requirements, or missing software prerequisites, and then click Next. 5. On the Installation Location page, you can either use the default folder location or modify the installation path to meet your needs. After choosing the desired installation location, click Next. 6. On the Web Server Settings page, specify the name of the VMM server you want the VMM Self-Service Portal to connect to, and the port that you want the VMM Self-Service Portal to use for communications with that server. Once you have specified the desired web server settings, click Next. NOTE If you plan to install the Self-Service Portal on the VMM server, you need to either specify a different TCP port (other than 80) or define a host header for the portal.
7. On the Summary of Settings page, review the summary of installation settings, and then click Install. 8. On the Installation page, the Setup Wizard installs any missing software prerequisites if necessary, and then installs the Self-Service Portal. The installation might take several minutes, depending on the options that were selected. Once the installation has finished, click Close.
Securing the Self-Service Portal After you complete the base installation of the Self-Service Portal, you should complete some additional tasks to ensure that the portal is secure. These tasks are as follows. Configure SSL for the Self-Service Portal As a best practice, you should always configure SSL on the Self-Service Portal. Depending on how you are using the portal, the SSL certificate can either be issued by a publicly trusted certificate authority or from a certificate authority that is part of your organization's internal Public Key Infrastructure (PKI). Enable Integrated Windows Authentication By default, the Self-Service Portal uses forms-based authentication (FBA) to control access to the website. When logging on to the portal using FBA, users have a cached credentials option called "Store my credentials." If this option is selected, VMM securely caches the credentials on the web server for the duration of the session. These cached credentials are then used for remote virtual machine connections, which are initialized from inside the portal. To reduce the risk associated with cached credentials and the confusion this option might cause for users who are not aware of it, you can enable Integrated Windows Authentication on the portal. By enabling this method of authentication, users will no longer be prompted for their credentials when they access the Self-Service Portal. Instead, when a user attempts to access the portal, their current Windows credentials are used and they are only prompted for credentials if additional authorization is needed. NOTE If the Self-Service Portal has been deployed on a different computer from the VMM server and Integrated Windows Authentication has been enabled, you also need to configure Kerberos constrained delegation for the VMM service account.
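Both hardening tasks above are IIS settings, so they can be applied and verified from PowerShell instead of clicking through IIS Manager. The script below is an added example (not from the book or from the VMM product) using the WebAdministration module that ships with IIS 7.5 on Windows Server 2008 R2. The portal's IIS site name is an assumption to be taken from IIS Manager, and the certificate, from your internal PKI or a public CA, must already be in the machine store; the thumbprint in the usage line is a placeholder.

```powershell
# Added example, not from the book: harden the Self-Service Portal site in IIS 7.x
# (require SSL, switch from forms-based to Integrated Windows Authentication) and
# read the settings back. $SiteName is an assumption; take the real name from IIS Manager.
Import-Module WebAdministration

function Set-SelfServicePortalSecurity {
    param(
        [string]$SiteName = 'VMM Self-Service Portal',   # assumption: your portal's IIS site name
        [string]$CertThumbprint,                         # SHA-1 thumbprint of the SSL certificate
        [int]$HttpsPort = 443
    )
    $sitePath = "IIS:\Sites\$SiteName"
    if (-not (Test-Path $sitePath)) { throw "IIS site '$SiteName' not found" }

    # 1. HTTPS binding plus 'Require SSL', so the logon page and the cached-credential
    #    session never cross the network in clear text.
    if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
        New-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort
    }
    if (-not (Test-Path "IIS:\SslBindings\0.0.0.0!$HttpsPort")) {
        Get-Item "Cert:\LocalMachine\My\$CertThumbprint" |
            New-Item "IIS:\SslBindings\0.0.0.0!$HttpsPort" | Out-Null
    }
    Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

    # 2. Integrated Windows Authentication instead of forms-based authentication.
    #    The IIS authentication sections are locked at server level, so they are written
    #    to a <location> element in applicationHost.config (-Location); the ASP.NET
    #    authentication mode lives in the site's own web.config.
    $auth = 'system.webServer/security/authentication'
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.web/authentication' -Name mode -Value 'Windows'

    # 3. Read the effective configuration back so the change is verified, not assumed.
    New-Object PSObject -Property @{
        Site        = $SiteName
        SslFlags    = (Get-WebConfiguration -PSPath $sitePath -Filter 'system.webServer/security/access').sslFlags
        WindowsAuth = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter "$auth/windowsAuthentication"   -Name enabled).Value
        Anonymous   = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter "$auth/anonymousAuthentication" -Name enabled).Value
        AspNetMode  = (Get-WebConfiguration -PSPath $sitePath -Filter 'system.web/authentication').mode
    }
}

# Usage (thumbprint is a placeholder; run from an elevated PowerShell on the web server)
Set-SelfServicePortalSecurity -CertThumbprint '<THUMBPRINT-PLACEHOLDER>' | Format-List
```

The expected read-back is SslFlags "Ssl", WindowsAuth True, Anonymous False and AspNetMode "Windows". Keep the note above in mind: when the portal runs on a server other than the VMM server, Integrated Windows Authentication only works end to end once Kerberos constrained delegation has been configured for the VMM service account, which this script does not do.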
Installing the VMM Agent After installing the required VMM components, the next step in the VMM deployment process is to install the VMM Agent on the host servers. For host servers that are members of a domain, you can "push" the agent to them using the following steps: 1. Log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role. 2. Next, open the Administrator Console using either the desktop or Start menu icon. 3. Once the console has loaded, in the Actions pane, click Add Host. This starts the Add Hosts Wizard, as shown in Figure 12.7.
FIGURE 12.7 Add Hosts Wizard.
4. On the first page of the wizard, Select Host Location, select the Windows Server-based Host on an Active Directory Domain option, provide the credentials that will be used to connect to the host, and then click Next. 5. On the Select Host Servers page, provide the name of the host server in the Computer Name field and then click Add, as shown in Figure 12.8. Additionally, you can click Search to open the Computer Search dialog box to find the host server or servers that you want to add. 6. On the Configuration Settings page, select the desired host group and host reassociation options, and then click Next. 7. On the Host Properties page, leave the default settings and then click Next. 8. On the Summary page, review the information for the host servers that will be added, and then click Add Hosts. Additionally, you can click View Script to see the commands that will be executed by the Administrator Console to add the selected host servers. NOTE VMM not only installs the VMM Agent, but, if needed, it also installs or enables the required virtualization software and creates a Windows Firewall exception.
9. Next, the Jobs dialog box is displayed showing the agent installation progress, as shown in Figure 12.9.
FIGURE 12.8 Select Host Servers page.
FIGURE 12.9 Jobs dialog box (Add virtual machine host job; command: Add-VMHost).
Manually Installing the VMM Agent For host servers that are within the DMZ or if there was some issue with the agent push, you can opt to perform a manual installation of the VMM Agent. To manually install the VMM Agent, complete the following steps: 1. Execute the VMM Setup Wizard (setup.exe) from the installation media, an ISO file, or a copy of the setup files from a shared network location. 2. In the Virtual Machine Manager 2008 R2 window, select the Local Agent option. This starts the VMM Agent Setup Wizard. 3. On the first page of the wizard, License Terms, select the I Accept the Terms of This Agreement, and then click Next. 4. On the Destination Folder page, you can either use the default folder location or modify the installation path to meet your needs, and then click Next. 5. On the Configuration Settings page, use the default port settings, and then click Next. 6. On the Security File Folder page, if the host server is on a perimeter network, enable the This Host Is on a Perimeter Network option and define the following values: • Security file encryption key—Provide a string that will be used as the encryption key to create the security file. Be sure to note the string that you use as the encryption key. That string will need to be entered again when you are adding the host using the Administrator Console. • Export security file to—If needed, click Change to modify the folder path where the security file will be exported to. • Use a CA signed certificate for encrypting communications—By default, the VMM Agent Setup Wizard generates a self-signed certificate that is used to encrypt communications between the host server and the VMM server. If you want to use a certificate that has been signed by a trusted CA, enable this option and provide the thumbprint of the certificate. 7. Once you have defined the desired Security File Folder settings, click Next. 8. On the Host Network Name page, either choose to have the VMM server communicate with the host server using the local computer name or choose an IP address for the communications, and then click Next. 9. On the Ready to Install page, click Install. 10. After the agent has finished installing, navigate to the folder where the security file is stored (by default, that location is C:\Program Files\Microsoft System Center Virtual Machine Manager 2008 R2 and the name of the file is SecurityFile.txt).
11. Next, copy the SecurityFile.txt file to the VMM server. 12. Log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role. 13. Next, open the Administrator Console using either the desktop or Start menu icon. 14. Once the console has loaded, in the Actions pane, click Add Host. This starts the Add Hosts Wizard.
15. On the first page of the wizard, Select Host Location, select the Windows Server-based Host on a Perimeter Network option, and then click Next. 16. On the Select Host Servers page, for each host server that you are adding to VMM, provide the host server name or IP address, the encryption key, and the path to the SecurityFile.txt, as shown in Figure 12.10. After providing these details, click Add. Once you have finished selecting all of the host servers that you plan to add into VMM, click Next.
FIGURE 12.10 Selecting host servers to add to VMM.
17. On the Configuration Settings page, select the desired host group and host reassociation options, and then click Next. 18. On the Host Properties page, leave the default settings and then click Next. 19. On the Summary page, review the information for the host servers that will be added, and then click Add Hosts.
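Steps 12 through 19 can also be driven from the VMM command shell, which matters when many perimeter hosts have to be registered the same way. The following is an added example, not code from the book: it registers a perimeter-network host using the SecurityFile.txt copied from that host, prompts for the encryption key as a SecureString so it never lands in the console history, and then confirms that the agent is responding. The host name, file path and host group name are constructed placeholders, and the Add-VMHost parameter names are as I recall them from the VMM 2008 R2 cmdlet set; confirm them on your build with Get-Help Add-VMHost -Full.

```powershell
# Added example (not from the book): register a perimeter-network host from
# the VMM command shell using the security file produced in step 10.
# Host name, security file path and host group are constructed placeholders.
# Parameter names follow the VMM 2008 R2 Add-VMHost cmdlet as I recall them;
# verify with: Get-Help Add-VMHost -Full

$hostName     = 'hvdmz01.companyabc.com'              # constructed
$securityFile = 'C:\Keys\hvdmz01\SecurityFile.txt'    # copy made in step 11
$hostGroup    = 'Perimeter Hosts'                     # constructed group name

# The key typed during agent setup (step 6). Read as a SecureString so it is
# not echoed and does not end up in the command history or a transcript.
$encryptionKey = Read-Host -Prompt 'Security file encryption key' -AsSecureString

# The target host group must exist before the host can be placed in it.
$group = Get-VMHostGroup | Where-Object { $_.Name -eq $hostGroup }
if (-not $group) { $group = New-VMHostGroup -Name $hostGroup }

# -PerimeterNetworkHost tells VMM to trust the certificate carried inside the
# security file rather than authenticate the host through the domain.
Add-VMHost -ComputerName $hostName `
           -PerimeterNetworkHost `
           -SecurityFile $securityFile `
           -EncryptionKey $encryptionKey `
           -VMHostGroup $group | Out-Null

# The security file is consumed during registration; remove the copy so the
# certificate material does not linger on the VMM server's disk.
Remove-Item -Path $securityFile -Force

# Confirm that the VMM server can reach the agent on the new host.
Get-VMMManagedComputer |
    Where-Object { $_.Name -eq $hostName } |
    Select-Object Name, RoleString, StateString
```

Run this from the VMM command shell as a member of the VMM Administrator role, the same account the wizard steps require. The StateString column should read Responding once the host is registered; anything else points back at the security file, the encryption key, or a firewall between the VMM server and the DMZ host.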
662
CHAPTER 12
Virtual Machine Manager 2008 R2 Design, Planning,
and Implementation
Summary This chapter, dedicated to Virtual Machine Manager 2008 R2, hopefully provided you with an advanced understanding of the overall VMM solution offering. Everything from VMM's background, planning a deployment, and installing the solution was covered. After reading this chapter, you should now also understand that VMM is an extremely powerful addition to Microsoft's virtualization offerings. By using VMM, organizations have the ability to manage virtual machines across multiple hosts and to delegate the administration and management of the virtual machines on the same host or on other virtual hosts in the organization. However, VMM not only supports the management of Microsoft-based virtualization platforms, but it also provides connectivity and support for management of virtual machines running on other platforms such as VMware.
Best Practices The following are best practices from this chapter: • Organizations using Hyper-V should use VMM 2008 R2 and not VMM 2007. • VMM 2008 R2 can only be installed on Windows Server 2008 x64, Standard and Enterprise Editions or Windows Server 2008 R2 x64, Standard and Enterprise Editions. • Ensure the system that VMM is being installed on is attached to a Windows domain. • For most deployments, VMM can be installed on the same system as the SQL Server instance that hosts the VMM database. • Use the Self-Service Portal to allow end users or developers to create and manage their virtual machines. • Use the Administrator Console to manage Microsoft Hyper-V, VMware ESX, and Microsoft Virtual Server hosts. • Add Hyper-V, VMware, and Virtual Server physical hosts to the Administrator Console to manage them with VMM. • For organizations where the VMM components are installed on separate servers, VMM libraries should be on separate servers, too. • VMM libraries should be placed on clustered file servers where fault tolerance of the library is required. • Multiple VMM library servers should be configured for organizations with multiple host servers in different locations. • Create hardware profiles to define the hardware used in common virtual machines (for example, a dual-processor server with 2GB of RAM and a DVD-ROM). • Create guest OS profiles to define the operating system profile used in common virtual machines (for example, Windows Server 2008 x64 Standard Edition). • Use VMM to reduce the complexity of managing multiple virtualization platforms. • Learn the VMM Command Shell cmdlets for command-line management of the virtual environment. • Use host clusters to host mission-critical virtual machines to provide a higher level of fault tolerance.
• Store common CD images (ISOs) in the VMM library for easy access from the VMM Administrator Console. • Ensure that only highly available virtual machines are marked as such in the VM's settings. Doing so ensures that the virtual machine can only be placed on host clusters. • The VMM Administrator role cannot be limited. Therefore, create additional administrative roles to further delegate VMM administrative rights. • Use a single-server deployment for VMM and SQL Server Express 2005 for a relatively simple environment; split the VMM components for a large, enterprise environment.
CHAPTER 13
Managing a Hyper-V Environment with Virtual Machine Manager 2008 R2
For the most part, there has always been something lacking with Microsoft virtualization technologies when it came to management and automation. For example, out of the box, Virtual Server was pretty much a standalone product that didn't have any connections with a Microsoft-based management solution. Although somewhat better—thanks to PowerShell—Hyper-V also suffers from the same out-of-the-box limitations as Virtual Server did. Although the underlying virtualization technologies might be very good, an administrator might only deploy those technologies in a very limited fashion when faced with the possibility of supporting those technologies without an effective management solution. In Chapter 12, "Virtual Machine Manager 2008 R2 Design, Planning, and Implementation," you were introduced to Virtual Machine Manager (VMM), how it is structured, and how to install it. In this chapter, the focus now shifts toward understanding the VMM management interfaces and how they can be used to manage a Hyper-V environment. This chapter discusses how VMM can be used to perform virtual machine (VM) conversions, how VMM management rights can be delegated, how to deploy virtual machines, and how to migrate those virtual machines between host servers or storage locations. As you learn in this chapter, VMM is a very effective management tool for your virtual infrastructure. By using VMM, you can significantly improve your management capabilities over Microsoft- and VMware-centric virtual infrastructure while enabling rapid provisioning of new virtual machines by VMM Administrators or authorized Self-Service Users.
IN THIS CHAPTER
• Using the VMM Management Interfaces
• Understanding Virtual Machine Conversions
• Managing VMM User Roles
• Deploying Virtual Machines
• Migrating Virtual Machines
Using the VMM Management Interfaces Administering any type of information system can often be a very broad topic. Virtual Machine Manager provides an interface to manage virtual guest sessions through an Administrator Console, through command-line interfaces, or through Self-Service Portals, providing flexibility in how virtual systems are accessed and managed.
VMM Administrator Console As discussed in Chapter 12, the Administrator Console is a Microsoft Management Console (MMC) that is built upon Windows PowerShell and can be used to complete the following tasks: • Adding hosts • Creating host groups • Managing hosts • Managing host clusters • Configuring the VMM library • Creating VMs • Deploying and migrating VMs • Managing VMs • Configuring the Self-Service Portal • Monitoring and reporting • Administering and managing roles You can either install the Administrator Console on the same computer as the VMM server or on a number of different computers. An Administrator Console installation also installs the VMM command shell, which allows you to manage the VMM environment from the command line. The Administrator Console, shown in Figure 13.1, consists of the view buttons on the lower left, the view area above the view buttons, the Results pane in the top middle, the Details pane below the Results pane, and the Actions pane on the right. Creating Host Groups Host groups allow the administrator to group together collections of similar hosts, such as perimeter hosts, domain hosts, or other important grouping types. To create a host group, complete the following steps: 1. Log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role. 2. Next, open the Administrator Console using either the desktop or Start menu icon.
3. Once the console has loaded, go to the Hosts view by clicking the Hosts button, and then select All Hosts. The hosts managed by this VMM server display in the Results pane. 4. To add a new host group, click New Host Group in the Actions pane. A new host group appears under All Hosts in the Hosts view. Rename the group as required.
Host groups can also be moved or deleted using the Actions pane from the Hosts view.
FIGURE 13.1 VMM Administrator Console.
Managing Hosts After installing the VMM Agent on a host server and then adding it to the VMM server (as discussed in Chapter 12), it can then be managed from the Hosts view in the Administrator Console. To manage host servers, complete the following steps: 1. Log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role. 2. Next, open the Administrator Console using either the desktop or Start menu icon. 3. Once the console has loaded, go to the Hosts view by clicking the Hosts button, and then select All Hosts. The hosts managed by this VMM server display in the Results pane.
4. Right-click the host to manage; a shortcut menu appears with a choice of actions. The administrator can move the host to a host group, refresh the host in the Details pane, remove the host from the VMM server, or access the host properties.
NOTE The Properties page allows the administrator to view or configure the host summary, host status, VM status, hardware reserves (for example, CPU and RAM), hardware, networking, VM placement path, remote connections, security settings, and more.
Managing Host Clusters Host clusters are Windows cluster or VMware ESX cluster hosts that provide high availability and fault tolerance. The actions for host clusters allow the administrator to move a Hyper-V host cluster to a different host group, delete a host cluster from VMM, monitor host clusters, and modify the host cluster properties. To manage host clusters, complete the following steps: 1. Log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role. 2. Next, open the Administrator Console using either the desktop or Start menu icon. 3. Once the console has loaded, go to the Hosts view by clicking the Hosts button, and then select All Hosts. The hosts managed by this VMM server display in the Results pane. 4. Select the host cluster to manage in the Results pane. The actions available for managing the host cluster are listed in the Actions pane. When a node is added to a failover cluster outside of VMM, the new node is automatically discovered and added to the host cluster within VMM. However, until you add the node to VMM as a host, the new node displays in the Hosts view with a Pending status. If a highly available virtual machine fails over to the pending host, that virtual machine will then have a Missing status in VMM. To prevent this from happening, add the host into VMM by clicking on the host with a Pending status and then, in the Actions pane, click Add to Host Cluster. In addition, VMM also detects when a node has been evicted from a failover cluster. When this happens, VMM then sets the Clustered property of the node to False and begins managing the host server as a regular, nonclustered host. To stop managing the host and remove it from VMM, use the Remove Host action to remove the host from VMM. Configuring the VMM Library The VMM library is a Windows share that hosts the resources used by VMM to create virtual machines. 
The library contains files (VHDs, ISOs, and so on). To add or remove libraries from VMM, complete the following steps: 1. Log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role. 2. Next, open the Administrator Console using either the desktop or Start menu icon.
3. Once the console has loaded, go to the Library view by clicking the Library button, and then select the Library Server in the View pane. The library contents display in the Results pane. 4. Additional VMM libraries can be added to the Administrator Console by clicking the Add Library Server action in the Actions pane. A library can be removed by right-clicking the library and selecting Remove. If Windows PowerShell scripts are stored in the VMM library, they can be viewed, edited, removed, and even executed from the Library view. In addition, entire virtual machines can be stored in the VMM library. From here, they can be cloned, deployed, and removed. VMware virtual machines stored in the library can be converted to a VMM virtual machine. However, the VMware virtual machine's configuration files must be stored in the library before you can convert it using this method.
NOTE VMM libraries can be stored on Windows clusters to increase the availability and fault tolerance of the library resources.
Managing VMs Virtual machines managed by VMM can be fully managed within the VMM Administrator Console. To manage virtual machines, complete the following steps: 1. Log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role. 2. Next, open the Administrator Console using either the desktop or Start menu icon. 3. Once the console has loaded, go to the Virtual Machines view by clicking the Virtual Machines button, and then select the host in the View pane. The VMs hosted on that host display in the Results pane. Using the Administrator Console, you can start, pause, stop, save the state, shut down, or connect to any managed virtual machines. Other actions include migrating the virtual machine, creating and managing checkpoints, repairing the virtual machine, installing guest services, cloning the virtual machine, storing it in a VMM library, removing the virtual machine, and configuring its properties. Monitoring and Reporting VMM has advanced monitoring and reporting capabilities. VMM operates using jobs, which can be managed. Advanced reporting capabilities are achieved when using System Center Operations Manager 2007 (SCOM 2007) and the Server Virtualization Management Pack (as discussed in Chapter 12). The reports generated by SCOM can be opened directly in the Reporting view of the Administrator Console. Jobs can be managed from the Jobs view in the Administrator Console. In the Results pane, the administrator can view all the jobs run by VMM. Running jobs can be canceled by right-clicking the job and selecting Cancel. If a job fails, it can usually be restarted by right-clicking the job and choosing Restart. The job will begin again where the operation failed.
Administering and Managing VMM The entire VM infrastructure can be administered from the VMM Administrator Console or by using the VMM command shell. VMM administration includes managing user roles, managing agents on managed servers, adding non-Microsoft virtualization managers to VMM, and configuring VMM settings. To manage VMM, complete the following steps: 1. Log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role. 2. Next, open the Administrator Console using either the desktop or Start menu icon. 3. Once the console has loaded, go to the Administration view by clicking the Administration button, and then select the administrative operation in the View pane. From within the Administration view, you have the following options for administering and managing VMM: • The General settings allow the administrator to configure global settings in VMM, such as CEIP settings, the database connection, library settings, placement settings, remote control, and the self-service administrator email address. • Managed Computers returns a list of the hosts managed by this VMM server, their status, version, and role. • Networking allows the administrator to configure a static range of MAC addresses VMM should use when creating new virtual network devices. • User Roles allows the administrator to manage user roles and create new user roles, such as delegated administrator groups and Self-Service Users. Each of these roles can be scoped to a particular set of virtual machines, libraries, and so on. Self-Service Users can be permitted to perform only certain actions, as configured by the VMM Administrator. • The System Center setting provides a way for the administrator to configure SCOM reporting and the SCOM connection to enable PRO functionality. Physical Resource Optimization (PRO) provides workload- and application-aware resource optimization for Hyper-V host clusters. 
• Virtualization Managers displays the name, status, version, managed hosts, and managed VMs of non-Windows virtualization managers.
VMM Command Shell The VMM command shell is built on Microsoft Windows PowerShell, an administrator-focused interactive command-line shell and scripting platform that is integrated into the Windows platform. The VMM command shell is installed with the VMM Administrator Console. Administrators can use the VMM command shell as an alternative to (or in addition to) the Administrator Console for centralized management of the physical and virtual system infrastructure. Anything that can be done in the Administrator Console can be done using the VMM command shell. The Administrator Console even enables you to view the command shell commands that the console will run before actually executing them. The command shell provides commands (called cmdlets, shown in Figure 13.2) that administrators can use alone to perform simple administrative tasks or in combination with other cmdlets or command-line elements to perform more complex tasks.
FIGURE 13.2 VMM command shell. (The figure shows Get-VMMManagedComputer | select Name, RoleString, StateString run in the VMM command shell, listing hv01.companyabc.com and hv02.companyabc.com with the Host role and vmm.companyabc.com with the Library role, all in the Responding state.)
In fact, any task that you can perform using the Administrator Console can be completed using the command shell, and in some scenarios the shell provides additional features that the MMC-based console does not. Additionally, because the management shell is based on PowerShell, you can automate routine management tasks using the PowerShell scripting language. To discover the supported cmdlets in the VMM Management Shell, open the command shell and execute the Get-Command *-vmm* command. This command produces a command list that shows only the cmdlets belonging to VMM. For each cmdlet, help documentation can be accessed by using the Get-Help or help cmdlet, as shown in the following example: Get-Help
If more information is needed about a cmdlet, you can use the -Full or -Detailed parameters for the Get-Help cmdlet. For example: Get-Help Get-VMMManagedComputer -Detailed
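A small agent-health check is a typical first script for the command shell, because an agent that stops responding silently takes a host or library out of use. The following is an added example, not code from the book; it is built only on the Get-VMMManagedComputer cmdlet and the Name, RoleString and StateString properties shown in Figure 13.2.

```powershell
# Added example (not from the book): report managed computers (hosts and
# library servers) whose VMM agent is not in the Responding state. Uses the
# cmdlet and properties visible in Figure 13.2; nothing else is assumed.

# Refuse to run outside the VMM command shell rather than fail half-way.
if (-not (Get-Command Get-VMMManagedComputer -ErrorAction SilentlyContinue)) {
    throw 'VMM cmdlets are not loaded; run this from the VMM command shell'
}

# @() forces arrays so .Count is valid even for zero or one result.
$computers = @(Get-VMMManagedComputer)
$unhealthy = @($computers | Where-Object { $_.StateString -ne 'Responding' })

"{0} managed computers, {1} not responding" -f $computers.Count, $unhealthy.Count

# Same three columns as Figure 13.2, non-responding entries only.
$unhealthy | Sort-Object RoleString, Name |
             Format-Table Name, RoleString, StateString -AutoSize

# Non-zero exit code when anything is unhealthy, so a scheduled task can alert.
exit $unhealthy.Count
```

Scheduled on the VMM server, the exit code gives a simple signal that an agent has gone quiet; the Operations Manager integration described under Monitoring and Reporting is the richer alternative once the Server Virtualization Management Pack is in place.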
Understanding Virtual Machine Conversions Using VMM, administrators can convert existing physical computers into virtual machines (VMs). This process is known as a physical-to-virtual, or P2V, conversion. Additionally, VMM can also be used to convert virtual machines from other virtualization platforms, such as VMware ESX and Microsoft Virtual Server to Windows Hyper-V. This process is known as virtual-to-virtual, or V2V, conversion. Details about each of these types of conversion processes are provided in the following sections.
Working with P2V Conversions There are two methods for converting physical computers to virtual machines. The first method, called an online P2V conversion, is performed using the Volume Shadow Copy Service (VSS) to copy data while the server continues to service user requests. During this type of conversion, the operations of the source computer are not interrupted, which might cause data consistency issues depending on what that computer is being used for. The second conversion method, called an offline P2V conversion, is performed by restarting the source computer into the Windows Preinstallation Environment (Windows PE) and VMM then clones the physical disk or disks to Virtual Hard Disk (VHD) format. Once the cloning process is complete, the source computer is then restarted and returned to operations. Unlike an online P2V conversion, an offline P2V conversion does not suffer from data consistency issues and should be used when the source computer's workload cannot tolerate an inconsistent copy. To perform a P2V conversion, the source computer must meet the following requirements: • Must have at least 512MB of RAM • Cannot have any volumes larger than 2040GB • Must have an Advanced Configuration and Power Interface (ACPI) BIOS; Vista WinPE will not install on a non-ACPI BIOS • Must be accessible by VMM and by the host computer Table 13.1 shows the supported operating systems that VMM can convert using the P2V process.
TABLE 13.1 Supported Operating Systems for P2V Conversion

Operating System                        P2V Online   P2V Offline
Windows Server 2008 with Hyper-V        No           No
Windows Server 2008                     Yes          Yes
Windows Server 2008 x64                 Yes          Yes
Windows Server 2008 R2 x64              Yes          Yes
Windows Web Server 2008 R2              Yes          Yes
Windows Server 2003 SP2 or later        Yes          Yes
Windows Server 2003 x64 SP2 or later    Yes          Yes
Windows 2000 SP4 or later               No           Yes
Windows XP SP2 or later                 Yes          Yes
Windows XP x64 SP2 or later             Yes          Yes
Windows Vista SP1 or later              Yes          Yes
Windows Vista x64 SP1 or later          Yes          Yes
Windows 7 all versions                  Yes          Yes
NOTE VMM does not support P2V conversion of Windows NT Server 4.0 source computers. These computers can be migrated using the Microsoft Virtual Server 2005 Migration Toolkit (VSMT) or third-party solutions.
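The requirements list and Table 13.1 above are easy to check before the wizard is even started, which avoids discovering a blocked conversion at the Conversion Information page. The following is an added example, not code from the book: a pre-flight script that queries the source computer over WMI for RAM, volume sizes, operating system and service pack, compares them with the requirements and the table, and says which conversion method the table permits. The source computer name is a constructed placeholder; the ACPI BIOS requirement is not tested here and is left to the wizard's own scan, and the Win32_ServerFeature name used to detect the Hyper-V role is an assumption.

```powershell
# Added example (not from the book): pre-flight check of a P2V source computer
# against the requirements above (512MB RAM, no volume over 2040GB, winmgmt
# reachable) and the operating systems in Table 13.1. Standard WMI classes
# only; the source name is constructed. ACPI is left to the wizard's scan.

$source = 'fileserver01.companyabc.com'   # constructed source computer name
$cred   = Get-Credential                  # local administrator on the source

# Table 13.1 as data. Pattern is matched against Win32_OperatingSystem.Caption,
# MinSP is the service-pack floor from the table, Online is whether the
# online (VSS) method is allowed. More specific names come first so that
# "Windows Server 2008 R2" is not caught by the "Windows Server 2008" row.
$supported = @(
    @{ Pattern = 'Windows Server 2008 R2';     MinSP = 0; Online = $true  },
    @{ Pattern = 'Windows Web Server 2008 R2'; MinSP = 0; Online = $true  },
    @{ Pattern = 'Windows Server 2008';        MinSP = 0; Online = $true  },
    @{ Pattern = 'Windows Server 2003';        MinSP = 2; Online = $true  },
    @{ Pattern = 'Windows 2000';               MinSP = 4; Online = $false },
    @{ Pattern = 'Windows XP';                 MinSP = 2; Online = $true  },
    @{ Pattern = 'Windows Vista';              MinSP = 1; Online = $true  },
    @{ Pattern = 'Windows 7';                  MinSP = 0; Online = $true  }
)

$issues = @()

# A failing WMI query has the same causes the note below gives for a failed
# Scan System: winmgmt stopped, or a firewall blocking WMI.
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $source `
                        -Credential $cred -ErrorAction Stop
} catch {
    throw "WMI query to $source failed (winmgmt stopped or firewall blocking WMI): $_"
}
$cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $source -Credential $cred

# Requirement: at least 512MB of RAM.
$ramMB = [math]::Floor($cs.TotalPhysicalMemory / 1MB)
if ($ramMB -lt 512) { $issues += "RAM is ${ramMB}MB; P2V requires at least 512MB" }

# Requirement: no volume larger than 2040GB. Win32_LogicalDisk with DriveType 3
# (local fixed disk) exists on every OS in the table, unlike Win32_Volume.
Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3' `
              -ComputerName $source -Credential $cred | ForEach-Object {
    $gb = [math]::Round($_.Size / 1GB, 1)
    if ($gb -gt 2040) { $issues += "Volume $($_.DeviceID) is ${gb}GB; the VHD limit is 2040GB" }
}

# Table 13.1: OS must be listed, at the required service pack or later.
$row = $supported | Where-Object { $os.Caption -match $_.Pattern } | Select-Object -First 1
if (-not $row) {
    $issues += "Operating system '$($os.Caption)' is not in Table 13.1"
} elseif ($os.ServicePackMajorVersion -lt $row.MinSP) {
    $issues += "'$($os.Caption)' is at SP$($os.ServicePackMajorVersion); Table 13.1 requires SP$($row.MinSP) or later"
}

# First row of the table: a source running the Hyper-V role is not converted.
# Win32_ServerFeature exists only on Windows Server 2008 and later, and the
# feature name 'Hyper-V' is assumed here.
$hyperv = Get-WmiObject -Class Win32_ServerFeature -ComputerName $source -Credential $cred `
                        -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq 'Hyper-V' }
if ($hyperv) { $issues += 'Source runs the Hyper-V role; P2V is not supported (Table 13.1)' }

if ($issues.Count -eq 0) {
    $method = if ($row.Online) { 'online (VSS)' } else { 'offline (Windows PE)' }
    "$source passes pre-flight; Table 13.1 permits the $method method for '$($os.Caption)'"
} else {
    $issues | ForEach-Object { "FAIL: $_" }
}
```

The script needs the same local administrator credential the wizard asks for on its Select Source page, and it reports a Windows 2000 source as offline-only, matching the table; whether an online conversion is acceptable for a supported OS still depends on the consistency concern discussed above.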
Performing a P2V Online Conversion To simplify the P2V conversion process, VMM provides a task-based wizard. Additionally, the P2V process can be completely scripted so that you can perform large-scale P2V conversions using the Windows PowerShell command line. To complete a P2V online conversion using the Convert Physical Server Wizard, complete the following steps: 1. Ensure that the source computer meets the operating system and additional requirements listed earlier in this section for P2V conversions. 2. Next, log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role. 3. Next, open the Administrator Console using either the desktop or Start menu icon. 4. Once the console has loaded, click Convert Physical Server in the Actions pane. This starts the Convert Physical Server Wizard, as shown in Figure 13.3.
FIGURE 13.3 Convert Physical Server (P2V) Wizard.
5. Once the Convert Physical Server Wizard has started, define the following variables on the Select Source page: • Computer Name—Enter the name of the physical computer or click the Browse button to locate the computer object to convert in Active Directory. • User Name—Enter a username of an account with local administrator rights on the source computer. • Password—Enter the password for the local administrator user account. • Domain—Enter the domain of the local administrator user account if it is not already populated.
NOTE You should perform a disk defragmentation on the source computer's hard drives to help minimize the time required for the cloning process. Also, ensure that a fast network connection exists between the source and the VMM server.
6. Once you have finished defining the desired source information, click Next. 7. On the Virtual Machine Identity page, define the following variables: • Virtual Machine Name—Enter a new name for the virtual machine or accept the default name, which is the same as the source computer if an Active Directory-based computer was selected. Renaming the virtual machine name only renames the virtual machine as it appears in the Administrator Console. It does not rename the actual computer account in Active Directory. • Owner—Accept the prepopulated <domain>\<username> value, enter a new <domain>\<username> value, or click Browse to choose a new value. The owner account for the new virtual machine must be a member of Active Directory. This account is only used to identify the owner of the new virtual machine. It does not assign any rights to the virtual machine itself. • Description—This optional field is used to describe the virtual machine. 8. Once you have finished defining the desired virtual machine identity information, click Next. 9. On the Gather System Information page, click the Scan System button. By doing so, you begin a survey of the physical source computer and display a list of operating system, hardware, and software components installed, as shown in Figure 13.4. It also identifies any missing components that are required for the P2V conversion to run. To complete the scan, the wizard installs agent software on the source computer to gather this information and removes it when the conversion is complete.
FIGURE 13.4 Gather System Information page. (The page's text reads: "To gather system information VMM temporarily installs a VMM agent on the source machine. Click Scan System to install the agent and begin gathering system information." It also warns that an offline P2V conversion of a source machine with encrypted volumes might render the system unbootable and recommends against converting such a machine.)
NOTE If the scan fails, ensure that the winmgmt (Windows Management Instrumentation) service is running on the source computer and that a firewall is not blocking HTTP and WMI traffic to the VMM server. A firewall exception will be created for the remote administration service (RemoteAdmin) if a firewall is installed on the source computer. The administrator can remove this exception after the conversion operation is complete.
10. Once the scan has completed and the System Information Results window displays the operating system, hard drives, and network adapter information gathered from the survey, click Next. 11. On the Volume Configuration page, review the list of disk volumes detected and make changes, if required: • Deselect volumes that should not be included in the new virtual machine. • Increase the size of the VHD for each volume. The size of a VHD can be increased, but not decreased. The minimum size is determined by the size of actual data on the volume.
• Choose to configure the VHD type to be dynamic (the default) or fixed. Dynamic VHDs automatically grow as more data is saved to the disk. Fixed VHDs are created with the full allocated disk space as configured by the administrator. • Configure the channel that the VHD will use. Options include up to 2 IDE channels and up to 62 SCSI channels each on 4 virtual SCSI buses (providing up to 250 separate channels total). Click Next to continue. 12. Once you have finished defining the desired volume configuration settings, click Next. 13. On the Virtual Machine Configuration page, select the number of processors and RAM to use on the new virtual machine. The number of processors available for selection is limited by the number of physical processors available in the source computer. The default amount of memory specified by the wizard is equal to the amount of physical RAM in the source computer. 14. Once you have finished defining the desired virtual machine configuration settings, click Next. 15. On the Select Host page, select the most suitable host server to deploy the new virtual machine to, as shown in Figure 13.5. Each host has a star rating (from zero to five stars) indicating its suitability to host the new virtual machine. • The Details tab displays the status, operating system, virtualization software platform, virtualization software status, and names of the virtual machines running on the selected host. • The Rating Explanation tab explains what the star rating means for the selected host and tells what requirements are met for the virtual machine by this host. • The SAN Explanation tab describes the suitability of the host to connect to a SAN for virtual machine storage. Items listed here include Fibre Channel host bus adapters (HBAs) installed and iSCSI initiators installed.
NOTE If a large number of hosts are listed, the administrator can use the Host Group, Look For, or Group By fields to display a smaller set of possible hosts. Additionally, the ratings can be customized using the Customize Ratings button. Here, the administrator can select multiple criteria and assign weights of importance for each component, such as processor load, memory used, network utilization, and so forth.
16. Once you have finished selecting the desired host server, click Next. 17. On the Select Path page, select the folder where the files associated with the new virtual machine should be placed. Either accept the default location or click Browse to select a different path. After selecting the desired path, click Next.
FIGURE 13.5 Selecting the virtual machine host server.
18. On the Select Networks page, the Virtual Network drop-down menu displays all the current networks available on the selected host server. Select Not Connected or the appropriate virtual network for the virtual machine to use. After selecting the desired virtual network connection, click Next.
19. On the Additional Properties page, configure the following:
• Automatic Start Action—Select the action to perform for this virtual machine when the physical host starts. Available actions are as follows: Never automatically turn on the virtual machine, Always automatically turn on the virtual machine, or Automatically turn on the virtual machine if it was running when the physical server stopped.
• Automatic Stop Action—Select the action to perform for this virtual machine when the physical host server stops. Available actions are as follows: Save state, Turn off virtual machine, or Shut down guest OS.
20. On the Conversion Information page, any issues that were encountered while checking the source computer for P2V conversion suitability are displayed. If no issues were detected, click Next. Otherwise, review the issues that were detected by the wizard. These issues must be resolved before the P2V conversion can succeed. Each issue listed is accompanied by a solution that explains how to resolve it. After all issues have been resolved, click the Check Again button to rerun the survey until no issues are found.
CHAPTER 13 Managing a Hyper-V Environment with Virtual Machine Manager 2008 R2
21. The Summary page displays a summary of the settings selected in the Convert Physical Server Wizard. Carefully review these settings and click Create to proceed with the P2V conversion or click Previous to go back and change the configuration.
• An optional check box can be selected to start the virtual machine immediately after deploying it to the host.
• As with many actions performed from the VMM Administrator Console, the Convert Physical Server Wizard offers a View Script button. This option enables the administrator to view, modify, and save the PowerShell commands that the wizard will execute to perform the P2V conversion, as shown in Figure 13.6.
FIGURE 13.6 Convert physical server script. (The screenshot shows the generated script open in Notepad; the readable part of it is reproduced here, with the job group identifier and the -Path value cut off at the right edge of the window.)
# Convert Physical Server (P2V) Wizard Script
#
# Script generated on Friday, February 12, 2010 7:03:24 AM by Virtual Machine Manager
#
# For additional help on cmdlet usage, type get-help
# ------------------------------------------------------------------------
$Credential = get-credential
New-MachineConfig -VMMServer localhost -SourceComputerName "10.12.0.22" -Credential $Credential
$VMHost = Get-VMHost -VMMServer localhost | where {$_.Name -eq "hv02.companyabc.com"}
$MachineConfig = Get-MachineConfig -VMMServer localhost | where {$_.Name -eq "10.12.0.22"}
New-P2V -VMMServer localhost -VMHost $VMHost -RunAsynchronously -JobGroup f0f182d9-f6d5-4bc7-… -Credential $Credential -Path "C:\ProgramData\M…
22. Once you click Create, the Jobs dialog box opens showing the progress of the P2V conversion process, as shown in Figure 13.7. Use this dialog box to monitor the progress of the P2V conversion and confirm that the virtual machine is created successfully. If the job fails, read the error message in the Details pane for information about the cause of the failure and the recommended course of action to resolve the issue. Be patient; the conversion process takes several minutes or longer and consists of the following steps:
• Collect the machine configuration information.
• Add the source machine agent.
• Create the virtual machine.
• Copy the hard disk.
• Deploy the file (using the Background Intelligent Transfer Service, BITS).
• Make the operating system virtualizable.
• Start the virtual machine.
• Install the virtual machine components.
• Stop the virtual machine.
• Remove the source machine agent.
FIGURE 13.7 Jobs dialog box. (The job list shows Name, Status, Start Time, Result Name, and Owner for recent jobs; the Details pane for the running Physical-to-virtual conversion job shows the command New-P2V and the progress of its steps: Collect machine configuration, Add source agent, Create virtual machine, Copy hard disk.)
NOTE You can also access information about the current job that is being executed or past jobs by clicking the Jobs button in the Administrator Console.
Working with V2V Conversions
During a V2V conversion, an existing VMware ESX or Microsoft Virtual Server virtual machine configuration file and its associated virtual disk files are converted to Hyper-V-related formats. When conducting this type of conversion, VMM Administrators do not need administrative rights on the VMware virtual machine to complete the process because the V2V conversion is just converting files to another type of virtual machine file. Instead, the VMware virtual machine is simply turned off, and the files are copied to the VMM library for the conversion.
Performing a V2V Conversion
To simplify the V2V conversion process, VMM provides a task-based wizard. Additionally, the V2V process can be completely scripted so that you can perform large-scale V2V conversions using the Windows PowerShell command line. To complete a V2V conversion using VMware files that have been copied to a library share, complete the following steps:
1. Copy the VMX and VMDK files of the VMware virtual machine that you intend to convert to the library share on the appropriate VMM library server.
2. Next, log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role.
3. Next, open the Administrator Console using either the desktop or Start menu icon.
4. Once the console has loaded, go to the Library view by clicking the Library button, select the Library Server in the View pane, and then navigate to and select the library share where the VMware files were copied.
5. In the Actions pane, and under Library Share, click Refresh.
NOTE By clicking Refresh, all the files on the share are immediately indexed by VMM and are added to the Library view. Conversely, you can also wait for the library refresher to automatically complete a full reindex of the file-based resources on all library shares. By default, the library refresher completes a reindex every hour.
6. Next, click Convert Virtual Machine in the Actions pane. This starts the Convert Virtual Machine Wizard.
7. Once the Convert Virtual Machine Wizard has started, click the Browse button on the Select Source page; this opens the Select Virtual Machine Source dialog box, as shown in Figure 13.8.
8. Use the Select Virtual Machine Source dialog box to find the virtual machine that you intend to convert, then select the virtual machine and click OK.
9. Once you have selected the desired source virtual machine, click Next.
10. On the Virtual Machine Identity page, define the following variables:
• Virtual Machine Name—Enter a new name for the virtual machine or accept the default name, which is the display name of the source files added to the library share. Renaming the virtual machine only renames the virtual machine as it appears in the Administrator Console. It does not rename the actual computer account in Active Directory.
FIGURE 13.8 Select Virtual Machine Source dialog box. (The dialog lists the library's virtual machines with Name, Owner, Operating System, Type, Virtualization Platform, and Description columns; the entries shown are of type Virtual Machine with VMware ESX Server as the virtualization platform, for example chrome_os.)
• Owner—Accept the prepopulated <domain>\<username> value, enter a new <domain>\<username> value, or click Browse to choose a new value. The owner account for the new virtual machine must be a member of Active Directory. This account is only used to identify the owner of the new virtual machine. It does not assign any rights to the virtual machine itself.
• Description—This optional field is used to describe the virtual machine.
11. Once you have finished defining the desired virtual machine identity information, click Next.
12. On the Virtual Machine Configuration page, select the number of processors and RAM to use on the new virtual machine. Both settings are configured based on the configuration of the source virtual machine that was added to the library share.
13. Once you have finished defining the desired virtual machine configuration settings, click Next.
14. On the Select Host page, select the most suitable host server to host the virtual machine on. Each host has a star rating (from zero to five stars) indicating its suitability to host the virtual machine.
• The Details tab displays the status, operating system, virtualization software platform, virtualization software status, and names of the virtual machines running on the selected host.
• The Rating Explanation tab explains what the star rating means for the selected host and tells what requirements are met for the virtual machine by this host.
• The SAN Explanation tab describes the suitability of the host to connect to a SAN for virtual machine storage. Items listed here include Fibre Channel host bus adapters (HBAs) installed and iSCSI initiators installed.
NOTE If a large number of hosts are listed, the administrator can use the Host Group, Look For, or Group By fields to display a smaller set of possible hosts. Additionally, the ratings can be customized using the Customize Ratings button. Here, the administrator can select multiple criteria and assign weights of importance for each component, such as processor load, memory used, network utilization, and so forth.
15. Once you have finished selecting the desired host server, click Next.
16. On the Select Path page, select the folder where the files associated with the new virtual machine should be placed. Either accept the default location or click Browse to select a different path. After selecting the desired path, click Next.
17. On the Select Networks page, the Virtual Network drop-down menu displays all the current networks available on the selected host server. Select Not Connected or the appropriate virtual network for the virtual machine to use. After selecting the desired virtual network connection, click Next.
18. On the Additional Properties page, configure the following:
• Automatic Start Action—Select the action to perform for this virtual machine when the physical host starts. Available actions are as follows: Never automatically turn on the virtual machine, Always automatically turn on the virtual machine, or Automatically turn on the virtual machine if it was running when the physical server stopped.
• Automatic Stop Action—Select the action to perform for this virtual machine when the physical host server stops. Available actions are as follows: Save state, Turn off virtual machine, or Shut down guest OS.
19. The Summary page displays a summary of the settings selected in the Convert Virtual Machine Wizard. Carefully review these settings and click Create to proceed with the V2V conversion or click Previous to go back and change the configuration.
• An optional check box can be selected to start the virtual machine immediately after deploying it to the host.
• As with many actions performed from the VMM Administrator Console, the Convert Virtual Machine Wizard offers a View Script button. This option enables the administrator to view, modify, and save the PowerShell commands that the wizard will execute to perform the V2V conversion, as shown in Figure 13.9.
FIGURE 13.9 Convert virtual server script. (The screenshot shows the generated script open in Notepad; the readable part of it is reproduced here. The library share path in the -Location filter is cut off in the window.)
# Convert Virtual Machine Wizard Script
#
# Script generated on Saturday, February 13, 2010 5:59:02 AM by Virtual Machine Manager
#
# For additional help on cmdlet usage, type get-help
# ------------------------------------------------------------------------
$VM = Get-VM -VMMServer localhost -Name "chrome_os" | where {$_.LibraryServer.Name -eq "vmm1.companyabc.com"} | where {$_.Location -eq "\\vmm1.companyabc.com\MSSCVMMLibrary…"}
$VMHost = Get-VMHost -VMMServer localhost | where {$_.Name -eq "hv02.companyabc.com"}
New-V2V -VM $VM -VMHost $VMHost -Path "C:\ProgramData\Microsoft\Windows\Hyper-V" -Name "chrome_os" -Description "" -Owner "COMPANYABC\administrator" -RunAsynchronously -JobGroup 3d3c7473-8da6-42bb-b89a-2de63d9a5479 -Trigger -CPUCount 1 -MemoryMB 1000 -RunAsSystem -StartAction NeverAutoTurnOnVM -StopAction SaveVM
20. Once you click Create, the Jobs dialog box opens showing the progress of the V2V conversion process. Use this dialog box to monitor the progress of the V2V conversion and confirm that the virtual machine is created successfully. If the job fails, read the error message in the Details pane for information about the cause of the failure and the recommended course of action to resolve the issue. Be patient; the conversion process takes several minutes and consists of the following steps:
• Collect the machine configuration information from the VMX file.
• Create the virtual machine.
• Convert the VMDK file to a VHD file.
• Deploy the file (using LAN).
• Make the operating system virtualizable.
• Start the virtual machine.
• Install the virtual machine components.
• Stop the virtual machine.
• Remove the source VMX machine configuration.
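The text above notes that the V2V process can be fully scripted for large-scale conversions. The following is an added example, not a script from the book or generated by VMM, that converts a list of VMware virtual machines already copied to a library share using the same cmdlets the wizard's View Script output shows (Get-VMHost, Get-VM, New-V2V). The host name, library share path and placement path are taken from the figures; everything else is assumed: that the share path is complete as written, that the VM object's Location property can be matched with -like to single out the library copy, that a fresh GUID is an acceptable -JobGroup value, and the constructed list of source names.

```powershell
# Added example (not the book's or VMM's own script): batch V2V of VMware VMs
# whose VMX/VMDK files were copied to a VMM library share (steps 1-5 above).
# Assumptions not taken from the page: the share path is complete, the Location
# property can be matched with -like, and a new GUID may be used as -JobGroup.

$VMMServer    = "localhost"
$TargetHost   = "hv02.companyabc.com"                      # host name shown in the figures
$LibraryShare = "\\vmm1.companyabc.com\MSSCVMMLibrary"     # share path shown in Figure 13.9 (assumed complete)
$VhdPath      = "C:\ProgramData\Microsoft\Windows\Hyper-V" # placement path shown in Figure 13.9
$Owner        = "COMPANYABC\administrator"                 # owner shown in Figure 13.9

# Constructed list: the display names of the VMware VMs copied to the share.
$SourceNames = @("chrome_os")

# Resolve the target Hyper-V host once; stop early if it is not managed by this VMM server.
$VMHost = Get-VMHost -VMMServer $VMMServer | Where-Object { $_.Name -eq $TargetHost }
if (-not $VMHost) { throw "Host '$TargetHost' is not managed by VMM server '$VMMServer'." }

foreach ($Name in $SourceNames) {
    # Take only the library-resident copy: its Location is a path under the library share,
    # whereas an already deployed VM with the same name has a path on a host (assumption).
    $VM = Get-VM -VMMServer $VMMServer -Name $Name |
          Where-Object { $_.Location -like "$LibraryShare\*" }

    if (-not $VM) {
        # The share must have been refreshed (step 5) for the files to be indexed.
        Write-Warning "'$Name' is not indexed on $LibraryShare; refresh the share and retry."
        continue
    }

    # One job group per conversion, as in the wizard-generated script (GUID choice assumed).
    $JobGroup = [guid]::NewGuid().ToString()

    # NeverAutoTurnOnVM keeps the converted VM off until it has been reviewed, so it
    # does not come up on the network beside the powered-off VMware original by accident.
    New-V2V -VM $VM -VMHost $VMHost -Path $VhdPath -Name $Name `
        -Description "Converted from $($VM.Location)" -Owner $Owner `
        -RunAsynchronously -JobGroup $JobGroup -Trigger `
        -CPUCount 1 -MemoryMB 1000 -RunAsSystem `
        -StartAction NeverAutoTurnOnVM -StopAction SaveVM
}
```

Run it from a VMM PowerShell session on a console computer, as the same Administrator-role account the wizard steps require. Because New-V2V runs asynchronously, progress for each conversion appears as a separate job in the Jobs view described in step 20.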
Managing VMM User Roles
As discussed in Chapter 12, VMM implements a role-based access control (RBAC) model for managing administrative permissions. Using this model, each VMM Administrator and Self-Service User is assigned a role. Each role consists of an administrative profile that determines which actions a role member can perform and the scope for which virtual infrastructure objects these rights are applicable. Three types of user roles are available in VMM, as follows:
• Administrator Role—Members of the Administrator role have full rights to the virtual infrastructure and can perform all actions in the VMM Administrator Console. These administrators can create new Delegated Administrator and Self-Service User roles. Only members of this role can add additional members to the Administrator role. The Administrator role is created when VMM is installed for the first time in the domain. The user who installs VMM is automatically added to the Administrator user role during installation. There is only one Administrator user role in each domain.
• Delegated Administrator—Members of a Delegated Administrator role can perform all actions in the VMM Administrator Console that apply, or are scoped, to them. The scope of objects is defined during the creation of the role. The Delegated Administrator user role does not exist by default. There can be zero or more Delegated Administrator roles in each domain. Delegated Administrator roles are created by users who are members of the Administrator user role. Members of this user role can create new Delegated Administrator and Self-Service User roles, but only within the scope of objects that apply to them.
• Self-Service User—Members of a Self-Service User role can be granted rights to operate, create, manage, store, create checkpoints for, and connect to virtual machines (VMs) in their scope using the Self-Service Portal. This role is scoped by a member of the Administrator or Delegated Administrator role to pertain to a specific set of virtual infrastructure objects. Members of this role cannot manage their role or any other role in VMM. They also cannot create new user roles.
NOTE Members of the Administrator or a Delegated Administrator role cannot access the Self-Service Portal unless they are members of one or more Self-Service User roles.
Managing the Administrator User Role
To manage the Administrator user role, complete the following steps:
1. Log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role.
2. Next, open the Administrator Console using either the desktop or Start menu icon.
3. Once the console has loaded, go to the Administration view by clicking the Administration button, and then select User Roles from the view area.
4. Select the Administrator user role in the Results pane. The current members of the Administrator user role are displayed in the Results pane.
5. In the Actions pane, click Properties to display the properties of the role.
6. The User Role Properties dialog box opens. If desired, you can use the General tab to modify the description for the Administrator user role.
7. Click the Members tab. The current members are listed, as shown in Figure 13.10.
FIGURE 13.10 Managing members of the Administrator user role. (The Members tab of the Administrator role properties lists the role's members as domain accounts and groups, for example COMPANYABC\VMM1$ and COMPANYABC\Domain Admins, with Add and Remove buttons.)
8. To remove members from the Administrator user role, select the user to remove and click the Remove button.
NOTE There must be at least one member in the Administrator user role at all times. VMM does not allow you to remove all members of the Administrator user role.
9. To add members to the Administrator user role, click Add and enter the name or names of the users or security groups to add. Click the Check Names button to resolve the users or groups. Members must be users or security groups in the Active Directory where the VMM server is a member or in a domain where a full two-way trust exists.
10. Click OK to close the Administrator Properties window.
Creating a Delegated Administrator User Role
To create a Delegated Administrator user role, complete the following steps:
1. Log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role.
2. Next, open the Administrator Console using either the desktop or Start menu icon.
3. Once the console has loaded, go to the Administration view by clicking the Administration button, and then select User Roles from the view area.
4. In the Actions pane, click New User Role. This starts the Create User Role Wizard, as shown in Figure 13.11.
FIGURE 13.11 Create User Role Wizard.
5. Once the Create User Role Wizard has started, define the following variables on the General page:
• User Role Name—Enter the name for the new user role.
• Description—Enter a useful description for the new user role.
• Profile—This should be defined as Delegated Administrator.
6. Once you have defined the desired general information for the new role, click Next.
7. On the Add Members page, click Add to add new members to the role. Enter the name or names of the users or security groups to add. Click the Check Names button to resolve the users or groups. Members must be users or security groups in the Active Directory where the VMM server is a member or in a domain where a full two-way trust exists.
NOTE You may also choose to not populate the members of the new Delegated Administrator user role at this time. Members may be populated after the role is created.
8. Once you have finished adding the desired members to the new Delegated Administrator user role, click Next.
9. On the Select Scope page, as shown in Figure 13.12, select the objects that members of the new user role can manage. This process is called scoping; when scoping your virtual infrastructure, Delegated Administrators will not be able to view or monitor objects from the Administrator Console that are not selected on this page.
10. After you have finished scoping the objects for the new Delegated Administrator user role, click Next.
11. On the Summary page, carefully review the settings and click Create to proceed with the creation of the Delegated Administrator role or click Previous to go back and change the configuration.
Creating a Self-Service User Role
To create a Self-Service User role, complete the following steps:
1. Log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role.
2. Next, open the Administrator Console using either the desktop or Start menu icon.
3. Once the console has loaded, go to the Administration view by clicking the Administration button, and then select User Roles from the view area.
4. In the Actions pane, click New User Role. This starts the Create User Role Wizard, as shown previously in Figure 13.11.
FIGURE 13.12 Scoping the objects for the Delegated Administrator user role. (The Select Scope page asks you to select the host groups and library servers this user role can manage; the tree shows the All Hosts host group and, under All Libraries, the library server VMM1.companyabc.com.)
5. Once the Create User Role Wizard has started, define the following variables on the General page:
• User Role Name—Enter the name for the new user role.
• Description—Enter a useful description for the new user role.
• Profile—This should be defined as Self-Service User.
6. Once you have defined the desired general information for the new role, click Next.
7. On the Add Members page, click Add to add new members to the role. Enter the name or names of the users or security groups to add. Click the Check Names button to resolve the users or groups. Members must be users or security groups in the Active Directory where the VMM server is a member or in a domain where a full two-way trust exists.
NOTE You may also choose to not populate the members of the new Self-Service User role at this time. Members may be populated after the role is created.
8. Once you have finished adding the desired members to the new Self-Service User role, click Next.
9. On the Select Scope page, select the objects that members of the new user role can manage, and then click Next.
10. On the Virtual Machine Permission page, configure one of the following:
• Select All Actions to permit this Self-Service User role to perform all VMM tasks, as shown in Figure 13.13.
FIGURE 13.13 Defining virtual machine permissions. (The Virtual Machine Permissions page asks you to specify the actions that members will be able to perform on their virtual machines, with the choices All Actions and Only Selected Actions; the Approved Actions list shows the tasks Start, Stop, Pause and resume, Checkpoint, Remove, Local Administrator, Remote connection, and Shut down, each with a description matching Table 13.2.)
• Select Only Selected Actions. Table 13.2 lists all the actions available for the Self-Service User to run. Use the tasks in this list to scope the rights that Self-Service users have to their virtual machines.
11. Once you have finished defining the desired virtual machine permissions, click Next.
12. On the Virtual Machine Creation Settings page, if needed, enable the Allow Users to Create New Virtual Machines option to grant members of the Self-Service User role the rights needed to create their own virtual machines. When this option is enabled, you must specify the virtual machine templates Self-Service Users are allowed to use:
• In the Templates pane, click Add to add a new template that the Self-Service User can deploy.
• Optionally, you can also set a quota for deploying virtual machines. Quotas are used to limit the number of VMs the users can deploy.
TABLE 13.2 Self-Service User Virtual Machine Tasks
Task | Description
Start | Allows the user to start processing of a virtual machine.
Stop | Allows the user to stop processing of a virtual machine.
Pause & resume | Allows the user to pause processing of a virtual machine and resume processing after the virtual machine has been paused.
Checkpoint | Allows the user to manage checkpoints on a virtual machine.
Remove | Allows the user to delete and discontinue management of a virtual machine from VMM.
Local Administrator | Grants the user local administrator permission on virtual machines they create.
Remote connection | Allows the user to connect to and control the virtual machine remotely. This is also known as Virtual Machine Remote Control (VMRC) access.
Shut down | Allows the user to shut down the virtual machine.
13. Once you have defined the desired virtual machine creation settings, click Next.
14. On the Library Share page, if needed, enable the Allow Users to Store Virtual Machines in a Library option to grant members of the Self-Service User role the rights needed to store their own virtual machines on a library share. When this option is enabled, you must choose a library server to use and the library path that should be used to store users' virtual machines, as shown in Figure 13.14.
15. On the Summary page, carefully review the settings and click Create to proceed with the creation of the Self-Service User role or click Previous to go back and change the configuration.
Modifying User Roles
To modify user roles, complete the following steps:
1. Log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role.
2. Next, open the Administrator Console using either the desktop or Start menu icon.
3. Once the console has loaded, go to the Administration view by clicking the Administration button, and then select User Roles from the view area.
FIGURE 13.14 Defining the library share settings. (The Library Share page shows the Allow Users to Store Virtual Machines in a Library option, a Library Server list containing vmm1.companyabc.com with the description "Virtual Machine Manager server as library server", and a Library path field with a Browse button.)
4. In the Results pane, select the user role that you want to modify, and then click Properties in the Actions pane to display the properties of the role.
5. The User Role Properties dialog box opens. Using the following tabs, you can define the various settings for the user role:
• General—Use this tab to modify any of the general settings for the user role.
• Members—Use this tab to add or remove members as needed.
• Scope—Use this tab to define which objects this role has rights to. This is only valid for Delegated Administrator and Self-Service User roles.
• VM Permissions—Use this tab to define what virtual machine permissions members of this role will have. This is only valid for Self-Service User roles.
• Create VM—Use this tab to allow members of this role to create virtual machines. This is only valid for Self-Service User roles.
• Store VM—Use this tab to allow members of this role to store virtual machines in a library. This is only valid for Self-Service User roles.
6. Once you have finished defining the desired user role settings, click OK.
Removing User Roles
To remove a user role, complete the following steps:
1. Log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role.
2. Next, open the Administrator Console using either the desktop or Start menu icon.
3. Once the console has loaded, go to the Administration view by clicking the Administration button, and then select User Roles from the view area.
4. In the Results pane, select the user role that you want to remove, and then click Remove in the Actions pane.
5. When the confirmation prompt is displayed, click Yes to remove the user role.
Deploying Virtual Machines
This section describes how to deploy virtual machines on managed hosts using VMM. In this section, the process of virtual machine placement is discussed, you learn how to customize host ratings during placement, and you examine the procedures for deploying and migrating virtual machines to another host.
Virtual Machine Placement
The process of selecting the most suitable host upon which to deploy a virtual machine is called virtual machine placement. When you attempt to deploy a virtual machine using VMM, a list is created of all the managed host servers where the virtual machine can be placed. Each host is given a star rating, from zero to five stars, indicating its suitability for the given virtual machine. This star rating is based on the VM's hardware and resource requirements and each host's ability to fulfill these requirements. Host ratings also take resource maximization, fault tolerance, and load balancing into consideration.
NOTE If a virtual machine has been configured using the Make This VM Highly Available option, it can only be placed on Hyper-V host clusters. Hosts that are not clusters cannot host highly available virtual machines (HA VMs).
Automatic Placement For certain situations when a user or administrator attempts to deploy a virtual machine, VMM automatically determines which host server is the most suitable to be used for the deployment. This feature is called Automatic Placement and applies for the following scenarios:
• When virtual machines are deployed by Self-Service Users from the Self-Service Portal, the virtual machine is automatically deployed to the most suitable host server in the specified host group.
• When the drag-and-drop method of migration within the Administrator Console is used, the virtual machine is automatically deployed to the most suitable host server in the target group.
NOTE For Automatic Placement to succeed, a virtual machine path must be configured on the host's VMM volume using the Placement tab of the host Property dialog box.
Customizing Host Ratings
If needed, you can also customize the default global criteria used to create host ratings using the following steps:
1. Log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role.
2. Next, open the Administrator Console using either the desktop or Start menu icon.
3. Once the console has loaded, go to the Administration view by clicking the Administration button, and then select General from the view area.
4. Select Placement Settings in the Results pane and then click Modify in the Actions pane.
5. In the Placement Settings dialog box, as shown in Figure 13.15, select the placement goal for determining the most suitable host servers for a virtual machine from one of the following choices:
• Load Balancing—Hosts with the most free resources receive the highest rating. This setting ensures the best virtual machine performance.
• Resource Maximization—Hosts that meet the virtual machine's required resources and have the least free resources receive the highest rating. This setting provides the highest virtual machine density on host servers.
• Resource Importance—Use the sliding scales in this section to select the relative importance of the following resources to virtual machines, from not important to very important: CPU Usage, Memory Free, Disk I/O, and Network Utilization.
NOTE By default, CPU Usage and Memory Free are given more importance than Disk I/O and Network Utilization.
CHAPTER 13 Managing a Hyper-V Environment with Virtual Machine Manager 2008 R2
FIGURE 13.15 Placement Settings dialog box. (Placement goal: Load balancing or Resource maximization; Resource importance sliders, from Not Important to Very Important, for CPU usage, Memory free, Disk I/O, and Network utilization; Restore Defaults button.)
6. Once you have finished modifying the Placement Settings, click OK to save your changes.
Customizing Host Ratings for a Virtual Machine
You can also customize the host ratings when executing specific VMM wizards that affect the state of a virtual machine. When doing this, you override the global criteria used to create host ratings for the virtual machine-related action that is being performed. The VMM wizards where this behavior applies are as follows:
• New Virtual Machine Wizard
• Convert Physical Server (P2V) Wizard
• Convert Virtual Machine Wizard
• Deploy Virtual Machine Wizard
• Migrate Virtual Machine Wizard
To override the placement settings for a virtual machine, follow these steps on the Select Host page of the listed wizards:
1. Click the Customize Ratings button.
2. Select the appropriate Placement Goal for this virtual machine from either Load Balancing (most free resources available) or Resource Maximization (least free resources available).
3. Use the slider controls to adjust the importance of CPU Usage, Memory Free, Disk I/O, and Network Utilization.
4. On the VM Load tab, refine the workload characterization of the virtual machine using the following settings:
• CPU: Expected CPU utilization
• Disk: Required physical disk space (GB)
• Disk: Expected disk I/O per second (IOPS)
• Network: Expected utilization (megabits per second)
5. Click OK to continue the wizard.
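The per-virtual-machine override described above is exposed to scripts through Get-VMHostRating, which is what the wizards call behind the Customize Ratings button. The following PowerShell script is an added example, not code from the book or from VMM, that rates every host in a host group for one virtual machine with Resource Maximization as the goal, CPU and memory weighted above disk and network, and the VM Load values supplied explicitly, then prints the hosts best-first with the reason for any zero rating and compares the top choice against the Load Balancing goal. It assumes a VMM 2008 R2 server named vmm01.companyabc.com, a library virtual machine named SF-ACCT03, a host group named Production, that the priority parameters accept values from 0 to 10 matching the slider positions, and that the rating objects expose Rating, VMHost, and ZeroRatingReason properties (all assumptions about the cmdlet and object model).

```powershell
# Added example (not from the book). Assumes VMM 2008 R2 server vmm01.companyabc.com,
# a library VM named SF-ACCT03, and a host group named Production.
Add-PSSnapin Microsoft.SystemCenter.VirtualMachineManager -ErrorAction SilentlyContinue
$vmm   = Get-VMMServer -ComputerName "vmm01.companyabc.com"
$vm    = Get-VM -VMMServer $vmm -Name "SF-ACCT03"
$group = Get-VMHostGroup -VMMServer $vmm -Name "Production"
$hosts = Get-VMHost -VMMServer $vmm -VMHostGroup $group

# Rate the hosts with an explicit override of the global placement settings:
# Resource Maximization (Consolidate) as the goal, CPU and memory weighted
# above disk and network, and the expected VM load from the VM Load tab.
# Priority values 0-10 are assumed to correspond to the slider positions.
function Get-CustomRatings {
    Get-VMHostRating -VMHost $hosts -VM $vm `
        -PlacementGoal Consolidate `
        -CPUPriority 8 -MemoryPriority 8 -DiskIOPriority 3 -NetworkPriority 3 `
        -CPUUtilizationPercent 30 -DiskSpaceGB 60 -DiskIOPS 200 -NetworkUtilizationMBps 10
}

# Print hosts best-first. A zero-star host cannot receive the VM at all
# (for example, a non-clustered host for a VM marked highly available);
# ZeroRatingReason is an assumed property name on the rating object.
function Show-Ratings($ratings) {
    $ratings | Sort-Object Rating -Descending | ForEach-Object {
        "{0,-30} {1} stars" -f $_.VMHost.Name, $_.Rating
        if ($_.Rating -eq 0) { "    reason: " + $_.ZeroRatingReason }
    }
}

$custom = Get-CustomRatings
Show-Ratings $custom

# Compare with the Load Balancing goal to see how far the override changes
# the placement decision for this particular VM.
$topCustom  = $custom | Sort-Object Rating -Descending | Select-Object -First 1
$topDefault = Get-VMHostRating -VMHost $hosts -VM $vm -PlacementGoal LoadBalance |
    Sort-Object Rating -Descending | Select-Object -First 1
"Top host with Resource Maximization goal: " + $topCustom.VMHost.Name
"Top host with Load Balancing goal:        " + $topDefault.VMHost.Name
```

The zero-rating reasons are the scripted equivalent of the Rating Explanation tab: read them before overriding a placement decision by hand, because a zero rating usually reflects a hard constraint (cluster membership, missing virtual network, insufficient disk) rather than a weighting preference.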
Deploying Virtual Machines Using the Administrator Console
To deploy a virtual machine that's stored in the library using the VMM Administrator Console, complete the following steps:
1. Log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role.
2. Next, open the Administrator Console using either the desktop or Start menu icon.
3. Once the console has loaded, go to the Library view by clicking the Library button.
4. In the Navigation pane, expand the Library Servers node and the appropriate library server that holds the virtual machine that you want to deploy.
5. Next, select the VMs and Templates node to display the available virtual machines, as shown in Figure 13.16.
6. In the Results pane, select the virtual machine that you want to deploy.
7. In the Actions pane, click Deploy. This starts the Deploy Virtual Machine Wizard.
8. On the Select Host page, select the most suitable host server to deploy the new virtual machine to. Each host has a star rating (from zero to five stars) indicating its suitability to host the new virtual machine.
• The Details tab displays the status, operating system, virtualization software platform, virtualization software status, and names of the virtual machines running on the selected host.
• The Rating Explanation tab explains what the star rating means for the selected host and tells what requirements are met for the virtual machine by this host.
• The SAN Explanation tab describes the suitability of the host to connect to a SAN for virtual machine storage. Items listed here include Fibre Channel host bus adapters (HBAs) installed and iSCSI initiators installed.
FIGURE 13.16 Examining available VMs and templates. (Library view of the Administrator Console with the VMs and Templates node selected and the Actions pane on the right.)
NOTE If a large number of hosts are listed, the administrator can use the Host Group, Look For, or Group By fields to display a smaller set of possible hosts. Additionally, the ratings can be customized using the Customize Ratings button. Here, the administrator can select multiple criteria and assign weights of importance for each component, such as processor load, memory used, network utilization, and so forth.
9. Once you have finished selecting the desired host server, click Next.
10. On the Select Path page, select the folder where the files associated with the new virtual machine should be placed. Either accept the default location or click Browse to select a different path. After selecting the desired path, click Next.
11. On the Select Networks page, the Virtual Network drop-down menu displays all the current networks available on the selected host server. Select Not Connected or the appropriate virtual network for the virtual machine to use. After selecting the desired virtual network connection, click Next.
12. On the Additional Properties page, configure the following:
• Automatic Start Action—Select the action to perform for this virtual machine when the physical host starts. Available actions are as follows: Never automatically turn on the virtual machine, Always automatically turn on the virtual machine, or Automatically turn on the virtual machine if it was running when the physical server stopped.
• Automatic Stop Action—Select the action to perform for this virtual machine when the physical host server stops. Available actions are as follows: Save state, Turn off virtual machine, or Shut down guest OS.
13. The Summary page displays a summary of the settings selected in the Deploy Virtual Machine Wizard. Carefully review these settings and click Deploy to proceed with the virtual machine deployment or click Previous to go back and change the configuration.
• An optional check box can be selected to start the virtual machine immediately after deploying it to the host.
• As with many actions performed from the VMM Administrator Console, the Deploy Virtual Machine Wizard offers a View Script button. This option enables the administrator to view, modify, and save the PowerShell commands that the wizard will execute to perform the virtual machine deployment.
14. Once you click Deploy, the Jobs dialog box opens showing the progress of the virtual machine deployment. Use this dialog box to monitor the progress of the deployment and confirm that the virtual machine is deployed successfully. If the job fails, read the error message in the Details pane for information about the cause of the failure and the recommended course of action to resolve the issue.
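The View Script button in step 13 shows that the whole Deploy Virtual Machine Wizard reduces to a handful of cmdlets chained through a job group. The following PowerShell script is an added example, not code from the book or the wizard's own output, that performs steps 8 through 14 from the command shell: it picks the best non-zero-rated host in a host group, connects the virtual machine's first network adapter to a named virtual network on that host, sets the automatic start and stop actions, deploys the virtual machine from the library to a chosen path, and reports the failure message that the Jobs dialog would otherwise show. It assumes a VMM 2008 R2 server named vmm01.companyabc.com, a library virtual machine named SF-ACCT03, a host group named Production, a virtual network named "Internal LAN" on the selected host, a D:\VMs folder on that host, and that the job-group pattern and the StartAction/StopAction enumeration names match what the wizard emits (assumptions, labelled in the comments).

```powershell
# Added example (not from the book). Assumes VMM 2008 R2 server vmm01.companyabc.com,
# library VM SF-ACCT03, host group Production, virtual network "Internal LAN",
# and the path D:\VMs on the chosen host.
Add-PSSnapin Microsoft.SystemCenter.VirtualMachineManager -ErrorAction SilentlyContinue
$vmm   = Get-VMMServer -ComputerName "vmm01.companyabc.com"
$vm    = Get-VM -VMMServer $vmm -Name "SF-ACCT03"
$group = Get-VMHostGroup -VMMServer $vmm -Name "Production"

# Step 8: choose the best-rated host, skipping zero-rated hosts outright
# instead of letting the deploy job fail part-way through.
$best = Get-VMHostRating -VMHost (Get-VMHost -VMMServer $vmm -VMHostGroup $group) -VM $vm -PlacementGoal LoadBalance |
    Where-Object { $_.Rating -gt 0 } | Sort-Object Rating -Descending | Select-Object -First 1
if ($best -eq $null) { throw "No host in '$($group.Name)' can accept $($vm.Name)" }
$target = $best.VMHost

# Steps 11-12 are queued under one job group (assumed pattern, as in the
# wizard's View Script output) so VMM applies them as part of the deploy job.
$jobGroup = [Guid]::NewGuid().ToString()

# Step 11: connect the first NIC to a named virtual network on the target host;
# fail early if the network does not exist there rather than deploying unconnected.
$vnet = Get-VirtualNetwork -VMHost $target | Where-Object { $_.Name -eq "Internal LAN" }
if ($vnet -eq $null) { throw "Virtual network 'Internal LAN' is not present on $($target.Name)" }
$nic = Get-VirtualNetworkAdapter -VM $vm | Select-Object -First 1
Set-VirtualNetworkAdapter -VirtualNetworkAdapter $nic -VirtualNetwork $vnet.Name -JobGroup $jobGroup

# Step 12: automatic start/stop actions. A clean guest shutdown on host stop
# avoids leaving guest memory (and whatever secrets it holds) in a saved-state file.
Set-VM -VM $vm -StartAction TurnOnVMIfRunningWhenVSStopped -StopAction ShutdownGuestOS -JobGroup $jobGroup

# Steps 13-14: deploy to the chosen path and start the VM on the target.
# Any job failure surfaces as a terminating error carrying the same text the
# Jobs dialog shows in its Details pane.
function Deploy-FromLibrary {
    try {
        $deployed = Move-VM -VM $vm -VMHost $target -Path "D:\VMs" -StartVMOnTarget -JobGroup $jobGroup -ErrorAction Stop
        "Deployed {0} to {1}; status {2}" -f $deployed.Name, $deployed.VMHost.Name, $deployed.Status
    } catch {
        Write-Error ("Deployment of $($vm.Name) failed: " + $_.Exception.Message)
    }
}

Deploy-FromLibrary
```

Keeping the network and start/stop settings in the same job group as the move is what makes the script equivalent to the wizard: if the deployment fails, none of the queued property changes are applied to the library copy.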
Creating a Virtual Machine Using the Self-Service Portal
To create a new virtual machine using the Self-Service Portal, complete the following steps:
1. The Self-Service User opens the Self-Service Portal by entering the following URL in Internet Explorer:
• If the Self-Service Portal website is using a dedicated port, type http:// followed by the computer name of the web server, a colon (:), and then the port number (for example, http://vmm2008:8000).
• If the Self-Service Portal is configured to use host headers, type http:// followed by the host header name.
2. When prompted, enter a valid Self-Service User <domain>\<username> and password, and click the Log On button. The Self-Service Portal displays in the browser, as shown in Figure 13.17.
3. Once the portal has loaded, click New Computer in the Actions pane. This opens the New Virtual Machine window.
4. Select the correct Self-Service User role to use from the Role drop-down menu at the top of the New Virtual Machine window, as shown in Figure 13.18.
5. In the Creation Source section, select the template from which to create the new virtual machine.
FIGURE 13.17 The VMM Self-Service Portal. (List view of the user's virtual machines with columns for VM Name, Status, Owner, Memory, Disk, and Date Deployed; Actions pane with New Computer, Shut Down, Checkpoints, Connect to VM, and Remote Desktop.)
FIGURE 13.18 The New Virtual Machine window. (Role drop-down; Creation Source template list showing Name, Operating System, NIC, Memory, Disk, and Quota points; System Configuration fields for Name, Description, Computer name, Admin password, Confirm password, and Product key; quota points used and available at the bottom.)
6. In the System Configuration section, define the following variables:
• Name—Type a friendly name for the new virtual machine (for example, Windows Server 2008 x64 Accounting Server).
• Description—Type a description for the new virtual machine.
• Computer Name—Type the computer name of the new virtual machine (for example, SF-ACCT03).
• Administrator Password/Confirm Password—Enter and confirm the local administrator password for the new virtual machine.
• OS Product Key—Type the Microsoft product key for the new virtual machine.
NOTE The number of quota points, if any, is displayed at the bottom of the New Virtual Machine window. This indicates how many quota points the user has available. If the user does not have enough quota points available for this virtual machine, the user will be unable to deploy it.
7. After clicking the Create button, the new virtual machine is created and deployed. The Self-Service Portal updates to show the status of the deployment of the new virtual machine. The deployment might take a few minutes as files are copied to the host server and the virtual machine needs to be configured.
NOTE Details about the progress of the virtual machine deployment can be monitored by selecting the virtual machine in the Self-Service Portal, clicking Properties in the Actions pane, and then selecting the Latest Job tab.
Migrating Virtual Machines VMM provides the capability to move, or migrate, virtual machines quickly and easily between host servers. These migrations are performed using methods that are split into two categories. The first category is called a virtual machine migration, in which the virtual machine is moved from one host server to the other, or between cluster nodes. Details about the supported virtual machine migration technologies in VMM are shown in Table 13.3.
TABLE 13.3 Supported Virtual Machine Migration Technologies

Live Migration
    Technologies Used: Windows Server 2008 R2 Hyper-V; Windows Server 2008 Failover Cluster; ESX 3.0 and 3.5 with VMotion
    Migration Time: None

Quick Migration
    Technologies Used: Windows Server 2008 Hyper-V or later; Windows Server 2008 Failover Cluster
    Migration Time: Under a minute (the virtual machine is placed into a saved state while being moved between cluster nodes)

SAN Migration
    Technologies Used: Windows Server 2008 Hyper-V or later; Virtual Server 2005 R2; Virtual Disk Service (VDS) hardware providers; N-Port ID Virtualization (NPIV) on Emulex and QLogic Fibre Channel HBAs; iSCSI on EMC, HP, Hitachi, NetApp, and EqualLogic arrays
    Migration Time: Under a minute (the virtual machine is placed into a saved state while being moved between hosts using unmasking and masking operations at the SAN level)

Network Migration
    Technologies Used: Windows Server 2008 Hyper-V or later; Virtual Server 2005 R2; BITS for Virtual Server and Hyper-V; ESX 3.0 and 3.5; sFTP for ESX
    Migration Time: Minutes or hours for Windows Server 2008 Hyper-V or Virtual Server hosts (the virtual machine must be stopped or in a saved state for the entire duration of the transfer); under a minute for Windows Server 2008 R2 Hyper-V hosts (the virtual machine remains running during the transfer of its virtual disks and is placed into a saved state only to move its memory state and any differencing disks)
The second category is called a storage migration; when performing this type of migration, a virtual machine's files are moved to a different storage location on the same host server. Details about the supported storage migration technologies in VMM are shown in Table 13.4.
TABLE 13.4 Supported Storage Migration Technologies

Storage VMotion
    Technologies Used: ESX 3.5 with Storage VMotion
    Migration Time: None

Quick Storage Migration
    Technologies Used: Windows Server 2008 R2 Hyper-V; BITS for Hyper-V
    Migration Time: Under a minute (the virtual machine remains running during the transfer of its virtual disks and is placed into a saved state only to move its memory state and any differencing disks)
Using the Migrate Action
The Migrate Virtual Machine Wizard enables the administrator to migrate a virtual machine to another host using a VMM wizard, as follows:
1. Log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role.
2. Next, open the Administrator Console using either the desktop or Start menu icon.
3. Once the console has loaded, go to the Virtual Machines view by clicking the Virtual Machines button.
4. In the Results pane, select the virtual machine to migrate and click Migrate in the Actions pane. This starts the Migrate Virtual Machine Wizard.
NOTE If the selected virtual machine is currently running, VMM displays a pop-up dialog box warning the administrator that migrating the virtual machine will cause the virtual machine to be stopped, resulting in a temporary loss of service to all users of the machine. The virtual machine is not stopped until the migration actually begins. Click Yes to continue or No to quit.
5. On the Select Host page, select the most suitable host server to migrate the virtual machine to. Each host has a star rating (from zero to five stars) indicating its suitability to host the virtual machine.
• The Details tab displays the status, operating system, virtualization software platform, virtualization software status, and names of the virtual machines running on the selected host.
• The Rating Explanation tab explains what the star rating means for the selected host and tells what requirements are met for the virtual machine by this host.
• The SAN Explanation tab describes the suitability of the host to connect to a SAN for virtual machine storage. Items listed here include Fibre Channel host bus adapters (HBAs) installed and iSCSI initiators installed.
NOTE If a large number of hosts are listed, the administrator can use the Host Group, Look For, or Group By fields to display a smaller set of possible hosts. Additionally, the ratings can be customized using the Customize Ratings button. Here, the administrator can select multiple criteria and assign weights of importance for each component, such as processor load, memory used, network utilization, and so forth.
6. Once you have finished selecting the desired host server, click Next.
7. On the Select Path page, select the folder on the destination host where the files associated with the virtual machine should be placed. Either accept the default location or click Browse to select a different path. After selecting the desired path, click Next.
8. On the Select Networks page, the Virtual Network drop-down menu displays all the current networks available on the selected host server. Select Not Connected or the appropriate virtual network for the virtual machine to use. After selecting the desired virtual network connection, click Next.
9. The Summary page displays a summary of the settings selected in the Migrate Virtual Machine Wizard. Carefully review these settings and click Move to proceed with the virtual machine migration or click Previous to go back and change the configuration.
• An optional check box can be selected to start the virtual machine immediately after migrating it to the new host.
• As with many actions performed from the VMM Administrator Console, the Migrate Virtual Machine Wizard offers a View Script button. This option enables the administrator to view, modify, and save the PowerShell commands that the wizard will execute to perform the migration.
10. Once you click Move, the Jobs dialog box opens showing the progress of the virtual machine migration. Use this dialog box to monitor the progress of the migration and confirm that the virtual machine is migrated successfully. If the job fails, read the error message in the Details pane for information about the cause of the failure and the recommended course of action to resolve the issue.
Using the Migrate Storage Action The Migrate Storage action is used to perform a storage migration. To complete a storage migration for a virtual machine, complete the following steps:
1. Log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role.
2. Next, open the Administrator Console using either the desktop or Start menu icon.
3. Once the console has loaded, go to the Virtual Machines view by clicking the Virtual Machines button.
4. In the Results pane, select the virtual machine to migrate and click Migrate Storage in the Actions pane. This starts the Migrate Virtual Machine Wizard.
5. On the Select Path page, select the folder where the files associated with the virtual machine should be placed, as shown in Figure 13.19. Either accept the default location or click Browse to select a different path. After selecting the desired path, click Next.
FIGURE 13.19 The Select Path page. (Shows the selected host, hv01.companyabc.com, the virtual machine path C:\Temp VM Location, and a check box to add this path to the host's list of default virtual machine paths.)
6. The Summary page displays a summary of the settings selected in the Migrate Virtual Machine Wizard. Carefully review these settings and click Move to proceed with the storage migration or click Previous to go back and change the configuration.
7. Once you click Move, the Jobs dialog box opens showing the progress of the storage migration. Use this dialog box to monitor the progress of the migration and confirm that the storage migration completed successfully. If the job fails, read the error message in the Details pane for information about the cause of the failure and the recommended course of action to resolve the issue.
Dragging and Dropping the Virtual Machine onto a Host Server
In addition to using the Migrate Virtual Machine Wizard to move a virtual machine from one host server to another, you can also just drag and drop virtual machines between host servers. To drag and drop a virtual machine onto a host server, complete the following steps:
1. Log on to a computer that has the Administrator Console installed as a domain user account that is a member of the VMM Administrator role.
2. Next, open the Administrator Console using either the desktop or Start menu icon.
3. Once the console has loaded, go to the Virtual Machines view by clicking the Virtual Machines button.
4. In the Navigation pane, expand the various host groups, as shown in Figure 13.20, until you find the host server to which you want to migrate the virtual machine.
5. Next, in the Results pane, select the virtual machine to migrate and drag and drop it onto the new host. The VM is migrated to the new host.
FIGURE 13.20 Locating the host server on which to migrate the virtual machine. (Virtual Machines view with the host group tree expanded to show hv01.companyabc.com, the virtual machine list in the Results pane, and the Actions pane on the right.)
NOTE If the selected virtual machine is currently running, VMM displays a pop-up dialog box warning the administrator that migrating the virtual machine will cause the virtual machine to be stopped, resulting in a temporary loss of service to all users of the machine. The virtual machine is not stopped until the migration actually begins. Click Yes to continue or No to quit.
Dragging and Dropping the Virtual Machine onto a Host Group This process is the same as dragging and dropping the virtual machine onto a host server, as described previously, with a few differences. Instead of dropping the virtual machine onto a specific host, the virtual machine is dropped onto a host group that contains one or more hosts. Then Automatic Placement, as explained earlier in this chapter, automatically places the virtual machine on the most suitable host in the selected host group. Host selection is based on the host ratings defined either through the VMM global settings or by the override settings on the virtual machine's Properties page.
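The Migrate action, the Migrate Storage action, and the two drag-and-drop methods above are all the same Move-VM cmdlet with different targets. The following PowerShell script is an added example, not code from the book or from VMM, that wraps the three cases in functions: a migration to a named host, a storage migration on the same host, and an Automatic Placement move into a host group. Each one turns the wizard's downtime warning into an explicit -Force decision, refuses a zero-rated destination, and re-reads the virtual machine from VMM afterwards to confirm it really landed on the expected host and path rather than trusting the job summary. It assumes a VMM 2008 R2 server named vmm01.companyabc.com, a virtual machine named SF-ACCT03 already running on a host, a host named hv02.companyabc.com, a host group named Production, the paths D:\VMs and E:\VMs, that Get-VMHostRating accepts an -IsMigration switch, and that the virtual machine object exposes Status, VMHost, and Location properties (assumptions about the cmdlet and object model, noted in the comments).

```powershell
# Added example (not from the book). Assumes VMM 2008 R2 server vmm01.companyabc.com,
# VM SF-ACCT03 on a host, host hv02.companyabc.com, host group Production,
# and the paths D:\VMs and E:\VMs.
Add-PSSnapin Microsoft.SystemCenter.VirtualMachineManager -ErrorAction SilentlyContinue
$vmm = Get-VMMServer -ComputerName "vmm01.companyabc.com"

# The wizard warns that a running VM may be stopped; make that an explicit
# decision by requiring -Force before a running VM is moved at all.
function Confirm-Downtime($vm, [switch]$Force) {
    if ($vm.Status -eq "Running" -and -not $Force) {
        throw "$($vm.Name) is running and may be placed in a saved state during the move; notify its users and rerun with -Force"
    }
}

# Re-read the VM from VMM and check host and path, instead of trusting the
# job summary. Location is an assumed property holding the VM's folder on the host.
function Assert-Location($vmName, $expectedHost, $expectedPath) {
    $vm = Get-VM -VMMServer $vmm -Name $vmName
    if ($vm.VMHost.Name -ne $expectedHost) { throw "$vmName is on $($vm.VMHost.Name), expected $expectedHost" }
    if ($vm.Location -notlike "$expectedPath*") { throw "$vmName files are at $($vm.Location), expected under $expectedPath" }
    "{0}: host {1}, files {2}, status {3}" -f $vm.Name, $vm.VMHost.Name, $vm.Location, $vm.Status
}

# Migrate action: move to a named host after checking its rating for this VM.
# -IsMigration is assumed to rate the host for a move rather than a new deploy.
function Move-VMToHost($vmName, $hostName, $path, [switch]$Force) {
    $vm = Get-VM -VMMServer $vmm -Name $vmName
    Confirm-Downtime $vm -Force:$Force
    $target = Get-VMHost -VMMServer $vmm -ComputerName $hostName
    $rating = Get-VMHostRating -VMHost $target -VM $vm -IsMigration
    if ($rating.Rating -eq 0) { throw "Host $hostName cannot accept $vmName - $($rating.ZeroRatingReason)" }
    Move-VM -VM $vm -VMHost $target -Path $path -ErrorAction Stop | Out-Null
    Assert-Location $vmName $hostName $path
}

# Migrate Storage action: same host, different path (Quick Storage Migration
# on a Windows Server 2008 R2 host; assumed to be expressed as Move-VM to the same host).
function Move-VMStorage($vmName, $newPath, [switch]$Force) {
    $vm = Get-VM -VMMServer $vmm -Name $vmName
    Confirm-Downtime $vm -Force:$Force
    Move-VM -VM $vm -VMHost $vm.VMHost -Path $newPath -ErrorAction Stop | Out-Null
    Assert-Location $vmName $vm.VMHost.Name $newPath
}

# Drag-and-drop onto a host group: Automatic Placement picks the best-rated host
# in the group other than the one the VM is already on.
function Move-VMToGroup($vmName, $groupName, $path, [switch]$Force) {
    $vm = Get-VM -VMMServer $vmm -Name $vmName
    Confirm-Downtime $vm -Force:$Force
    $group = Get-VMHostGroup -VMMServer $vmm -Name $groupName
    $best = Get-VMHostRating -VMHost (Get-VMHost -VMMServer $vmm -VMHostGroup $group) -VM $vm -IsMigration |
        Where-Object { $_.Rating -gt 0 -and $_.VMHost.Name -ne $vm.VMHost.Name } |
        Sort-Object Rating -Descending | Select-Object -First 1
    if ($best -eq $null) { throw "No suitable host for $vmName in host group $groupName" }
    Move-VM -VM $vm -VMHost $best.VMHost -Path $path -ErrorAction Stop | Out-Null
    Assert-Location $vmName $best.VMHost.Name $path
}

Move-VMToHost  "SF-ACCT03" "hv02.companyabc.com" "D:\VMs" -Force
Move-VMStorage "SF-ACCT03" "E:\VMs" -Force
Move-VMToGroup "SF-ACCT03" "Production" "D:\VMs" -Force
```

Using a common virtual machine path such as D:\VMs on every host, as the best practices below recommend, is what lets the host-group function pass one path regardless of which host Automatic Placement selects.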
Summary
This chapter focused on how Virtual Machine Manager 2008 R2 can be used to manage an organization's virtual infrastructure. As shown in this chapter, VMM can be managed using the Administrator Console and the command shell. By using these interfaces, administrators can execute such VMM-related tasks as performing virtual machine conversions (P2V and V2V), managing user roles, deploying new virtual machines, and migrating virtual machines to new host servers or new storage locations. VMM is a powerful management tool with many useful features built in to it. For example, virtual machines can easily be deployed using both the Administrator Console and the Self-Service Portal. Virtual machine migration can be performed easily using wizards or simple drag-and-drop methods. Lastly, Hyper-V virtual machines can be created from physical servers using P2V conversion. Because an online P2V conversion uses the Volume Shadow Copy Service (VSS), it can be performed without disrupting the physical server, which makes P2V a practical way to reduce the number of physical servers in the organization's environment.
Best Practices
The following are best practices from this chapter:
• Use VMM's P2V function to convert physical computers to virtual machines.
• Use VMM's V2V function to convert virtual machines created on VMware ESX to Hyper-V virtual machines.
• Use the online P2V process to convert physical computers to virtual machines without disrupting the online server.
• Use the offline P2V process to convert offline physical computers to Hyper-V virtual machines.
• Use the Microsoft Virtual Server 2005 Migration Toolkit (VSMT) to convert Windows NT Server 4.0 computers to virtual machines.
• Perform a disk defragmentation on the source computer before performing the P2V conversion.
• Ensure that a fast network connection exists between the source computer and the VMM server.
• Use the owner property of a virtual machine to identify the owner or contact person for the virtual machine.
• Ensure that the WMI service is running on the source computer and that a firewall is not blocking HTTP and WMI traffic to the VMM server.
• Remove the RemoteAdmin firewall exception, if necessary, after the conversion is complete to increase server security.
• Increase the size of a VHD to allocate more space for the virtual machine if necessary.
• Use the Customize Ratings button to customize the importance of computer and network resources available on hosts.
• Use the Jobs view to monitor the progress of P2V and V2V conversions.
• Review the details in the Jobs view for errors and to determine the cause of failures and the recommended course of action to resolve issues.
• Pay special attention to collect any data that was changed on the source server after an online conversion process was begun.
• Copy VMware ESX VMX and VMDK files to a VMM library that is closest to the host server to speed virtual machine conversion.
• Always refresh the VMM library server after adding files to the library.
• Use the P2V process to create a virtual copy of the organization's production environment for testing.
• Use role-based access control (RBAC) to define the administrator roles in VMM.
• Because the Administrator user role has full access to the VMM infrastructure, limit the number of members of this group as much as possible.
• Use the Delegated Administrator user role to scope administrators to a specific set of objects in VMM.
• Create a VMM Administrators group in Active Directory and add that group to the Administrator role in VMM. This is better than adding an individual user account, in case that user account is deleted.
• Create security groups in Active Directory and use these groups to define members of the Delegated Administrator and Self-Service User roles in VMM.
• Monitor the members of Delegated Administrator user roles because Delegated Administrators can manage the groups they are members of.
• Add Administrators or Delegated Administrators to the Self-Service User role if Self-Service Portal access is required.
• Run wizards, such as the Create Virtual Machine Wizard, to view, customize, and save the PowerShell scripts that the wizard will run.
• Build a collection of PowerShell scripts that perform commonly used VMM administration tasks.
• Scope the VMM library resources that Self-Service Users can access by creating their own folders in the VMM library share.
• Use a common virtual machine path on all host servers to ensure that virtual machine migrations will succeed.
• Use quota points for Self-Service Users to control the number of virtual machines they can deploy to hosts.
• Monitor the progress of virtual machine migrations using the Jobs view in the Administrator Console or the Properties page of the virtual machine in the Self-Service Portal.
• Notify users of an active virtual machine before migrating it to a new host because the virtual machine might be temporarily stopped during the migration.
• Use Automatic Placement of migrated virtual machines by using the "drag and drop onto a host group" method.
CHAPTER 14
Service Manager 2010 Design, Planning, and Implementation

IN THIS CHAPTER
• Explaining How Service Manager Works
• Service Manager Design Parameters
• Putting It All Together in a Service Manager Design
• Planning a Service Manager Deployment
• Deploying Service Manager
• Deploying Service Manager Connectors
• Backing Up Service Manager 2010

Information technology (IT) has grown simultaneously more complex and more central to the success of the organizations it serves. And to meet modern economic pressures, IT departments have to become more efficient and do more with less. To meet these challenges, organizations are embracing, or being forced to embrace by regulatory agencies, service management processes and the frameworks that describe them. These frameworks include the following:
• Microsoft Operations Framework (MOF)
• IT Infrastructure Library (ITIL)
• Control Objectives for Information and Related Technology (COBIT)
• ISO/IEC 20000, the International Organization for Standardization's IT service management standard
These frameworks help organizations integrate people, processes, and technologies into a uniform process. System Center Service Manager 2010 is a comprehensive tool for automating and tracking those service management processes. SvcMgr includes a number of predefined service management processes and provides a platform for developing others. The included processes are as follows:
• Incident and problem management
• Change control
• Asset management
Service Manager integrates information from a variety of sources, including the following:
• Active Directory
• Configuration Manager
• Operations Manager
This information is integrated in a configuration management database (CMDB). This is, in turn, integrated into a variety of processes, enabling best-practices enforcement and tracking. In particular, SvcMgr addresses a common request from Microsoft users for an incident tracking system that automatically generates trouble tickets (that is, incidents) for issues that are discovered by the System Center family members, Operations Manager and Configuration Manager. These incidents automatically associate the affected services and items, displaying key information about those services and items from the CMDB. This level of synthesis of operations and configuration data into an incident-tracking system is extremely helpful for IT professionals.
Explaining How Service Manager Works

Service Manager 2010 is a new product for Microsoft. It constitutes a foray into areas where Microsoft has not ventured before. It moves the System Center suite up from the technical processes of monitoring systems, gathering inventory, and deploying applications to the business processes of change management, interacting with end users, and enforcing policies.
SvcMgr Processes

Service management processes are central to any modern IT organization. Standardizing, tracking, automating, and reporting on processes is critical to the success of the IT organization. Service Manager manages the following three major IT processes out of the box:
• Incident management
• Problem management
• Change management
These processes are embodied in Process Management Packs. These management packs include workflows, forms, reports, and templates to instrument and automate the processes. The incident management process is designed to drive the identification and resolution of service and system outages. The management pack provides integrated access to synthesized configuration and operational data, relationships between other systems, a search engine that accesses the collective database of IT assets, and automatic generation of incidents from Operations Manager and Configuration Manager. The incidents can be routed, escalated, reported on, and attached to problems. The problem management process is designed to drive the identification and resolution of root causes. These root causes might be the source of multiple incidents or change requests.
The Problem Management Pack integrates incidents and allows flagging of problems that are in process as well as actions taken to diagnose and resolve the problems. This facilitates resolving incidents while working toward a long-term solution to the root causes. The Change Management Pack is designed to ensure that changes are evaluated and approved before implementation, thus ensuring that the IT systems are stable and documented. The management pack enforces the creation of requests for change (RFC), automatically generates RFCs from incidents, provides a routing and review process, and even automates the changes themselves. In addition to the built-in service management processes, Service Manager can be extended with additional management packs and custom management packs can be developed.
SvcMgr Technologies

The Service Manager platform is built around a set of key technologies. These technologies enable the Service Manager capabilities. The technologies are as follows:
• Workflow engine—The workflow engine automates IT processes and facilitates the integration with System Center products such as Operations Manager and Configuration Manager.
• Data warehouse—The data warehouse consolidates data and allows consolidated reporting across the System Center products.
• Connector Framework—The Connector Framework provides integration with System Center products like Operations Manager and Configuration Manager, as well as Active Directory and third-party products.
• Configuration management database—The CMDB provides a central view of managed assets and relationships between objects.
• Self-Service Portals—The Self-Service Portals provide a web-based interface that allows users to reset their password, request software, and request support.
• Knowledge base—The knowledge base (KB) is a repository of solutions from both within the organization and from the industry at large. This knowledge base grows over time as incidents and problems are resolved.
These technologies help tie together the people, processes, and technologies central to the success of the organization.
SvcMgr Architecture Components

The Service Manager architecture consists of six major components. These are the components that can reside on different systems and must be accounted for when designing a Service Manager system.
NOTE All Service Manager components must be installed on Active Directory domain systems in the same forest. No Service Manager components can reside on workgroup systems or in other Active Directory forests.
The Service Manager components are as follows:
• Service Manager management server—The Service Manager management server is the component that runs the workflow engine, manages the CMDB, runs the connectors, and to which the console connects.
• Service Manager database—The Service Manager database, also known as the CMDB, is the storage for all the service management information, including objects, configuration information, relationships, and processes such as the problems, incidents, and change management. The CMDB is a superset of the database in Operations Manager. The Service Manager database is appropriately named ServiceManager.
• Service Manager data warehouse management server—The data warehouse management server hosts the server components of the data warehouse, such as the reporting engine.
• Service Manager data warehouse database—This database stores the long-term historical data from the Service Manager database and provides reporting on long-term trends and history. The data warehouse is composed of three separate databases: the DWStagingAndConfig, DWRepository, and DWDataMart databases.
• Service Manager console—The Service Manager console provides administrators, analysts, and help desk staff access to the functionality of Service Manager such as incidents, change management, reports, and administration.
• Service Manager Self-Service Portal—The Self-Service Web Portals provide browser-based access to Service Manager for end users and analysts. There are two separate portals, one for the end user (https://servername/EndUser) and one for the analyst (https://servername/Analyst).
The Service Manager 2010 architecture is shown in Figure 14.1, with all the major components and their data paths.

FIGURE 14.1 Service Manager 2010 architecture. (The figure shows the Service Manager database server, the data warehouse management server, and the data warehouse database server, with the data paths between them.)

The databases that make up the Service Manager data warehouse perform very specific roles in the data warehouse. Data travels in a three-stage process through the databases. This is the Extraction, Transformation, and Loading (ETL) process, which moves data from the Service Manager database into the data warehouse. The stages are as follows:
• Extraction—The data is extracted from the ServiceManager database and is populated into the DWStagingAndConfig database.
• Transformation—The data in the DWStagingAndConfig database is transformed into the proper format and stored in the DWRepository database.
• Loading—The data in the DWRepository database is finally loaded into the DWDataMart database.
Data warehouse reports are generated from the DWDataMart database.
Other key components are not architectural components, but are rather operational components. These operational components are as follows:
• Workflows—These are sequences of activities defined in management packs that model and enforce service management processes. These workflows are run by the Windows Workflow Foundation in Microsoft .NET Framework 3.5.
• Templates—Templates are predefined forms that allow the system to collect data. These can be both manually entered and automatically populated. Templates include constraints that help reduce errors and enforce policies.
• Connectors—Connectors provide links to other repositories of information, such as Active Directory, Operations Manager, and Configuration Manager. The connectors transfer and synchronize data into the CMDB. The connectors can leverage templates and workflows to automatically start processes based on the incoming data.
• Knowledge base—The KB is the information stored in the CMDB on how to resolve problems and incidents. This can come from external sources such as Microsoft TechNet and also from internal sources such as the IT professionals and the organization's own incident and problem history.
These architectural and operational components make up the Service Manager application and deliver the functionality of the application.
Service Manager Design Parameters

SvcMgr's simple installation and relative ease of use often belie the potential complexity of its underlying components. This complexity can be managed with the right amount of knowledge of some of the advanced concepts of SvcMgr design and implementation. Each SvcMgr component has specific design requirements, and a good knowledge of these factors is required before beginning the design of SvcMgr. Hardware and software requirements must be taken into account as well as factors involving specific SvcMgr components, such as the management servers, databases, connectors, and backup requirements.
Exploring Hardware Requirements

Having the proper hardware for SvcMgr to operate on is a critical component of SvcMgr functionality, reliability, and overall performance. Nothing is worse than overloading a brand-new server only a few short months after its implementation. The industry standard generally holds that any production servers deployed should remain relevant for three to four years following deployment. Stretching beyond this time frame might be possible, but the ugly truth is that hardware investments are typically short term and need to be replaced often to ensure relevance. Buying a less-expensive server might save money in the short term but could potentially increase costs associated with downtime, troubleshooting, and administration. That said, the following are the Microsoft-recommended minimums for any server running a SvcMgr 2010 server component:
• 2.5GHz 64-bit processor or faster
• 2 cores
• 4GB of random access memory (RAM)
These recommendations apply only to the smallest SvcMgr deployments and should be seen as minimum levels for SvcMgr hardware. More realistic deployments would have the following minimums:
• 2.66GHz 64-bit processor or faster
• 2-8 cores
• 8GB of RAM
Service Manager 2010 has relatively heavy database access requirements, so generous processor, disk, and memory are important for optimal performance. Future expansion and relevance of hardware should be taken into account when sizing servers for SvcMgr deployment, to ensure that the system has room to grow as work items and configuration items are added and the databases grow. If the Service Manager 2010 components are to be virtualized, the minimum requirements for the virtual machines are as follows:
• 2 virtual CPUs
• 8GB of RAM
This includes the Service Manager management server, the data warehouse management server, and the Self-Service Web Portal. However, the SQL servers should be installed on physical servers due to the loads placed on them. The minimum hardware requirements given in Table 14.1 are those needed to run the basic Service Manager components.
TABLE 14.1 Minimum Hardware Requirements

Component                                           Processor       Cores   Memory   Disk
Service Manager management server                   2.5GHz 64-bit   2       4GB      RAID 1
Service Manager database                            2.5GHz 64-bit   2       4GB      RAID 10
Service Manager data warehouse management server    2.5GHz 64-bit   2       4GB      RAID 1
Service Manager data warehouse database             2.5GHz 64-bit   2       4GB      RAID 10
Service Manager Self-Service Portal                 2.5GHz 64-bit   2       4GB      RAID 1
Service Manager console                             1.4GHz 32-bit   1       1GB      RAID 1
The minimum requirements are typically not enough for optimal performance. To get good console and reporting performance, the recommendations in Table 14.2 should be followed.
TABLE 14.2 Recommended Hardware Requirements

Component                                           Processor        Cores   Memory   Disk
Service Manager management server                   2.66GHz 64-bit   8       8GB      RAID 1
Service Manager database                            2.66GHz 64-bit   8       8GB      RAID 10
Service Manager data warehouse management server    2.66GHz 64-bit   2       8GB      RAID 1
Service Manager data warehouse database             2.66GHz 64-bit   8       8GB      RAID 10
Service Manager Self-Service Portal                 2.66GHz 64-bit   2       8GB      RAID 1
Service Manager console                             2.0GHz 32-bit    2       2GB      RAID 1
As can be seen from the recommendations, the Service Manager components have a relatively heavy memory and processing requirement. See the sample designs later in this chapter for recommendations based on specific numbers of users and computers.
Determining Software Requirements

SvcMgr components must be installed on 64-bit versions of the operating system and database. However, the console can be installed on a 32-bit platform. The database can be installed on the same server as SvcMgr or on a separate server, a concept that is discussed in more detail in following sections. The software requirements critical to the success of SvcMgr implementations are given in Table 14.3.

TABLE 14.3 Software Requirements

Component                                           Software
Service Manager management server                   Windows Server 2008 64-bit or Windows Server 2008 R2 64-bit; Microsoft .NET Framework 3.5 with SP1; Windows PowerShell 1.0
Service Manager database                            Windows Server 2008 64-bit or Windows Server 2008 R2 64-bit; SQL Server 2008 64-bit; Microsoft .NET Framework 3.5 with SP1
Service Manager data warehouse management server    Windows Server 2008 64-bit or Windows Server 2008 R2 64-bit; Microsoft .NET Framework 3.5 with SP1; Windows PowerShell 1.0
Service Manager data warehouse database             Windows Server 2008 64-bit or Windows Server 2008 R2 64-bit; SQL Server 2008 64-bit; Microsoft .NET Framework 3.5 with SP1
Service Manager Self-Service Portal                 Windows Server 2008 64-bit or Windows Server 2008 R2 64-bit; Internet Information Services 7; IIS 6 Metabase Compatibility; ASP.NET 2.0; SSL certificate
Service Manager console                             Windows Server 2008, Windows Server 2003 with SP1, Windows Vista, or Windows XP Pro with SP3; Microsoft .NET Framework 3.5 with SP1
NOTE Service Manager infrastructure components must be installed on either Standard or Enterprise Editions, including both the operating system and SQL Server.
SvcMgr components must be installed on a member server in a Windows Active Directory domain. It is commonly recommended to keep the installation of SvcMgr on a separate server or set of dedicated member servers that do not run any other applications that could compete with the Service Manager components for resources.
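The following script is an added example and is not from the book or from Microsoft. It is a pre-flight check that compares a candidate server with the minimums in Table 14.1, the operating system, edition, .NET Framework, and PowerShell requirements in Table 14.3, and the rule that every component must sit on an Active Directory domain member. It assumes Windows Server 2008 or 2008 R2 with Windows PowerShell 2.0 (the version that ships with 2008 R2), run elevated on the server being checked; the thresholds are parameters so the same script can be run against the Table 14.2 recommended values. It does not replace the prerequisite checker built into Service Manager setup.

```powershell
# Added example, not the book's code: pre-flight check of a Service Manager 2010 server
# against the book's Table 14.1 minimums, Table 14.3 software requirements and the
# domain-membership rule. Assumes Windows Server 2008/2008 R2, PowerShell 2.0, elevated.
param(
    [int]$MinCores       = 2,     # Table 14.1 minimum cores per server
    [int]$MinMemoryGB    = 4,     # Table 14.1 minimum RAM
    [double]$MinClockGHz = 2.5    # Table 14.1 minimum processor clock
)

$checks = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:checks += New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# Operating system: 64-bit Windows Server 2008 or 2008 R2, Standard or Enterprise edition.
$os = Get-WmiObject Win32_OperatingSystem
$osOk = ($os.Caption -match 'Windows Server 2008') -and ($os.OSArchitecture -like '64*')
Add-Check 'OS is 64-bit Windows Server 2008 or 2008 R2' $osOk "$($os.Caption), $($os.OSArchitecture)"
Add-Check 'OS edition is Standard or Enterprise' ($os.Caption -match 'Standard|Enterprise') $os.Caption

# Domain membership: no workgroup systems; all components must be in one forest.
$cs = Get-WmiObject Win32_ComputerSystem
Add-Check 'Server is a domain member' ([bool]$cs.PartOfDomain) "Domain: $($cs.Domain)"

# .NET Framework 3.5 SP1, read from the registry keys written by the framework installer.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
$netOk = ($ndp -ne $null) -and ($ndp.Install -eq 1) -and ($ndp.SP -ge 1)
Add-Check '.NET Framework 3.5 SP1 installed' $netOk $(if ($ndp) { "v$($ndp.Version) SP$($ndp.SP)" } else { 'not found' })

# Windows PowerShell 1.0 or later; $PSVersionTable only exists from 2.0 onward.
$psVer = if ($PSVersionTable) { $PSVersionTable.PSVersion.ToString() } else { '1.0' }
Add-Check 'Windows PowerShell present' $true "PowerShell $psVer"

# Hardware minimums (Table 14.1): total cores, slowest processor clock, physical memory.
$cpus = @(Get-WmiObject Win32_Processor)
$cores = ($cpus | Measure-Object -Property NumberOfCores -Sum).Sum
$clockGHz = [math]::Round((($cpus | Measure-Object -Property MaxClockSpeed -Minimum).Minimum / 1000), 2)
$memGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
Add-Check "At least $MinCores cores" ($cores -ge $MinCores) "$cores cores"
Add-Check "Clock at least ${MinClockGHz}GHz" ($clockGHz -ge $MinClockGHz) "${clockGHz}GHz"
Add-Check "At least ${MinMemoryGB}GB RAM" ($memGB -ge $MinMemoryGB) "${memGB}GB"

$checks | Format-Table Check, Passed, Detail -AutoSize
$failed = @($checks | Where-Object { -not $_.Passed }).Count
if ($failed -gt 0) { Write-Warning "$failed check(s) failed; fix before running Service Manager setup." }
```

Run it once per planned server role; for the database servers, also confirm that SQL Server 2008 64-bit is installed, which this script does not check. Because the domain check only confirms membership, verify separately that all the servers are in the same forest.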
Disk Subsystem Performance

Disk performance is a critical factor in the SvcMgr overall performance. Because of the volume of data that flows from the components into the various databases, data must make it into the databases quickly. However, for usability, console performance is the single most important factor. The console places a significant load on the server, primarily reading the data from the Service Manager database. If this read access is slow, console performance will be impacted and users will be dissatisfied with Service Manager.
NOTE This usability measure is critical, as there is no point in collecting all this incident, change management, relationship, and configuration data if the users and analysts cannot access it.
The key measures to watch are the LogicalDisk counters Avg. Disk sec/Read and Avg. Disk sec/Write for the logical disk where the ServiceManager database (the ServiceManager.mdf file) is located. These should not be higher than 0.020 seconds (20ms) on a sustained basis. Ideally, the time should be less than 10ms for optimal performance. If the disk subsystem is experiencing read or write times greater than 0.020 seconds on the ServiceManager database volume, the Service Manager console will have performance issues.
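The following script is an added example, not part of the book, that samples the two counters named above for the volume holding ServiceManager.mdf and compares them with the 20ms sustained ceiling and the 10ms target. It assumes Windows PowerShell 2.0 (for Get-Counter), that it runs on the database server, and that the caller supplies the data file path; the default path is a placeholder, not a path from the book.

```powershell
# Added example, not the book's code: sample Avg. Disk sec/Read and Avg. Disk sec/Write for
# the volume that holds ServiceManager.mdf and compare them with the book's thresholds.
# Assumes PowerShell 2.0 on the database server; $DataFilePath default is a placeholder.
param(
    [string]$DataFilePath = 'D:\SQLData\ServiceManager.mdf',  # placeholder; pass the real path
    [int]$SampleIntervalSeconds = 5,
    [int]$Samples = 12,                                        # 12 x 5s = one minute of samples
    [double]$CeilingSeconds = 0.020,                           # never sustained above 20ms
    [double]$TargetSeconds  = 0.010                            # ideally under 10ms
)

# LogicalDisk instances are named by drive letter ("D:"). A volume mount point appears under
# its mount path instead, so set $instance by hand in that case. Counter names are localized
# on non-English systems.
$instance = [System.IO.Path]::GetPathRoot($DataFilePath).TrimEnd('\')
$paths = @("\LogicalDisk($instance)\Avg. Disk sec/Read",
           "\LogicalDisk($instance)\Avg. Disk sec/Write")

$sets = Get-Counter -Counter $paths -SampleInterval $SampleIntervalSeconds -MaxSamples $Samples

# Summarise average and worst case per counter; CookedValue is already in seconds.
$report = foreach ($name in 'Read', 'Write') {
    $values = @($sets | ForEach-Object { $_.CounterSamples } |
        Where-Object { $_.Path -like "*sec/$name" } |
        ForEach-Object { $_.CookedValue })
    $stats = $values | Measure-Object -Average -Maximum
    $status = if ($stats.Average -gt $CeilingSeconds) { 'FAIL: sustained above 20ms' } elseif ($stats.Average -gt $TargetSeconds) { 'WARN: above 10ms target' } else { 'OK' }
    New-Object PSObject -Property @{
        Counter    = "Avg. Disk sec/$name ($instance)"
        AverageSec = [math]::Round($stats.Average, 4)
        MaxSec     = [math]::Round($stats.Maximum, 4)
        Status     = $status
    }
}
$report | Format-Table Counter, AverageSec, MaxSec, Status -AutoSize
```

A one-minute window only catches a problem that is present while the script runs; to establish whether latency is sustained, run it during the busiest console hours or raise the sample count, and compare the result with the same counters collected over several days.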
Choosing Between SAN and DAS If possible, always implement the Service Manager database servers with SAN disk subsystems. For information on choosing between SAN and DAS, see the section "Choosing Between SAN and DAS" in Chapter 6, "Operations Manager Design and Planning."
Choosing SQL Versions

For Service Manager implementations, the best option is the Server Plus CAL licensing. Service Manager has very low CAL requirements, as the consoles do not require CALs. Purchasing Per Processor licensing is not recommended, as a typical SvcMgr database server will have a lot of CPUs and would not benefit from unlimited CALs.
NOTE For comparison, the SvcMgr license without the SQL technology is $579. All management servers must use the same licensing model to be in compliance.
In general, the best-practice guidance is to use SQL Enterprise Edition when
• Multiple Service Manager components will coexist on the same database server, as SQL Enterprise Edition handles parallel processing more effectively and can take advantage of additional resources in a scaled-up server.
• You have more than four CPU sockets, as SQL Enterprise Edition can use the additional resources. This should not be confused with cores.
• Clustering is used, as the additional overhead of clustering can impact performance.
Given the cost differential, sometimes it will be necessary to deploy SQL Standard Edition. Best-practice guidance when using SQL Standard Edition is to
• Keep SvcMgr database components on separate SQL servers.
• Deploy 64-bit versions. This is a requirement for Service Manager components.
• Use extra memory in database servers to compensate.
In addition, the collation chosen at the installation of SQL 2008 is critical for multilanguage installations of Service Manager. The default collation for SQL Server 2008 is SQL_Latin1_General_CP1_CI_AS, but it is not supported by Service Manager for multilingual installations. The SQL collation is selected at installation time of SQL 2008 and cannot be changed without a complete reinstall of SQL. If the default SQL collation was chosen, the Service Manager install will show a warning that the unsupported collation will cause problems with multilingual installations.
The supported collations for multilanguage installations are the following:
• Latin1_General_100_CI_AS for English
• Chinese_Traditional_Stroke_Count_100_CI_AS for Chinese (Taiwan)
• Chinese_Simplified_Pinyin_100_CI_AS for Chinese (PRC)
• French_100_CI_AS for French
• Latin1_General_100_CI_AS for German
• Latin1_General_100_CI_AS for Italian
• Japanese_XJIS_100_CI_AS for Japanese
• Korean_100_CI_AS for Korean
• Latin1_General_100_CI_AS for Portuguese or Brazilian Portuguese
• Cyrillic_General_100_CI_AS for Russian
• Traditional_Spanish_100_CI_AS for Spanish
Using one of the supported collations allows Service Manager to run in multilingual environments without any issues.
NOTE The collation warning can safely be ignored if the Service Manager installation will be single language only.
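Because the server collation cannot be changed after SQL Server is installed, it is worth confirming it before Service Manager setup runs. The following script is an added example, not from the book, that reads the server collation and the ServiceManager database collation from SQL Server and checks them against the supported list above. It assumes Windows PowerShell 2.0, the System.Data.SqlClient classes that ship with .NET 3.5, Windows authentication with a login that can query master, and an instance name supplied by the caller; the default instance name is a placeholder.

```powershell
# Added example, not the book's code: check the SQL Server collation (and the ServiceManager
# database collation, if the database already exists) against the collations the text lists
# as supported for multilanguage Service Manager installations.
# Assumes PowerShell 2.0, .NET 3.5 SqlClient, Windows authentication. $SqlInstance is a placeholder.
param(
    [string]$SqlInstance  = 'SM1',             # placeholder; e.g. 'SM1\SCSM' for a named instance
    [string]$DatabaseName = 'ServiceManager'
)

# Supported multilanguage collations from the text, keyed by collation name.
$supported = @{
    'Latin1_General_100_CI_AS'                   = 'English, German, Italian, Portuguese/Brazilian'
    'Chinese_Traditional_Stroke_Count_100_CI_AS' = 'Chinese (Taiwan)'
    'Chinese_Simplified_Pinyin_100_CI_AS'        = 'Chinese (PRC)'
    'French_100_CI_AS'                           = 'French'
    'Japanese_XJIS_100_CI_AS'                    = 'Japanese'
    'Korean_100_CI_AS'                           = 'Korean'
    'Cyrillic_General_100_CI_AS'                 = 'Russian'
    'Traditional_Spanish_100_CI_AS'              = 'Spanish'
}
$sqlDefault = 'SQL_Latin1_General_CP1_CI_AS'   # SQL 2008 setup default; single-language only

function Get-SqlScalar([string]$Instance, [string]$Query, [hashtable]$Params = @{}) {
    # Runs one parameterized query against master and returns the first column as a string
    # (an empty string for NULL). Parameters keep the database name out of the SQL text.
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "Server=$Instance;Database=master;Integrated Security=SSPI"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        foreach ($k in $Params.Keys) { [void]$cmd.Parameters.AddWithValue($k, $Params[$k]) }
        return [string]$cmd.ExecuteScalar()
    } finally { $conn.Close() }
}

function Test-Collation([string]$Scope, [string]$Collation) {
    if ($supported.ContainsKey($Collation)) {
        "{0}: {1} - supported for multilanguage use ({2})" -f $Scope, $Collation, $supported[$Collation]
    } elseif ($Collation -eq $sqlDefault) {
        "{0}: {1} - SQL Server default; acceptable only for a single-language installation" -f $Scope, $Collation
    } else {
        "{0}: {1} - not in the supported list; expect the Service Manager setup warning" -f $Scope, $Collation
    }
}

# The server collation is fixed at SQL setup and is what a new ServiceManager database inherits.
$serverCollation = Get-SqlScalar $SqlInstance "SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128))"
Test-Collation 'Server' $serverCollation

# DATABASEPROPERTYEX returns NULL when the database does not exist yet (pre-install check).
$dbCollation = Get-SqlScalar $SqlInstance "SELECT CAST(DATABASEPROPERTYEX(@db, 'Collation') AS nvarchar(128))" @{ '@db' = $DatabaseName }
if ($dbCollation) { Test-Collation "Database $DatabaseName" $dbCollation }
else { "Database $DatabaseName not present yet; it will inherit the server collation $serverCollation" }
```

Run the check against the instance that will host the ServiceManager database and, separately, against the data warehouse instance, since each SQL installation sets its own collation.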
Putting It All Together in a Service Manager Design

To illustrate the concepts discussed in this chapter, three designs are presented. These design scenarios cover a range of organizations from small to medium to large. The profile of the three enterprises is given in the following list:
• Small enterprise—A total of 30 servers in 3 locations, a main office with a shared T1 to the branch offices, and 25% bandwidth availability
• Medium enterprise—A total of 500 servers in 10 locations, a main office with a shared 11Mbps Fractional T3 to the branch offices, and 25% bandwidth availability
• Large enterprise—A total of 2,000 servers in 50 locations, a main office with a shared 45Mbps T3 to the branch offices, and 25% bandwidth availability
Based on these sizes, designs were developed. In these designs, direct attached storage (DAS) was used as a design constraint, rather than a storage area network (SAN). This provides a more realistic minimum hardware specification. Performance could be further improved by using SAN in place of DAS.
NOTE The Service Manager server and the data warehouse management server components cannot be installed on the same server. Any Service Manager design must have at least two servers.
For any Service Manager design that incorporates a data warehouse, there will be two Service Manager management groups. One is for the Service Manager and one is for the Service Manager data warehouse. These two need to be named differently, for example:
• Company ABC SM
• Company ABC DW
WARNING If the Service Manager and the data warehouse management groups have the same name, it is not possible to register the Service Manager management group with the data warehouse.
The Service Manager management group names should also be different than the Operations Manager management group name.
Small Enterprise Design

The first design point is for a small enterprise consisting of the following:
• 500 users
• 30 servers
For illustration and sizing, the number of incidents, change requests, and concurrent consoles is listed in Table 14.4. Because these are the primary metrics and loading that determine database sizing, it is important to have some sense of the workload.

TABLE 14.4 Small Enterprise Workload Counts

Workload                  Count
Incidents/month           500
Change requests/month     50
Concurrent consoles       2
Given the relatively small number of managed computers, a single-server design makes the most sense. The recommended design for the small enterprise is as given in Table 14.5.

TABLE 14.5 Small Enterprise SvcMgr Design Recommendation

Server          Component(s)                                                   Processors       Memory     Disk
SM1             Service Manager management server, Service Manager database,   8 cores          16GB RAM   4-disk RAID-10 data, 2-disk RAID-1 logs
                data warehouse database, console, Self-Service Portal
SM2 (virtual)   Data warehouse management server                               2 virtual CPUs   4GB RAM    Virtual disk hosted on SM1
NOTE Service Manager can be installed on a single physical server. However, the server would have to host the data warehouse management server in a virtual guest session running on the physical host.
The SM2 server hosting the data warehouse management server role would be a virtual server running on the SM1 server. For the server software, the recommendations are for the following:
• Windows Standard 2008 R2 64-bit
• SQL 2008 Enterprise 64-bit
Given that the components are all on the same server, the single-server option can really use the SQL Enterprise performance improvements. Also, using the Enterprise Edition of SQL allows the database server to add processors in the future if resource utilization dictates it.
NOTE The SQL database instance would be installed on the SM1 host server and would contain all four of the Service Manager databases, which are the ServiceManager, DWStagingAndConfig, DWRepository, and DWDataMart.
Figure 14.2 shows the architecture for the small organization.

FIGURE 14.2 Service Manager 2010 small enterprise architecture. (The figure shows SM1, hosting the Service Manager database, data warehouse database, console, and Self-Service Portal, and the virtual SM2, hosting the data warehouse management server.)
The databases will grow to their steady state sizes proportional to the number of work items and computers, all other things being equal. Table 14.6 lists the estimated database sizes for the small enterprise databases. These sizes are important for determining the drive sizes and sizing backup solutions.

TABLE 14.6 Small Enterprise Estimated Database Sizes

Database                                             Retention   Database Size (GB)
ServiceManager                                       90 days     3
DWStagingAndConfig, DWRepository, and DWDataMart     365 days    15
These sizes would be changed by adjustments to the retention periods and work items such as incidents and change requests. When determining the sizing of the disk subsystems, it is important to factor in the following:
• Database sizes
• Operating system overhead
• Local backup overhead
• Application overhead
• Log overhead
Typically, there should be a cushion of at least two times the database size to account for the overhead factors. The RAID types and number of disks would be changed to accommodate the storage needs.
Medium Enterprise Design

The second design point is for a medium enterprise consisting of the following:
• 2,000 users
• 500 servers
For illustration and sizing, the number of incidents, change requests, and concurrent consoles is listed in Table 14.7. Because these are the primary metrics and loading that determine database sizing, it is important to have some sense of the workload.

TABLE 14.7 Medium Enterprise Workload Counts

Workload                  Count
Incidents/month           2,000
Change requests/month     200
Concurrent consoles       10
Given the number of managed computers, a dual-server design makes the most sense. This would be a Service Manager server and a data warehouse server. The recommended design for the medium enterprise is as given in Table 14.8.

TABLE 14.8 Medium Enterprise SvcMgr Design Recommendation

Server   Component(s)                                                                                 Processors   Memory    Disk
SM1      Service Manager management server, Service Manager database, console, Self-Service Portal   8 cores      8GB RAM   2-disk RAID 1
SM2      Data warehouse management server, data warehouse database                                   8 cores      4GB RAM   2-disk RAID 1
These are minimum specifications for performance and storage requirements. They can be revised upward based on additional requirements, such as backup storage.
The servers can be virtual in this design.
For the server software, the recommendations are for the following:
• Windows Standard 2008 R2 64-bit
• SQL 2008 Enterprise 64-bit
Given that the database components are all on the same server, the database server can really use the SQL Enterprise performance improvements. Also, using the Enterprise Edition of SQL allows the database server to add processors in the future if resource utilization dictates it. Using 64-bit versions similarly allows memory to be added and utilized without having to rebuild servers. Figure 14.3 shows the architecture for the medium-sized organization.

FIGURE 14.3 Service Manager 2010 medium enterprise architecture. (The figure shows SM1, hosting the Service Manager management server, Service Manager database, console, and Self-Service Portal, and SM2, hosting the data warehouse management server and data warehouse database.)
The databases will grow to their steady state sizes proportional to the number of work items and computers, all other things being equal. Table 14.9 lists the estimated database sizes for the medium enterprise databases. These sizes are important for determining the drive sizes and sizing backup solutions.

TABLE 14.9 Medium Enterprise Estimated Database Sizes

Database                                             Retention   Database Size (GB)
ServiceManager                                       90 days     4
DWStagingAndConfig, DWRepository, and DWDataMart     365 days    20
These sizes would be changed by adjustments to the retention periods and work items such as incidents and change requests.
When determining the sizing of the disk subsystems, it is important to factor in the following:
• Database sizes
• Local backup overhead
• Log overhead
• Operating system overhead
• Application overhead
Typically, there should be a cushion of at least two times the database size to account for the overhead factors. The RAID types and number of disks would be changed to accommodate the storage needs.
Large Enterprise Design

The last design point is for a large enterprise consisting of the following:
• 10,000 users
• 2,000 servers
For illustration and sizing, the number of incidents, change requests, and concurrent consoles is listed in Table 14.10. Because these are the primary metrics and loading that determine database sizing, it is important to have some sense of the workload. This information can also be used with the System Center Capacity Planner tool.

TABLE 14.10 Large Enterprise Workload Counts

Workload                  Count
Incidents/month           7,500
Change requests/month     1,000
Concurrent consoles       25
Given the relatively large number of work items, computers, and users, a server per component design makes the most sense. This places each component on its own dedicated server, ensuring that there is no contention for resources between components. The recommended design for the large enterprise is as given in Table 14.11. These are minimum specifications for performance and storage requirements. The 4-disk RAID 10 subsystem for the database servers is driven mainly by performance considerations. They can be revised upward based on additional requirements, such as backup storage.
TABLE 14.11 Large Enterprise SvcMgr Design Recommendation

Server   Component(s)                                                        Processors   Memory    Disk
SM1      Service Manager management server, console, Self-Service Portal     8 cores      8GB RAM   2-disk RAID 1
SM2      Service Manager database                                            8 cores      4GB RAM   4-disk RAID 10 data, 2-disk RAID 1 logs
SM3      Data warehouse management server                                    8 cores      4GB RAM   2-disk RAID 1
SM4      Data warehouse database                                             8 cores      4GB RAM   4-disk RAID 10 data, 2-disk RAID 1 logs
NOTE This configuration could really benefit from SAN storage to improve performance and scalability. At the very least, the database servers will require external drive enclosures to support the large number of disks.
For the server software, the recommendations are for the following:
• Windows Standard 2008 R2 64-bit
• SQL 2008 Enterprise 64-bit
Given the scale of the infrastructure, the 64-bit platforms are needed to take advantage of the larger memory and to increase the performance of the SQL database servers. Figure 14.4 shows the architecture for the large-sized organization. The databases will grow to their steady state sizes proportional to the number of work items and computers, all other things being equal. Table 14.12 lists the estimated database sizes for the large enterprise databases. These sizes are important for determining the drive sizes and sizing backup solutions.

TABLE 14.12 Large Enterprise Estimated Database Sizes

Database                                             Retention   Database Size (GB)
ServiceManager                                       90 days     15
DWStagingAndConfig, DWRepository, and DWDataMart     365 days    60
These sizes would be changed by adjustments to the retention periods and work items such as incidents and change requests.
FIGURE 14.4 Service Manager 2010 large enterprise architecture. (The figure shows the four servers SM1 through SM4 from Table 14.11, one per component.)
When determining the sizing of the disk subsystems, it is important to factor in the following:
• Database sizes
• Local backup overhead
• Log overhead
• Operating system overhead
• Application overhead
Typically, there should be a cushion of at least three to four times the database size to account for the overhead factors. This is more difficult with large enterprise organizations and their correspondingly large data sets. The RAID types and number of disks would be changed to accommodate the storage needs; alternatively, online backup to tape or replication to an offsite recovery site might be used instead of local backup storage.
Planning a Service Manager Deployment

A Service Manager project can be a small endeavor or a very large one, depending on the organization, requirements, or budget. Whatever the scale, appropriate planning is key to the success of any Service Manager project.
NOTE What "appropriate planning" means for any given organization or project will vary greatly. This could be a 100-page design and planning document. Or it could be a single page design and planning outline. The important point is that it be done to the degree needed to ensure the success of the project.
A project is defined by its scope, timeline, and budget. The scope defines what's included in the project and, sometimes more important, what is not included in the project. The timeline defines when the project will start, end, and some level of detail on what occurs in between. The budget defines how much it will cost, which could be in terms of money, effort, resources, or a combination of all of these. A typical Service Manager project will have three to five phases, as follows:
1. Design Principles Training phase (optional)
2. Design and Planning phase
3. Proof of Concept phase (optional)
4. Pilot phase
5. Production phase
The Design Principles Training and the Proof of Concept phases are optional and might not be needed for some implementations, especially smaller or less complex ones. The other phases will almost always be needed, even if they vary in scope depending on the environment.
NOTE Although projects can vary in scope and size, by and large Service Manager projects will be compact projects. Ultimately, the project is deploying a management platform to support the applications and is, thus, smaller than the application projects it is supporting.
This section looks at the following project elements: • Major phases • Major tasks • Deliverables These elements help define the project, ensuring that the project team can deliver the project scope on time and within the budget.
CHAPTER 14
Service Manager 2010 Design, Planning, and Implementation
Design Principles Training Phase Before launching into the design and planning process, it is recommended to have a Service Manager subject matter expert (SME) conduct a Microsoft Service Manager training session for all team members. The session should introduce the technology components and principles of Service Manager 2010 design, planning, and integration. The session helps to establish the basic criteria for the architectural elements of SvcMgr and bring all design participants up to the same level of knowledge. The session also allows for general Service Manager technology questions to be addressed in advance of the design and planning sessions. Design principles training for Service Manager can be conducted in a daylong session, a four-hour session, or even just an hour-long session. The length of the training very much depends on the scale of the project and the technological sophistication of the participants. For a large organization, a daylong session would be recommended. For a small organization, an hour-long session would be sufficient. Conducting a design principles training session can make the design and planning sessions flow much smoother, as well as produce a much better design and plan.
Design and Planning Phase
During the Design and Planning phase, the project team works together to create a Service Manager 2010 architecture and implementation plan that satisfies the business and technical requirements. The architecture is usually created during a half-day to two-day design session that covers a host of Service Manager design-related topics, including, but not limited to, the following:
• Business and technical goals and objectives
• Components
• Architecture
• Fault-tolerant strategy
• Disaster recovery strategy
• Configuration settings
• Integration
• Hardware specification
• Workflows (incident, problem, and change request)
• Templates
• Customization
• Administrative model
• Notification model
• Administration and maintenance procedures
• Documentation
The implementation plan is created during the planning session(s), which usually range from a half day to three days. The planning session covers the following topics:
• Phases
• Tasks
• Resources
• Timeline
• Risk identification and mitigation
The deliverable from the design and planning session is the design and planning document. The design and planning document communicates the results of the design and planning sessions. The outline of the design and planning document should include the following sections:
• Project Overview
• Goals and Objectives
• Architecture
• Configuration Settings
• Integration
• Customization
• Incident and Problem Processes
• Change Request Processes
• Administration Model
• Notification Model
• Fault Tolerance and Disaster Recovery
• Project Plan
  • Phases
  • Tasks
  • Deliverables
  • Resources
  • Timeline
  • Budget
The length of a design and planning document will vary according to the size of the organization and the complexity of the design and plan. A small organization might have a document of 1-5 pages. Larger organizations and complex deployments will have a more detailed document of 20-50 pages.
Proof of Concept Phase The Proof of Concept (POC) phase is essentially the lab phase, also known as the prototype phase. The POC phase begins with the building of a prototype lab. The prototype lab is typically an isolated simulated production environment. It should include all of the types of servers found in the production environment that could potentially affect connectivity and performance.
TIP In today's modern IT environment, the POC lab can be built in a virtual environment even if the production environment will be all physical. This allows for the testing of the functionality of the design, but not scalability of the design. It reduces the expense of the POC significantly to use virtual machines.
Some organizations might choose to forgo the expense of a POC and go directly into a production build. This makes sense for smaller organizations or projects with limited budgets.
NOTE Service Manager is a particularly good candidate for skipping the lab phase. The reason is that the Service Manager infrastructure can be deployed into a production environment with little or no impact to the existing servers. Connectors can be deployed and workflows tested without impacting the environment.
The POC lab should have a minimum set of servers needed to deploy Service Manager and to test key management packs against application servers. The POC lab environment should include the following:
• Service Manager servers
• Active Directory domain controllers
• Operations and Configuration Manager servers
• Internet connectivity
Much of the testing will be on the Service Manager configuration, connector configuration, testing workflows, and developing templates.
NOTE The Service Manager POC infrastructure does not need to be scaled to the full production environment depending on the scope of the POC. Some POCs will want to test and document deployment procedures, in which case a server configuration similar to the production environment is needed. If the POC is to test management pack functionality, a single SvcMgr server with all components can be deployed.
Specific test plans will be developed during the lab build process. Testing areas should include the following:
• Deployment
• Configuration
• Administration
• Incident workflow
• Problem workflow
• Change request workflow
• Connectors
• Notifications
• Self-Service Web Portals
• Failover capabilities
• Backup and recovery
The lab should exist throughout the entire project to allow testing and verification of configurations, with the primary usage during the POC phase. Once implementation completes, the lab can be scaled back as required. The major tasks for the Proof of Concept phase include the following:
• Build servers in the lab
• Deploy Service Manager infrastructure
• Develop workflow models for incidents, problems, and change requests
• Create templates
• Create custom reports
• Create custom management packs
• Develop the notification model
• Test the functionality
• Test disaster recovery and fault tolerance
This list is definitely subject to change based on the specifics of the project, especially depending on the goals and objectives developed during the Design and Planning phase. The deliverables for the Proof of Concept phase include the following:
• Working lab Service Manager infrastructure
• Functionality (80%)
• Tuned workflows (50%)
• Build documentation
• Templates
• Workflows
• Notification model
• Administration model
• Issues database
The Proof of Concept phase, given its scaled-down nature, is unlikely to be able to deliver 100% of the production functionality due to missing applications and simplified architecture when compared with production. The 80% of functionality is a good target. The workflow development will likely only be at 50% at the end of the POC, as the production conditions that trigger incidents, problems, and change requests will not be seen in the lab. It is also important to start an issues database during the POC phase, in which issues that arise are logged and solutions documented. This helps document the solutions and is a useful database to pass to the support teams, so they know what the solutions are to common problems. The issues log can be an actual SQL database or just an Excel spreadsheet. The issues log will be added to throughout the various phases.
NOTE After building the lab environment, it frequently makes sense to leave the lab up and running. This lab provides a platform for testing new templates and processes in a controlled setting before deploying them into production.
Pilot Phase
The goal of the Pilot phase is to roll out the production Service Manager 2010 infrastructure and deploy consoles in a limited production environment. This allows the functionality to be tested in the production environment and the impacts to users and servers assessed. Some key issues to assess are as follows:
• Incident, problem, and change request workflows
• Self-Service Portal usage
• Impact of connectors on Active Directory, OpsMgr, and ConfigMgr
• Performance of SvcMgr servers
• Database growth
Evaluating these and other metrics ensures that the Service Manager infrastructure is performing as expected from the design and planning sessions. The major tasks for the Pilot phase include the following:
• Deploy production Service Manager infrastructure
• Configure Service Manager infrastructure
• Configure and tune workflows
• Configure the administrative model
• Configure the notification model
• Deploy the pilot console
• Deploy pilot users, analysts, and help desk
• Conduct cross-training
• Adjust workflows
Users, analysts, help desk personnel, and sites scheduled for deployment in this phase should be a representative sample that includes extremes. They would be migrated to the Service Manager systems and would be submitting incidents and change requests through the system. The number of individuals to deploy in the Pilot phase can vary, but a good rule of thumb is to target 5%-10% of the total number of users in production. The deliverables for the Pilot phase include the following:
• Working production Service Manager infrastructure
• Users deployed (5%-10%)
• Functionality (100%)
• Tuned workflows (80%)
• Updated documents
• Cross-training
• Issues database (90%)
All the functionality of the Service Manager 2010 infrastructure should have been deployed by the end of the Pilot phase.
Production Phase
With successful Proof of Concept and Pilot phases, the Production phase should be well understood and offer few surprises. The main purpose of the Production phase is to integrate the system into all aspects of service management, which at this stage in the project should have relatively low risk. Any major issues or concerns will have been uncovered in the Proof of Concept and Pilot phases. The major tasks for the Production phase include the following:
• Deploy users
• Conduct cross-training
• Tune workflows
In this final phase, the various tasks that were in progress from previous phases (such as the workflow tuning, user deployment, and the issues database) will be finalized. The deliverables for the production phase include the following:
• Users deployed (100%)
• Tuned workflows (100%)
• Cross-training
• Issues database (100%)
• Transition to support
By the conclusion of the Production phase, the Service Manager infrastructure should be completely tuned and ready to hand over to support. The transition to support is a critical point in the project, as the staff assuming the support and maintenance of the Service Manager infrastructure should be cross-trained on the procedures to ensure that the infrastructure continues to operate at 100%.
Time Estimates The time needed per phase on any given project will vary according to the size of the organization, the organization culture, the scope of the project, and the complexity of the Service Manager project. Table 14.13 provides some estimates of times needed to execute the phase for small, medium, and large organizations.
TABLE 14.13 Sample Project Time Estimates

Phase                               Small     Medium     Large
Design Principles Training phase    1 hr      4 hrs      1 day
Design and Planning phase           1 day     2 days     1 week
Proof of Concept phase              N/A       N/A        2 weeks
Pilot phase                         N/A       1 week     1 month
Production phase                    1 week    2 weeks    1 month
For some of the organization sizes, certain phases are not normally done. For example, a small organization will likely move from the Design and Planning phase directly into a Production phase. There would be no need for a Proof of Concept nor Pilot phase with a small organization. This is reflected in the table.
Deploying Service Manager
To demonstrate a sample installation deployment of Service Manager, the two-server architecture is used. Deploying Service Manager is done in five steps:
• Deploy the Service Manager server
• Deploy the Service Manager data warehouse
• Register the Service Manager management group
• Enable the ETL job
• Deploy the Self-Service Portals
The servers need to meet the prerequisites defined earlier in the chapter.
Deploying SvcMgr Components
The first server (SM1) in the Service Manager two-server deployment will host the following Service Manager components:
• Service Manager management server
• Service Manager database
• Service Manager console
NOTE The SM servers cannot have any OpsMgr agents or other components installed on them. The products cannot coexist. The OpsMgr agent should be removed prior to installing the Service Manager components.
To install the Server, Database, and Console components for Service Manager, complete the following steps:
1. On the Service Manager server, navigate to the installation media for Service Manager.
2. Double-click Setup.exe to launch the Setup Wizard.
3. Click the Install a Service Manager Management Server link.
4. Enter the product registration information, accept the license agreement, and click Next.
5. Select the installation location and click Next.
6. The prerequisites will be checked. Remediate any issues; otherwise, click Next.
7. Select the Database Server, SQL Server Instance, and the file locations. Click Next to continue.
NOTE The Service Manager installation will check the SQL server collation at this point. If it is not one of the supported collations, then the install will present a warning. This can be ignored if the Service Manager will not be multilingual. If the install will support multiple languages, then the installation should be cancelled and the SQL server reinstalled with a supported collation.
8. Enter the Service Manager Management Group Name, in this example Company ABC SM.
9. Click Browse and select the Management Group Administrators.
NOTE The built-in Domain\Administrators group is not allowed by the wizard, although the COMPUTER\Administrators and DOMAIN\Domain Admins are allowed. It is recommended to use a domain group.
10. Click Next.
11. To configure the account for the Service Manager services, click the Domain Account option button and enter a domain account and password.
NOTE The Service Manager service account must be the same as the account used for the data warehouse service account.
12. Click Test Credentials and wait for the "The credentials were accepted." message.
NOTE Testing the credentials has to be done to enable the Next button.
13. Click Next to continue.
14. To configure the account for the Service Manager workflows, click the Domain Account option button and enter a domain account and password.
NOTE The Service Manager workflow account needs to be mail enabled for email notifications to be sent.
15. Click Test Credentials and wait for the "The credentials were accepted." message.
NOTE Testing the credentials has to be done to enable the Next button.
16. Click Next.
17. Select the appropriate options for the Improvement Programs and for Error Reporting. Then click Next.
18. Review the Installation Summary and then click Install.
19. After the install completes successfully (shown in Figure 14.5), click Close.
20. The Encryption Key Backup or Restore Wizard launches. Click Next.
21. Select Backup the Encryption Key and click Next.
22. Enter a path and filename and then click Next.
FIGURE 14.5 Service Manager server install complete.
23. Enter a password and confirm the password; then click Next.
24. Click Finish to close the wizard.
The Service Manager server installation is complete. The next step is to install the data warehouse component.
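The two notes in the procedure above (no OpsMgr agent on the Service Manager servers, and a supported SQL Server collation) are the conditions Setup trips on most often, so as an added example, not code from the book, the following PowerShell script checks both before Setup.exe is run. It assumes SQL Server is reachable under the caller's Windows credentials and that $SupportedCollations is filled in from the product documentation; the single value given is a placeholder, not a verified list.

```powershell
# Added example (not from the book): pre-flight checks for a Service Manager
# 2010 management server, run on the target server before Setup.exe.
# Assumptions: SQL Server is reachable with the caller's Windows credentials,
# and $SupportedCollations is filled from the product's documented list
# (the value below is a placeholder to replace, not a verified list).

param(
    [string]$SqlInstance = "SM1",
    [string[]]$SupportedCollations = @("Latin1_General_100_CI_AS")
)

function Test-NoOpsMgrAgent {
    # The OpsMgr agent runs as the "HealthService" service; if it is present,
    # the agent must be removed before Service Manager is installed.
    $svc = Get-Service -Name HealthService -ErrorAction SilentlyContinue
    if ($svc) {
        Write-Warning "OpsMgr agent service 'HealthService' is present ($($svc.Status)); remove it first."
        return $false
    }
    Write-Host "OK: no OpsMgr agent service found."
    return $true
}

function Get-SqlServerCollation {
    param([string]$Instance)
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Instance;Database=master;Integrated Security=SSPI;Connect Timeout=10"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT CONVERT(nvarchar(128), SERVERPROPERTY('Collation'))"
        return [string]$cmd.ExecuteScalar()
    } finally {
        $conn.Dispose()
    }
}

function Test-SqlCollation {
    param([string]$Instance, [string[]]$Allowed)
    $collation = Get-SqlServerCollation -Instance $Instance
    if ($Allowed -contains $collation) {
        Write-Host "OK: $Instance collation is $collation."
        return $true
    }
    Write-Warning "$Instance collation is $collation, not in the supported list; Setup will warn, and a multilingual deployment needs SQL Server reinstalled."
    return $false
}

$results = @(
    (Test-NoOpsMgrAgent),
    (Test-SqlCollation -Instance $SqlInstance -Allowed $SupportedCollations)
)
if ($results -contains $false) {
    Write-Warning "Fix the items above before running Setup.exe."
    exit 1
}
Write-Host "All pre-flight checks passed."
```

Run it as the same administrative account that will run Setup.exe, so the SQL connection is made with the credentials the installer will use; a collation mismatch that only shows up for a different login is exactly the kind of surprise the check is meant to remove.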
Deploying SvcMgr Data Warehouse
The second server (SM2) in the two-server deployment will host the following Service Manager components:
• Data warehouse management server
• Data warehouse databases
To install the data warehouse management server and data warehouse database components for Service Manager, complete the following steps:
1. On the data warehouse server (SM2), navigate to the installation media for Service Manager.
2. Double-click Setup.exe to launch the Setup Wizard.
3. Click the Install a Service Manager Data Warehouse Management Server link.
4. Enter the product registration information, accept the license agreement, and click Next.
5. Select the installation location and click Next.
6. The prerequisites will be checked. Remediate any issues; otherwise, click Next.
NOTE The Service Manager installation will check the SQL server collation at this point. If it is not one of the supported collations, then the install will present a warning. This can be ignored if the Service Manager will not be multilingual. If the install will support multiple languages, then the installation should be cancelled and the SQL server reinstalled with a supported collation.
7. Select the Database Server, SQL Server Instance, and the file locations. Click Next to continue.
NOTE The database options for the databases (Staging and Configuration, Repository, and Data Mart) can be individually changed by clicking on the database name and then changing the default options.
8. Enter the Data Warehouse Management Group Name, in this example DW_Company ABC DW.
NOTE The "DW_" will be prepended automatically to the Management Group Name to ensure that the name is unique.
9. Click Browse and select the Management Group Administrators.
10. Click Next.
11. The wizard automatically validates the SQL Reporting Services website, as shown in Figure 14.6. After getting the message "The SSRS Web server URL is valid," click Next.
12. To configure the account for the Service Manager services, click the Domain Account option button and enter a domain account and password.
FIGURE 14.6 Data warehouse SSRS validation.
NOTE The Service Manager service account must be the same as the account used for the Service Manager server installation.
13. Click Test Credentials and wait for the "The credentials were accepted." message.
NOTE Testing the credentials has to be done to enable the Next button.
14. Click Next to continue.
15. Enter the Reporting Account credentials.
16. Click Test Credentials and wait for the "The credentials were accepted." message.
17. Click Next to continue.
18. Select the appropriate options for the Improvement Programs and for Error Reporting. Then click Next.
19. Review the Installation Summary and then click Install.
20. After the install completes successfully (shown in Figure 14.7), click Close.
FIGURE 14.7 Service Manager data warehouse server install complete.
21. The Encryption Key Backup or Restore Wizard launches. Click Next.
22. Select Backup the Encryption Key and click Next.
23. Enter a path and filename and then click Next.
24. Enter a password and confirm the password; then click Next.
25. Click Finish to close the wizard.
Registering the SvcMgr Management Group
After the Service Manager management server and the Service Manager data warehouse have been deployed, the Service Manager management server must be registered with the data warehouse to enable their integration and allow data to be transferred to the data warehouse. To register the Service Manager management group "Company ABC SM" with the data warehouse "DW_Company ABC DW," execute the following steps:
1. Launch the Service Manager console.
2. Select the Administration node (should already be selected).
3. In the Administration Overview workspace, click the Register with Service Manager Data Warehouse link.
4. Click Next at the wizard introduction page.
5. Enter the data warehouse management server name in the Server Name field. In this case, the name is SM2.
6. Click the Test Connection button. The message "Your connection to the data warehouse management server was successful" should appear, as shown in Figure 14.8.
FIGURE 14.8 Service Manager data warehouse server connection test.
NOTE TCP port 5724 needs to be open for inbound communications to the server. The port is used by the Service Manager console and should be opened on all Service Manager server systems.
7. Click Next.
8. Leave the default RunAs account, which is the DW management group name with "SecureReference" appended. Click Next.
9. Click Create to complete the registration.
10. After the registration is completed, the screen shows the message "The data warehouse registration succeeded."
11. After a brief time, an informational pop-up message appears indicating that the report deployment process has not completed. This is normal, as the report deployment process takes some time. Click OK to close the pop-up message.
12. Click Close to exit the Data Warehouse Registration Wizard.
NOTE The MPSyncJob might take as long as two hours to complete.
After the jobs complete, the data warehouse reports will be available.
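The note above says to open port 5724 inbound on every Service Manager server. As an added example that is not from the book, the following PowerShell does that without exposing the port to the whole network: the rule is scoped to the subnets the consoles live on, and a small connectivity test confirms from a console machine that the port answers. The subnet values are placeholders, and the netsh advfirewall syntax is the Windows Server 2008 R2 form.

```powershell
# Added example (not from the book): restrict inbound TCP 5724 on a Service
# Manager server to the console subnets, then verify the port from a console
# machine. Assumptions: netsh advfirewall syntax as on Windows Server 2008 R2;
# the subnet list is illustrative and must be replaced with real values.

function Add-ScsmConsoleFirewallRule {
    param(
        [string[]]$ConsoleSubnets = @("10.1.0.0/16", "10.2.10.0/24"),   # placeholders
        [string]$RuleName = "SCSM console (TCP 5724)"
    )
    $remote = $ConsoleSubnets -join ","
    # Delete any earlier rule of the same name so the script can be re-run safely
    # (netsh reports "No rules match" when there is none; that output is discarded).
    netsh advfirewall firewall delete rule name="$RuleName" | Out-Null
    # Domain profile only: the server should never need console traffic on a
    # public or private profile.
    netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
        protocol=TCP localport=5724 remoteip=$remote profile=domain
}

function Test-ScsmPort {
    # Returns $true when a TCP connection to the port completes within the timeout.
    param([string]$Server, [int]$Port = 5724, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false      # no answer within the timeout: blocked or not listening
        }
        $client.EndConnect($async)
        return $client.Connected
    } catch {
        return $false          # connection refused or name resolution failed
    } finally {
        $client.Close()
    }
}

# Usage on the management server:
#   Add-ScsmConsoleFirewallRule -ConsoleSubnets @("10.1.0.0/16")
# Usage from a console workstation (a $false result from inside a listed
# subnet means the SDK service is not listening; from outside, the rule is doing its job):
#   Test-ScsmPort -Server "SM1"
```

Run the test once from an allowed subnet and once from a disallowed one; both results together show that the port is reachable where it should be and nowhere else.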
Enabling or Disabling Extract, Transform, and Load Job Schedules
The Extract, Transform, and Load (ETL) jobs are enabled by default. These are the jobs that move data from the Service Manager database into the data warehouse. They can be enabled or disabled only by using PowerShell cmdlets.
NOTE The scheduled jobs are visible in the Service Manager console in the Data Warehouse space under the Data Warehouse Jobs folder. However, they cannot be enabled or disabled in the user interface, only paused and resumed.
The process to enable or disable the jobs is very similar. In this example, the steps will be shown to enable the jobs. To enable the ETL job schedules, execute the following steps:
1. On the data warehouse management server, launch PowerShell with the Run As Administrator option.
2. Enter the command Add-PSSnapIn SMCmdletSnapIn.

NOTE If the Data Warehouse Management Group name or the Service Manager Management Group names have spaces in them, replace the spaces with the underscore character ("_") in the Enable-SCDWJobSchedule cmdlet. For example, the management group name Company ABC DW would be entered as company_abc_dw.

3. Enter the PowerShell command Enable-SCDWJobSchedule -JobName Extract_<Data Warehouse Management Group Name>. In this example, the command would be Enable-SCDWJobSchedule -JobName Extract_company_abc_dw.
4. Enter the PowerShell command Enable-SCDWJobSchedule -JobName Extract_<Service Manager Management Group Name>. In this example, the command would be Enable-SCDWJobSchedule -JobName Extract_company_abc_sm.
5. Enter the PowerShell command Enable-SCDWJobSchedule -JobName Transform.
6. Finally, enter the PowerShell command Enable-SCDWJobSchedule -JobName Load.
The results will look like those in Figure 14.9, basically no messages.
7. Exit PowerShell.

FIGURE 14.9 Enabling the ETL scheduled jobs.
The jobs will now run on an hourly basis, populating the Service Manager data warehouse from the Service Manager database. To disable the jobs, simply execute the same steps using the Disable-SCDWJobSchedule cmdlet. The schedule can be reviewed by running the Get-SCDWJobSchedule cmdlet on the data warehouse management server with no parameters. It will show the schedules of all data warehouse jobs.
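The same procedure as an added PowerShell script, not code from the book: it builds the four job names from the management group names (spaces to underscores, lowercase, as the note above describes), enables or disables each schedule, and reads the schedules back with Get-SCDWJobSchedule so a mistyped management group name shows up immediately instead of as a silently empty data warehouse. It assumes it runs elevated on the data warehouse management server, that the management group names are this chapter's sample names, and that the schedule objects returned by Get-SCDWJobSchedule expose a Name property; if they do not, drop the filter and read the full listing.

```powershell
# Added example (not from the book): enable or disable the data warehouse ETL
# schedules for both management groups, then read the schedules back.
# Assumptions: run elevated on the data warehouse management server; the
# management group names below are this chapter's sample names; the verify
# step assumes the schedule objects expose a Name property.

param(
    [string]$DwManagementGroup = "Company ABC DW",
    [string]$SmManagementGroup = "Company ABC SM",
    [switch]$Disable
)

# Load the Service Manager snap-in once; Add-PSSnapin errors if it is already loaded.
if (-not (Get-PSSnapin -Name SMCmdletSnapIn -ErrorAction SilentlyContinue)) {
    Add-PSSnapin SMCmdletSnapIn -ErrorAction Stop
}

function ConvertTo-ScdwJobSuffix {
    # The cmdlets want spaces replaced with underscores, e.g. "Company ABC DW" -> "company_abc_dw".
    param([string]$ManagementGroupName)
    return ($ManagementGroupName -replace ' ', '_').ToLower()
}

$jobNames = @(
    "Extract_$(ConvertTo-ScdwJobSuffix $DwManagementGroup)",
    "Extract_$(ConvertTo-ScdwJobSuffix $SmManagementGroup)",
    "Transform",
    "Load"
)

foreach ($job in $jobNames) {
    if ($Disable) {
        Disable-SCDWJobSchedule -JobName $job
    } else {
        Enable-SCDWJobSchedule -JobName $job
    }
}

# Read back every schedule and show the four that were touched. A missing name
# usually means a management group name was typed differently from the one
# Setup recorded, and the corresponding Extract job was never changed.
$schedules = Get-SCDWJobSchedule
foreach ($job in $jobNames) {
    $match = $schedules | Where-Object { $_.Name -eq $job }
    if (-not $match) {
        Write-Warning "No schedule named '$job' was returned; check the management group names."
    }
}
$schedules | Where-Object { $jobNames -contains $_.Name } | Format-Table -AutoSize
```

Run it with -Disable before maintenance on the data warehouse SQL Server and again without the switch afterward; the read-back at the end is the record that the schedules are in the state you expect.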
Deploying SvcMgr Web Portals The Service Manager Web Portals component allows users to submit new incidents, view announcements, self-help with the IT knowledge base, and reset their passwords. Analysts can use the Web Portal to view and approve activities, view and complete manual activities, and view change requests. The Service Manager Web Portals are deployed after the Service Manager component is installed.
NOTE The Service Manager Web Portal web server must be installed with the ASP.NET, Windows Authentication, and IIS 6 Metabase Compatibility role services and must have an SSL certificate.
To install the Self-Service Web Portals, complete the following steps:
1. On the Service Manager server, navigate to the installation media for Service Manager.
2. Double-click Setup.exe to launch the Setup Wizard.
3. Click the Install the Service Manager Web Portals link.
4. Enter the product registration information, accept the license agreement, and click Next.
5. Select the installation location and click Next.
6. The prerequisites will be checked. Remediate any issues; otherwise, click Next.
7. Accept the default website name of SCSMPortal, port 443, and select an SSL certificate. Click Next.
NOTE If there is no certificate installed yet, then the certificate selection can be skipped. The SSL certificate will not be bound to the SCSMPortal site and will need to be done manually later in the process.
8. Select the Database Server, SQL instance, and then select the ServiceManager database from the Database pull-down menu. Click Next.
9. To configure the account for the Service Manager portal, click the Domain Account option button and enter a domain account and password.
NOTE The Service Manager service account must be the same as the account used for the Service Manager server installation.
10. Click Test Credentials and wait for the "The credentials were accepted." message.
NOTE Testing the credentials has to be done to enable the Next button.
11. Click Next to continue.
12. Select the appropriate options for the Improvement Programs and for Error Reporting and then click Next.
13. Review the Installation Summary and then click Install.
14. After the install completes successfully (shown in Figure 14.10), click Close.
If the SSL certificate was not available at the time of installation, then the certificate will need to be bound to the site once the certificate is obtained and installed on the server. Until that is done, the https binding of the SCSMPortal site has no certificate and the portals cannot be reached over HTTPS. To bind the certificate to the site manually, run the following steps:
1. Launch Server Manager.
2. Expand the Roles node.
3. Expand the Web Server (IIS) node.
4. Select the Internet Information Services (IIS) Manager node.
FIGURE 14.10 Service Manager Web Portal install complete.
5. In the Connections pane, expand the server name, expand the Sites node, and select the SCSMPortal site.
6. In the Actions pane, click the Bindings link.
7. Select the https type and click Edit.
8. In the SSL Certificate pull-down menu, select the appropriate certificate and click OK.
9. Click Close to close the Site Bindings window.
10. Exit Server Manager.
There will now be two web portals available:
• The End User Portal at https://servername/EndUser
• The Analyst Portal at https://servername/Analyst
The two portals will be available for use immediately after the installation.
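The same binding done from PowerShell, as an added example that is not from the book, with the certificate checks a practitioner would want before relying on the portal over HTTPS: a private key, the Server Authentication EKU, a validity window, and a subject or SAN that matches the name users will type. It assumes Windows Server 2008 R2 with the WebAdministration module (IIS 7.5); the thumbprint and portal host name are placeholders.

```powershell
# Added example (not from the book): bind a server certificate to the SCSMPortal
# site on 443 without the IIS Manager GUI, checking the certificate first.
# Assumptions: Windows Server 2008 R2 with the WebAdministration module; the
# thumbprint and host name are placeholders supplied by the caller.

param(
    [Parameter(Mandatory=$true)][string]$Thumbprint,   # from Get-ChildItem Cert:\LocalMachine\My
    [string]$SiteName = "SCSMPortal",
    [string]$PortalHost = "scsm.companyabc.com",       # placeholder: the name users browse to
    [int]$Port = 443
)

Import-Module WebAdministration -ErrorAction Stop

function Test-PortalCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$HostName
    )
    $ok = $true
    if (-not $Cert.HasPrivateKey) {
        Write-Warning "Certificate has no private key; IIS cannot use it."; $ok = $false
    }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate expires $($Cert.NotAfter) (less than 30 days away)."; $ok = $false
    }
    # Browsers reject a server certificate without the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })) {
        Write-Warning "Certificate lacks the Server Authentication EKU."; $ok = $false
    }
    # The subject CN or a SAN entry must match the host name, or every user sees a name mismatch warning.
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) {
        # Windows formats the SAN as "DNS Name=host1, DNS Name=host2"; keep the values.
        $names += ($san.Format($false) -split ', ' | ForEach-Object { ($_ -split '=')[-1] })
    }
    if (-not ($names -contains $HostName)) {
        Write-Warning "Certificate names ($($names -join ', ')) do not include $HostName."; $ok = $false
    }
    return $ok
}

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not (Test-PortalCertificate -Cert $cert -HostName $PortalHost)) {
    throw "Certificate checks failed; not binding."
}

# Setup created the https binding on the port; creating it again is only needed if it was removed.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port
}

# Attach the certificate to the 0.0.0.0:<port> SSL binding, replacing any existing one.
$sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
if (Test-Path $sslPath) { Remove-Item $sslPath }
$cert | New-Item $sslPath | Out-Null

# Show the result so the binding and the certificate thumbprint can be recorded.
Get-WebBinding -Name $SiteName -Protocol https
Get-ChildItem IIS:\SslBindings
```

Keep the expiry check in whatever periodic health script runs against the portal server; an expired certificate on the End User Portal is the most common reason the self-service site stops working after a successful deployment.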
Deploying Service Manager Connectors The Service Manager connectors provide crucial integration between the Service Manager CMDB and Active Directory, Operations Manager, and Configuration Manager. This allows the CMDB to be the central touch point for the organization IT knowledge base, with the synthesized directory, configuration, and operational data.
Active Directory Connector Deployment
The Active Directory connector imports Active Directory users, groups, printers, and computers into the Service Manager database. This is the base of the CMDB, as it provides a record of every object in the organization. This information will be enriched later with configuration and operational data, but must be populated first from Active Directory. The tasks needed to create an Active Directory connector are as follows:
• Install an Active Directory connector and import data from Active Directory.
• Synchronize an Active Directory connector to reflect changes.
To install the Active Directory connector, complete the following steps:
1. Launch the Service Manager console.
2. Select the Administration space and then the Connectors folder.
3. Right-click the Connectors folder, select Create Connector, and then select Active Directory Connector.
4. Click Next at the introduction screen.
5. Enter the name of the connector, something like Active Directory Connector, and then click Next.
6. Select the domain to use by selecting the Let Me Choose the Domain or OU option button. Click the Browse button to select a domain and optionally an OU.
7. In the Credentials section, click the New button to create a RunAs account to access Active Directory.
8. Enter a Display Name for the account, something like
5. After some time, the status should show as Finished Success. Click Refresh to update the status. Now the Active Directory objects have been imported into the CMDB. Each object will have a corresponding Configuration Item (CI) in the database.
Operations Manager Connector Deployment The Operations Manager connector is really a two-part connector, one for the configuration information that OpsMgr collects and the other for the alerts that OpsMgr generates. The OpsMgr configuration information enriches the CMDB object store and the OpsMgr alerts can automatically generate incident processes. The tasks needed to create an Operations Manager connector are as follows: • Import the Service Manager management packs necessary for the configuration item connector. • Create an Operations Manager 2007 connector and import configuration items and alerts from Operations Manager 2007. • Synchronize an Operations Manager 2007 connector to reflect changes made in Operations Manager. The Service Manager management pack import task is a manual process and requires using PowerShell. To import the Service Manager management packs, execute the following steps: 1. Launch PowerShell with the Run As Administrator option. 2. Change the Execution Policy to Unrestricted by running the command Set-ExecutionPolicy Unrestricted. At the confirmation question, press Y and Enter. 3. To change the directory to the location of the management pack files, enter cd "\Program Files\Microsoft System Center\Service Manager 2010\Operations Manager Management Packs" and press Enter.
4. Run the import script by entering the command .\installOMMPs.ps1 and pressing Enter. The script imports 13 management packs. The results are shown in Figure 14.11. 5. Type Exit and press Enter to close PowerShell. The next task is to create the Operations Manager connector. There are two connectors to create, an Alert connector and a Configuration Item (CI) connector. Before creating the Operations Manager Alert connector, an affected user needs to be created. This allows a user to be assigned by default to any automatically generated incidents. To create the affected user, execute the following steps: 1. Launch the Service Manager console. 2. Select the Configuration Items space. 3. Select the Users view. 4. In the Tasks pane under Users, click the Create User link.
FIGURE 14.11 Operations Manager connector management pack import.
5. In the First Name field, enter OpsMgr and in the Last Name field, enter Alert. 6. Click OK to create the user. There is now a new user with the username OpsMgr.Alert and the domain SMInternal. This will be used with the Operations Manager connector. To create the Operations Manager Alert connector, complete the following steps: 1. Launch the Service Manager console. 2. Select the Administration space. 3. Select the Connectors node. 4. In the Tasks pane, click Create Connector and select Operations Manager Alert Connector from the list. 5. Click Next at the introduction screen. 6. Enter a name for the connector, such as Company ABC Alerts Connector, and click Next. 7. In the Server Name field, type the name of the Operations Manager Root Management Server. 8. In the Credentials section, click the New button to create a RunAs account to access the Operations Manager management group. 9. Enter a Display Name for the account, something like OpsMgr Account, and then enter the credentials. Click OK to save the RunAs account.
10. Click the Test Credentials button to test. There should be a "The connection to the server was successful" pop-up message. Click OK to clear the pop-up message. 11. Click Next. 12. Click Add to add a routing rule. 13. In the Rule Name field, enter All Critical Severity High Priority Alerts.
14. Select the Operations Manager Incident Template. 15. Check the Priority box and select High. 16. Check the Severity box and select Error. The result should look like Figure 14.12.
FIGURE 14.12 Operations Manager Alert Routing rule.
17. Click OK. 18. Click Next. 19. Check the Resolve Incidents Automatically When the Alerts in Operations Manager Are Closed check box and click Next. 20. Click Create to create the Operations Manager Alert connector. 21. Click Close to close the wizard. The connector has been created in Service Manager and a corresponding Operations Manager Internal connector has been created as well, but a subscription needs to be created in the Operations Manager console to forward the appropriate alerts to the Service Manager management group.
The Operations Manager product connectors allow administrators to set up subscription rules to synchronize alerts with Service Manager. In this example, all alerts will be synchronized. To create the Operations Manager connector subscriptions, execute the following steps: 1. Launch the Operations Manager console.
NOTE The Operations Manager console has a similar look and feel as the Service Manager console. They both include the Outlook style layout, with a Folder pane, Items pane, and a Details pane below. They also include similar terminology, such as management group, administration space, connectors, and tasks.
2. Select the Administration space. 3. Select the Product Connectors, Internal Connector node. 4. Select the Alert Sync connector. 5. Select Properties of the Alert Sync connector. 6. Click Add in the Subscriptions section. 7. Enter All Critical Severity High Priority Alerts in the Subscription Name field and click Next. 8. Leave all groups approved on the Approve Groups page and click Next. 9. Leave all targets selected on the Approve Targets page and click Next. 10. Uncheck the Medium Priority box on the Criteria page and click Create. 11. Click OK to close the connector properties. Now all critical severity high priority alerts in Operations Manager will be synchronized with Service Manager. Each alert will create an incident in Service Manager, which will be automatically closed if the alert is resolved in Operations Manager. The next task is to create the second type of Operations Manager connector, the Configuration Item connector or CI connector. This connector will synchronize discoveries from Operations Manager. To create the Operations Manager CI connector, execute the following steps: 1. Launch the Service Manager console. 2. Select the Administration space. 3. Select the Connectors node. 4. In the Tasks pane, click Create Connector and select Operations Manager CI Connector from the list. 5. Click Next at the introduction screen. 6. Enter a name for the connector, such as Company ABC CI Connector, and click Next.
7. In the Server Name field, type the name of the Operations Manager Root Management Server. 8. In the Credentials section, select the RunAs account used for the Alert connector. 9. Click the Test Credentials button to test. The system prompts for a password, essentially verifying access to the RunAs account. Enter the password for the RunAs account and click OK. 10. There should be a "The connection to the server was successful" pop-up message. Click OK to clear the pop-up message. 11. Click Next. 12. Check the Select All box to select all available management packs for synchronization and click Next. 13. For the schedule, leave the default of Every Day, select 1:00 AM for the time, and click Next.
NOTE Many of the Operations Manager discoveries run daily at 12:00 AM, so setting the CI connector synchronization to 1:00 AM gives those discoveries time to complete before being imported into the CMDB.
14. Click Create to create the Operations Manager CI connector. 15. Click Close to close the wizard. The Operations Manager CI connector will run a first-time synchronization right after being created and will then synchronize according to the schedule thereafter. The Operations Manager CI data will be merged with the Active Directory data, creating a more comprehensive view of the assets.
Configuration Manager Connector Deployment The Configuration Manager connector both extends the object data imported from Active Directory and updates the data where needed. In addition, Configuration Baseline information can automatically generate incidents due to noncompliance from the Desired Configuration Management feature of ConfigMgr. The tasks needed to create a Configuration Manager connector are as follows: • Create the Configuration Manager 2007 connector to import inventory hardware and software data. • Synchronize the Configuration Manager 2007 connector to reflect changes made in Configuration Manager.
To create the Configuration Manager connector, execute the following steps: 1. Launch the Service Manager console. 2. Select the Administration space. 3. Select the Connectors node. 4. In the Tasks pane, click Create Connector and select Configuration Manager Connector from the list. 5. Click Next at the introduction screen. 6. Enter a name for the connector, such as Company ABC Configuration Manager Connector, and click Next. 7. Make sure the System Center Configuration Manager Connector Configuration is selected in the Management Pack pull-down and then click Next. 8. Enter the name of the Configuration Manager Database Server Name and the Database Name. 9. In the Credentials section, click the New button to create a RunAs account to access the Operations Manager management group. 10. Enter a Display Name for the account, something like ConfigMgr Account, and then enter the credentials. Click OK to save the RunAs account. 11. Click the Test Credentials button to test. There should be a "The connection to the server was successful" pop-up message. Click OK to clear the pop-up message. 12. Click Next. 13. Check the All Systems Collection for Synchronization check box, and click Next. 14. For the schedule, select Every Day, 1:00 AM, and click Next. 15. Click Create to create the Configuration Manager connector. 16. Click Close to close the wizard. The Configuration Manager connector will appear in the Connectors window. The initial synchronization should start automatically in a few minutes. To trigger a manual synchronization, select the connector and click the Synchronize Now link in the Tasks pane.
Backing Up Service Manager 2010 In the event of a disaster, it is important to have backups of the components needed to restore the Service Manager 2010 infrastructure. The components needed for disaster recovery include the following: • ServiceManager database • Service Manager encryption key • DWStagingAndConfig database
• DWRepository database • DWDataMart database These components need to be backed up on different schedules. Table 14.14 lists the recommended schedule for the backups.
TABLE 14.14 SvcMgr Component Backup Schedules
Component                                                                                   Full Backup       Differential Backup
Service Manager database (ServiceManager)                                                   Weekly            Daily
Root Management Server encryption key                                                       At Installation   (none)
Service Manager data warehouse databases (DWStagingAndConfig, DWRepository, DWDataMart)     Weekly            Daily
These backups are above and beyond the standard backups needed for servers, such as file-level backups, System State, and SQL Server backups.
ServiceManager Database Backup The ServiceManager database contains most of the Service Manager environment configuration settings, workflow information, templates, management packs with customizations, configuration information, and other data required for Service Manager to operate properly. The loss of the ServiceManager database requires a complete rebuild of the Service Manager 2010 infrastructure. The ServiceManager database should be backed up on a daily basis. The recommendation is to do a full backup weekly and a differential backup daily to reduce disk space requirements. To set up the full and differential backups for the ServiceManager database, execute the following steps: 1. Launch SQL Server Management Studio on the operations database server. 2. Click the Connect button. 3. Expand the Databases folder. 4. Right-click the ServiceManager database, select Tasks, and click Back Up. 5. In the Back Up Database dialog box, type the name of the backup set in the Name box. 6. In the Destination section, click Add. 7. In the Select Backup Destination dialog box, type a path and a filename in the Destination on Disk box, and then click OK.
NOTE The destination location selected must have enough disk space to hold the backups.
8. In the Script pull-down menu at the top of the window, select Script Action to Job. 9. In the Name field, enter a name for the job such as Back Up Database ServiceManager Full.
10. In the New Job window, select the Schedules page and click New. 11. In the New Job Schedule dialog box, type ServiceManager Weekly Full Backup as the job name in the Name box, specify the job schedule as weekly, and then click OK. 12. Click OK. 13. At this point, click OK to execute a manual full backup or click Cancel to skip it. 14. Right-click the ServiceManager database, select Tasks, and click Back Up. 15. Select Differential in the Backup Type pull-down menu. 16. In the Back Up Database dialog box, type the name of the backup set in the Name box. 17. In the Destination section, click Add. 18. In the Select Backup Destination dialog box, type a path and a filename in the Destination on Disk box, and then click OK.
NOTE The destination location selected must have enough disk space to hold the backups.
19. In the Script pull-down menu at the top of the window, select Script Action to Job. 20. In the Name field, enter a name for the job such as Back Up Database ServiceManager Differential. 21. In the New Job window, select the Schedules page and click New. 22. In the New Job Schedule dialog box, type ServiceManager Daily Differential Backup as the job name in the Name box, specify the job schedule as daily, and then click OK. 23. Click OK. 24. Click OK to execute a manual differential backup right away or click Cancel to skip it.
NOTE The full backup will have had to run before running the differential backup; otherwise, it will fail.
The ServiceManager database backup will now execute automatically according to the recommended schedule.
Repeat this procedure for each of the following Service Manager data warehouse databases: • DWStagingAndConfig database • DWRepository database • DWDataMart database Make sure to change the job names to reflect each of the databases.
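The weekly full and daily differential backups set up through the wizard above, for the ServiceManager database and the three data warehouse databases, expressed as one T-SQL script that can serve as the body of the two SQL Server Agent job steps (set @Mode per job). This is an added example, not from the book; the destination folder D:\SMBackup and the @Mode switch are assumptions, and the database names are the chapter's defaults.

```sql
-- Added example (not from the book): weekly full / daily differential backups for
-- the Service Manager 2010 databases in Table 14.14, as one T-SQL script that can
-- be used as the body of two SQL Server Agent job steps (set @Mode per job).
-- Assumptions: D:\SMBackup exists and the SQL Server service account can write
-- to it; the database names are the chapter's defaults.
SET NOCOUNT ON;

DECLARE @BackupDir nvarchar(260) = N'D:\SMBackup\';   -- assumed destination folder
DECLARE @Mode      nvarchar(12)  = N'DIFFERENTIAL';   -- N'FULL' for the weekly job

-- The databases the chapter backs up on the same weekly/daily schedule.
DECLARE @Databases TABLE (Name sysname NOT NULL);
INSERT INTO @Databases (Name)
VALUES (N'ServiceManager'), (N'DWStagingAndConfig'),
       (N'DWRepository'),   (N'DWDataMart');

-- Timestamp for unique backup file names, e.g. 20100117_0100.
DECLARE @Stamp nvarchar(20) = CONVERT(nvarchar(8), GETDATE(), 112) + N'_'
    + LEFT(REPLACE(CONVERT(nvarchar(8), GETDATE(), 108), N':', N''), 4);

DECLARE @Db sysname, @File nvarchar(300), @Sql nvarchar(max);

DECLARE DbCursor CURSOR LOCAL FAST_FORWARD FOR SELECT Name FROM @Databases;
OPEN DbCursor;
FETCH NEXT FROM DbCursor INTO @Db;

WHILE @@FETCH_STATUS = 0
BEGIN
    IF DB_ID(@Db) IS NULL
    BEGIN
        -- A data warehouse database is absent here if the DW server is separate.
        RAISERROR(N'Database %s is not on this instance; skipping.', 10, 1, @Db) WITH NOWAIT;
    END
    ELSE IF @Mode = N'DIFFERENTIAL'
        AND NOT EXISTS (SELECT 1 FROM msdb.dbo.backupset
                        WHERE database_name = @Db AND type = 'D')  -- 'D' = full backup
    BEGIN
        -- The chapter's note: a differential backup fails unless a full backup
        -- already exists, so fail the job step with a clear message instead.
        RAISERROR(N'No full backup of %s is recorded in msdb; run the full job first.',
                  16, 1, @Db) WITH NOWAIT;
    END
    ELSE
    BEGIN
        SET @File = @BackupDir + @Db + N'_' + @Mode + N'_' + @Stamp + N'.bak';
        SET @Sql = N'BACKUP DATABASE ' + QUOTENAME(@Db)
            + N' TO DISK = N''' + @File + N''''
            + N' WITH ' + CASE WHEN @Mode = N'DIFFERENTIAL' THEN N'DIFFERENTIAL, ' ELSE N'' END
            + N'INIT, CHECKSUM, STATS = 10, NAME = N''' + @Db + N' ' + @Mode + N' Backup'';';
        EXEC sys.sp_executesql @Sql;

        -- Confirm the backup media is readable before relying on it for disaster recovery.
        SET @Sql = N'RESTORE VERIFYONLY FROM DISK = N''' + @File + N''' WITH CHECKSUM;';
        EXEC sys.sp_executesql @Sql;
    END
    FETCH NEXT FROM DbCursor INTO @Db;
END

CLOSE DbCursor;
DEALLOCATE DbCursor;
```

Schedule the script twice in SQL Server Agent, once with @Mode set to N'FULL' on the weekly schedule and once with N'DIFFERENTIAL' on the daily schedule, and the job history then shows which database, if any, failed the prior-full-backup check.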
Service Manager Encryption Key Backup The Service Manager encryption key encrypts the data going between the Service Manager management server and the Service Manager database in the management group. The encryption key is needed to bring Service Manager back online after a disaster recovery. The SecureStorageBackup tool is used to back up the RMS encryption key. To back up the RMS encryption key, complete the following steps: 1. Log on to the Service Manager management server with a Service Manager administrator account. 2. Launch Explorer. 3. Navigate to \Tools\SecureStorageBackup\ on the Service Manager installation media. 4. Double-click SecureStorageBackup.exe.
5. Click Next. 6. Select Backup the Encryption Key and click Next. 7. Enter a path and file for the backup, such as c:\backup\SMEncryptionKey.bin, and click Next. 8. Enter a password to protect the backup and confirm the password, and then click Next. 9. Click Finish to complete the backup. The key is now backed up and password protected.
NOTE The encryption key does not change over time, so it only needs to be backed up once and stored securely.
Summary System Center Service Manager 2010 is key to managing IT service management processes. This is a critical solution to efficiently integrating people, processes, and technologies, as mandated by IT frameworks such as MOF and ITIL.
In addition, Service Manager leverages the data in its sister System Center products Operations Manager and Configuration Manager. It integrates and synthesizes the operational and configuration data from those products to automatically spawn service management processes. Finally, Service Manager extends the IT department's reach by providing Self-Service Portals to end users and analysts that provide rapid solutions to problems while reducing the level of effort of IT staff. Designing and implementing Service Manager 2010 into the organization will improve the operational efficiency, leverage the existing IT investments, and improve the service levels of the IT department.
Best Practices The following are best practices from this chapter: • Always create a design and planning document when deploying Service Manager, even if it is a simple one. • Take future expansion and relevance of hardware into account when sizing servers for SvcMgr deployment. • Keep the installation of SvcMgr components on a separate server or set of separate dedicated member servers that do not run any other separate applications. • Use SQL Enterprise Edition when combining components on the same server. • Use SQL Enterprise Edition when scaling up Service Manager. • Allocate adequate space for the databases depending on the length of time needed to store work items and the number of computers in the organization. • Size the disk subsystems to provide sufficient IOps to support the anticipated data flows. • Use SANs where possible for the improved throughput. • Connect Service Manager to Active Directory, Operations Manager, and Configuration Manager for maximum benefit.
CHAPTER 15
Using Service Manager 2010 for Incident Tracking and Help Desk Support
Unfortunately, information technology (IT) systems fail. This can be by directly breaking down—as in a server hardware failure, a misguided configuration change, or an application glitch—or by failing to function properly from a user's perspective by not being easy to understand or not behaving as expected. These failures result in incidents. Service Manager creates and tracks incidents to help resolve those failures. Service Manager tracks incidents and problems, which are fundamentally different. Information Technology Infrastructure Library (ITIL) defines incident management and problem management as different but interrelated processes.
Incidents and Problems In the ITIL Service Support discipline, incidents are events where the standard operation of IT services is disrupted or the quality is impacted. Incidents are resolved when operations of IT services are returned to standard. Incident management attempts to resolve incidents as quickly as possible while minimizing the impact to the organization. Problems, on the other hand, might actually reflect standard operations. Problems might have unknown causes or be the result of a known error. The resolution of a problem is normally a workaround or a solution in the form of a change to standard operations.
IN THIS CHAPTER • Incidents and Problems • Configuring Incident Settings • Service Manager Notifications • Creating New Incidents • Working with Incidents • Configuring Problem Settings • Working with Problems • Incident and Problem Reports
The ITIL definition of problem management attempts to reduce the number of problems and the severity of those problems. Service Manager is designed to automate and facilitate both incident and problem management.
Understanding Service Manager Incidents Incident records are Service Manager records of incidents and are the core of the incident management process. The goal of the Service Manager incident management process is to restore normal operations as quickly as possible. Incidents are equivalent to trouble tickets. These are created in response to a variety of events. The Service Manager incident process covers all the steps in the ITIL incident management process. These steps are as follows: • Incident detection and recording • Classification and support • Investigation and diagnosis • Resolution and recovery • Incident closure • Incident reporting The outcome of incident resolution is the resumption of service, meaning a return to normal service operations. An additional outcome might be the initiation of a problem to identify and address the root cause of the incident.
Understanding Service Manager Problems Service Manager problems are records that group incidents with a common root cause, allowing the underlying problem to be addressed and the associated incidents to be resolved when the problem is resolved. Typically, a problem record will not be created until multiple incidents have occurred. The Service Manager problem process covers the steps in the ITIL problem management process. These steps are as follows: • Problem identification and recording • Problem classification • Problem investigation and diagnosis The outcome of problem resolution is likely to be a change and, thus, leads to the change management processes. This is covered in Chapter 16, "Using Service Manager 2010 Change-Control Management."
Configuring Incident Settings Before working with incidents, a number of settings should be configured. These settings are as follows: • Incident prefix • File attachment limits • Priority calculation • Resolution time • Operations Manager Web console • Inbound email
In some cases, such as the OpsMgr Web console setting, there is no default and a setting must be configured to get it operational. For other cases, such as the default resolution times, the default is not acceptable for most organizations and needs to be set for effectiveness.
Incident Prefix By default, each incident is prefixed with the letters IR, for incident record. This can be adjusted to something different, such as TT for trouble ticket or TICKET. The maximum number of characters is 15. To change the incident prefix, complete the following steps: 1. Launch the Service Manager console. 2. Select the Administration space. 3. Select the Administration/Settings folder. 4. In the right pane, select the Properties of the Incident Setting object. 5. In the General section, change the Prefix field to the desired setting. 6. Click OK to save the change. The change takes effect for all new incidents. This value should only be changed if needed.
NOTE The new prefix is not applied to the existing incident records, only to new records.
File Attachment Limits File attachments to incidents have built-in limiters. This ensures that huge files or large numbers of files don't get attached to incidents and bloat the database unnecessarily. This can be a real issue if help desk personnel or end users attempt to attach 100MB log files or gigabyte PST files to incidents. File attachments are limited by the number of attachments and the size of the attachments. The permitted ranges and the default settings are given in Table 15.1.
TABLE 15.1 File Attachment Settings
File Attachment Limits           Range      Default Setting
Maximum number of attachments    0-10       10
Maximum size (KB)                0-10240    2048
To adjust the default file attachment settings, complete the following steps: 1. Launch the Service Manager console. 2. Select the Administration space. 3. Select the Administration/Settings folder. 4. In the right pane, select the Properties of the Incident Setting object. 5. In the General section, change the Maximum Number of Attached Files and the Maximum Size (KB) fields to the desired settings. 6. Click OK to save the changes. The changes take effect immediately in the console and web interfaces.
NOTE The new file attachment settings are not applied to the existing incident records, only to new records or during changes to existing records.
Priority Calculation Incidents are rated by priority, which is a combination of the impact and urgency of the incident. The priority rating is used to determine the appropriate resolution time for the incident, which drives sending notifications, escalating, and service-level metrics. Impact and urgency are generally defined by ITIL, but the specifics are left to the organizations. Impact is rated as low, medium, or high. It is a subjective measure of how much the incident is impacting the organization. This is frequently measured in terms of the number of users impacted or the level of impact to the organization. For example, an incident for a single end user not being able to access email would have a lower impact than an incident for all users not being able to access email. Urgency is also rated as low, medium, or high. It is a subjective measure of how quickly the incident must be addressed. For example, an incident for a mission-critical system like email being unavailable would have a higher urgency than an incident for a non-mission-critical system like the company event web page. Even though those two systems might impact the same number of users—that is, the entire company—they are assigned different urgencies.
The default Service Manager priority gives weighting to the urgency over impact, and incident priorities are assigned as shown in Table 15.2. The highest priority is assigned 1 and the lowest priority is assigned 9. These values are not set by default and need to be configured by the administrator.
TABLE 15.2 Priority Table
                  Impact Low    Impact Medium    Impact High
Urgency Low       9             8                7
Urgency Medium    6             5                4
Urgency High      3             2                1
These priority assignments can be changed, if needed, for consistency with other systems in the organization or to adjust the behavior of Service Manager. To configure the priority assignments, complete the following steps: 1. Launch the Service Manager console. 2. Select the Administration space. 3. Select the Administration/Settings folder. 4. In the right pane, select the Properties of the Incident Setting object. 5. In the Priority Calculation section, use the pull-down menu to change the priorities, as shown in Figure 15.1.
FIGURE 15.1 Priority calculation adjustment.
NOTE Be sure that the chosen priorities match all possible priorities in your Service Manager configuration.
6. Click OK to save the changes. These new settings are used by Service Manager immediately.
NOTE These priority calculations should only be adjusted for specific and well-understood reasons. In addition, the resolution times need to be adjusted in response to changes in the priority calculations.
Resolution Times The resolution time incident settings define the service levels for the time it is expected to take to resolve an incident based on the priority. Incidents that fall outside of their resolution times can be viewed in the Overdue Incidents folder in the Work Items space under the Incident Management tree. These can also trigger workflows for notification and escalation. The incident resolution times can be set in terms of the following intervals: • Minutes • Hours • Days • Weeks The numeric value can be set from 0 to 2,147,483,647, which should cover the most demanding of needs. If set to 0, the resolution time for that priority is ignored. The default resolution time for all priorities is 0, so by default all resolution times are disabled. To set resolution times for the priorities, complete the following steps: 1. Launch the Service Manager console. 2. Select the Administration space. 3. Select the Administration/Settings folder. 4. In the right pane, select the Properties of the Incident Setting object. 5. In the Resolution Time section, use the pull-down menu to change the target resolution time for the specific priorities. For example, set the resolution times for Priority 1 incidents (high impact and high urgency) to 2 hours, as shown in Figure 15.2.
FIGURE 15.2 Setting resolution times.
6. Click OK to save the changes. These new settings are used by Service Manager immediately. However, the console might need to be closed and launched again to see the changes reflected in the views.
Operations Manager Web Console Setting The incidents created by the Operations Manager connector include links back into the Operations Manager Web console. These links launch the Operations Manager Web console to show the following: • View Alert Details—This is the detailed view of the Operations Manager alert that created the incident. • View CI Health State—This is the Operations Manager Health Explorer view of the object that generated the alert. These help drill down into the details of the alert, leveraging the Operations Manager wealth of data and showing the level of integration of the System Center products. To set the Operations Manager Web console address, complete the following steps: 1. Launch the Service Manager console. 2. Select the Administration space. 3. Select the Administration/Settings folder.
4. In the right pane, select the Properties of the Incident Setting object. 5. In the Operations Manager Web Settings section, enter the Web console URL. This is typically http://servername:51908. 6. Click OK to save the changes. Now, clicking on the View Alert Details and the View CI Health State tasks in the incident shows the Operations Manager details.
Inbound Email Settings One of the cooler capabilities of Service Manager is the ability to generate incidents from emails. Rather than launch a special console or web page, users can simply compose an email and send it to a help desk mailbox. Service Manager automatically collects that mail and converts the mail into incidents. The tasks needed to set up Service Manager to accept email incidents are as follows: • Configure Exchange to route email to Service Manager. • Configure Service Manager to accept SMTP mail. • Configure Service Manager to monitor the mail folders. The first task is to configure Exchange 2010 to route email to Service Manager. This requires configuring an accepted domain and a send connector to route the mail to Service Manager. To configure Exchange 2010 to route email to Service Manager, complete the following steps: 1. On the Exchange 2010 Hub Transport server, launch the Exchange Management Console. 2. Select the Organization Configuration, Hub Transport folder. 3. In the Actions pane, click the New Accepted Domain link. 4. Enter a name, such as Service Manager Helpdesk Domain, and the domain, such as helpdesk.companyabc.com.
5. Select the Internal Relay Domain option button (shown in Figure 15.3) and then click New. 6. After the wizard completes, click Finish to close the wizard. 7. In the Actions pane, click the New Send Connector link. 8. Enter a name for the send connector, such as Service Manager Helpdesk Send Connector.
9. In the Select the Intended Use for This Connector pull-down menu, select Internal and then click Next. 10. Click Add to add an SMTP address space to route. 11. In the SMTP Address Space window, enter the domain used earlier, such as helpdesk.companyabc.com.
FIGURE 15.3 Exchange 2010 accepted domain settings.
12. Check the Include All Subdomains check box and then click OK.
13. Click Next.
14. Click Add to add a smart host to route mail to.
15. Select the FQDN option button, enter the Service Manager SMTP server name (in this case, sm1.companyabc.com), and click OK.
16. Click Next.
17. Leave the Smart Host Authentication at None and click Next.
18. Select additional Hub Transport Source Servers if appropriate and then click Next.
19. Click New to create the connector and then click Finish when you are done.

Now the Exchange 2010 system is configured to route email to the Service Manager infrastructure.

The next task is to configure Service Manager to accept SMTP mail. To accomplish this, the Service Manager management server will be configured with an SMTP service. To do this, complete the following steps:

1. On the Service Manager management server, launch Server Manager.
2. Select the Features node and click the Add Features link.
3. Select the SMTP Server feature.
4. If the Add Role Services and Features Required window pops up, click Add Required Role Services.
NOTE The Windows Server 2008 SMTP Server feature is an integrated component of the Web Server (IIS), so the Web Server (IIS) role is required.
5. Click Next.
6. Click Next at the Web Server (IIS) screen.
7. Click Next to accept the role services.
8. Click Install to install the SMTP Server feature.
9. Click Close to close the Add Features wizard.
10. Select Start, Administrative Tools, and then Internet Information Services (IIS) Manager 6.0.
11. Expand the Server node, expand the SMTP Virtual Server #1 node, and then select the Domains folder.
12. Right-click the Domains folder and select New, Domain.
13. Select the Alias option button and click Next.
14. Enter the help desk domain name used earlier, such as helpdesk.companyabc.com, and click Finish.

The Service Manager management server is now configured to accept mail. The default configuration will only accept mail for the configured domains and will not relay mail to other domains.
NOTE Make sure that the Simple Mail Transfer Protocol (SMTP) Windows service is set to Automatic in the Services startup type so that the service will start at boot.
Finally, the last task is to configure Service Manager to monitor the mail folders. There will be two, one for email (the Drop folder) and one for bad mail (the Badmail folder). The default location for these folders is c:\inetpub\mailroot\. To configure Service Manager to accept emails, complete the following steps:

1. Launch the Service Manager console.
2. Select the Administration space.
3. Select the Administration/Settings folder.
4. In the right pane, select the Properties of the Incident Setting object.
5. Click the Incoming E-Mail link to go to that section.
6. In the SMTP Service Drop Folder Location field, enter c:\inetpub\mailroot\Drop.
7. In the SMTP Service Bad Folder Location field, enter c:\inetpub\mailroot\Badmail.
8. Enter the maximum number of messages that Service Manager will process at a time, for example 100.
NOTE Service Manager will convert incoming emails to incidents. Service Manager should not generate too many incidents from emails, so this number does not have to be all that high. A high volume of inbound emails is probably a spam issue rather than real incidents.
9. Enable incoming email by checking the Turn On Incoming E-Mail Processing check box, as shown in Figure 15.4.
10. Click OK to save the changes.

FIGURE 15.4 Enabling incoming email.
Service Manager now accepts incoming emails to the target domain and creates incidents for them. The sender becomes the affected user, the incident title becomes the subject line of the message, the body of the message becomes the incident description, and the original message is attached to the incident as a file.
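The three tasks above (Exchange routing, the SMTP Server feature on the management server, and the Drop and Badmail folders) can also be scripted and verified from PowerShell. The following is an added example, not a script from the book or from Microsoft. It uses the chapter's names (helpdesk.companyabc.com, sm1.companyabc.com) and assumes a Hub Transport server named HUB1 at 10.1.1.10, Windows Server 2008 R2 on the management server, a Service Manager workflow account COMPANYABC\svc-smworkflow, and a help desk address [email protected]; none of those appear in the text. The alias domain in IIS 6.0 Manager (steps 11 through 14 of the SMTP procedure) remains a UI step; the script covers everything else and ends with a smoke test that sends a message through Exchange and checks that it lands in the Drop folder.

```powershell
# Added example (not from the book). Assumptions: Hub Transport server HUB1 (10.1.1.10),
# Windows Server 2008 R2 on the Service Manager management server sm1, workflow account
# COMPANYABC\svc-smworkflow, help desk address [email protected].

# --- Task 1: run in the Exchange Management Shell on HUB1 --------------------------
# Accepted domain of type Internal Relay, as in steps 3 to 6 of the Exchange procedure.
New-AcceptedDomain -Name 'Service Manager Helpdesk Domain' `
    -DomainName 'helpdesk.companyabc.com' -DomainType InternalRelay

# Send connector to the smart host sm1 with no smart-host authentication (steps 7 to 19).
# The '*.' prefix on the address space is the shell form of "Include All Subdomains".
New-SendConnector -Name 'Service Manager Helpdesk Send Connector' -Usage Internal `
    -AddressSpaces 'SMTP:*.helpdesk.companyabc.com;1' `
    -SmartHosts 'sm1.companyabc.com' -SmartHostAuthMechanism None `
    -SourceTransportServers 'HUB1'

# --- Task 2: run elevated on sm1 ------------------------------------------------------
Import-Module ServerManager
# Installs the SMTP Server feature together with the Web Server (IIS) role services it needs.
Add-WindowsFeature SMTP-Server
# The SMTP service is installed with a Manual startup type; it must come up at boot.
Set-Service -Name SMTPSVC -StartupType Automatic
Start-Service -Name SMTPSVC

# The smart-host hop from HUB1 is unauthenticated, and the sender address becomes the
# incident's Affected User, so only the Hub Transport server should reach port 25 on sm1.
# With the firewall's default inbound action set to Block, this scoped allow rule is the
# only way in; remove any broader SMTP allow rule that the feature install may have added.
netsh advfirewall firewall add rule name="SMTP from Hub Transport only" `
    dir=in action=allow protocol=TCP localport=25 remoteip=10.1.1.10

# --- Task 3: the folders Service Manager polls (steps 6 and 7 of the last procedure) ---
$drop = 'C:\inetpub\mailroot\Drop'
$bad  = 'C:\inetpub\mailroot\Badmail'
foreach ($path in $drop, $bad) {
    if (-not (Test-Path $path)) {
        throw "$path is missing: the SMTP service is not installed or mailroot was moved"
    }
}
# Assumption: the workflow account reads the Drop folder, so it needs Modify rights there
# (to remove processed messages) and on Badmail. Report what it currently holds.
foreach ($path in $drop, $bad) {
    (Get-Acl $path).Access |
        Where-Object { $_.IdentityReference -like 'COMPANYABC\svc-smworkflow' } |
        Select-Object @{n='Path';e={$path}}, IdentityReference, FileSystemRights, AccessControlType
}

# --- Smoke test: submit one message through Exchange and watch it arrive in Drop --------
# Submits as an authenticated user on the Client receive connector (port 587, TLS); the
# From address must be the mailbox of the credential supplied. Subject follows the
# chapter's email-created incident example.
$before = (Get-ChildItem $drop -Filter *.eml).Count
Send-MailMessage -SmtpServer 'hub1.companyabc.com' -Port 587 -UseSsl `
    -Credential (Get-Credential -Message 'Mailbox user to send the test as') `
    -From '[email protected]' -To '[email protected]' `
    -Subject 'Problem Synchronizing Files' `
    -Body 'Offline files stopped synchronizing this morning.'
Start-Sleep -Seconds 60
$after = (Get-ChildItem $drop -Filter *.eml).Count
if ($after -gt $before) {
    "Message reached $drop; Service Manager will pick it up on its next polling cycle."
} else {
    "Nothing arrived in $drop. Check the queue on HUB1 (Get-Queue) and the SMTP log on sm1."
}
```

The firewall scoping is the check a practitioner should not skip: Exchange authenticates the user who submits the message, but the relay from the Hub Transport server to sm1 carries no authentication, and Service Manager turns the sender address into the affected user. A host that can open port 25 on sm1 directly could therefore file incidents as anyone. If the Drop folder stays empty after the smoke test, the usual causes are a Manual SMTP startup type (the NOTE above), the alias domain not yet created in IIS 6.0 Manager, or the send connector's address space not matching the help desk domain.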
Service Manager Notifications

Service Manager notifications allow emails to be delivered to help desk personnel, analysts, administrators, and end users notifying them of additions, changes, and deletions of the records that matter to them. The notification architecture is very deep and granular, allowing notification on any Service Manager object and on almost any condition. In addition to configuring the notification infrastructure, this section creates a sample notification. For this example, the network engineer for the company needs to get a high-priority email message when a network incident is created.
Service Manager Notification Architecture

Service Manager can notify via SMTP email of changes to objects. Notifications can be made for any class of object defined in the schema, which is extensive. The frequently used classes of objects are as follows:

• Announcement
• Change Request
• DCM Incident
• Domain User
• Incident
• Knowledge Article
• Manual Activity
• Problem
• Review Activity
• Windows Computer

Changes to objects of these classes are what trigger notification emails. Notifications can be triggered for the following events:

• Creations
• Updates
• Deletions

Finally, notifications can be filtered by additional criteria based on attributes of the targeted object class. For example, if the incident object class is chosen, attributes such as Assigned to User, Source, Priority, and all the other incident fields can be used as criteria. A field can be filtered using the following operators:

• Contains
• Does Not Contain
• Starts With
• Ends With
• Equals
• Does Not Equal
• Is Empty
• Is Not Empty
This gives the notification a fine-grained specification for targeting notification emails. The additional criteria allow the notification to be precisely targeted by exactly the right conditions needed by the most demanding of administrators.

The Service Manager notification architecture is composed of three elements:

• Channels—The channel is the path by which the notifications are sent. Service Manager only supports SMTP email in this version. Multiple SMTP server destinations can be configured to provide failover capabilities.
• Templates—Templates are used by subscriptions to correctly format the notification emails. The notification templates use variables to insert information into the form. The templates use the $Context object to get the current object.
• Subscriptions—Subscriptions specify the objects, trigger events, criteria, templates, and, finally, a recipient of the email notification. There is no limit to the number of subscriptions that can be created, so a sophisticated notification model can be developed that delivers precise notifications where they are needed.
NOTE The Service Manager notification architecture benefits from the lessons learned from the issues that the Operations Manager notification architecture had during the evolution of that product. The early revisions of MOM 2000, MOM 2005, and even OpsMgr 2007 made delivering the proper notifications difficult. Microsoft finally delivered a top-notch notification architecture in OpsMgr 2007 R2, and the Service Manager architecture benefits from that evolution.
Configuring the SMTP Notification Channel

The notification email channel is disabled by default. The channel needs to be configured with a destination SMTP server and enabled to be able to send notifications. To configure the notification channel, execute the following steps:

1. Launch the Service Manager console.
2. Select the Administration space.
3. Select the Administration/Notifications/Channels folder.
NOTE The folder is named Channels, but there is only a single channel predefined in the folder and no way of creating a new one in the UI. In the future, the product will incorporate the ability to create different SMTP channels and other types of channels.
4. In the Tasks pane, select the Configure link.
5. Check the Enable E-Mail Notifications check box.
6. Click Add to add an SMTP server.
7. Enter the SMTP Server Name and click OK.
8. Enter the Return E-Mail Address for the notification emails.
9. Click OK to save the settings.

The channel is ready to send notification emails to the SMTP server. If needed, additional SMTP servers can be configured to provide failover in the event of the outage of a given SMTP server.
Creating Notification Templates

Notification templates can be generic or they can be specific depending on the requirements. There is no limit to the number of templates that can be created, so creating additional templates to customize notification messages is highly recommended. As an example, the network engineer notification of network incidents requires the message be sent with high priority. To format the message properly, a new template needs to be created. To create an incident notification template, complete the following steps:

1. Launch the Service Manager console.
2. Select the Administration space.
3. Select the Administration/Notifications/Templates folder.
4. In the Tasks pane, click the Create E-mail Template link.
5. Enter the name Network Incident Notification Template.
6. In the Targeted Class section, click the Browse button.
7. Select the incident class and click OK.
8. Select the Service Manager Incident Management Configuration Library in the Management Pack section. It should be listed under the Recommended Management Packs in the pull-down menu.
9. Click Next.
10. In the Message Subject field, enter New Network Incident Created:.
11. With the cursor still in the Message Subject field, click the Insert button to select a database variable.
12. Select the Work Item ID property from the list and click Add. The string $Context/Property[Type='WorkItem!System.WorkItem']/Id$ will be inserted at the cursor point.

NOTE The long string $Context/Property[Type='WorkItem!System.WorkItem']/Id$ is called a substitution string and will be replaced, when the email is generated, with the value from the object record. Any field from the target class can be chosen; in this case, it is the record ID.
13. In the Message Body field, enter A network incident was created.
14. Change the Urgency field from Medium to High.
15. Click Next to display the Summary page.
16. Click Create to create the template and then click Close to close the wizard.

The template is now ready, but needs to be paired with a subscription to actually send messages.
Creating Notification Subscriptions

To bring it all together, subscriptions are used. These use the templates, channels, and the objects to deliver email messages. In the example of the notification of network incidents, the requirement is for the message to be sent to the network engineer when a network incident is created. To target the notification, a new subscription needs to be created. To create a notification subscription, execute the following steps:

1. Launch the Service Manager console.
2. Select the Administration space.
3. Select the Administration/Notifications/Subscriptions folder.
4. In the Tasks pane, click the Create Subscription link.
5. Click Next at the introduction screen.
6. In the Notification Subscription Name field, enter the name Network Incident Notification Subscription.
7. In the Targeted Class section, click the Browse button.
8. Select the incident class and click OK.
9. In the When to Notify pull-down menu, select When an Object of the Selected Class Is Created.
10. Select the Service Manager Incident Management Configuration Library in the Management Pack section. It should be listed under the Recommended Management Packs in the pull-down menu.
11. Click Next.
12. On the Additional Criteria page, check the Classification Category check box in the Available Properties section and then click Add.
NOTE The check mark clears from the Available Properties after adding the property to the criteria. This allows the property to be added again for multiple OR clauses such as Networking Problems or Printing Problems classifications.
13. From the pull-down menu, select the Networking Problems classification category, as shown in Figure 15.5.

FIGURE 15.5 Notification Subscription Additional Criteria.
14. Click Next.
15. In the E-mail Template section, click the Select button, select the previously created Network Incident Notification Template, and click OK.
16. Click Next.
17. In the Recipients section, click Add.
18. In the Select Objects window, select the appropriate user or group to target the notifications to (in this case, the network engineer), and click Add. Click OK to save the recipients.
NOTE This list of users and groups comes from the CMDB, which is synchronized via the Active Directory connector.
19. Click Next.
20. Click Create to create the notification subscription and then click Close to exit the wizard.

Now any new incident with the classification of Networking Problems generates a high-priority email to the network engineer.
Creating New Incidents Incidents can be created from a variety of sources, including manually, from OpsMgr alerts, from emails, and even from Configuration Manager. Each of these sources of incidents has different features, requiring different levels of work to evaluate, complete, and assign the incident to an analyst.
Manually Created Incidents

Manually created incidents are those created by analysts in response to a service event. They could be creating the incident in response to a help desk call, an email from an end user, or an observed service outage. For example, suppose a help desk analyst receives a report from an end user named Kim who is unable to access a server named WEBSERVER. The analyst wants to create a new incident to resolve the issue. To create a new incident, complete the following steps:

1. Launch the Service Manager console.
2. In the Search field in the upper-right corner of the console, enter WEBSERVER.
3. From the Search pull-down menu, select Windows Computer (as shown in Figure 15.6).
4. A Search Result window pops up with a list of matching objects from the CMDB. Select the WEBSERVER record and click the Create Related Incident task.
NOTE Searching is a fast way to track down any object in the CMDB. This allows analysts to quickly locate users, computers, incidents, problems, and any other record. The CMDB records can be reviewed and tasks launched directly from the search results.
FIGURE 15.6 Searching for a computer.
5. The Incident form loads with the required fields highlighted in red. Enter a Title for the incident, such as User Unable to Access WEBSERVER.
6. To fill in the Affected User field, click the ellipsis (...) button next to the field. Enter the affected user's name in the Search By Name field, in this example Kim, and click the Search icon. Select the user from the resulting list and click OK.
7. In the Classification Category, use the pull-down menu to select the appropriate category.
8. In the Impact and Urgency pull-down menus, select the appropriate impact and urgency. The priority is calculated automatically.
NOTE The Assigned To and Primary Owner fields are automatically populated with the help desk analyst who is entering the incident. The analyst needs to change these to the application administrator for the object.
9. To locate the appropriate application owner to assign the incident to, scroll down to the Affected Items section of the form, select the affected item WEBSERVER, and click the Open button, as shown in Figure 15.7.
FIGURE 15.7 Opening the affected item.
10. On the Computer form, scroll down to the CI Information section and note the CI Custodian, in this example "Tyson." Click Cancel to close the form.
11. Back on the Incident form, to fill in the Assigned To field, click the ellipsis (...) button next to the field. Enter the CI Custodian name in the Search By Name field, in this example "Tyson," and click the Search icon. Select the user from the resulting list and click OK.
12. To fill in the Primary Owner field, click the ellipsis (...) button next to the field. Enter the CI Custodian name in the Search By Name field, in this example "Tyson," and click the Search icon. Select the user from the resulting list and click OK.
13. Click OK to save the incident.

The incident is now created and assigned to the application owner.
OpsMgr Alert Created Incidents

Incidents that are created by Operations Manager alerts via the connector are not complete and usually need to be classified, have the affected user(s) specified, and be assigned to an analyst. Optionally, the impact and urgency might need to be adjusted, as all the incidents from the Operations Manager source have the same impact and urgency. To complete an Operations Manager-generated incident, complete the following steps:

1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Incident Management folder.
4. Select the All Open OM Incidents folder.
5. The middle pane shows a list of all open Operations Manager-generated incidents. Double-click an incident to open the incident form.
NOTE The OK button to save the incident is disabled. This is because the incident form is not complete and the key fields need to be entered to be able to save the incident.
6. Select the Affected User from the CMDB. This can be a user or a group.
7. Select the Classification Category from the pull-down menu.
8. In the Tasks pane, click the Assign to Analyst link.
9. Select the appropriate analyst and click OK.
10. Click OK to save the updated incident.

The alert-generated incident is now complete and ready for an analyst to work with.

Operations Manager alert incidents are generated with a template, the Operations Manager incident template. This template can be re-created to prepopulate fields and make it easier to complete the Operations Manager-generated incidents. For example, the template can specify the affected user, adjust the urgency and impact, and classify the incident automatically. Then, the only thing that needs to be done to complete Operations Manager incidents is to assign the incident to an analyst. To create a new template and assign it to the Operations Manager connector, complete the following steps:

1. Launch the Service Manager console.
2. Select the Library space.
3. Select the Templates folder and click Create Template in the Tasks pane.
4. Enter a name, such as Company ABC Operations Manager Incident Template.
5. In the Class section, click the Browse button.
6. Change the View to All Basic Classes, select the Operations Manager-Generated Incident class, and click OK.
7. Make sure the Service Manager Incident Management Configuration Library is selected in the Management Pack section and click OK.
8. When the template form appears, select an Affected User for the template. The OpsMgr.Alert user created in Chapter 14, "Service Manager 2010 Design, Planning, and Implementation," is a good candidate user.
NOTE Unfortunately, the Operations Manager connector will not be able to determine the actual affected users for the incidents. This is done by the analyst when evaluating the specific incidents.
9. Select the Classification Category as Other Problems.
10. Select the Source as Operations Manager.
11. Adjust the Impact and Urgency to Medium.
12. Click OK to save the new template.
13. Select the Administration space.
14. Select the Connectors folder.
15. Select the previously created Operations Manager Alerts connector, for example the Company ABC Alerts Connector.
16. Open the Properties of the connector.
17. Select the Alert Routing Rules page.
18. Change the default template from the default Operations Manager Incident Template to the new template, in this example Company ABC Operations Manager Incident Template. Note that alerts that match a user-defined routing rule use the template specified in that rule rather than the default template.
19. Also change the template for any routing rules by selecting the routing rule and then clicking the Edit button.
20. Click OK to save the changes.
NOTE Changes made to the template are applied to all future incidents generated by the Operations Manager connector. The changes do not affect existing incidents.
Now, when the incident is generated, it already contains all the required information. Rather than having to open an incident to complete and then assign it to an analyst, the incident can be assigned simply by selecting it in the console and clicking the Assign to Analyst link in the Tasks pane (as shown in Figure 15.8).
User-Created Incidents Via Web Portal Service Manager 2010 includes the capability for users to create incidents on their own initiative via the Self-Service Web Portal.
FIGURE 15.8 Assigning an incident to an analyst.
By way of example, take the case of a user who is having issues with a laptop cellular modem. The user wants to include the log file (test.txt) that is generated with the request for help. The user wants to create a request to have this fixed, that is, create an incident. To create the incident using the web portal, complete the following steps:

1. Launch the Internet Explorer web browser.
2. Enter the URL of the End-User Self-Service Portal, typically https://<servername>/EndUser. In the case of this example, the URL is https://sm1/enduser.
3. In the web portal, click the Create Request link in the lower-right part of the page.
4. The Create Request page loads (shown in Figure 15.9). The default is to have email as the preferred contact information and a request type of "Need Help With a Problem," that is, an incident. Click Next.
5. Select the Category of the problem from the drop-down menu. In this case, select Hardware Problems.
6. In the Title field, enter the title of the incident. In this case, the title is Laptop Cellular Modem Not Working.
7. In the Details field, enter the details of the incident.
8. Select the Urgency from the pull-down menu. The default urgency is Medium.
FIGURE 15.9 Self-Service Web Portal Create Request page.
9. At the bottom of the Incident Creation page, click the Browse button to browse for a file to attach and specify the test.txt log file.
10. Click Next.
11. A Summary web page is displayed, as shown in Figure 15.10. Click Submit to complete the request.

The user is presented with a page indicating the request was submitted and showing the Request ID. The user can see their recent requests by clicking the View All link in the Recent Requests box.
NOTE Because the incident was created by a single user, the impact of the incident is automatically set to low. The analyst can adjust this if needed.
The resulting incident is complete and can easily be assigned to an analyst from the Service Manager console.
FIGURE 15.10 Self-Service Web Portal Summary Request page.
Email-Created Incidents

Incidents can also be created from emails. This provides a low-effort method of creating an incident. This method is useful for the following sources:

• Users
• Analysts
• Automated systems

The ability to have an automated system generate an incident is particularly useful. Many applications and systems generate alerts, but it is difficult to create a connector for each of these disparate systems as was done for Operations Manager or Configuration Manager. However, many applications and systems generate an email for an alert. This can be targeted at the Service Manager email address to have incidents generated automatically for those systems.

Earlier in the chapter, the capability to accept emailed incident requests was configured and enabled. To create an incident from an email, complete the following steps:

1. Launch Microsoft Office Outlook.
2. Click New to create a new email message.
3. In the To field, enter the Service Manager email address. For the one created earlier in this chapter, enter [email protected].
4. In the Subject field, enter Problem Synchronizing Files.
5. In the Body, enter a description of the issue.
6. Click Send to submit the incident.

The incident is submitted. The Affected User is the sender, the Title of the incident is the email subject, the incident Description is the body of the email, and the Source of the incident is E-Mail. However, the incident is not complete, as the Classification Category is not entered.
Working with Incidents

Once incidents are created, analysts need to work with those incidents. The incidents need to be

• Evaluated
• Analyzed
• Resolved

These steps move the incident along the process toward resolving the service outage.
Evaluating and Assigning Incidents

The first step in working with incidents is for an analyst to evaluate the new incident and route it to the proper analyst for analysis and resolution. Depending on the nature of the specific incident, different expertise, authority, or availability is required to process the incident effectively and efficiently. In addition, many new incidents are not complete, such as those created from Operations Manager alerts or email incidents. Operations Manager incidents need to be assigned based on the source of the Operations Manager alert. Email incidents will typically need to be classified and assigned. An analyst must evaluate the new incidents and correctly do the following:

• Complete the incident—This means filling out any required fields, such as the Affected User, Title, Classification Category, Source, Impact, and Urgency.
• Evaluate the incident—This entails reviewing affected items and services, the nature of the issue, the priority of the incident, and making a determination about the best way to assign the incident.
• Assign the incident—Finally, the incident needs to be assigned.

These steps might vary by organization and by incident. It is important to develop procedures and train analysts to perform these tasks.
CHAPTER 15
Using Service Manager 2010 for Incident Tracking and Help Desk Support
To evaluate and assign an incident, complete the following steps:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Incident Management folder.
4. Select the All Open Unassigned Incidents folder.
5. Select an incident to evaluate from the list pane and click the Edit task in the Tasks pane.
6. Complete any of the fields highlighted in red (required fields). These fields should generally be completed, but might not be depending on the source of the incident.
7. In the Affected Items section, select the item and click the Open button.
8. In the CI Information section of the item form, note the CI Custodian. This is the individual to assign the incident to by default.
9. Click OK to exit the affected item form.
10. Back on the incident form, click the Assign to Analyst link in the Tasks pane.
11. Locate the CI Custodian name noted before and click OK.
12. The Assigned To field in the incident form now contains the CI Custodian name.
13. Click OK to save the changes and exit.
The incident is now gone from the All Open Unassigned Incidents view and is assigned to the custodian of the affected item. In the evaluation, the analyst can also easily add affected services or affected items to the incident.
Analyzing Incidents
This is where the real work of fixing the issue and bringing the incident to resolution occurs. The assigned analyst reviews the incident and performs the following activities:
• Analyze
• Troubleshoot
• Update
• Escalate
• Link
The analyst reviews the incident to better understand the nature of the problem, investigates related configuration and work items, links these related items where appropriate, and leverages the CMDB to perform these activities quickly and efficiently.
As an example of an analysis, suppose you, as the analyst, are coming in to work first thing in the morning and will review incidents that have been assigned to you. Complete the following steps:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Incident Management folder.
4. Select the My Incidents folder.
NOTE The My Incidents folder is filtered to only show incidents that have been assigned to the current analyst. This is very helpful for rapidly drilling into the incident the analyst is responsible for.
5. To quickly prioritize which incidents to process first, click the Priority column to sort by priority. The analyst has seven total incidents assigned, with one active priority 1 incident (the highest level), as shown in Figure 15.11. There is also a second priority 1 incident, but its status is resolved.
FIGURE 15.11 My Incidents sorted by Priority. (Screenshot of the Service Manager console, My Incidents view, showing incident IR296 Failed to send notification using server/device.)
6. Select the active priority 1 incident, which is the IR296 incident, and click Edit in the Tasks pane.
7. Review the description of the incident to get a better understanding of the issue. The affected item, OPSMGR, was unable to send a message using SMTP server EDGE.
8. To record that relation, select the Related Items tab in the incident form.
9. In the Configuration Items: Computers, Services, and People section of the Related Items, click Add.
10. From the CMDB, select the EDGE server, click Add to add the related item, and then click OK to save.
11. To review the status of the related EDGE server, click the Open button. This opens the Computer form for the EDGE server.
12. To determine if there were any issues with the EDGE server that correlate with the incident, select the Related Items tab in the Computer form.
13. In the Work Items Affecting This Configuration Item section, note that incident IR292 Transport Service Stopped was resolved (shown in Figure 15.12) and was the root cause of the SMTP failure in incident IR296.
FIGURE 15.12 Related item incident root cause. (Screenshot of the Computer form for edge.cco.com, Related Items tab: Work Items Affecting This Configuration Item; Configuration Items: Computers, Services and People; Knowledge Articles.)
14. With the root cause identified, close the Computer form by clicking OK.
15. In the Work Items section of the Related Items form of incident IR296, click Add.
16. Locate the root cause incident IR292, select the incident, click Add, and click OK to add the related incident to the current incident. The resulting changes to the incident are shown in Figure 15.13.
FIGURE 15.13 Related configuration and work items recorded. (Screenshot of incident IR296 Failed to send notification, Related Items tab: Work Items; Configuration Items: Computers, Services and People; Knowledge Articles; Attached Files.)
17. Click OK to save the changes to the incident. The incident has now been analyzed, troubleshot, and updated to reflect the findings. Service Manager's CMDB and related items features allow for rapid troubleshooting and root cause analysis and, more important, clear documentation of the relationships between not only objects, but also work items such as incidents.
Publishing Announcements
Sometimes an incident will result in a protracted service outage. Rather than leave the end users in the dark, it is best to get the information out that there are service-level problems. Service Manager announcements accomplish this goal. To create an announcement, complete the following steps:
1. Launch the Service Manager console.
2. Select the Administration space.
3. Expand the Announcements folder and select the All Announcements folder.
4. Click the Create Announcement task in the Tasks pane.
5. Enter a Display Name for the announcement. This will not be seen by the end users.
6. In the Announcement section, enter a Title such as Active Directory Performance Slow.
7. In the Body field, enter a description of the outage.
8. In the Expiration Date field, select a date and time for the announcement to expire.
9. In the Priority field, select the appropriate priority for the announcement.
10. Click OK to save the announcement.
The announcement will be immediately visible in the Self-Service Web Portal, as shown in Figure 15.14. When the announcement expires, it will no longer be visible to end users. However, the announcement record will still be in the Service Manager console, which is useful for reusing announcements or recurring announcements.
FIGURE 15.14 Service outage announcement. (Screenshot of the Self-Service Portal home page showing the Announcements and My Recent Requests sections.)
Running Troubleshooting Tasks
In addition to the CMDB, Service Manager has a number of built-in tasks to help analyze incidents directly. A number of troubleshooting tasks are available to assist the analyst in analyzing and troubleshooting incidents. The troubleshooting tasks include the following:
• Ping Related Computer—This runs a ping against affected items or related items. The task allows the analyst to select which item to ping. The results are recorded in the activity log of the incident.
• Remote Desktop—This launches an RDP session to an affected or related item.
• Request User Input—This requests user input and places the incident in a pending status.
• View Alert Details—This shows the alert that generated the incident in the Operations Manager Web console.
• View CI Health State—This shows the affected item's health state in the Operations Manager Web console.
These tasks can help the analyst quickly understand the current status of the affected items. By way of example, suppose you are an analyst assigned an incident IR312 Health Service Heartbeat Failure. The affected item is a domain controller ATHENA and the affected service is Active Directory Topology. To troubleshoot, complete the following steps:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Incident Management folder.
4. Select the My Incidents folder.
5. Open the incident, in this case IR312.
6. The incident shows that the Affected Service is Active Directory Topology and the Affected Item is ATHENA, as shown in Figure 15.15.
FIGURE 15.15 Affected Services and Items. (Screenshot of incident IR312 Health Service Heartbeat Failure showing the Affected Services and Affected Items sections.)
7. Click the Remote Desktop link in the Tasks pane to establish an RDP session to be able to interact directly with the affected computer. The task prompts for which computer to connect to, as there might be more than one affected computer or related computer.
8. Then click the Ping Related Computer link in the Tasks pane to ping the affected item. Select the computer and click OK to ping.
NOTE The ping does not show any results directly, which can be confusing. The results of the ping are recorded in the action log.
9. To see the results of the Ping task, go to the Action Log section of the incident. Figure 15.16 shows the results of the Ping task. The action log also shows that the record was assigned and that the Remote Desktop task was run before the Ping task.
FIGURE 15.16 Ping task results in the action log. (Screenshot of incident IR312, Action Log section, showing the recorded ping output.)
10. Because the computer is responding to pings, click the View Alert Details link in the Tasks pane to show the Operations Manager alert in the Web console. After reviewing the alert description, close the Operations Manager Web console.
11. Then click the View CI Health State task in the Tasks pane to view the configuration item's health state in the Operations Manager Web console. Select the appropriate object, in this case ATHENA. After reviewing the health state, close the Operations Manager Web console.
12. Based on the analysis, the problem is that the Operations Manager agent is stopped. Start the agent on ATHENA to resolve the issue. The incident closes automatically when the Operations Manager alert closes.
Tasks help analysts quickly execute diagnostic and repair tasks from the Service Manager console without having to launch another tool. They also have the advantage of documenting the tasks that were executed in the action log, allowing fellow analysts to review and understand what transpired on a given incident.
NOTE Custom tasks can be created in the Library space in the Tasks folder. This allows administrators to extend the task mechanism to include custom diagnostic and resolution commands.
Resolving Incidents
Resolving the incident is really resolving the incident record in Service Manager. The results of the incident analysis should be a resolved issue, which then allows the analyst to resolve the incident. Incidents can be resolved in the following ways:
• Manually by the analyst
• Automatically by the system
• By end users
The most common method of resolving incidents is done manually by an analyst. To resolve an incident manually, complete the following steps:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Incident Management folder.
4. Select the My Incidents folder.
5. Select the active priority 1 incident, which is the IR296 incident.
6. Click the Resolve link in the Tasks pane to resolve the current incident IR296.
7. At the Resolve pop-up window, select a Resolution Category and document the results of the analysis in the Comments field.
NOTE The Comments field automatically checks the spelling of the text, which is extremely helpful to ensure quality documentation of incident resolutions.
8. The incident status now shows a status of Resolved. Click OK to save the incident.
Manually resolved incidents are controlled by the analyst, so the resolution details can be updated when the incident is resolved. However, auto-resolved incidents present a bit of a challenge, as they do not prompt for resolution details. An alert might auto-resolve in response to actions by the analyst, such as when starting the Health Service for incident IR312. To properly document the incident or update the resolution details of the incident, complete the following steps:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Incident Management folder.
4. Select the My Incidents folder.
5. Select and edit the resolved incident that needs to have the resolution details updated.
6. Select the Resolution tab.
7. The Resolution Description field on the Resolution tab of the incident should be updated with a description of the fix, as shown in Figure 15.17.
FIGURE 15.17 Resolution Details update.
8. Click OK to save the incident update.
Another way that incidents can be resolved is by the end users themselves. When an end user creates an incident in the Self-Service Web Portal, Service Manager tracks the user's incidents and displays them in the web portal. The end user can close his or her own incidents if the problem goes away. To close their own incidents, end users would complete the following steps:
1. Launch the Service Manager Self-Service Web Portal.
2. In the My Recent Request section, click the View All link.
3. Select an active incident and click the Close Request button.
4. At the confirmation pop-up, click OK.
The status of the incident now shows as Closed. This gives end users the capability to close their own incidents and reduces the burden on the IT department to close misguided incidents.
Configuring Problem Settings
Before working with problems, a number of settings should be configured. These settings are as follows:
• Problem prefix
• File attachment limits
• Priority calculation
The problem prefix and attachment limits are optional configurations. The priority calculation must be set for the proper computation of priority from the urgency and impact values.
Problem Prefix
By default, each problem is prefixed with the letters PR, for problem record. This can be adjusted to something different, such as PT for problem ticket or PROBLEM. The maximum number of characters is 15. To change the problem prefix, complete the following steps:
1. Launch the Service Manager console.
2. Select the Administration space.
3. Select the Administration/Settings folder.
4. In the right pane, select the Properties of the Problem Setting object.
5. In the General section, change the Prefix field to the desired setting.
6. Click OK to save the change.
The change takes effect for all new problems. This value should only be changed if needed.
NOTE The new prefix is not applied to the existing problem records, only to new records.
File Attachment Limits
File attachments to problems have built-in limiters. This is supposed to ensure that huge files or large numbers of files don't get attached to problem records and bloat the database unnecessarily. This can be a real issue if help desk or end users attempt to attach 100MB data files or gigabyte installation files to problem records. File attachments are limited by the number of attachments and the size of the attachments. The permitted ranges and the default settings are given in Table 15.3.
TABLE 15.3 Problem File Attachment Settings

File Attachment Limits           Range                 Default Setting
Maximum number of attachments    0 to 2,147,483,647    10
Maximum size (KB)                0 to 2,147,483,647    64
NOTE The number 2,147,483,647 seems like an odd upper boundary at first. Interestingly, it is 2^31 - 1 and is the eighth Mersenne prime number. More important, it is the maximum value of a 32-bit signed integer, that is, the maximum value of a variable of type int. Hence, the seemingly arbitrary limit is actually a programmatic limit.
The limit on both the number of files and the size is over 2 billion. This seems excessive, especially for the maximum number of attachments, and likely isn't supportable. In future revisions, these are likely to be set to more reasonable limits. To adjust the default file attachment settings, complete the following steps:
1. Launch the Service Manager console.
2. Select the Administration space.
3. Select the Administration/Settings folder.
4. In the right pane, select the Properties of the Problem Setting object.
5. In the General section, change the Maximum Number of Attached Files and the Maximum Size (KB) fields to the desired settings.
6. Click OK to save the changes.
The changes take effect immediately in the console and web interfaces.
NOTE The new file attachment settings are not applied to the existing problem records, only to new records or during changes to existing records.
Priority Calculation
Problems are rated by priority, which is a combination of the impact and urgency of the problem. Impact and urgency are generally defined by ITIL, but the specifics are left to the organizations. Impact is rated as low, medium, or high. It is a subjective measure of how much the problem is impacting the organization. This is frequently measured in terms of the number of users impacted or the level of impact to the organization. For example, a problem for a single end user not being able to access email would have a lower impact than a problem for all users not being able to access email. Urgency is also rated as low, medium, or high. It is a subjective measure of how quickly the problem must be addressed. For example, a problem for a mission-critical system like email being unavailable would have a higher urgency than a problem for a non-mission-critical system like the company event web page. Even though those two systems might impact the same number of users—that is, the entire company—they are assigned different urgencies. The default Service Manager priority gives weighting to the urgency over impact, and problem priorities are assigned as shown in Table 15.4. The highest priority is assigned 1 and the lowest priority is assigned 9.
TABLE 15.4
Priority Table

                  Impact Low    Impact Medium    Impact High
Urgency Low       9             8                7
Urgency Medium    6             5                4
Urgency High      3             2                1
These priority assignments can be changed, if needed, for consistency with other systems in the organization or to adjust the behavior of Service Manager. To configure the priority assignments, complete the following steps:
1. Launch the Service Manager console.
2. Select the Administration space.
3. Select the Administration/Settings folder.
4. In the right pane, select the Properties of the Problem Setting object.
5. In the Priority Calculation section, use the pull-down menu to change the priorities.
6. Click OK to save the changes.
NOTE Be sure that the chosen priorities match all possible priorities in your Service Manager configuration.
These new settings are used by Service Manager immediately.
NOTE These priority calculation settings should only be adjusted for specific and well-understood reasons.
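The following Python is an added example, not Service Manager code or any of its APIs: it models the default matrix from Table 15.4 and checks a customized matrix the way the NOTE on the previous page advises (every impact/urgency combination configured, values within 1 to 9, and a higher impact or urgency never yielding a lower priority). The level names and the impact-weighted alternative table are constructed for the illustration.

```python
"""Priority matrix model for Service Manager problem settings (Table 15.4).

Added example; not Service Manager code.  Keys are (impact, urgency) pairs,
values are the priority number (1 = highest, 9 = lowest).
"""
from typing import Dict, List, Tuple

# Rating levels ordered from weakest to strongest (names as used in the chapter).
LEVELS = ("Low", "Medium", "High")

PriorityTable = Dict[Tuple[str, str], int]

# Default weighting from Table 15.4: urgency outweighs impact.
DEFAULT_PRIORITY_TABLE: PriorityTable = {
    ("Low", "Low"): 9,    ("Medium", "Low"): 8,    ("High", "Low"): 7,
    ("Low", "Medium"): 6, ("Medium", "Medium"): 5, ("High", "Medium"): 4,
    ("Low", "High"): 3,   ("Medium", "High"): 2,   ("High", "High"): 1,
}

# Constructed alternative an organization might configure: impact outweighs urgency.
IMPACT_WEIGHTED_TABLE: PriorityTable = {
    ("Low", "Low"): 9,    ("Low", "Medium"): 8,    ("Low", "High"): 7,
    ("Medium", "Low"): 6, ("Medium", "Medium"): 5, ("Medium", "High"): 4,
    ("High", "Low"): 3,   ("High", "Medium"): 2,   ("High", "High"): 1,
}


def priority(impact: str, urgency: str, table: PriorityTable = DEFAULT_PRIORITY_TABLE) -> int:
    """Return the priority a problem with this impact/urgency pair receives."""
    try:
        return table[(impact, urgency)]
    except KeyError:
        raise ValueError(f"no priority configured for impact={impact!r}, urgency={urgency!r}")


def validate_priority_table(table: PriorityTable) -> List[str]:
    """Return a list of configuration problems (empty means the matrix is consistent)."""
    issues: List[str] = []
    for i in LEVELS:
        for u in LEVELS:
            if (i, u) not in table:
                issues.append(f"missing priority for impact={i}, urgency={u}")
            elif not 1 <= table[(i, u)] <= 9:
                issues.append(f"priority {table[(i, u)]} for impact={i}, urgency={u} is outside 1..9")
    if issues:
        return issues  # ordering cannot be checked with holes in the matrix
    # Raising impact (urgency fixed) or urgency (impact fixed) must never produce a
    # larger number, i.e. a lower priority.
    for idx in range(len(LEVELS) - 1):
        lo, hi = LEVELS[idx], LEVELS[idx + 1]
        for other in LEVELS:
            if table[(hi, other)] > table[(lo, other)]:
                issues.append(f"impact {hi} gets a lower priority than {lo} at urgency={other}")
            if table[(other, hi)] > table[(other, lo)]:
                issues.append(f"urgency {hi} gets a lower priority than {lo} at impact={other}")
    return issues


def urgency_dominates(table: PriorityTable) -> bool:
    """True when, as in the default table, every cell of a higher urgency outranks
    every cell of the next lower urgency regardless of impact."""
    for idx in range(len(LEVELS) - 1):
        lo, hi = LEVELS[idx], LEVELS[idx + 1]
        worst_hi = max(table[(i, hi)] for i in LEVELS)  # largest number = weakest cell
        best_lo = min(table[(i, lo)] for i in LEVELS)
        if worst_hi >= best_lo:
            return False
    return True


if __name__ == "__main__":
    print("email down for everyone, high urgency:", priority("High", "High"))
    print("event page down for everyone, low urgency:", priority("High", "Low"))
    for name, tbl in (("default", DEFAULT_PRIORITY_TABLE), ("impact-weighted", IMPACT_WEIGHTED_TABLE)):
        print(name, "issues:", validate_priority_table(tbl), "urgency dominates:", urgency_dominates(tbl))
    # A constructed misconfiguration: High/High demoted below Medium/High.
    broken = dict(DEFAULT_PRIORITY_TABLE)
    broken[("High", "High")] = 4
    print("broken issues:", validate_priority_table(broken))
```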
Working with Problems Problem records are typically created in response to several incidents. These incidents could be a group of incidents that are congruent in time or a group of incidents that are spaced out over time. Sometimes a cluster of dissimilar incidents is due to a common root cause, such as the loss of an SMTP routing server resulting in an incident about mail routing, an incident about reports not being delivered, and a Windows service failure. Sometimes there is an incident that occurs, is resolved, occurs again, and so on, which is due to the same root cause. Problems give analysts a way to manage groups of incidents, updating and resolving them as a group. This reduces the administrative overhead and allows the easy documentation of root causes of incidents.
Creating a Problem
Problems can be created from scratch, but more often they are created directly from incidents. This is a natural outcome of the purpose of problems, which is to group incidents. For example, an analyst might review the assigned incidents and find a group of five User Account Locked Out incidents (shown in Figure 15.18) related to a hacking attempt. The hacking attempt is from the same attack vector, which was a particular IP address that was blocked to resolve the issue. Rather than resolve each incident separately, the analyst would rather resolve them all at once and have a problem record identifying the root cause. To create a problem record from the incident, complete the following steps:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Incident Management node and select the My Incidents folder.
4. Ctrl-click to select the incidents to link to the problem, and then click the Create Problem link in the Tasks pane.
5. In the Title field, enter a title for the problem such as Hacking Attempt.
6. Enter a Description for the problem.
7. Select the Assigned To analyst.
8. Select a Category, Impact, and Urgency.
FIGURE 15.18 Cluster of incidents. (Screenshot of the My Incidents view showing several User Account Locked Out incidents selected.)
9. Note that the Affected Items will be populated automatically from the incidents that were selected when the problem was created.
10. Click the Related Items tab to see the linked incidents.
11. Click OK to create the problem.
The problem, PR321 in this example, is now created and the affected items and related incidents are automatically linked. To see that the problem has been linked, open one of the incidents and select the Related Items tab. The linked problem will be listed in the Work Items section.
Analyzing Problems
Once a problem has been created, the analysis of the problem can be done. The underlying incidents are evaluated and a determination of the appropriate action to take is made. Problems can have detailed status notes, in several categories:
• Error—This is the root cause of the incidents that are linked to the problem.
• Workarounds—These are the workarounds to allow resolving the incidents, but not necessarily the resolution of the problem.
• Review Notes—These are notes on the problem.
• Resolution—This is the actual resolution of the problem.
This provides overarching documentation of the root cause, known errors, known workarounds, and the long-term resolution to the problem.
NOTE In reality, most of the analysis is done at the incident level. Based on that analysis, the problem root cause and solution are developed. The problem serves as mainly an organizing element.
For the problem created in the example Hacking Attempt, complete the following steps to analyze the problem:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Problem Management node and select the My Problems folder.
4. Select the PR321 Hacking Attempt problem and click the Edit link in the Tasks pane.
5. The ISA firewall was a related item, so select the Related Items tab and click Add in the Configuration Items: Computers, Services, and People section.
6. Select the ISA computer, click Add, and then click OK to add the firewall to the related items.
7. To update the status, select the Resolution tab.
8. In the Error Description field, enter a description of the hacking attempt.
9. In the Workarounds field, enter a description of any workarounds. In this case, unlocking the users' accounts is the main workaround.
10. In the Review Notes field, enter any notes, as shown in Figure 15.19.
FIGURE 15.19 Problem analysis and documentation. (Screenshot of problem PR321 Hacking Attempt, Resolution tab, showing the Error Description, Workarounds, Review Notes, and Resolution Details fields.)
11. Click OK to save the problem updates. The problem is now documented, so when future incidents of the same type are linked, the analysts can review the notes.
Resolving Problems
Once the underlying root cause of the problem has been identified and addressed, the problem needs to be resolved. To resolve a problem, complete the following steps:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Problem Management node and select the My Problems folder.
4. Select the PR321 Hacking Attempt problem and click the Edit link in the Tasks pane.
5. Click the Resolve link in the Tasks pane.
6. Select the Resolution tab.
7. In the Resolution Details section, check the Auto-resolve All Incidents with This Problem check box.
8. Select a Resolution Category.
9. Enter a Resolution Description, in this case, Hacker IP Address Blocked.
10. Click OK to save the edits to the problem.
After saving the problem, the incidents are automatically resolved as well. This saves the analyst the effort of having to update each incident individually.
Incident and Problem Reports
Reports help analysts, administrators, and management view and understand what is happening with incident and problem work items. This is useful to track the ebb and flow of issues, as well as understand how well the IT department is handling the workload. The default reports are included in the report library management packs, specifically:
• Incident Management Report Library
• Problem Management Report Library
The reports pull data from the data warehouse. The data warehouse must be installed, the Service Manager management group must be registered, and the ETL jobs must be run for data to be available for reports.
Service Manager Report Controls
The Service Manager reports are very sophisticated, although not many reports are included in the management packs. The reports are very flexible and each report has the following options:
• Parameter Control Header—Allows the report parameters to be adjusted.
• Print—Allows the report to be printed.
• Print Layout—Shows the report onscreen as it will print. This addresses a really annoying problem where the report looks one way onscreen and another way when printed.
• Page Setup—This allows the page size to be adjusted to change how the report paginates when printed.
• Export—Allows the report to be exported to a file. This supports a variety of formats such as XML, CSV, PDF, MHTML, Excel, Tiff, and Word.
The tasks allow reports to be generated and reports to be saved. Report tasks include the following:
• Run Report—This generates the report onscreen with the current parameters.
• Save as Favorite Report—This allows a report with specific parameters to be saved to the Favorite Reports folder.
• Save as Linked Report—This allows a report with the specific parameters to be saved in a management pack for exporting.
The reports all include the parameter control header to filter the results as needed. The options in the parameter control header vary depending on the report parameters. When the parameters for a particular report are adjusted, the report can be saved in the Favorite Reports folder to generate it quickly in the future with all the adjusted parameters.
NOTE Seriously lacking is an ability to schedule the reports. This will likely be included in future releases.
Exploring Incident Reports

Four different incident reports are included with the Incident Management Report Library. These incident reports allow analysts to view incidents in aggregate and allow management to evaluate analyst performance and service management performance. The incident management reports are as follows:
• Incident Analyst report—This report shows a summary of the analyst performance in working on and resolving incidents.
• Incident Detail report—This report shows the detail of a single incident.
• Incident KPI Trend report—This report shows the incident key performance indicator (KPI) trends.
• Incident Resolution report—This report shows a graphical analysis of incidents not meeting the target resolution times.
• List of Incidents report—This report shows a list of incidents in tabular form. Each incident includes a link to the Incident Detail report.
To generate the List of Incidents report, complete the following steps:
1. Launch the Service Manager console.
2. Select the Reporting space.
3. Expand the Reports node.
4. Select the Incident Management folder.
5. In the Incident Management folder, select the List of Incidents report and click the Run Report task in the Tasks pane.
6. The report automatically generates a list of all incidents within the default time, which is 1 month. The top of the report shows the parameters used to generate the report, as shown in Figure 15.20.
FIGURE 15.20
List of Incidents report.
7. The parameters of the report can be adjusted by clicking on the Parameter Control Header at the top of the report.
8. Any of the parameters are available for filtering the report. Click the Source pull-down menu to show the different options. Click the Source pull-down menu again to close it.
NOTE Each of the parameters with defined values allows the (All) option or selection from a prepopulated drop-down menu. This allows multiple values to be selected without having to guess what the possible values are.
9. Select the Assigned To pull-down menu and pick an analyst. This filters the report by the selected analyst, in this case "Chris."
10. Select the Status pull-down menu, uncheck the (All) selection, and check the Active selection. This filters the report to show only Active incidents. The results should look similar to Figure 15.21.
FIGURE 15.21
Report parameter selection.
11. Click the Parameter Control Header to close the panel.
12. Click the Run Report task in the Tasks pane to generate the report with the new parameters.
The report shows those incidents that meet the parameters, specifically those active incidents assigned to the selected analyst. The report is generated onscreen, but might be needed in the future. Rather than duplicate the parameter selections each time the report is needed, the report can be saved to the Favorite Reports to save time in the future.
To save the report, complete the following steps:
1. With the desired report onscreen, click the Save As Favorite Report task in the Tasks pane.
2. Enter a name for the favorite report, in this example Active Incidents for Chris.
3. Click OK to save the report.
4. Close the current report.
5. In the Service Manager console, select the Reporting space.
6. Select the Favorite Reports folder.
7. Select the previously created favorite, in this example "Active Incidents for Chris."
8. Click the Run Report task in the Tasks pane.
9. Verify that the report generated with the correct parameters.
Saving to the Favorite Reports folder can save a lot of time when customizing reports.
Individual incidents can be drilled into by clicking on the incident ID in the list. This launches the Incident Detail report for that incident record. This is helpful for investigating individual incidents without having to go back to the console.
In addition to the list and detail incident reports, two analysis reports provide insight on how analysts are performing and on how the organization is performing. To evaluate analyst performance, generate the Incident Analyst report. To generate this report, complete the following steps:
1. Launch the Service Manager console.
2. Select the Reporting space.
3. Expand the Reports node.
4. Select the Incident Management folder.
5. In the Incident Management folder, select the Incident Analyst report and click the Run Report task in the Tasks pane.
6. The report automatically generates a report on the analyst performance (as shown in Figure 15.22) within the default time, which is 1 month.
The report has both a graphical view of Average Resolution Times and Average Time Worked and a detailed table of stats for each analyst. The report shows an uptick in resolution times that should probably be investigated.
To investigate analyst resolution performance, generate the Incident Resolution report. To generate this report, complete the following steps:
1. Launch the Service Manager console.
2. Select the Reporting space.
3. Expand the Reports node.
4. Select the Incident Management folder.
FIGURE 15.22
Incident Analyst report.
5. In the Incident Management folder, select the Incident Resolution report and click the Run Report task in the Tasks pane.
6. The report automatically generates a report on the incident resolution performance (as shown in Figure 15.23) within the default time, which is 1 month.
The report shows three graphical views of the organization performance toward meeting resolution time goals. The report also includes a table with detailed statistics by week during the reporting period.
Exploring Problem Reports

Only two problem reports are included with the Problem Management Report Library. The reports basically allow analysts to get lists and details of problems. The problem management reports are as follows:
• List of Problems—This report shows a list of problems in tabular form. Each problem includes a link to the Problem Details report.
• Configuration Items (CIs) with Most Incidents—This report shows a list of the CIs with the most incidents associated with them. This is useful for tracking down problem hardware or users.
• Problem Details—This report shows the details of a single problem.
FIGURE 15.23
Incident Resolution report.
To generate the List of Problems report, complete the following steps:
1. Launch the Service Manager console.
2. Select the Reporting space.
3. Expand the Reports node.
4. Select the Problem Management folder.
5. In the Problem Management folder, select the List of Problems report and click the Run Report task in the Tasks pane.
6. The report automatically generates a list of all problems within the default time, which is 1 month. The top of the report shows the parameters used to generate the report, as shown in Figure 15.24.
Individual problems can be drilled into by clicking on the problem ID in the list. This launches the Problem Detail report for that problem record. This is helpful for investigating individual problems without having to go back to the console.
FIGURE 15.24
List of Problems report.
Summary

System Center Service Manager 2010 is a valuable tool for managing and resolving IT systems failures. The Service Manager service management process allows incidents to be generated from a wide variety of sources, then provides tools for the analysts to rapidly analyze and resolve the issues. The Service Manager platform also provides key information that allows analysts to spot incident trends, group those into problems to track and resolve the root causes, and ensure that the information is recorded in the organization's CMDB for future reference. Finally, Service Manager allows management to set target goals, and then provides reports that evaluate the performance of individual analysts and the service desk as a whole against those targets to ensure that the IT department is meeting service levels.
Best Practices

The following are best practices from this chapter:
• Develop policies and procedures for processing incidents and problems. These policies and procedures should leverage Service Manager capabilities as much as possible.
• Deploy the Self-Service Web Portal to allow end users to create their own incident requests and close those requests to reduce the help desk workload.
• Deploy the Self-Service Web Portal to allow end users to view announcements.
• Configure resolution times to allow incident resolution times to be measured against target goals.
• Create a custom Operations Manager incident template to complete incidents generated from alerts.
• Configure the Operations Manager Web console setting to allow analysts to use the tasks to get Operations Manager health state and alert details from the Service Manager console.
• Don't adjust the Priority Calculation setting unless required for interoperability with other systems.
• Configure the Inbound Email setting to allow incidents to be easily generated from emails to the help desk.
• Link clusters of incidents to a single problem to ease the administrative burden of managing incidents.
• Save reports with adjusted parameters to the Favorite Reports folder to easily generate custom reports.
• Generate the Incident Analyst report to analyze how analysts are performing.
• Generate the Incident Resolution report to analyze how the service management is performing.
CHAPTER 16
Using Service Manager 2010 Change-Control Management

Information technology (IT) systems change. To quote the early nineteenth century English novelist Arnold Bennett, "Any change, even a change for the better, is always accompanied by drawbacks and discomforts." Because change is unavoidable, it is important to have a process for managing those changes to minimize the drawbacks and discomforts. Information Technology Infrastructure Library (ITIL) defines the change management process to accomplish this. Service Manager 2010 implements and automates the change management process. Service Manager tracks change requests and activities, which are fundamental to the change management process.
ITIL defines change as an event that results in a new status for one or more configuration items (CI). ITIL change management seeks to
• Minimize the change-related disruption of services
• Reduce back out activities (that is, having to undo changes)
• Maximize the efficiency of implementing changes
Change management is narrowly focused on what might be termed configuration changes. It is not the type of changes made in developing new systems or project management, for which there are other ITIL processes.
IN THIS CHAPTER
• Change Requests and Activities
• Configuring Change Settings
• Change Management Templates and Workflows
• Initiating Change Requests
• Working with and Approving Change Requests
• Implementing Change Requests
• Managing Configuration Items
• Change, Activity, and Configuration Management Reports
NOTE The ISO 20000 international standard for service management has a more direct and arguably better definition of the goal of change management: "To ensure all changes are assessed, approved, implemented and reviewed in a controlled manner."
In addition to change management, this chapter also addresses managing the repository of the CIs that change management affects. This is the configuration management database (CMDB). Like any other repository of information, the CMDB requires a certain amount of maintenance.
Change Requests and Activities

The ITIL Service Management discipline defines change management to ensure standardized methods, processes, and procedures are followed for all changes. Service Manager 2010 provides the platform and tools to implement an automated ITIL change management process. Fundamental to the change management process are the Service Manager change requests and Service Manager activities. An important point about change is that from a Service Manager perspective, changes are fundamentally changes to CIs in the CMDB. Service Manager does not change the computers, users, or software itself.
Understanding Service Manager Change Requests

Change requests provide a framework and workflow for changes. Sometimes referred to as requests for change (RFC), change requests allow the change process to be managed. Change requests document key information like who is requesting the change, what the reason for the change is, how urgent the change is, and what the impact is. The change request also captures what the steps are in the change management process, rather than what the technical steps are in the change itself. The change request also captures key supporting information like what CIs will be changed, related items like services or incidents, and the planning. The planning is a critical part of a complex change, as it includes the implementation plan, testing plan, risk assessment, and the back out plan in case the change fails. At its core, Service Manager change management is a workflow of a sequence of activities. The actual steps in the change requests are activities, either review or manual activities.
Understanding Service Manager Activities

Activities are where the actual work in the change management process gets done. Much of the Service Manager 2010 change management process is automated, but activities are where humans interact with the change management process. In Service Manager 2010, activities can either be review activities or manual activities.
Review activities are where an analyst either approves or rejects the change request. This is a chance for the change request to get a change reviewer to look at where things stand and decide whether to proceed. There is almost always a review activity at the beginning of a change request process, but there can be additional review activities throughout the change request workflow. When the workflow reaches a review activity, the workflow stops and waits for the review activity to be approved or rejected.
Manual activities are placeholders for work to be done in the real world. This is where the actual steps of the change take place. The implementer executes the real-world tasks represented by the manual activity and then either marks the manual activity as Completed or Failed.
NOTE Service Manager 2010 does not include any tools to actually do any changes, such as installing software, reconfiguring Registry settings, or replacing hardware. It is strictly a tool for managing the process and relies on human "agents" to do the real work.
The status of the activities directly impacts the status of the overall change request. For example, if a manual activity is marked as Failed, the change request status is set to Failed. If a review activity is rejected, the change request status is set to Failed. All activities must complete successfully (that is, have a status of Approved or Completed) for a change request to succeed.
Configuring Change Settings

Before working with change requests and activities, a number of settings need to be configured. These settings are as follows:
• Change Request Prefix
• File Attachment Limits
• Activity Prefixes
In most cases, the default prefixes are appropriate for the organization. The file attachment settings will vary from organization to organization.
Change Request Prefix

By default, each change record is prefixed with the letters CR, for change request. This can be adjusted to something different, such as CM for change management or CHANGE. The maximum number of characters is 15.
To change the Change Request Prefix, complete the following steps:
1. Launch the Service Manager console.
2. Select the Administration space.
3. Select the Administration/Settings folder.
4. In the right pane, select the Properties of the Change Request Settings object.
5. In the Change Request Settings window, change the prefix field to the desired setting.
6. Click OK to save the change.
The change takes effect for all new change requests. This value should only be changed if needed.
NOTE The new prefix is not applied to the existing change request records, only to new records. Make sure to adjust this setting before creating any change request records to avoid confusion.
File Attachment Limits

File attachments to change requests have built-in limiters. This ensures that huge files or large numbers of files don't get attached to change requests and bloat the database unnecessarily. This can be a real issue if help desk or end users attempt to attach 100MB data files or gigabyte installation files to change requests. File attachments are limited by the number of attachments and the size of the attachments. The permitted ranges and the default settings are given in Table 16.1.

TABLE 16.1 Change Request File Attachment Settings

File Attachment Limits          Range                  Default Setting
Maximum number of attachments   0 to 2,147,483,647     10
Maximum size (KB)               0 to 2,147,483,647     64
NOTE The number 2,147,483,647 seems like an odd upper boundary at first. Interestingly, it is 2^31 - 1 and is the eighth Mersenne prime number. More important, it is the maximum value of a 32-bit signed integer, that is, the maximum value of a variable of type int. Hence, the seemingly arbitrary limit is actually a programmatic limit.
The limit on both the number of files and the size is over 2 billion. This seems excessive, especially for the maximum number of attachments, and likely isn't supportable. In future revisions, these are likely to be set to more reasonable limits.
To adjust the default file attachment settings, complete the following steps:
1. Launch the Service Manager console.
2. Select the Administration space.
3. Select the Administration/Settings folder.
4. In the right pane, select the Properties of the Change Request Settings object.
5. In the Change Request Settings window, change the Maximum Number of Attached Files and the Maximum Size (KB) fields to the desired settings.
6. Click OK to save the changes.
The changes take effect immediately in the console and web interfaces.
NOTE The new file attachment settings are not applied to the existing change request records, only to new records or during changes to existing records.
Activity Prefixes

By default, each activity is prefixed according to the type of activity. The prefixes are as follows:
• AC for activity
• MA for manual activity
• RA for review activity
This can be adjusted to something different, such as AR for activity record or ACTIVITY. The maximum number of characters is 15.
To change the activity prefixes, complete the following steps:
1. Launch the Service Manager console.
2. Select the Administration space.
3. Select the Administration/Settings folder.
4. In the right pane, select the Properties of the Activity Settings object.
5. In the Activity Settings window, change the prefix fields to the desired setting.
6. Click OK to save the changes.
The change takes effect for all new activity records. This value should only be changed if needed.
NOTE The new prefix is not applied to the existing activity records, only to new records. Make sure to adjust this setting before creating any activity records to avoid confusion.
Change Management Templates and Workflows

The workflows allow the administrator to automatically initiate the application of templates and emailing notifications when records are created or changed. Workflows apply templates to the records, modifying the settings. The organization in this example has a requirement that all high-priority change requests must be reviewed by the security officer and the requester must be notified via email of the approval requirement. The organization has limited the domain administrators in the domain, so any manual Active Directory changes need to be implemented by the designated Active Directory domain administrator. Templates and workflows will be configured to make this happen.
Change Request Templates

For the change request automation, the first step is to create a template that ensures that the security officer will be included in the review process for any high-priority change requests. Then an email template needs to be created to notify the creator of the security review. To create a change request template, complete the following steps:
1. Launch the Service Manager console.
2. Select the Library space.
3. Expand the Library node and select the Templates folder.
4. Click the Create Template link in the Tasks pane.
5. Enter a Name for the template, such as High-Priority Change Request Template.
6. In the Class field, click the Browse button, select the Change Request class, and click OK.
7. Confirm that the Service Manager Change Management Configuration Library Management Pack is selected and click OK.
8. The template form launches.
9. Enter a description for the form, such as High-priority change requests require security officer review.
10. Click the Activities tab.
11. Click Add.
12. Select the Default Review Activity and click OK.
13. Enter a Title for the activity, such as Security Officer Review.
14. In the Reviewers section, click Add.
15. Select the security officer name from the CMDB.
16. Check the Has Veto and the Must Vote check boxes, and then click OK.
17. Click OK to close the review form.
18. Click OK to close the template.
The second template to create is an email template. This will be used to notify the creator of the change request that the request is subject to a security officer review. To create the email template for the change request, complete the following steps:
1. Launch the Service Manager console.
2. Select the Administration space.
3. Expand the Notifications node.
4. Select the Templates folder.
5. Click the Create E-Mail Template link in the Tasks pane.
6. Enter a Name, such as User Change Request Security Review Template.
7. In the Targeted Class section, click the Browse button, select Change Request, and click OK.
8. Confirm that the Service Manager Change Management Configuration Library Management Pack is selected and click Next.
9. In the Message Subject field, enter Change Request $Context/Property[Type='WorkItem!System.WorkItem']/Id$ Security Review.
NOTE The substitution string $Context/Property[Type='WorkItem!System.WorkItem']/Id$ can be inserted by clicking on the Insert button and locating the ID.
10. In the Message Body field, enter The change request will be reviewed by the security officer.
11. Click Next.
12. Click Create and then click Close when the wizard completes.
The change request templates are now ready for the change request workflows, which are configured in the next step.
Change Request Workflows

The manager of the IT department wants to be notified via email of any high-priority change requests that are submitted. To do this, complete the following steps:
1. Launch the Service Manager console.
2. Select the Administration space.
3. Expand the Workflows node.
4. Select the Configuration folder.
5. Select the Change Request Event Workflow Configuration in the List pane and click the Properties link in the Tasks pane.
6. Click Add to add a new workflow.
7. At the introduction screen, click Next.
8. Enter a Name for the workflow, such as High-Priority Change Requests Workflow.
9. Leave the Check for Events set to "When a New Object of Class Change Request Is Created" and then click Next.
10. In the Available Properties, check the Priority box and click Add.
11. In the Criteria pane, change the field to High. This sets the criteria to trigger the workflow when the priority is high, as shown in Figure 16.1.
12. Click Next.
FIGURE 16.1
Workflow trigger criteria.
13. Select the change request template created earlier, the High-Priority Change Request Template, and click Next.
14. In the Select People to Notify, change the User to Created By User.
15. Change the Template to the template created earlier, the User Change Request Security Review Template, and then click Add.
16. Click Next.
17. Review the configuration, click Create, and then click Close when the wizard completes.
18. Click OK to close the Configure Workflows window.
The change-control event workflow is now configured to require a review by the security officer of high-priority change requests and will also notify the change request creator of the security review.
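The following Python model, added here as an example and not Service Manager code or its API, ties together the status rule from "Understanding Service Manager Activities" (a Failed manual activity or a Rejected review fails the change request; every activity must be Approved or Completed for it to succeed) with the High-Priority Change Requests Workflow configured above: on creation of a High priority request it applies the template's Security Officer Review activity and renders the notification subject by expanding the $Context/Property[...]/Id$ substitution string. The reviewer and requester addresses, the CR42 identifier, placing the review activity first in the workflow, and the extra Title substitution are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Terminal statuses described in the chapter: a review activity ends Approved
# or Rejected, a manual activity ends Completed or Failed.
FINISHED_OK = {"Approved", "Completed"}
FINISHED_BAD = {"Rejected", "Failed"}
ALLOWED_RESULTS = {"review": {"Approved", "Rejected"},
                   "manual": {"Completed", "Failed"}}


@dataclass
class Activity:
    kind: str                      # "review" or "manual"
    title: str
    status: str = "Pending"
    reviewers: List[str] = field(default_factory=list)


@dataclass
class ChangeRequest:
    id: str                        # CR prefix plus number, e.g. CR42 (constructed)
    title: str
    priority: str                  # "Low", "Medium" or "High"
    created_by: str                # requester's e-mail address (constructed)
    activities: List[Activity] = field(default_factory=list)


def change_request_status(cr: ChangeRequest) -> str:
    """Status propagation: any Failed/Rejected activity fails the request;
    it succeeds only when every activity is Approved or Completed."""
    if any(a.status in FINISHED_BAD for a in cr.activities):
        return "Failed"
    if all(a.status in FINISHED_OK for a in cr.activities):
        return "Completed"
    return "In Progress"


def next_activity(cr: ChangeRequest) -> Optional[Activity]:
    """The workflow is sequential and stops at the first unfinished activity
    (at a review activity it waits until that review is approved or rejected)."""
    if change_request_status(cr) != "In Progress":
        return None
    return next(a for a in cr.activities if a.status not in FINISHED_OK)


def record_result(cr: ChangeRequest, title: str, result: str) -> str:
    """A reviewer or implementer records an outcome. Only the activity the
    workflow is waiting on may be updated, and only with a result valid for
    its kind. Returns the resulting change request status."""
    act = next_activity(cr)
    if act is None or act.title != title:
        raise ValueError(f"workflow is not waiting on activity {title!r}")
    if result not in ALLOWED_RESULTS[act.kind]:
        raise ValueError(f"{result!r} is not a valid result for a {act.kind} activity")
    act.status = result
    return change_request_status(cr)


# --- Templates and the High-Priority Change Requests Workflow ---------------

SECURITY_OFFICER = "security.officer@example.com"   # constructed reviewer

SUBJECT_TEMPLATE = ("Change Request "
                    "$Context/Property[Type='WorkItem!System.WorkItem']/Id$"
                    " Security Review")
BODY_TEMPLATE = "The change request will be reviewed by the security officer."

# Matches the $Context/Property[...]/<Property>$ substitution string used in
# the Message Subject. Only Id is on the page; Title is an assumed extra.
_SUBST = re.compile(r"\$Context/Property\[Type='WorkItem!System\.WorkItem'\]/(\w+)\$")


def render(template: str, cr: ChangeRequest) -> str:
    """Expand each substitution string to the matching work item property;
    unknown properties are left as-is."""
    props = {"Id": cr.id, "Title": cr.title}
    return _SUBST.sub(lambda m: props.get(m.group(1), m.group(0)), template)


def apply_high_priority_template(cr: ChangeRequest) -> None:
    """High-Priority Change Request Template: add a Security Officer Review
    activity with the security officer as reviewer. The template's Has Veto and
    Must Vote options are not modelled; placing the review first is an assumption."""
    review = Activity("review", "Security Officer Review", reviewers=[SECURITY_OFFICER])
    cr.activities.insert(0, review)


def on_change_request_created(cr: ChangeRequest, outbox: List[Dict[str, str]]) -> bool:
    """Event workflow 'When a New Object of Class Change Request Is Created'
    with criterion Priority = High: apply the template and notify the
    Created By User using the e-mail template. Returns True when it fired."""
    if cr.priority != "High":
        return False
    apply_high_priority_template(cr)
    outbox.append({"to": cr.created_by,
                   "subject": render(SUBJECT_TEMPLATE, cr),
                   "body": render(BODY_TEMPLATE, cr)})
    return True


if __name__ == "__main__":
    outbox: List[Dict[str, str]] = []
    cr = ChangeRequest("CR42", "Install service pack on file servers", "High",
                       "chris@example.com", [Activity("manual", "Apply service pack")])
    on_change_request_created(cr, outbox)
    print(outbox[0]["subject"])                                  # Change Request CR42 Security Review
    print(next_activity(cr).title, "->", change_request_status(cr))
    record_result(cr, "Security Officer Review", "Approved")
    print(record_result(cr, "Apply service pack", "Completed"))  # Completed
```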
Initiating Change Requests

Service Manager 2010 supports creating change request records from a number of different sources. In this section, the following methods of creating change requests are demonstrated:
• Creating a request
• Creating a request from a configuration item
• Creating a request from an incident
• Creating a request from the Self-Service Web Portal
These different methods give the organization flexibility in initiating change requests. The different methods result in slightly different entries in the Config Items To Change, which are the CIs that will be changed directly by the proposed change request, and the Related Items, which are the CI and work items that might be indirectly changed by the proposed change request.
Creating a Change Request from Scratch

A new change request record can be created from scratch within the Service Manager console. This is a useful option for requests that have no specific CI or incident basis. It is also appropriate when multiple sources are initiating the request. For example, an analyst gets a request to install a service pack on several servers and needs to initiate a change request. To create a change request, complete the following steps:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Click the Create Change Request link in the Tasks pane.
4. Select the Minor Change Request template and click OK.
5. Enter a Title and Description for the change request.
6. In the Reason field, enter the reason for the change.
7. In the Assigned To field, enter the analyst to assign the change request to.
8. Select a Priority, Impact, and Risk from the drop-down menus.
9. In the Config Item To Change section, click Add.
10. Select the computers to apply the service pack to and then click OK to save.
11. Click OK to save the new change request.
The request has now been created. Note that the configuration item had to be browsed for and added to the change request.
Creating a Change Request from a Configuration Item

Another way to initiate a change request is directly from a configuration item. This can be done for any configuration item in the CMDB, including users, computers, and printers. For example, suppose a user has requested that their mobile phone number be changed in Active Directory. To create a configuration request from a CI, complete the following steps:
1. Launch the Service Manager console.
2. Select the Configuration Items space.
3. Select the Users folder.
4. Locate the user for the change using the Search function.
NOTE The CMDB can be searched using the Search field in the upper-right corner of the console. This searches the entire CMDB by default.
5. In the Search Results window, highlight the user and click the Create Related Change Request link in the Tasks pane.
6. Select the Standard Change Request template and click OK.
7. Enter a Title and Description for the change request.
8. In the Reason field, enter the reason for the change.
9. In the Assigned To field, enter the analyst to assign the change request to.
10. Select a Priority, Impact, and Risk from the drop-down menus.
NOTE The user will already be in the Config Items To Change section.
11. Click OK to save the new change request.
There is now a change request for the user. This is a very flexible method of creating change requests that can be used to create requests for computers, printers, software, or even business services.
NOTE Because the CI is listed in the Config Items To Change section, the CI will be changed directly. If a CI is listed in the Related Items, the CI might or might not be changed indirectly. An example of an indirect change might be if the audit settings on domain controllers are changed, then there might be an increase in size to the database that collected audit events. The database CI would be listed in the Related Items.
Creating a Change Request from an Incident or a Problem

Sometimes the resolution to an incident requires a change request, and almost all resolutions to problems require a change request. Service Manager 2010 facilitates the creation of change requests directly from the incidents or problems, allowing the incident or problem to be linked directly to the change request. This provides a clear trail from incident to problem to change. To create a change request from an incident or problem, complete the following steps:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand either the Incident or Problem Management node.
4. Select an incident or problem folder.
5. Select an incident or problem to create a change request from.
6. Click the Create Change Request link in the Tasks pane.
7. Select an appropriate template depending on the change to be requested.
8. Enter a Title and Description for the change request.
9. In the Reason field, enter the reason for the change.
10. In the Assigned To field, enter the analyst to assign the change request to.
11. Select a Priority, Impact, and Risk from the drop-down menus.
12. Select the Related Items tab.
13. In the Work Items section, select the Incident or Problem and click the View button.
14. In the problem or incident form, note the Affected Items and then click OK to close the form.
15. Select the General tab.
16. In the Config Items To Change section, click Add.
17. Select the affected item noted from the problem or incident, and then click Add.
18. Click OK to save the selections.
19. Click OK to save the new change request.
There is now a new change request with the linked related incident or problem.
NOTE The incident or problem is linked as a related item, so the change might not directly affect the incident or problem.
Creating a Change Request from the Self-Service Web Portal
Users can also initiate change requests using the Self-Service Web Portal. This method is great for reducing the service desk workload, as users can submit standard change requests without tying up an analyst's time. The request is formally captured and is, of course, subject to review.
CHAPTER 16
Using Service Manager 2010 Change-Control Management
For example, suppose a user needs to have Office 2003 upgraded to Office 2007. They need to submit a change request for this to happen. To create the change request using the web portal, complete the following steps:
1. Launch the Internet Explorer web browser.
2. Enter the URL of the End-User Self-Service Portal, typically https://<servername>/EndUser. In this example, the URL is https://sml/enduser.
3. In the web portal, click the Create Request link in the lower-right part of the page.
4. The Create Request page loads (shown in Figure 16.2). Set email as the preferred contact information and a Request Type of "Need Change or New Resource," which is a change request. Click Next.
FIGURE 16.2 Self-Service Web Portal Create Request page.
5. Select the Category of the change from the drop-down menu. In this case, select Software.
6. In the Title field, enter the title of the change request. In this case, the title would be Office 2003 Upgrade on Laptop.
7. In the Details field, enter the details of the change request.
8. Click Next.
9. A Summary web page is displayed, as shown in Figure 16.3. Click Submit to complete the request.
FIGURE 16.3 Self-Service Web Portal Submit Change Request Summary page.
The user is presented with a page indicating the request was submitted and showing the Request ID for the change request. The user can see their recent requests by clicking on the View All link in the Recent Requests box.
NOTE All requests for the user are shown, including incidents, change requests, and requests made on behalf of the user.
By default, the user change requests are submitted with the Standard Change Request template. The change requests created through the web portal will not be complete and will need to be processed by an analyst to assign priority, impact, and other key fields.
NOTE Most important, nothing will be populated in the Config Items To Change or the Related Items sections. The change request needs to have these entries filled out so that it is clear what will be changed.
Working with and Approving Change Requests
Once change requests are initiated, the change requests need to be worked with before being considered complete. The steps in working with change requests are as follows:
• Investigating the change request
• Adding activities to the change request
• Approving the change request
The steps ensure that the basis for the change request, impact of the change, and the required steps for the change are clearly documented in the change request. This helps smooth the approval of the change request.
Investigating Change Requests
Investigating the change requests varies by the class of the change request and the organization's procedures. Some organizations' policies require extensive planning and documentation, but other organizations' policies are less stringent. Service Manager 2010 has the flexibility to support either scenario. Investigating the change request can involve the following:
• Adding related items—Related items can help provide better background on a change request and supporting details for the approval process.
• Adding activities—Manual activities in the change request ensure that key steps are taken, such as reviews, documentation, or key implementation steps.
• Adding planning details—The planning section documents details, such as the scheduled start and end dates, implementation plan, risk assessment plan, test plan, and the all-important back out plan. Filling out these details provides a much better understanding of the change request and allows reviewers to better assess the change request.
Adding related items is a common task in the investigation process. Related items can include work items such as incidents and problems, configuration items such as computers and users, and knowledge articles from the CMDB. To add related items to a change request, complete the following steps:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Change Management node.
4. Select the All Change Requests folder.
5. Select a change request and click Edit in the Tasks pane.
6. Select the Related Items tab.
7. In either the Work Items, Configuration Items, or Knowledge Articles sections, click Add.
8. Add the appropriate related items and click OK.
NOTE Multiple items can be added per category, and items from more than one category can be added as related items to the change request.
9. Click OK to save the changes to the change request record.
Another key step in investigating change requests is adding activities to the change request. These are key manual activities needed to ensure the success of the change or to stay in compliance with policy.
NOTE Any activity not included in the original change request template can be added to the change request with this process.
To add a manual activity to a change request, complete the following steps:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Change Management node.
4. Select the All Change Requests folder.
5. Select a change request and click Edit in the Tasks pane.
6. Select the Activities tab.
7. Click Add in the Process Activities section.
8. Select the Default Manual Activity template and click OK.
NOTE The choices are Default Review Activity or Default Manual Activity. The review is a review and the manual activity is a specific change to be done.
9. The Manual Activity form loads.
10. In the Title and Description fields, enter a title and a description for the manual activity.
11. In the Activity Implementer, select the person who will complete the activity.
12. Click OK to save the changes to the manual activity.
13. Click OK to save the changes to the change request record.
NOTE Activities can be predefined in the change request by creating custom change request templates that include the required set of activities.
The manual activities ensure that the key steps are taken. Multiple manual activities can be added to a change request, and the order they need to be completed in can be specified.
Finally, a critical factor in a well-defined change request is the planning. Adding planning details ensures that the crucial planning is done so that the change has a clear implementation plan, that risks were assessed, that there are clear tests, and that there is a back out plan in case it all goes south. To add the planning details to a change request, complete the following steps:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Change Management node.
4. Select the All Change Requests folder.
5. Select a change request and click Edit in the Tasks pane.
6. Select the Planning tab.
7. If appropriate, select the Scheduled Start Date and the Scheduled End Date.
8. In the Implementation Plan section, enter the implementation plan details.
9. In the Risk Assessment Plan section, enter the risk assessment plan details.
10. In the Test Plan section, enter the test plan details.
11. In the Back Out Plan section, enter the back out plan details.
12. Click OK to save the changes to the change request record.
This is the section that will likely pay the most dividends, as filling out this section requires the change to be thought through carefully to develop the planning sections. This ensures that there is an implementation plan, a test plan, risk assessment, and back out plan.
Adding Reviewers to Change Requests
A change reviewer can be assigned to ensure that a change request activity is reviewed by a specific person. For example, a specific activity might require the security officer to review the change request. To assign a change reviewer to an activity, complete the following steps:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Change Management node.
4. Select the All Change Requests folder.
5. Select a change request and click Edit in the Tasks pane.
6. Select the Activities tab.
7. In the Process Activities, select an RA (as shown in Figure 16.4) and click Open.
FIGURE 16.4 Selecting an RA to change the reviewer.
8. In the RA form, click Add to add a reviewer.
9. Select an analyst and check the Must Vote box. Click OK to save the reviewer selection.
10. Click OK to save the RA.
11. Click OK to save the changes to the change request.
Now the reviewer is assigned to the change request activity.
Holding, Resuming, and Cancelling a Change Request
A change request is just that, a request. As with any request, there is a possibility of additional questions and even rejection. If a change request is not acceptable for some reason, the reviewer can take the following actions with the change request:
• Put on Hold—A change request that is put on hold can be resumed after further review, clarification, or modifications to the request.
• Cancel—A change request can be cancelled, which is permanent. Once cancelled, a change request cannot be resumed. A new request would need to be submitted.
Change requests can also be restarted. The change reviewer can take the following actions with a change request:
• Resume—Following a hold, a change request can be resumed. This removes the hold and allows the change request to continue.
• Returned to Activity—This option allows the change request activity sequence to be restarted at any step in the sequence, even if the activity has already been completed. If a return to activity has been initiated, the steps that were completed will have a status of Rerun.
This allows change reviewers to control change requests and ensure that change requests meet organizational policies, good IT practices, and do not negatively impact the IT environment. Each change request action allows comments to be entered to explain cancellations, holds, resumptions, and restarts. These comments can be viewed on the History tab of the change request.
To place a change request on hold, complete the following steps:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Change Management node.
4. Select the All Change Requests folder.
5. Select a change request and click Put On Hold in the Tasks pane.
6. Enter any comments about the hold and click OK.
Placing a change request on hold also places any pending review or manual activities on hold as well. Activities that are on hold cannot be marked as approved or complete. For example, attempting to complete a manual activity while the change request is on hold results in a message similar to the one shown in Figure 16.5.
A change request can be edited following a hold. This allows the change request to be made acceptable to the change reviewer. After the appropriate corrections, the change reviewer can resume the change request. To resume a change request following a hold, complete the following steps:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Change Management node.
4. Select the All Change Requests folder.
FIGURE 16.5 On Hold warning when completing an activity.
5. Select a change request and click Resume in the Tasks pane.
6. Enter any comments about the hold and click OK.
The change request is now in the exact spot in the process it was before the hold and can continue.
Sometimes, a change request needs to be restarted to an earlier step in the process due to changes to the request or other circumstances. Rather than cancel the change request and create a new one, change request activities can be restarted at any point in the activity sequence. This is referred to as returning to an activity. Because the activities, both review and manual, are in sequence, returning to a particular activity in the sequence causes all the subsequent activities to be redone as well. To return to an activity, complete the following steps:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Change Management node.
4. Select the All Change Requests folder.
5. Select a change request and click Return To Activity in the Tasks pane.
6. A Return To Activity window opens with completed activities listed (shown in Figure 16.6). Select a completed activity to return to.
7. Enter any comments about the return and click OK.
FIGURE 16.6 Return To Activity window. The window reads: "Select the activity from which you want to restart the change request. The actual start date and end date fields, the votes on review activities, and any implementation results of manual activities between the selected activity and the current activity will be cleared." It lists the completed activities with their ID, Status, Stage, Name, and Type, followed by a Comments field and OK and Cancel buttons.
When Return To Activity is run against a change request, all the activities from just after the return point on down have their status changed from Completed to Rerun. The management server then processes the updates and changes the states from Rerun to Pending, except for the activity at the return point. The activity at the return point changes from Rerun to In Progress. After a small amount of time to become quiescent, the fact that the Return To Activity command was executed will not be apparent. To see that the command was run, the history of the activities can be reviewed to see that a return was done. This details the precise steps and accounts that triggered the return point. The History tab in the Properties of the affected activities shows the return, as shown in Figure 16.7. The status change from Completed to Rerun at 5:31:42 AM by CCO\Chris shows when the return was initiated. This history shows that this activity was the return point, as the last status is changed from Rerun to In Progress. The Return To Activity process also works to reset a change request following a failed review or manual activity.
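The status transitions just described (Completed or Failed to Rerun when the task is run, then Rerun to Pending by the management server, with the return point itself going to In Progress) can be modelled as a small state machine. The following Python is an added example for this chapter and is not Service Manager code; the activity IDs, the constructed sequence in sample_sequence(), and the rule that an activity still In Progress after the return point is also put back to Pending are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Activity states named in the text.
COMPLETED, FAILED, RERUN, PENDING, IN_PROGRESS = (
    "Completed", "Failed", "Rerun", "Pending", "In Progress")


@dataclass
class Activity:
    id: str                      # e.g. "RA502" (review) or "MA503" (manual)
    status: str
    history: list = field(default_factory=list)  # (old, new, account) tuples

    def set_status(self, new, account):
        """Record the transition the way the History tab shows it."""
        self.history.append((self.status, new, account))
        self.status = new


def is_valid_return_point(activities, return_id):
    """The Return To Activity window only lists activities that have run."""
    return any(a.id == return_id and a.status in (COMPLETED, FAILED)
               for a in activities)


def console_return_to_activity(activities, return_id, account):
    """What the Return To Activity task does: from the return point on, every
    activity that has already run (Completed or Failed) is set to Rerun.
    Returns the IDs that were marked, in sequence order."""
    if not is_valid_return_point(activities, return_id):
        raise ValueError(f"{return_id} is not a completed or failed activity")
    start = [a.id for a in activities].index(return_id)
    marked = []
    for act in activities[start:]:
        if act.status in (COMPLETED, FAILED):
            act.set_status(RERUN, account)
            marked.append(act.id)
    return marked


def management_server_pass(activities, return_id, account="management server"):
    """What the management server does afterwards: Rerun becomes Pending,
    except the return point, which becomes In Progress because it is now the
    activity the change request waits on. Assumption for this example: an
    activity after the return point that was still In Progress is also put
    back to Pending. Returns the final status of every activity."""
    start = [a.id for a in activities].index(return_id)
    for act in activities[start:]:
        if act.id == return_id:
            act.set_status(IN_PROGRESS, account)
        elif act.status in (RERUN, IN_PROGRESS):
            act.set_status(PENDING, account)
    return {a.id: a.status for a in activities}


def return_to_activity(activities, return_id, account):
    """Both halves in order, as a reviewer would see them after a short wait."""
    console_return_to_activity(activities, return_id, account)
    return management_server_pass(activities, return_id)


def sample_sequence():
    """Constructed example: a review and a manual activity that completed,
    then a manual activity that failed (so the change request is Failed)."""
    return [Activity("RA502", COMPLETED),
            Activity("MA503", COMPLETED),
            Activity("MA504", FAILED)]


if __name__ == "__main__":
    acts = sample_sequence()
    print(return_to_activity(acts, "MA503", "CCO\\Chris"))
    for act in acts:
        for old, new, who in act.history:
            print(f"{act.id}: {old} -> {new} by {who}")
```

Running the script shows why the return is only visible in history afterwards: the final statuses (RA502 Completed, MA503 In Progress, MA504 Pending) look like an ordinary in-progress change request, while the history of MA503 records Completed to Rerun under the account that ran the task and then Rerun to In Progress by the management server.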
Implementing Change Requests
Ultimately, the activities in a change request are what get approved or completed. It is important to distinguish between review and manual activities. Review activities (RAs) are used to have change reviewers review change requests at key junctures. Manual activities (MAs) are used to have implementers execute tasks to effect the change. These activities are really the business end of the change management process.
FIGURE 16.7 Return To Activity History.
Approving and Rejecting Review Activities
Review activities are activities in the change management workflow that trigger reviews. Review activities can be assigned to individuals or open to anyone with the appropriate rights. Review activities are designated with the prefix RA by default. Each review activity can have multiple reviewers with an approval condition, which can be unanimous, a percentage of reviewers, or automatic. Approval thresholds can be set as well. The reviewers can be designated as Must Vote and Has Veto, which provide the ability to empower key reviewers as needed. Review activities can be set to the following states:
• Approved
• Rejected
To approve a review activity, complete the following steps:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Activity Management node.
4. Expand the Review Activities node.
5. Select the Review Activities: Active folder.
6. Select a Review Activity.
7. Click the Approve link in the Tasks pane.
8. Enter a comment about the approval and click OK.
The RA status is changed to Approved. After the Service Manager management server processes the change, the status of the RA changes to Completed and the status of the next activity in the workflow changes to In Progress.
Sometimes, the review activity needs to be rejected. If the change reviewer determines that the RA should be rejected, the following steps should be followed:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Activity Management node.
4. Expand the Review Activities node.
5. Select the Review Activities: Active folder.
6. Select a Review Activity.
7. Click the Reject link in the Tasks pane.
8. Enter a comment about the rejection and click OK.
The RA status is changed to Rejected. After the Service Manager management server processes the change, the status of the RA changes to Failed and the status of the change request changes to Failed. A failed change request due to a failed review activity is shown in Figure 16.8.
FIGURE 16.8 Failed change request due to rejected review activity.
Once a review activity has been rejected and the change request has failed, the only way to restart the change request is using the Return To Activity task.
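The approval conditions listed above (unanimous, a percentage of reviewers, or automatic) combined with the Must Vote and Has Veto flags determine whether a review activity ends Approved, ends Rejected, or is still waiting for votes. The Python below is an added example written for this chapter, not Service Manager's own approval logic; the reviewer names are constructed, and the exact rules it applies are assumptions: a Rejected vote from a Has Veto reviewer rejects immediately, the activity cannot be Approved until every Must Vote reviewer has voted, the percentage is taken over all assigned reviewers with the threshold inclusive, and a percentage activity is Rejected as soon as the remaining unvoted reviewers could no longer reach the threshold.

```python
from dataclasses import dataclass

APPROVED, REJECTED, IN_PROGRESS = "Approved", "Rejected", "In Progress"


@dataclass(frozen=True)
class Reviewer:
    name: str
    must_vote: bool = False   # the RA cannot be approved until this reviewer votes
    has_veto: bool = False    # a Rejected vote from this reviewer rejects the RA


def evaluate_review_activity(reviewers, votes, condition, threshold_pct=100):
    """Decide the RA outcome from the votes cast so far.

    votes: {reviewer name: "Approved" | "Rejected"} for reviewers who voted.
    condition: "automatic", "unanimous", or "percentage" (with threshold_pct).
    Returns "Approved", "Rejected", or "In Progress" (still waiting).
    The rules are the assumptions stated in the lead-in, not the product's."""
    if condition == "automatic":
        return APPROVED
    if not reviewers:
        raise ValueError("a non-automatic review activity needs reviewers")
    names = {r.name for r in reviewers}
    for who, vote in votes.items():
        if who not in names:
            raise ValueError(f"{who} is not a reviewer on this activity")
        if vote not in (APPROVED, REJECTED):
            raise ValueError(f"bad vote {vote!r} from {who}")

    # Has Veto: one rejection from an empowered reviewer settles it.
    if any(r.has_veto and votes.get(r.name) == REJECTED for r in reviewers):
        return REJECTED

    total = len(reviewers)
    approvals = sum(1 for v in votes.values() if v == APPROVED)
    rejections = len(votes) - approvals
    unvoted = total - len(votes)
    waiting_on_must_vote = any(r.must_vote and r.name not in votes
                               for r in reviewers)

    if condition == "unanimous":
        if rejections:
            return REJECTED
        return APPROVED if approvals == total else IN_PROGRESS

    if condition == "percentage":
        reached = approvals * 100 / total >= threshold_pct
        # Even if everyone still to vote approves, can the threshold be met?
        reachable = (approvals + unvoted) * 100 / total >= threshold_pct
        if not reachable:
            return REJECTED
        if reached and not waiting_on_must_vote:
            return APPROVED
        return IN_PROGRESS

    raise ValueError(f"unknown approval condition {condition!r}")


def apply_review_outcome(outcome):
    """Statuses after the management server processes the RA outcome, as the
    text describes them: (RA status, change request status). On approval the
    change request stays In Progress and the next activity starts."""
    if outcome == APPROVED:
        return ("Completed", "In Progress")
    if outcome == REJECTED:
        return ("Failed", "Failed")
    return ("In Progress", "In Progress")


if __name__ == "__main__":
    # Constructed reviewers: alice must vote, bob can veto, carol is ordinary.
    board = [Reviewer("alice", must_vote=True),
             Reviewer("bob", has_veto=True),
             Reviewer("carol")]
    partial = {"carol": APPROVED, "bob": APPROVED}
    print(evaluate_review_activity(board, partial, "percentage", 50))
    print(evaluate_review_activity(board, {"bob": REJECTED}, "percentage", 50))
    print(apply_review_outcome(REJECTED))
```

The interesting case for a reviewer is the percentage condition: two of three approvals clears a 50 percent threshold, yet the activity stays In Progress because the Must Vote reviewer has not voted, and a single veto rejects it regardless of the tally, after which the change request can only be restarted with Return To Activity.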
Completing and Failing Manual Activities
Manual activities (MAs) are activities in the change management workflow that trigger something to be done, that is, something to be changed or done to support the change. This is the work part of a change request. Manual activities can be assigned to individuals or open to anyone with the appropriate rights. Manual activities are designated with the prefix MA by default. Each manual activity can have an assigned Activity Implementer. The manual activities can also have a priority, scheduled start and end dates, and area and stage for the manual activity. The impacted configuration items can be specified from the CMDB, which allows the activities to be directly linked to the service maps. And detailed notes about the manual activity can be entered. Manual activities can be set to the following states:
• Marked as Completed
• Marked as Failed
To be able to set the state of an MA, the state must be In Progress. This indicates that the change request is waiting on this activity in the workflow. Activities waiting for other activities to complete are in a Pending state. Activities might also be on Hold or Cancelled, depending on the state of the change request. To complete a manual activity after doing the work, complete the following steps:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Activity Management node.
4. Expand the Manual Activities node.
5. Select the Manual Activities: Active folder.
6. Select a Manual Activity.
7. Click the Mark as Complete link in the Tasks pane.
8. Enter a comment about the completion and click OK.
The MA status is changed to Completed. After the Service Manager management server processes the change, the status of the next activity in the workflow changes to In Progress.
Sometimes, the manual activity needs to be failed if the work was unsuccessful. If the implementer determines that the MA should be failed, the following steps should be followed:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Activity Management node.
4. Expand the Manual Activities node.
5. Select the Manual Activities: Active folder.
6. Select a Manual Activity.
7. Click the Mark as Failed link in the Tasks pane.
8. Enter a comment about the failure and click OK.
The MA status is changed to Failed. After the Service Manager management server processes the change, the status of the change request changes to Failed. A failed change request due to a failed manual activity is shown in Figure 16.9.
FIGURE 16.9 Failed change request due to failed manual activity.
Once a manual activity has been failed and the change request failed, the only way to restart the change request is using the Return To Activity task.
Closing Change Requests
Once a change request has either completed or failed, the change request needs to be closed. Closing a change request is permanent. Once closed, a change request cannot be opened or resumed again.
NOTE Only Completed or Failed change requests can be closed. Change requests in other states such as In Progress or On Hold have to be cancelled instead.
To close a change request, complete the following steps:
1. Launch the Service Manager console.
2. Select the Work Items space.
3. Expand the Change Management node.
4. Select the All Change Requests, Change Requests: Completed, or the Change Requests: Failed folder.
5. Select a Completed or Failed change request.
6. Click the Close link in the Tasks pane.
7. Enter a comment and click OK to close the change request.
The change request is now closed and cannot be changed. If the change request is opened, the fields will all be grayed out.
Automatic User Notification of Change Request Status
When a change is requested, it is important to notify the requestor of the status of the change. There are two steps to the process: create an email template and create an email workflow. To create the email template for the automatic user notification of the change request close or cancellation, complete the following steps:
1. Launch the Service Manager console.
2. Select the Administration space.
3. Expand the Notifications node.
4. Select the Templates folder.
5. Click the Create E-Mail Template link in the Tasks pane.
6. Enter a Name, such as User Change Request Final Status Notification Template.
7. In the Targeted Class section, click the Browse button, select Change Request, and click OK.
8. Confirm that the Service Manager Change Management Configuration Library Management Pack is selected and click Next.
9. In the Message Subject field, enter Change Request $Context/Property[Type='WorkItem!System.WorkItem']/Id$ Has Been $Context/Property[Type='CoreChange!System.WorkItem.ChangeRequest']/Status$.
NOTE The substitution string $Context/Property[Type='WorkItem!System.WorkItem']/Id$ can be inserted by clicking on the Insert button and locating the ID. The substitution string $Context/Property[Type='CoreChange!System.WorkItem.ChangeRequest']/Status$ can be inserted by clicking on the Insert button and locating the Status variable.
10. In the Message Body field, enter The change request you submitted has been finished and has a final status of $Context/Property[Type='CoreChange!System.WorkItem.ChangeRequest']/Status$.
11. Click Next.
12. Click Create and then click Close when the wizard completes.
The change request email template is now ready for the change request workflows, which are configured in the next step. To create the email workflow for the automatic user notification of the change request close or cancellation, complete the following steps:
1. Launch the Service Manager console.
2. Select the Administration space.
3. Expand the Workflow node.
4. Select the Configuration folder.
5. Select the Change Request Event Workflow Configuration and click Properties in the Tasks pane.
6. Click Add.
7. Click Next at the introduction screen.
8. In the Name section, enter Notify Requestor When Change Request Is Closed or Cancelled.
9. In the Check for Events drop-down menu, select When an Object of Class Change Request Is Updated.
10. Click Next.
11. Select the Status in Available Properties and click Add.
12. In the Criteria section, change the Status box to Closed.
13. Select the Status in Available Properties again and click Add to an OR clause.
14. In the Criteria section, change the second Status box to Cancelled. The result should look like that shown in Figure 16.10.
15. Click Next.
16. Uncheck the Enable Template Application for This Workflow and click Next.
17. Select the Created By User from the User drop-down menu.
18. Select the User Change Request Final Status Notification Template created earlier from the Template drop-down menu and click Add.
19. Click Next.
20. Click Create and then click Close when the wizard finishes. Click OK to close the workflow configuration window.
Now the user will be notified when the status of their change request is set to Closed or Cancelled.
FIGURE 16.10 User notification of change request status criteria.
Managing Configuration Items
Ultimately, changes modify configuration items (CIs). As such, it is important to understand configuration items and how to maintain the configuration management database (CMDB). The CMDB is in effect a model of the IT environment, allowing analysts, users, processes, and management to track and report on the state of IT.
Understanding Configuration Items
Configuration items are records in the CMDB that hold information about services, computers, users, software, updates, and other objects. These CIs can be linked to work items such as incidents, problems, change requests, and activities. This ensures continuity in the workflows and a clear understanding of the relationships between events and objects.
Although a powerful tool, the work of building and maintaining the configuration items and the CMDB is a daunting task for all but the most dedicated of organizations. As such, CMDBs are frequently only approximations of the true state of IT. Service Manager 2010 addresses this issue head on by providing integration points with Active Directory, System Center Configuration Manager, and System Center Operations Manager. Together, these three systems provide a complete picture of the vast majority of IT objects. Service Manager 2010 leverages these sister products with connectors to automatically develop and maintain the CMDB. After the initial population of the CMDB, the connectors keep the CMDB updated with changes as they happen in the IT environment.
Searching Configuration Items
The CMDB is a searchable database that contains both the configuration items and the work items that affect the configuration items. From any window in the console, the Search feature can be used to search the CMDB. The Search tool is available in the upper-right corner of the console. The search can be for any of the following:
• All Objects
• Windows Computer
• Configuration Item
• Incident
• Change Request
• Problem
• Advanced Search
• Knowledge
This allows the search to return precisely the objects needed. To execute a search of the CMDB, complete the following steps:
1. Launch the Service Manager console.
2. Click in the Search field in the upper-right corner of the console.
3. Enter a keyword such as Chris to search for and then click the drop-down menu to select the scope of the search, as shown in Figure 16.11.
4. Click the All Objects selection.
5. The Search Results window launches and shows the objects returned by the search.
The Advanced Search selection allows more advanced searches to be conducted using an object class and criteria model. This allows any class of object to be selected and the precise criteria to be specified in a flexible interface. For example, Figure 16.12 shows a search specification of all Windows Computer objects that are virtual machines.
Deleting and Removing Configuration Items
Configuration items sometimes need to be eliminated from the database. In Service Manager 2010, the elimination process has two steps: deletion and removal. The first step deletes the object from the Configuration Item views and the second actually removes the configuration item from the database. Deleting a configuration item moves the object out of all views in the Service Manager console, except for the Deleted Items view in the Administration space. After a configuration item is deleted and moved to the Deleted Items folder, it can be restored back or in effect undeleted. Or it can be removed or in effect permanently deleted. After removal, the configuration item is gone from the database and cannot be recovered.
FIGURE 16.11 CMDB search.
FIGURE 16.12 Advanced CMDB search (search for objects of class Windows Computer, with the criterion Windows Computer\Virtual Machine equals True).
CHAPTER 16
Using Service Manager 2010 Change-Control Management
To delete a configuration item, complete the following steps:
1. Launch the Service Manager console.
2. Select the Configuration Items space.
3. Expand the Computers node.
4. Select the All Computers folder.
5. Select a computer to be deleted and click the Delete link in the Tasks pane.
6. At the confirmation prompt, click Yes to confirm the deletion.
The configuration item is now deleted. However, the object is still in the CMDB. The administrator has the option of permanently deleting the configuration item or restoring the configuration item. To restore the deleted configuration item, complete the following steps:
1. Launch the Service Manager console.
2. Select the Administration space.
3. Select the Deleted Items folder.
4. Select a computer to be restored and click the Restore Items link in the Tasks pane.
5. At the confirmation prompt, click Yes to confirm the restoral.
The object is now back in the Configuration Items space. This includes the configuration item relationships and the configuration item history. To permanently remove an object from the CMDB, complete the following steps:
1. Launch the Service Manager console.
2. Select the Administration space.
3. Select the Deleted Items folder.
4. Select a computer to be removed and click the Remove Items link in the Tasks pane.
5. At the confirmation prompt, click Yes to confirm the removal.
This permanently removes the configuration item from the CMDB and removes all history and relationships that the CI had with other CIs.
Change, Activity, and Configuration Management Reports
Reports help analysts, administrators, and management view and understand what is happening with change requests, activities, and configuration items. This is useful in tracking the ebb and flow of changes, as well as understanding how well the IT department is handling the workload.
The default reports are included in the Report Library Management Packs, specifically:
• Change Management Report Library
• Activity Management Report Library
• Configuration Management Report Library
The reports pull data from the data warehouse. The data warehouse must be installed, the Service Manager management group registered, and the Extraction, Transformation, and Loading (ETL) jobs run for data to be available for reports.
Service Manager Report Controls
The Service Manager reports are very sophisticated, although there are not that many reports included in the management packs. The reports are very flexible and each report has the following options:
• Parameter Control Header—Allows the report parameters to be adjusted.
• Print—Allows the report to be printed.
• Print Layout—Shows the report onscreen as it will print. This addresses a really annoying problem where the report looks one way onscreen and another when printed.
• Page Setup—This allows the page size to be adjusted to change how the report paginates when printed.
• Export—Allows the report to be exported to a file. This supports a variety of formats such as XML, CSV, PDF, MHTML, Excel, Tiff, and Word.
The tasks allow reports to be generated and reports to be saved. Report tasks include the following:
• Run Report—This generates the report onscreen with the current parameters.
• Save as Favorite Report—This allows a report with specific parameters to be saved to the Favorite Reports folder.
• Save as Linked Report—This allows a report with the specific parameters to be saved in a management pack for exporting.
The reports all include the parameter control header to filter the results as needed. The options in the parameter control header vary depending on the report's parameters. When the parameters for a particular report are adjusted, the report can be saved in the Favorite Reports folder to generate it quickly in the future with all the adjusted parameters.
NOTE Seriously lacking is an ability to schedule the reports. This will likely be included in future releases.
Exploring Change Management Reports
There are only two change management reports included with the Change Management Report Library. The reports basically allow analysts to get lists and details of change requests. The change management reports are as follows:
• List of RFCs report—This report shows a list of requests for change (RFC) records in tabular form. Each change request includes a link to the RFC Details report.
• Change Management KPI Trend report—This report shows the average process time per change, which is a key performance indicator (KPI).
• RFC Details report—This report shows the details of a single RFC.
To generate a List of RFCs report, complete the following steps:
1. Launch the Service Manager console.
2. Select the Reporting space.
3. Expand the Reports node.
4. Select the Change Management folder.
5. In the Change Management folder, select the List of RFCs report and click the Run Report link in the Tasks pane.
6. The report automatically generates a list of all change requests within the default time of 1 month. The top of the report shows the parameters used to generate the report, as shown in Figure 16.13.
FIGURE 16.13 List of RFCs report.
Individual change requests can be drilled into by expanding the change request record in the report and clicking on the Change Request Detail Report link. This launches the RFC Details report for that change request record. This is helpful for investigating individual change requests without having to go back to the console.
Exploring Activity Management Reports
There are only two activity reports included with the Activity Management Report Library. The reports basically allow analysts to get lists and details of activities. The activity management reports are as follows:
• List of Activities report—This report shows a list of activities in tabular form. Each manual activity includes a link to the Manual Activity Details report.
• List of Manual Activities report—This report shows a list of manual activities.
• List of Review Activities report—This report shows a list of review activities.
• Activity Distribution report—This report shows the distribution of the activities by Status, Type, or Stage.
• Review Activity Details report—This report shows the details of a single review activity.
• Manual Activity Details report—This report shows the details of a single manual activity.
To generate a List of Activities report, complete the following steps:
1. Launch the Service Manager console.
2. Select the Reporting space.
3. Expand the Reports node.
4. Select the Activity Management folder.
5. In the Activity Management folder, select the List of Activities report and click the Run Report link in the Tasks pane.
6. The report automatically generates a list of all activities within the default time of 1 month. The top of the report shows the parameters used to generate the report, as shown in Figure 16.14.
Individual activities can be drilled into by expanding the activity record in the report and clicking on the Manual Activity Details Report link. This launches the Manual Activity Details report for that activity record. In addition, the change requests can be drilled into by clicking on the Parent Work Item ID in the list. This launches the RFC Details report for that change request record. This is helpful for investigating change requests without having to go back to the console.
FIGURE 16.14 List of Activities report.
Exploring Configuration Management Reports
There are only two configuration management reports included with the Configuration Management Report Library. The reports basically allow analysts to get lists and details of configuration items, but more specifically computers. The configuration management reports are as follows:
• Computer Inventory report—This report shows a list of computers in tabular form. Each computer includes a link to the Computer Details report.
• Computer Details report—This report shows the details of a single computer.
To generate a Computer Inventory report, complete the following steps:
1. Launch the Service Manager console.
2. Select the Reporting space.
3. Expand the Reports node.
4. Select the Configuration Management folder.
5. In the Configuration Management folder, select the Computer Inventory report and click the Run Report link in the Tasks pane.
6. The report automatically generates a list of all computers within the CMDB. The top of the report shows the parameters used to generate the report, as shown in Figure 16.15.
FIGURE 16.15 Computer Inventory report.
Individual computers can be drilled into by clicking on the NetBIOS Computer Name in the list. This launches the Computer Details report for that computer record. This is helpful for reviewing individual computers without having to go back to the console.
Summary
System Center Service Manager 2010 is a valuable tool for managing change. The Service Manager change management process allows requests to be generated from a wide variety of sources, then provides tools for the analysts to execute the change requests in a standardized and documented manner. The Service Manager platform also provides key information that allows analysts to view the impacts of change based on the data in the CMDB. In addition, the automated connections to Active Directory, Operations Manager, and Configuration Manager allow the effects of the changes to flow into the CMDB automatically. Finally, Service Manager allows management to enforce change management policies and procedures, and then provides reports that evaluate the effectiveness of those policies and procedures.
Best Practices
The following are best practices from this chapter:
• Develop policies and procedures for change management. These policies and procedures should leverage Service Manager capabilities as much as possible.
• Deploy the Self-Service Web Portal to allow end users to create their own change requests to reduce the help desk workload.
• Deploy the Self-Service Web Portal to allow end users to view the status of their change requests.
• Create a notification template and workflow to notify users on the final status of their change requests.
• Use the planning portion of the change requests to clearly document the implementation, testing, and back out of proposed changes. This should be a review activity to ensure that it is done for all change requests.
• Always enter notes when changing the status of activities and change requests to ensure that the process is documented.
CHAPTER 17
Using System Center Capacity Planner for Predeployment Planning
IN THIS CHAPTER
• What Is System Center Capacity Planner?
• System Center Capacity Planner Features
• System Center Capacity Planner Background
• System Center Capacity Planner Prerequisites
• Installing System Center Capacity Planner
• Creating a Capacity Model
When deploying information technology solutions, there is always a certain level of black magic that goes into estimating the infrastructure needs for these solutions based over some future period of time. For IT professionals, this dark art is called capacity planning. During this activity, the primary concern typically centers on the projected increase in demand for resources over time in relation to a solution's ability to meet that demand. As such, a capacity planner attempts to project system usage based on business plans and forecasts in an effort to imagine what future needs will be. When done correctly, a successful capacity plan would allow the solution to be
• Scalable, stable, and predictable over some period of time
• Able to handle the increasing or decreasing amount of load based on projected demands
• Designed such that resources do not go unused or overtaxed over a long period of time
• Designed to possess the ability for just-in-time capacity additions
• Deployed in the most cost-efficient manner
Unfortunately, many different variables need to be considered when conducting a capacity planning exercise; for example, how various server hardware profiles impact application performance, how different types of users will use system resources, or even how related infrastructure such as network, storage, security systems, and so forth might impact the overall performance of a solution. In other words, a certain amount of ambiguity goes into capacity planning (hence the dark art reference).
What Is System Center Capacity Planner?
Luckily, for organizations planning to deploy certain Microsoft Server products, Microsoft created a capacity planning tool called Microsoft System Center Capacity Planner or just Capacity Planner for short. Built based on the Microsoft Operations Framework (MOF) capacity planning principles, Capacity Planner helps IT professionals deploy infrastructures (hardware/software) by guiding them through the capacity planning phase prior to deployment. By using this tool, IT professionals can effectively design system architecture that is able to meet their capacity and service-level goals for Exchange Server 2007, System Center Operations Manager 2007, Windows SharePoint Services 3.0, and Office SharePoint Server 2007. To do this, information is inputted into Capacity Planner, which then allows it to construct capacity models that describe the recommended hardware and software architecture for a solution. These capacity models are based on the analysis of the following:
• Infrastructure sizing information and analysis for distributed server deployments—Using this information, required hardware and software can easily be identified based on a prescriptive architecture recommendation that has been tailored toward your organization's requirements.
• Hardware utilization analysis—Capacity Planner is able to calculate the utilization for each server by simulating real-world user workloads. Using this information, IT professionals can easily determine if proposed hardware configurations will meet projected requirements.
• Transaction latency analysis—Capacity Planner also has the ability to calculate transactional latencies based on the modeled architecture configuration. If latencies are found to be too high, Capacity Planner provides the needed information to update the architecture model to remove the found bottleneck.
• Hardware and architecture "what-if" analysis—In Capacity Planner, IT professionals can also modify a modeled infrastructure and then see the effects those changes have on the overall capacity model. Using this capability, a "what-if" analysis can easily be constructed for changes that might be introduced into an environment, such as new hardware, additional sites, and so on.
• Software "what-if" analysis—Like hardware and architecture "what-if" analysis, IT professionals can also experiment with various software configurations in a capacity model. By doing so, an accurate picture can be constructed on the implications of what different software features might have on infrastructure.
• Organizational "what-if" changes—Additionally, the effect of changes to an environment (like adding new users from a company merger) can easily be evaluated for their impact on a capacity model.
System Center Capacity Planner Features
The System Center Capacity Planner has a number of features designed to assist IT professionals to evaluate an information technology infrastructure during the planning phase, prior to deployment. These features are as follows:
• Capacity Planner Model Wizard—Using the Model Wizard, you can easily create an initial capacity model by entering information such as site and network information, number of users, typical or average usage, hardware preferences, application configuration specifics, and so on. After providing this information to the Model Wizard, it generates a model that can be saved and reused to perform simulations or be further modified using the Model Editor.
• Capacity Planner Model Editor—As its name might suggest, the Model Editor can be used to edit an already existing capacity model. For example, you can add or remove objects such as sites, servers, usage profiles, and network connections. By doing so, a capacity model can be further refined and validated based on new information. Additionally, using the Model Editor, you can export information from a capacity model to Microsoft Excel or Microsoft Visio.
• Capacity Planner Simulation—Using this feature, you run a simulation against a capacity model that will generate utilization and latency performance data. The results from a simulation can then allow an accurate picture to be constructed around things like resource utilization or transactional latencies for a proposed architecture design. This information is important because it allows IT professionals to determine if further changes are needed to a capacity model to remove any performance bottlenecks and improve the overall design of a solution.
• Capacity Planner Hardware Editor—The Hardware Editor is used to view, edit, and add Computer and Device configurations, which can be used in a capacity model. These configuration definitions are representations of hardware that is used in a solution. Although Capacity Planner comes with many predefined configurations in its library, you can use the Hardware Editor to ensure there are configuration definitions that more closely match the hardware configurations that might be deployed.
System Center Capacity Planner Background
The current version of Capacity Planner is the 2007 release. This is the second major release of this planning tool with the first release being Capacity Planner 2006. Details about each major release and the intermediate 2006 SP1 release are covered in the following sections.
System Center Capacity Planner 2006
System Center Capacity Planner 2006 was released in December of 2005. With this release of Capacity Planner, there was only support for Microsoft Exchange Server 2003 or Microsoft Operations Manager (MOM) 2005 capacity models.
System Center Capacity Planner 2006 SP1
In late 2006, Microsoft released the SP1 version of Capacity Planner. In this release, the following updates were introduced:
• Compatibility with Windows Vista
• Support for low-speed WAN links
• Enhancements to optimize planning for MOM deployments
• Minor bug fixes
NOTE System Center Capacity Planner 2006 SP1 should be used by organizations that still need to do capacity planning for Microsoft Exchange Server 2003 or Microsoft Operations Manager (MOM) 2005 deployments.
System Center Capacity Planner 2007
Released in early 2008, the 2007 version of Capacity Planner introduced the following major features/changes:
• Built-in capacity model support for Exchange Server 2007
• Additional capacity models from Microsoft for:
  • System Center Operations Manager 2007 (SP1)
  • Windows SharePoint Services 3.0
  • Office SharePoint Server 2007
• Support for 64-bit processor architectures
• Updated deployment wizards designed to streamline the user experience
• Comprehensive reporting of disk I/O and storage details
• Increased flexibility in customizing server usage profiles
System Center Capacity Planner Prerequisites
This section describes the hardware, operating system, and software requirements that must be met before installing and using System Center Capacity Planner 2007.
Hardware Requirements
The following are the minimum and recommended hardware requirements for System Center Capacity Planner 2007:
• Intel Pentium or compatible 1GHz or faster processor
• 512MB of RAM
• 30MB of available disk space or greater
Supported Operating Systems
The following operating systems are supported by System Center Capacity Planner 2007:
• Windows Vista Ultimate, Enterprise, and Business
• Windows Server 2003, Standard and Enterprise Editions with Service Pack 2
• Windows Server 2003 R2, Standard and Enterprise Editions
• Windows Server 2008, Standard and Enterprise Editions
• Windows XP Professional with Service Pack 2
• Windows XP Professional x64 Edition with Service Pack 2
• All localized versions of the operating systems listed are supported except right-to-left language versions
Software Requirements
The following software requirements must be met before installing System Center Capacity Planner 2007:
• Microsoft .NET Framework 2.0
• Microsoft Data Access Components (MDAC) version 2.6 or later
Installing System Center Capacity Planner
You can find the download media for Capacity Planner in the System Center Capacity Planner TechCenter on TechNet at http://technet.microsoft.com/en-us/sccp/bb969059.aspx. After downloading the media, the installation process is guided by a very straightforward installation wizard that has only two configuration options: the installation location and sharing options. To install Capacity Planner, follow these steps:
1. While logged on with administrative credentials, locate and double-click the Setup.msi file that you downloaded.
2. Review the information presented on the Welcome page of the Setup Wizard, and then click Next when you are ready to continue.
3. Review the license agreement, click I Agree, and then click Next.
4. Select or browse to an installation folder and choose a sharing option (Everyone or Just Me), and then click Next.
5. Confirm that you want to install Capacity Planner, and then click Next.
6. When the installation is complete, just click Close and Capacity Planner will start if the Start System Capacity Planner 2007 option is still enabled.
After you have finished installing Capacity Planner, you'll need to install the Capacity Planning Models for System Center Operations Manager 2007, Windows SharePoint Services 3.0, and Office SharePoint Server 2007. These Capacity Planning Models can be downloaded from the same location on the System Center Capacity Planner TechCenter as the System Center Capacity Planner 2007 installation media. Additionally, the installation process for these planning models is pretty much the same and very straightforward.
NOTE You do not need to download and install the Exchange Server 2007 Capacity Planning Models. This planning model is installed by default when you install Capacity Planner.
Creating a Capacity Model
In this section, you learn how to complete a basic Exchange Server 2007 capacity modeling exercise using Capacity Planner. The steps in this section assume that you have a basic understanding of Exchange Server 2007 and will be using the default Computer and Device configurations found in Capacity Planner. At the end of this section, you will have generated an Exchange capacity model using the Model Wizard, edited the capacity model using the Model Editor, and lastly run simulations against the model to generate utilization and latency performance data.
Getting Started
When deploying a new solution to meet business requirements, you should be following some form of framework for managing information systems. For example, you might use the Information Technology Infrastructure Library (ITIL) or the Microsoft Operations Framework (MOF) as a basis for managing your information systems. Irrespective, a common thread among all IT management frameworks is the need to conduct predeployment and infrastructure planning before rolling out a new solution to meet business requirements. As part of your planning process, Capacity Planner can be used to help flush out infrastructure requirements by conducting predeployment sizing using simulated hardware and software infrastructure in what is called a capacity model. By creating and using a capacity model, you can then start to understand the following:
• The hardware requirements for the solution
• The user experience in relation to the deployed infrastructure based on defined requirements, such as service-level agreements (SLAs), operating-level agreements (OLAs), and operating-level requirements (OLRs)
• The performance and capacity of a proposed infrastructure design
• The potential cost of infrastructure in relation to requirements and capacity
For the capacity planning exercise in this section, the goal is to generate a capacity model as part of the predeployment and infrastructure planning phase of an Exchange Server 2007 deployment. However, before generating a capacity model, you need to first understand what the basic infrastructure requirements are based on known business requirements and information that has already been gathered. In this case, the basic requirements for the fictitious Exchange deployment are as follows:
• There are two central Mailbox Sites: SFO and TKO. SFO has 1,000 users and TKO has 500 users. In each location, ActiveSync is being used, there is a mailbox quota of 200MB, usage is average, and SAN is being used for database storage.
• The usage breakdown in both locations is Outlook 2007 in Cached Exchange Mode 60%, Outlook 2007 Anywhere + ActiveSync 20%, and Outlook Web Access + ActiveSync 20%.
• Connected to each Mailbox Site is a SOHO Client-Only Site.
• Each SOHO site has 50 users and the usage breakdown matches the Mailbox Sites.
• The two Mailbox Sites have a site-to-site OC1 network connection with 30% bandwidth available.
• The two SOHOs use a shared WAN with a 128Kbps (ISDN 1 BRI) network connection with 40% bandwidth available.
• The Internet connection is an OC1 network connection.
• Both Mailbox Sites are using CCR and all other server roles are deployed in a fault-tolerant manner.
Using the Hardware Editor
Capacity Planner comes with many predefined hardware configurations in its library. For the capacity planning exercise, you use configurations to create your capacity model. However, because each environment is different and hardware specifications change over time, there might be instances where you need to have hardware configurations that more closely match what will be used in your production environment. Using the Hardware Editor, you can view, edit, and add Computer or Device configurations that can be used in Capacity Planner. Computer configurations are definitions that are used to represent actual servers or storage area network (SAN) devices that will be used in a deployment. As such, these configuration definitions consist of at least one CPU and at least one disk or multiple disk arrays. Device configurations are definitions that are used to define CPUs, single disks, and disk arrays objects, which are then, in turn, used to define hardware makeup of Computer configurations. When working with Device configurations, keep the following in mind:
• A CPU device can include multiple physical processors.
• A disk configuration is a single physical disk.
• The disk sizes for a disk configuration are displayed in unformatted capacity.
• When a disk is formatted with NTFS, only approximately 91% of the disk capacity is usable.
• A disk array includes between 1 and 16 disk groups.
• A disk group or volume can contain up to 64 individual disks.
• A disk group is also called a volume and RAID is applied at the disk group level.
NOTE To access the Hardware Editor, you can use the Review or Edit Hardware Configuration link on the Capacity Planner Start page, the Go, Hardware Editor menu option, or the Ctrl+4 keyboard shortcut.
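As an added example (not from the book and not part of Capacity Planner), the following script encodes the Device configuration rules above (1 to 16 disk groups per array, up to 64 disks per group, RAID applied per group, roughly 91% usable after NTFS formatting) and applies them to the fictitious SFO and TKO Mailbox Sites from the requirements list earlier in this section. The RAID capacity formulas, the 146GB disk size, and the assumption that CCR keeps two full copies of each mailbox database are mine, not the chapter's.

```python
"""Disk-group sizing for a Capacity Planner style hardware model (added example)."""
from dataclasses import dataclass

# Rules quoted in the chapter's Hardware Editor section.
NTFS_USABLE_FRACTION = 0.91   # roughly 91% of raw capacity is usable after NTFS formatting
MAX_GROUPS_PER_ARRAY = 16     # a disk array holds between 1 and 16 disk groups
MAX_DISKS_PER_GROUP = 64      # a disk group (volume) holds up to 64 disks

# Assumptions (mine, not the chapter's): minimum disk count per RAID level and the
# increment needed to keep mirrored levels at an even disk count.
RAID_MIN_DISKS = {"RAID0": 1, "RAID1": 2, "RAID5": 3, "RAID10": 4}
RAID_DISK_STEP = {"RAID0": 1, "RAID1": 2, "RAID5": 1, "RAID10": 2}


@dataclass(frozen=True)
class DiskGroup:
    """A volume: `disks` identical physical disks with one RAID level applied to the group."""
    disks: int
    disk_gb: float   # unformatted capacity of one disk, as the Hardware Editor displays it
    raid: str

    def data_gb(self) -> float:
        """Raw capacity left for data after RAID redundancy, before formatting."""
        if self.raid not in RAID_MIN_DISKS:
            raise ValueError(f"unknown RAID level {self.raid!r}")
        if not RAID_MIN_DISKS[self.raid] <= self.disks <= MAX_DISKS_PER_GROUP:
            raise ValueError(f"{self.raid} needs {RAID_MIN_DISKS[self.raid]}..{MAX_DISKS_PER_GROUP} disks")
        if self.raid in ("RAID1", "RAID10") and self.disks % 2:
            raise ValueError(f"{self.raid} needs an even number of disks")
        raw = self.disks * self.disk_gb
        if self.raid == "RAID0":
            return raw
        if self.raid == "RAID5":
            return raw * (self.disks - 1) / self.disks   # one disk's worth of parity
        return raw / 2                                    # RAID1 / RAID10: mirrored

    def usable_gb(self) -> float:
        """Capacity usable by the application once the volume is formatted with NTFS."""
        return self.data_gb() * NTFS_USABLE_FRACTION


@dataclass(frozen=True)
class DiskArray:
    groups: tuple   # of DiskGroup

    def usable_gb(self) -> float:
        if not 1 <= len(self.groups) <= MAX_GROUPS_PER_ARRAY:
            raise ValueError(f"a disk array holds 1..{MAX_GROUPS_PER_ARRAY} disk groups")
        return sum(g.usable_gb() for g in self.groups)


def mailbox_storage_gb(users: int, quota_mb: int, copies: int = 2) -> float:
    """Space to hold every mailbox at its quota, times the number of database copies.
    copies=2 assumes CCR keeps a full active and a full passive copy (my assumption)."""
    return users * quota_mb * copies / 1024


def smallest_group(required_gb: float, disk_gb: float, raid: str) -> DiskGroup:
    """Smallest disk group of the given disk size and RAID level with >= required_gb usable."""
    if raid not in RAID_MIN_DISKS:
        raise ValueError(f"unknown RAID level {raid!r}")
    disks = RAID_MIN_DISKS[raid]
    while disks <= MAX_DISKS_PER_GROUP:
        group = DiskGroup(disks, disk_gb, raid)
        if group.usable_gb() >= required_gb:
            return group
        disks += RAID_DISK_STEP[raid]
    raise ValueError("no single disk group of this disk size and RAID level is large enough")


# Constructed from the chapter's fictitious deployment: two Mailbox Sites, 200MB quota, CCR.
MAILBOX_SITES = {"SFO": 1000, "TKO": 500}
MAILBOX_QUOTA_MB = 200


def size_mailbox_sites(disk_gb: float = 146, raid: str = "RAID10") -> dict:
    """Map each Mailbox Site to the smallest disk group that holds its database storage."""
    return {
        site: smallest_group(mailbox_storage_gb(users, MAILBOX_QUOTA_MB), disk_gb, raid)
        for site, users in MAILBOX_SITES.items()
    }


if __name__ == "__main__":
    for site, group in size_mailbox_sites().items():
        need = mailbox_storage_gb(MAILBOX_SITES[site], MAILBOX_QUOTA_MB)
        print(f"{site}: need {need:.1f} GB -> {group.disks} x {group.disk_gb} GB {group.raid} "
              f"= {group.usable_gb():.1f} GB usable")
```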
Adding or Modifying a Device
To add or modify a Device configuration, navigate to the Device Configurations page in the Capacity Planner Hardware Editor. Once on this page, you can add or modify CPU, disk, and disk array device types. You cannot, however, modify or delete the default Device configurations that come with Capacity Planner. Additionally, if you happen to modify a Device configuration that is being used by a Computer configuration in an existing capacity model, that change is reflected on the corresponding item in that model.
Adding or Modifying a Computer
To add or modify a Computer configuration, navigate to the Computer Configurations page in the Capacity Planner Hardware Editor. If you are adding a new Computer configuration that uses devices that are not currently defined in Capacity Planner, those devices must be defined before adding the new computer. Also, as with Device configurations, if you modify a Computer configuration that is being used in an existing capacity model, that change is reflected on the corresponding item in that model. Lastly, you cannot modify or delete the default Computer configurations that come with Capacity Planner.
Understanding the Hardware Editor List Icons
In the Hardware Editor list view, each configuration item has an icon that signifies its status in the editor. A locked icon indicates that the item is a default configuration item and cannot be modified. Conversely, an unlocked icon indicates that the configuration item can be modified. Lastly, a model icon (similar to a campus icon) is used to represent computer, disk array, and SAN Device configuration items that are being used within a capacity model. These items are copies of the originating configuration item that was used, and are represented in the list view using the following naming schema:
• SiteName\ServerName
• SiteName\ServerName\DiskArrayName
• SiteName\SANName
Creating a Capacity Model
853
Using the Model Wizard

The next phase in the capacity planning exercise is to use the Exchange Server 2007 Model Wizard to generate a basic capacity model. While the wizard guides you through the steps to create the capacity model, you need to provide the wizard with the following information:
• Site and network information for Mailbox Server and Client-Only Sites
• The number of users in each site
• The type of users (user demand)
• Hardware configuration information
• Information about replication, clustering, redundancy, and so forth, if you plan on using these deployment options

Use the following steps to complete the Exchange Server 2007 Model Wizard.

Step One: Start the Model Wizard
1. Start Capacity Planner.
2. On the Capacity Planner Start page, select Exchange Server 2007 in the Capacity Model drop-down menu.
3. Click the Create a New Capacity Model link to launch the Exchange Server 2007 Model Wizard.

Step Two: Mailbox Sites Page

The first page displayed after the Exchange Server 2007 Model Wizard has started is the Mailbox Sites page. Use this page to specify information about Mailbox Sites and their clients. On this page, there are three links that can be used. The first, Add Mailbox Site, is used to add a new Mailbox Site to the capacity model. If this link is selected, the New Mailbox Site form is opened, where you can specify information about a new Mailbox Site, such as name, number of clients, SAN usage, user types, usage patterns, and so on. The second link, Customize Usage Profiles, is used to open the Customize Usage Profiles form. Using this form, you can modify the usage profiles for servers and clients. Depending on how your users use email within your environment, you might or might not want to tweak the default usage profiles. Lastly, you can use the Using the Model Wizard link to download a help video that explains how to use the Model Wizard.
To add the two Mailbox Sites required by the capacity planning scenario, complete the following steps:
1. On the Mailbox Sites page, click the Add Mailbox Site link.
2. Next, on the New Mailbox Site form, specify the information that is appropriate for this Mailbox Site and click OK. An example of a completed form is shown in Figure 17.1.
CHAPTER 17
Using System Center Capacity Planner for Predeployment Planning
FIGURE 17.1 New Mailbox Site form. The form has General Settings and Client Profiles sections; the client usage profile percentages must total 100.
3. Lastly, complete the same process for the second Mailbox Site.
4. Once you have added both Mailbox Sites, click Next.

NOTE Press F1 to get detailed help on the options on each page of the Model Wizard.
Step Three: Client-Only Sites Page

The second page in the Model Wizard is the Client-Only Sites page. This page is used to specify information about Client-Only Site Profiles and the users that reside in these sites. Like the Mailbox Sites page, there are three links that can be used on this page. The first link, Add Client-Only Site Profile, is used to add a new Client-Only Site Profile to the capacity model. If this link is selected, the New Client-Only Site Profile form is opened, where you can specify information about a new Client-Only Site Profile, such as profile name, number of clients, whether ActiveSync devices are in use, user types, usage patterns, and so on. The other two links, Customize Usage Profiles and Using the Model Wizard, provide the same functionality as found on the Mailbox Sites page. To add the Client-Only Site Profile required by the capacity planning scenario, complete the following steps:
1. On the Client-Only Sites page, click the Add Client-Only Site Profile link.
2. Next, on the New Client-Only Site Profile form, specify the information that is appropriate for this Client-Only Site Profile, and click OK. An example of a completed form is shown in Figure 17.2.

FIGURE 17.2 New Client-Only Site Profile form.
3. Once you have added the Client-Only Site Profile, click Next.

Step Four: Networks Page

The Networks page is used to specify the typical type of network connectivity that exists between all the sites. Notice the usage of typical. There is a limited amount of customization that can be done as to how sites are connected. Instead, by default, the Model Wizard connects all of the Mailbox Sites together and then chooses an even distribution of physical and logical connections between Client-Only Sites and Mailbox Sites. When defining the typical type of network connectivity between sites, you have three different configurable areas on the Networks page that can be modified. The first area, Specify Typical Connectivity Between Mailbox Sites, is used to define the typical type of network connections between Mailbox Sites. The second area, Specify the Typical Connectivity Between Client-Only Sites and Mailbox Sites, is used to define the typical type of network connectivity that exists between Mailbox Sites and Client-Only Sites. Additionally, if needed (and if available), you can also use the Specify Connectivity for Each Client-Only Site link to define unique connection details for each Client-Only Site.
The last area, Specify Typical Internet Connectivity, is used to define the typical type of Internet connectivity.

NOTE Once you have completed the Model Wizard, you can further customize network connectivity settings between sites using the Model Editor.
To define the typical network connectivity required by the capacity planning scenario, complete the following steps:
1. On the Networks page, define the typical type of network connections between Mailbox Sites.
2. Next, define the typical connectivity between Client-Only Sites and Mailbox Sites.
3. Finally, define the typical Internet connectivity and then click Next.

After you have finished defining the typical network connectivity between sites, the Networks page should look similar to Figure 17.3.

FIGURE 17.3 Networks page.
Step Five: Hardware Page

The Hardware page is used to select the computer hardware that will be used in the capacity model. It is important to understand that the computer and disk configuration options presented on this page are limited to the ones that meet Exchange Server 2007 requirements. For example, CPU choices are limited to 64-bit processors. To define the computer hardware that will be used, there are three different configurable areas on the Hardware page. The first two areas, Select Possible CPU Configurations for Mailbox Servers and Select Possible CPU Configurations for Hub Transport, Edge Transport, and Client Access Servers, are used to define the possible CPU configurations that can be used by Exchange servers in the capacity model. When generating the capacity model, Capacity Planner attempts to scale up the hardware resources in the model that use CPUs in the following order:
1. If the least powerful CPU that was chosen meets the needs of the capacity model, it is used.
2. If the least powerful CPU does not have enough capacity, the next most powerful CPU that was chosen is evaluated. If it is found to have enough capacity for the capacity model, it is used.
3. If that CPU doesn't meet the needs of the capacity model, the most powerful CPU is then evaluated. If this CPU meets the needs of the capacity model, it is used.
4. If the most powerful CPU does not meet the capacity needs of the capacity model, Capacity Planner scales the model out by adding an additional server. The load of the capacity model is then distributed between the servers and the previous steps are repeated. This process continues until enough servers have been added to the capacity model to handle the calculated load.

The last configurable area, Select Disk Configurations for Different Roles, is used to define the disk configurations that can be used for the various Exchange Server roles.
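The scale-up-then-scale-out order just described, as an added Python illustration that is not Capacity Planner's own code: the `CpuConfig` class, the `plan_servers` function, the CPU names and their capacity numbers are all constructed for this example, and the "work unit" load measure is invented. The real tool's sizing rules and capacity figures are not reproduced here; the point is only the evaluation order (least powerful CPU first, add a server only when the most powerful one is insufficient, then re-evaluate with the load spread evenly).

```python
"""Toy model of the Hardware page's CPU scale-up / scale-out order.

Added illustration, not Capacity Planner's own code. CPU names, capacity
numbers and the abstract 'work unit' load measure are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class CpuConfig:
    """One CPU choice offered on the Hardware page (constructed values)."""
    name: str
    capacity: float  # abstract work units one server with this CPU can carry


def plan_servers(load: float, choices: Iterable[CpuConfig],
                 max_servers: int = 64) -> Tuple[CpuConfig, int]:
    """Pick a CPU and a server count following the order the text describes.

    1. For the current server count, try the chosen CPUs from least to most
       powerful and take the first one that carries the per-server load.
    2. If even the most powerful CPU is insufficient, add one server, spread
       the load evenly across all servers, and repeat step 1.
    Returns (chosen CpuConfig, number of servers).
    """
    if load <= 0:
        raise ValueError("load must be positive")
    cpus = sorted(choices, key=lambda c: c.capacity)   # least powerful first
    if not cpus:
        raise ValueError("at least one CPU configuration is required")
    for servers in range(1, max_servers + 1):
        per_server = load / servers                    # even distribution of load
        for cpu in cpus:                               # scale up before scaling out
            if cpu.capacity >= per_server:
                return cpu, servers
    # max_servers is a guard so an absurd load cannot loop without bound
    raise RuntimeError(f"load {load} exceeds {max_servers} servers of {cpus[-1].name}")


# Constructed CPU choices for a Mailbox server role; capacities are made-up numbers.
CPU_CHOICES = [
    CpuConfig("2-processor 1.40 GHz", capacity=100.0),
    CpuConfig("4-processor 2.20 GHz", capacity=250.0),
    CpuConfig("8-processor 2.80 GHz", capacity=500.0),
]

if __name__ == "__main__":
    for load in (80, 300, 1200):
        cpu, n = plan_servers(load, CPU_CHOICES)
        print(f"load {load:>5}: {n} server(s) with {cpu.name}")
```

Running the block shows the three regimes: a small load fits the least powerful CPU on one server, a medium load steps up to the most powerful CPU on one server, and a load beyond any single CPU is spread across additional servers until the most powerful CPU can carry each server's share.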
Based on the chosen preferences from this area, Capacity Planner automatically determines the number of disks needed when it generates the capacity model. To define the hardware configurations required by the capacity planning scenario, complete the following steps:
1. On the Hardware page, define the possible CPU configurations for Mailbox servers.
2. Next, define the possible CPU configurations for Hub Transport, Edge Transport, and Client Access servers.
3. Finally, define disk configurations that can be used by Exchange servers, and then click Next.

After you have finished defining the hardware configurations, the Hardware page should look similar to Figure 17.4.
FIGURE 17.4 Hardware page.
Based on the chosen hardware configurations, Capacity Planner automatically generates server configurations that match the resource requirements of the capacity model. As mentioned before, these server configurations will appear in the Hardware Editor after the capacity model has been generated. You can edit these server configurations, but cannot delete them.
NOTE Capacity Planner will only model the infrastructure as it directly relates to the Exchange Server deployment. As such, infrastructure items such as firewalls, reverse proxies, network traffic shapers, and so on are not included in a capacity model or the Hardware Editor.
Step Six: Application Page

The Application page is used to define what type of high availability and redundancy options should be used in the capacity model. To define these options, there are two configuration areas on this page. The first area, Mailbox Servers, is used to define what type of Mailbox Server clustering configuration should be used (if any). The second area, Other Server Types, is used to specify whether the Hub Transport, Edge Transport, and Client Access Server roles should be deployed with additional servers to increase fault tolerance.
To define the high availability and redundancy options required by the capacity planning scenario, complete the following steps:
1. On the Application page, define the Mailbox Server clustering configuration that should be used.
2. Next, specify whether the Hub Transport, Edge Transport, and Client Access Server roles should be deployed with additional servers to increase fault tolerance, and click Next. The Model Wizard then generates the capacity model.

After you have finished defining the high availability and redundancy options, the Application page should look similar to Figure 17.5.
FIGURE 17.5 Application page.
Step Seven: Model Summary Page

After the Model Wizard has finished generating the capacity model, it creates a summary of the results and displays them on the Model Summary page. The summary results from the capacity planning scenario are shown in Figure 17.6. From this page, you can copy the summary information to the Clipboard, run a simulation against the capacity model, save the capacity model, or click Finish and open the capacity model in the Model Editor for further modification.
FIGURE 17.6 Model Summary page. The summary lists the topology (sites, number of users, SAN connections) and each generated server's processor, minimum memory, disks, NIC, and roles.
To finish the Model Wizard for the capacity planning scenario, complete the following steps:
1. On the Model Summary page, click Finish.
2. Then, once the Model Editor has finished loading, save the new capacity model as ExampleExchange.sam.
Using the Model Editor

After completing the Model Wizard, Capacity Planner generates a basic capacity model that contains a recommended hardware and software architecture. This basic capacity model is but a starting point and does not yet have all of the information required to accurately reflect your organization's architecture or full requirements. Therefore, the next phase in the capacity planning exercise is to use the Model Editor to make any needed changes to the capacity model. For example, using the editor, you can add additional sites, make tweaks to the network connections, further modify usage profiles, and so on. In general, the Model Editor is a fairly simple yet effective topology-based editor. It has three primary views. The first view, Global Topology, as shown in Figure 17.7, shows the overall deployment topology in relation to sites, network connections, and the Internet. By double-clicking on a site, using the navigation pane, or right-clicking an object, you can drill into the second view, called Site Topology, as shown in Figure 17.8.
FIGURE 17.7 Global Topology view.

FIGURE 17.8 Site Topology view.
This view shows the deployment topology of objects within a site, such as servers, SANs, client profiles, and logical network segments. The last view is the Model Summary view, which provides exactly the same information as the Model Summary page in the Model Wizard. Using this view, you can see a summary of the topology in relation to sites, application roles, number of users, hardware, and so forth. Depending on the current view or which object(s) are selected, different tasks will be available in the Current View Actions pane. The actions in this pane only apply to objects that are selected or the view that is active. However, regardless of the view or objects selected, the tasks in the General Actions pane will always be the same. Additionally, at any time, you can zoom in or out of a view, modify the routing display selections, and move objects around. Lastly, using the Model Editor, you can also export the information from a capacity model to Microsoft Excel and Microsoft Visio.

NOTE To export information from a capacity model to Visio, you must have Visio installed. Additionally, to export information to Excel, you must have already run a simulation.
Running a Simulation

Once you have finished making any needed changes to the capacity model using the Model Editor, the next phase in the capacity planning exercise is to conduct a simulation against the model. Simulations are designed to generate utilization and latency performance figures for a capacity model. Once completed, Capacity Planner provides you with data as to how resources in the model might be used in the real world. Using this data, you can then determine whether resources are being overutilized or whether transactions are experiencing high latency. At that point, if needed, you make corrections to the capacity model to remove the bottlenecks. To run a simulation, use the following steps:
1. On the Model Editor toolbar, click Run Simulation.
2. If the simulation is successful, the Results Summary page is displayed. However, if the simulation is not successful, any needed simulation adjustments are listed, as shown in Figure 17.9. If you need more information to fully understand what is causing the failure and how to correct it, click the Help Link icon. Then, once you fully understand the adjustment that needs to be made, you can make it by modifying the capacity model using the Model Editor. For example, to correct the issues found with the capacity model that you generated during the exercise in this chapter, you need to increase the amount of bandwidth available on the WAN link to the SOHO sites or increase that link's network connection speed. Then, after making any needed corrections to the model, rerun the simulation, and correct any further issues until the simulation successfully completes and the results are displayed, as shown in Figure 17.10.
FIGURE 17.9 Simulation adjustments. The adjustments list reports overloaded WAN (download) links between sites.

FIGURE 17.10 Simulation results. The Results Summary page shows utilization of CPU, storage I/O, storage space, and SAN connections; latency by site; the highest CPU utilization; the longest transactions (in seconds); and the highest connectivity utilization.
Summary

This chapter was dedicated to System Center Capacity Planner 2007. Based on the information that was provided in this chapter, you should now have a better understanding of how this tool can be used to create capacity models for Exchange Server 2007, System Center Operations Manager 2007, Windows SharePoint Services 3.0, and Office SharePoint Server 2007. The information that is contained in these models can then help you conduct capacity planning for these products and ensure that your infrastructure deployments are on target in regard to capacity, design, and budget.
Best Practices

The following are best practices from this chapter:
• When deploying infrastructure such as Exchange Server or SharePoint, be sure to conduct predeployment and infrastructure planning.
• As part of your deployment project, conduct a capacity planning exercise to help flesh out the hardware requirements and base infrastructure design. You might or might not use Capacity Planner for this.
• When using Capacity Planner, choose the correct version based on the version of Microsoft software you are installing.
• When working with System Center Operations Manager 2007, Windows SharePoint Services 3.0, or Office SharePoint Server 2007, make sure to download and install the capacity models for these products.
• Before conducting a capacity planning exercise, make sure that you have a clear set of capacity goals based on real business requirements.
• Lastly, capacity models are not an end-all to capacity planning. The information that is gathered from Capacity Planner should be used as a basis that is validated against real-world systems.
CHAPTER 18
Using Mobile Device Manager to Manage Mobile Devices

System Center Mobile Device Manager is a product Microsoft sells that helps organizations manage their Windows Mobile devices. Management of mobile devices means keeping an inventory of the devices, patching and updating the devices, and providing a method to provision and deprovision the devices, among several other management and administrative tasks.
Why Mobile Management?

A common question that is asked is "Why do I need mobile management?" as most network administrators see and experience mobile devices as nothing more than mobile phones with email. However, in a number of areas, mobile device management becomes extremely important. Mobile device management is important in helping organizations enforce laws and regulations that control the access to information and the secured or encrypted storage of information. Mobile devices also need controls when they are implemented in specialized uses in hospitals or warehouses, where the mobile device is not a mobile phone but rather a mobile data acquisition device. When you expand your thinking of a mobile device beyond a normal employee using their personal phone to send and receive emails, to devices that have specialized usage, mobile device management becomes even more important. However, even for the organization where the mobile device is just a mobile phone with email and calendaring, laws and regulations require more attention to the management of the mobile device than has been the norm in the recent past within IT departments.
IN THIS CHAPTER
• Why Mobile Management?
• Background of Mobile Device Manager
• Planning and Designing the Implementation of MDM
• Prerequisites for Mobile Device Manager 2008 SP1
• Installing System Center Mobile Device Manager
• Self-Service Tasks with Mobile Device Manager
• Device Management Tasks with Mobile Device Manager
• Policy-Based Tasks with Mobile Device Manager
• Mobility Access Controls Using Mobile Device Manager
• Adding Exchange and Configuration Manager to an MDM Rollout
As an IT administrator, business manager, security officer, or IT professional, would you ever deploy all of the laptops and workstations in your organization without passwords? Would you basically allow your laptop and desktop users to simply walk up to a computer, turn on the monitor, and start accessing sensitive information? It's highly unlikely; however, that's what millions of mobile device users are allowed to do every day. Users simply touch the keyboard or slide an unlock bar across their screen to access their email, which likely has sensitive and protected attachments, confidential business information in emails, and access to private mobile phone numbers and other sensitive business data. Mobile device management is extremely important to businesses and it is just a matter of time before organizations will clearly understand their need to do something about device management. Those of you reading this chapter and implementing a technology like System Center Mobile Device Manager will be a step ahead of others.
Managing Mobile Devices Just like Laptops and Desktops

Systems management became a big thing a decade ago when no one thought twice about patching and updating their desktop and laptop systems until a swarm of viruses and worms like Blaster, Melissa, and Nimda swept across the Internet and brought down what seemed like every company across the nation. From that period on, systems management, including patching and updating systems, became a standard. Now, several years later, we think nothing of patching and updating systems; it is something we just do religiously every single month when updates come out. Any time we build a workstation or server, we sit for minutes patching the system with the latest updates. So why do most IT professionals have no strategy for patching and updating mobile devices? Just like a decade ago on PCs, until something bad happens, no one does anything. System Center Mobile Device Manager helps organizations take care of the patching and updating of Windows Mobile devices just like patching and updating client systems and services.
Enforcing Policies to Mobile Devices

Policy management for mobile devices is also something that few administrators think about, and many IT professionals have no idea why anyone would want to enforce a policy on a mobile device other than possibly forcing users to use passwords on their mobile devices. Organizations that come under regulatory compliance requirements are well aware of the need to have passwords, enforce passwords, and force users to change their passwords on a regular basis. Mobile device password management is no different from desktop and laptop password enforcement, considering the same internal financial statement documents, sensitive HR employee conversations, and company trade secret content is on the mobile device as is on the desktop. Organizations that work in sensitive information businesses such as top-secret development, environments working with national security information, or simply organizations with employees handling information related to employee privacy need to control the accidental or purposeful unauthorized distribution of information. In what is more
recently called data leak prevention, or DLP, organizations are preventing employees from bringing video equipment, cameras, or recording devices into sensitive-information areas. However, an employee with a pretty typical mobile phone these days has a camera, video recorder, and sound recorder built into their mobile phone. With System Center Mobile Device Manager, the organization can allow employees to bring in their mobile devices as long as they are managed by policy to prevent the use of the built-in camera or prevent the recording of information. MDM provides simple policies to enforce key information protection. Mobile Device Manager can also force a policy on managed mobile devices to encrypt the device, so that if the device is lost and is properly locked and encrypted, the potential for information on the device being leaked is less than if the device had no policies managing it. Device management can be audited and reports can be generated to show auditors that policy enforcement is done automatically through the use of a tool like Mobile Device Manager.
Tracking Mobile Devices as Organization Assets MDM also keeps track of mobile devices by keeping track of device serial numbers, validating that the device still exists and is active in the environment, and transfers serial numbers and asset tag information between users when a device changes from one individual to another in an organization. No longer are employees walking around with simple $50 mobile phones, but rather $299 or $399 phones that are now reaching the cost of most laptop and desktop systems. Organizations track laptops and desktops in their environment as assets; the need to address mobile devices with similar costs and basic functionality needs to be considered by the organization in asset tracking, management, and control.
Managing the Provisioning and Deprovisioning Process Mobile Device Manager helps administrators provision, or set up a mobile device for users. Beyond just creating a user profile for the mobile device user to access and synchronize their emails and contacts, MDM's process of provisioning helps the IT personnel to lock down the device, uninstall unnecessary applications, encrypt content on the mobile device, enforce security on the mobile device, and provide secured (VPN) access from the mobile device into an organization's business resources. If a user loses their mobile device, MDM can send a "poison pill" to the device and wipe the data off the device and completely reset the device's configuration. This is important as a user who loses their device with sensitive emails or confidential file data is subject to the same laws and regulations that protect privacy of protected data, and as such, organizations need a process where device security can address laws and regulations around data protection. In addition, when an employee is terminated and leaves the organization and the IT department needs a way to quickly and easily deprovision the user's accounts and devices, Mobile Device Manager can be part of that process of quickly and easily deprovisioning the user and disabling the device from usage. Again, this whole process is auditable and
868
CHAPTER 18
Using Mobile Device Manager to Manage Mobile Devices
trackable so that auditors can be provided a paper trail showing that a user deprovisioning process is in place in the enterprise.
Providing the Help Desk with Additional Tools As an organization starts to take mobile device management seriously and starts to enforce passwords and PINs on mobile devices, the challenge of employees forgetting their password or PIN and needing support resetting their device becomes important. Using Mobile Device Manager, the administrator is given password and PIN control configuration options that allow the administrator the ability to change passwords and security settings of mobile devices all from the centralized MDM console.
Background of Mobile Device Manager Mobile Device Manager is a newcomer to the Microsoft System Center family of products. Many of the features in Mobile Device Manager were actually around two to three years before MDM shipped as a separate product. As an example, Exchange Server 2003 Service Pack 2 included many mobile device management components like device wipe capabilities and password enforcement capabilities specific to mobile devices connecting to Exchange. However, even though many of these features were included in Exchange, organizations where users weren't connecting to Exchange needed the same device wipe or password enforcement capabilities from a standalone tool.
Initial Release of Mobile Device Manager 2008 In 2007, Microsoft released Mobile Device Manager 2008 as a standalone product. The initial rendition of the product took the basic functions supported in Exchange Server 2003 to any and all Windows Mobile managed devices. By having a Windows Mobile device provisioned and deprovisioned by MDM 2008, the organization was able to force password policies, including the complexity of the mobile device password, frequency of the password change, and the ability to centrally wipe a device if the device was lost. The initial release of Mobile Device Manager was greatly appreciated by those organizations that needed better device management that did not use the policy capabilities built in to Exchange Server 2003 SP2; however, for most of the marketplace that was managing mobile device capabilities through Exchange Server 2003, the release of MDM 2008 was of little interest or value.
What's in System Center Mobile Device Manager 2008 SP1 A year after the initial release of Mobile Device Manager 2008, Microsoft released Service Pack 1 of the product, which is the current rendition of the MDM product today. Mobile Device Manager 2008 SP1 added in significantly more features and functions that were not included in Exchange and that organizations were looking for. The release of SP1 with these enhancements now made MDM a good mobile device product to add in to an environment because MDM now not only provided capabilities found in Exchange out of the box, but also dozens of other critical business features. All of these functions are managed
from the System Center Mobile Device Manager 2008 SP1 management console shown in Figure 18.1.
FIGURE 18.1 Mobile Device Manager 2008 SP1 management console. (Screen capture of the MMC console showing the Mobile Device Manager node with Device Management, Enrollment, and Self Service items, each at version 1.0, build 4050.0; image not reproduced.)
Some of the biggest features added to Mobile Device Manager 2008 SP1 include the following:
• Active Directory self-service domain join—Today when an organization wants to join a laptop or desktop to Active Directory an administrator needs to physically sit at the Windows system and "join" the workstation to the domain. With Mobile Device Manager, a mobile device user can log on to a self-service web portal and self-enroll their mobile phone. Within minutes and after IT personnel approves the enrollment request, the user can have the mobile device connected to Active Directory for centralized administration and management.
• Mobile VPN with dual-factor authenticated access—Another feature in Mobile Device Manager 2008 SP1 is the ability for a Mobile VPN tunnel to be established between the device and the network over an IPSec policy-based encrypted session. Mobile VPN can be set to be always on, thus ensuring that all communications from the mobile device go through the company network and that policies are enforced on a consistent basis.
• Over 125 policies—Mobile Device Manager 2008 SP1 adds over 125 policies to Active Directory with simple rules that can be enforced on mobile devices, such as disabling SMS and MMS texting, preventing an internal mobile device from connecting to a phone service provider, preventing the use of POP/IMAP or other personal mail accounts with a business-related device, and limiting the use of a built-in camera and other devices on the mobile device.
• Device encryption—Mobile Device Manager 2008 SP1 also includes the ability to automatically encrypt a Windows Mobile device via an Active Directory group policy. By enforcing encryption on a device, organizations can address laws and regulations that ensure privacy of personal information or protection of business data are covered.
• Support for WSUS 3.0 updates—Mobile Device Manager 2008 SP1 adds the support for WSUS 3.0 in terms of using WSUS to patch and update Windows Mobile devices just like WSUS does in patching and updating workstations and servers in so many organizations.
Planning and Designing the Implementation of MDM For an organization that wants the features and capabilities of Mobile Device Manager 2008 SP1, the architecture is one that can be built on a single server for a small environment, or the roles can be split across about three different Mobile Device Manager servers plus SQL Server on a fourth system. The distribution of server roles primarily addresses the need for distributed security; however, for very large enterprises, the distribution of roles also assists with handling the scalability of server components to handle the demands of thousands of mobile devices in the enterprise.
Understanding Mobile Device Manager Server Roles
Mobile Device Manager 2008 SP1 splits the server functions across four different server roles plus the administrator-focused management console. All of the server roles (including the SQL database and management console) can be installed on a single server with the exception of the Gateway server, which must reside on a standalone system and not be combined with any role other than a copy of the management console. Each of the roles serves a specific purpose in the System Center Mobile Device Manager 2008 SP1 environment.
Management Console
The management console is the administrator console for Mobile Device Manager 2008 SP1. The management console typically gets installed on the main MDM server; however, an administrator can easily install the management console on a workstation so that the administrator does not have to remote into one of the MDM servers and can simply manage MDM from their client system.
Device Management Server
The Device Management server is the main server in the System Center Mobile Device Manager 2008 SP1 configuration. It is the system that processes mobile device-specific policies and enforces them. Effectively, the management console connects to the Device Management server, and any mobile device configuration modifications and changes are initiated by the Device Management server. The Device Management server runs on Windows Server 2003 and can host all other roles other than the Gateway Server role. The Device Management server also acts as a Windows Server Update Services (WSUS) system that holds patches and updates for Windows Mobile devices so that all patches and updates are pushed from the Device Management WSUS server system.
Enrollment Server
The Enrollment server in MDM is used by Windows Mobile devices and Windows Mobile device users to automatically provision mobile devices and to conduct self-service functions for Mobile Device Manager. Although an organization might have just one Device Management server, in a large environment with a lot of user provisioning and deprovisioning connections, the organization might be using one or more dedicated Enrollment server systems. For smaller environments, the organization would usually place the Enrollment Server role on the Device Management server system.
NOTE
Because the Enrollment Server role can be moved to another server at any time, an organization can easily start off with the Device Management Server role and the Enrollment Server role on the same system, and when server utilization begins to exceed 40% to 50% of the server's capacity, the Enrollment Server role can be installed on a separate system.
Gateway Server
The Gateway server is always installed on a separate system from the other server roles and, in fact, must be placed on a completely separate system from the onset. The Gateway server is the system that Windows Mobile devices connect to using IPSec for secured remote device connections. By default, Windows Mobile devices connect to the Enrollment server, Device Management server, and other network resources over 128-bit SSL connections; however, when the organization wants to have an "always-on VPN tunnel" between mobile devices and the organization's network, the Gateway server is placed in the organization's DMZ to accept IPSec connections from the mobile devices. When a Gateway server is installed in the network and a mobile device policy forces mobile device communications over the IPSec VPN session, the Device Management server communicates with the IPSec VPN connected devices through the Gateway server and manages the connections over the IPSec VPN tunnel.
SQL Server
All data in a Mobile Device Manager 2008 SP1 environment is stored in a SQL Server 2005 (Standard or Enterprise Edition) server. The SQL Server 2005 server stores information such as the mobile device serial numbers and configuration settings.
Active Directory and Group Policies
Within a System Center Mobile Device Manager 2008 SP1 environment is Microsoft's Active Directory, which handles user logon credentials, maintains a list of Windows Mobile devices within an organizational unit container within Active Directory, and handles the Active Directory Group Policies that enable and disable features on the managed mobile devices. Active Directory is a critical component of MDM and manages the directory and authentication pieces of the mobile device management system.
Scenario 1: Small Environment with Basic SSL Security Requirements
Architecturally, the design and deployment of System Center Mobile Device Manager 2008 SP1 for a small environment or one with basic needs places all of the server roles on a single server. If the organization wants to start off testing MDM to see how it works, this single-server approach is the easiest way to deploy MDM. If the organization finds that their usage and demand of MDM grows, they can easily add additional servers and split out the roles from the single, all-in-one configuration to a distributed role configuration. But to start, putting all of the roles on a single system is the easiest. In this single-server configuration, the environment will look similar to what is shown in Figure 18.2.
FIGURE 18.2 Small environment with basic SSL security requirements. (Diagram: one MDM/SP1 server hosting the Device Management Server, Enrollment Server, SQL Server, and Management Console, behind a firewall and/or ISA/TMG server facing the Internet, and connected to Active Directory; image not reproduced.)
In this single-server configuration, the server has the System Center Mobile Device Manager Device Management role and the Enrollment Server role, has the SQL Server 2005 database running on the system, and has the administrative management console on the system. The system connects to Active Directory, where user logon and authentication are validated, and the mobile devices are added to Active Directory as managed devices. All communications from the MDM server go through the Internet (or also just locally on the LAN or WAN of the company backbone), and the Windows Mobile devices connect to the network via 128-bit SSL certificate-based encrypted communications. This single-server configuration will easily handle an organization with 200-300 Windows Mobile devices under management, and depending on the number of adds, deletions, policy changes, or device configuration changes, the MDM all-in-one configuration could handle a lot more managed mobile devices.
Scenario 2: Small Environment with Advanced IPSec VPN Security Requirements
For an organization that wants to leverage the IPSec VPN encrypted end-to-end communications from its Windows Mobile devices to the network, the organization would take a similar configuration as identified in scenario 1 with a single, all-in-one server approach, but will add a Mobile Device Manager Gateway Server role on a separate system in the environment, as shown in Figure 18.3. The Gateway Server role must be installed on a separate server as it cannot be part of the existing MDM server configuration due to security considerations.
FIGURE 18.3 Small environment with advanced IPSec VPN security requirements. (Diagram: an MDM/SP1 Gateway Server on its own system; an MDM/SP1 server hosting the Device Management Server, Enrollment Server, and Management Console; a separate SQL Server; Active Directory; and a firewall and/or ISA/TMG server; image not reproduced.)
Windows Mobile devices that have IPSec VPN encryption enabled will communicate over the Internet (or across the LAN or WAN) using IPSec encryption to the Gateway server. Devices that do not have the VPN encryption enabled will continue to communicate over the Internet (or across the LAN or WAN) using standard 128-bit SSL certificate-based encrypted communications. In scenario 2, the SQL server has been broken out of the all-in-one, single-server configuration not that it is a requirement to have a separate SQL server when running the MDM Gateway scenario, but typically because organizations that are doing more active security management tend to have more devices in management or more policies being applied and managed for the devices. This additional management overhead and oversight typically suggests additional demands against the database server managing the devices as well as additional overhead on the main Mobile Device Manager server to handle the connections. A single Device Management server can handle 15,000 managed devices and additional Device Management servers can be added and load balanced to provide scalability in mobile device support. So in this scenario, separating out the SQL server was done to provide more capacity on both the MDM server and the SQL server. For an organization to test the scalability and performance capacity of the servers, the administrator can monitor the server utilization and network communications traffic to confirm whether additional capacity is needed for the servers.
Scenario 3: Medium to Large Environment with Extensive Enrollment Requirements
In this third scenario, the Mobile Device Manager Server roles are split across several servers, as shown in Figure 18.4. The reason an organization would split out the roles would be for the purpose of security and scalability. Similar to scenario 2, where the Mobile Device Manager Gateway server is split out on a separate server for security purposes (and the requirement that the Gateway can't be on the same server as the Device Management server), scenario 3 has two separate servers, one MDM server and one Gateway server. As with scenario 2, any Windows Mobile device utilizing the IPSec VPN connection that will connect through the Internet (or over a LAN or WAN connection) will connect to the MDM Gateway server. All other Windows Mobile devices connect through the Internet (or over a LAN or WAN connection) to Mobile Device Manager over a 128-bit encrypted SSL connection.
FIGURE 18.4 Medium to large environment with extensive enrollment requirements. (Diagram: Gateway, Device Management, Enrollment, and SQL servers on separate systems behind an ISA/TMG server; image not reproduced.)
In this third scenario, the Enrollment Server role has been split out from the main Device Management Server role. The Enrollment server is used for the provisioning of Windows Mobile devices and the certificate management between Active Directory and managed mobile devices. At any one time, an Enrollment server can handle 25 concurrent device enrollments. Considering users do not request new certificates to be issued after the device is initially provisioned, the load on the Enrollment server is limited to when devices are initially added to the network. The Enrollment server frequently handles the self-service provisioning process that allows users to access a self-service web page to request adding their Windows Mobile device to the Active Directory network.
In this scenario, the SQL Server 2005 server has been separated to a separate server, making the assumption that the organization has enough mobile device connections that separating the demands and traffic of connections for mobile devices, enrollment requests, and the management of the mobile devices suggests the separation of the database from the Mobile Device Manager systems.
Prerequisites for Mobile Device Manager 2008 SP1
System Center Mobile Device Manager 2008 SP1, like every product, has a series of prerequisites as well as supported versions of operating systems, service pack updates, and component updates. MDM, however, is one of those products that very clearly only works with specific versions of operating systems, service packs, and component versions, so make it a point to confirm the prerequisites before you start installing software. Unlike a lot of products where a newer version of Windows, or a more current version of a component, will work just fine, with MDM, PowerShell v2.0 does not replace the requirement that the product requires PowerShell v1.0. Likewise, Windows Server 2008 R2 x64-bit does not replace the product requirement of Windows Server 2003 x64-bit. So stick to the versions noted.
Prerequisites for the MDM Device Management Server
The System Center Mobile Device Manager Device Management server has very specific versions of operating systems, service packs, and components supported. The supported configuration for the MDM Device Management server system is as follows:
• Windows Server 2003, Standard x64 Edition with SP2
• Member of the Active Directory domain
• Internet Information Services (IIS) 6.0 and World Wide Web Publishing Service
• .NET Framework 2.0 SP1 or later
• Windows Server Update Services (WSUS) 3.0 SP1
• Microsoft Report Viewer Redistributable 2005 (optional)
Prerequisites for the SQL Database Server Component of MDM
SQL Server is another one of those server-based applications for which MDM specifically requires SQL Server 2005, Standard or Enterprise Edition, with at least SP2 installed. MDM does not work on SQL Server 2008 at all, nor does it support SQL Express or SQL Workgroup editions. MDM can work on a system that runs SQL Server 2005 and also has the MDM Device Management server on it, effectively combining two server roles onto a single server system. The specific configuration of the SQL database server is as follows:
• Windows Server 2003 with SP2
• Member of the Active Directory domain
• Microsoft SQL Server 2005, Standard or Enterprise Edition, Service Pack 2 (SP2) or a later version
• Full product version of SQL Server must be installed; Express Edition is not supported
• Microsoft SQL Server 2008 is not supported
• Install the English or local language version of SQL Server
• For better performance in a production environment, do not install SQL Server on a server that is running MDM
Prerequisites for the MDM Enrollment Server
The System Center Mobile Device Manager Enrollment Server role can be (and frequently is) placed on the MDM Device Management server; however, for environments that have a lot of devices with frequent provisioning and an environment with self-service setup, having the MDM Enrollment server on a separate system helps with scalability and distribution of roles. The MDM Enrollment server is nothing more than a web server running a self-service portal, and as such, the configuration has the IIS web components and configuration as follows:
• Windows Server 2003, Standard x64 Edition with SP2
• Member of the Active Directory domain
• Internet Information Services (IIS) 6.0 and World Wide Web Publishing Service
• .NET Framework 2.0 SP1 or later
Prerequisites for the MDM Gateway Server
The MDM Gateway server needs to be on its own system due to security configuration isolation and the fact that the MDM Gateway will be in the organization's DMZ and not fully protected on the internal organizational network. The MDM Gateway server is a combination web server plus security and policy enforcement server for IPSec VPN communications from Windows Mobile devices back to the organization's network. The MDM Gateway server has a configuration as follows:
• Windows Server 2003, Standard x64 Edition with SP2
• Standalone server in perimeter network, or member of the Active Directory domain
• Internet Information Services (IIS) 6.0 and World Wide Web Publishing Service
• .NET Framework 2.0 SP1 or later
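Because MDM refuses to install on anything but the exact versions listed above, it is worth scripting the check rather than eyeballing Add/Remove Programs. The following is an added example, not code from the book or from Microsoft, that tests a candidate server against the Device Management, Enrollment, and Gateway lists above. It is written for the PowerShell 1.0 that MDM requires on the server (no try/catch, no -Property on New-Object). The registry locations it reads for .NET, IIS, and WSUS are this example's assumptions about where those components record themselves, and the WSUS version-string prefixes (3.1.x for SP1, 3.2.x for the unsupported SP2) are likewise assumed; confirm them on your own build before acting on a failed check.

```powershell
# Added example, not from the book: pre-installation check for an MDM 2008 SP1
# Device Management, Enrollment, or Gateway server, runnable under PowerShell 1.0.
# Registry paths and WSUS version prefixes below are this example's assumptions.

function Test-MdmPrerequisites {
    param([string]$Role = "DeviceManagement")   # DeviceManagement | Enrollment | Gateway
    $lines = @()
    $allOk = $true

    # 1. Windows Server 2003 (NT 5.2), SP2 or later, x64 build
    $os = Get-WmiObject Win32_OperatingSystem
    $osOk = ($os.Version -like "5.2.*") -and ($os.ServicePackMajorVersion -ge 2) `
            -and ($env:PROCESSOR_ARCHITECTURE -eq "AMD64")
    $lines += "OS 2003 x64 SP2+       : $osOk ($($os.Caption), SP$($os.ServicePackMajorVersion), $env:PROCESSOR_ARCHITECTURE)"
    $allOk = $allOk -and $osOk

    # 2. Domain membership (the Gateway may instead be a standalone host in the DMZ)
    $cs = Get-WmiObject Win32_ComputerSystem
    $domOk = ([bool]$cs.PartOfDomain) -or ($Role -eq "Gateway")
    $lines += "Domain member          : $domOk ($($cs.Domain))"
    $allOk = $allOk -and $domOk

    # 3. IIS 6.0 with the World Wide Web Publishing Service (W3SVC) running
    $iisKey = "HKLM:\SOFTWARE\Microsoft\InetStp"            # assumed location
    $iisMajor = 0
    if (Test-Path $iisKey) { $iisMajor = [int](Get-ItemProperty $iisKey).MajorVersion }
    $w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
    $iisOk = ($iisMajor -eq 6) -and ($w3svc -ne $null) -and ($w3svc.Status -eq "Running")
    $lines += "IIS 6.0 + W3SVC running: $iisOk (IIS major version $iisMajor)"
    $allOk = $allOk -and $iisOk

    # 4. .NET Framework 2.0 SP1 or later (SP value under the v2.0.50727 key; assumed location)
    $netKey = "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727"
    $netSp = -1
    if (Test-Path $netKey) { $netSp = [int](Get-ItemProperty $netKey).SP }
    $netOk = ($netSp -ge 1)
    $lines += ".NET 2.0 SP1+          : $netOk (SP$netSp)"
    $allOk = $allOk -and $netOk

    # 5. WSUS 3.0 SP1 exactly, Device Management server only (SP2 is not supported).
    #    Assumes VersionString 3.1.x means SP1 and 3.2.x means SP2.
    if ($Role -eq "DeviceManagement") {
        $wsusKey = "HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup"   # assumed location
        $wsusVer = ""
        if (Test-Path $wsusKey) { $wsusVer = [string](Get-ItemProperty $wsusKey).VersionString }
        $wsusOk = $wsusVer.StartsWith("3.1.")
        $lines += "WSUS 3.0 SP1 (not SP2) : $wsusOk ($wsusVer)"
        $allOk = $allOk -and $wsusOk
    }

    # 6. PowerShell 1.0 on the MDM server itself ($PSVersionTable does not exist in 1.0,
    #    so the host version is used instead)
    $psOk = ($Host.Version.Major -eq 1)
    $lines += "PowerShell 1.0         : $psOk ($($Host.Version))"
    $allOk = $allOk -and $psOk

    return @{ AllPass = $allOk; Details = $lines }
}

# Usage, in an elevated PowerShell console on the candidate server:
$result = Test-MdmPrerequisites -Role "DeviceManagement"
$result.Details
"All prerequisites met: " + $result.AllPass
```

Run it with -Role "Enrollment" or -Role "Gateway" on the other systems; the WSUS check is skipped there because only the Device Management server hosts WSUS, and the Gateway is allowed to be a standalone perimeter host. Anything reported as False should be fixed before launching setup, since the installer stops at the first missing prerequisite anyway.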
Installing System Center Mobile Device Manager The installation process for the System Center Mobile Device Manager involves preparing the MDM server with all of the necessary prerequisites, acquiring the MDM tool, and running the setup program.
Preparing the Server for Mobile Device Manager
As noted in the "Prerequisites for Mobile Device Manager 2008 SP1" section, MDM has a specific configuration that is needed before MDM can be installed. To prepare the system, the following tasks need to be performed:
• Have a system running Windows Server 2003 x64-bit edition (Standard or Enterprise Edition).
• Make sure the system is running Service Pack 2 or higher.
• Join the server to Active Directory.
• Install the Web Server (IIS) components onto the server, specifically Active Server Pages (ASP.NET).
• Download and install .NET Framework 2.0 SP1.
• Download and install Windows Server Update Services 3.0 SP1. (Note: WSUS 3.0 SP2 is not supported, so stick to WSUS 3.0 SP1.)
• Install Microsoft SQL Server 2005 (Standard or Enterprise Edition) on the server, or have a SQL Server 2005 system available where the MDM database can be installed.
• Ensure that SQL Server 2005 is running SP2 or higher.
• Make sure there is a Certification Authority server in the environment that can issue certificates for mobile devices.
Once the base system is configured and ready, the Mobile Device Manager installation can begin.
Initial Mobile Device Manager Acquisition and Setup Options
The initial installation and setup process involves acquiring the software and launching the setup program. The initial process is as follows:
1. Download the System Center Mobile Device Manager 2008 SP1 (evaluation) program or acquire the licensed System Center Mobile Device Manager 2008 SP1 software.
2. Run the EXE executable, which expands the code to a directory of your choice (such as c:\MDM2008\).
3. Type SETUP to run the MDM setup management tool. The Start screen, shown in Figure 18.5, shows the setup options available for the Mobile Device Manager program. Under the Prepare section, a couple of documents are available (release notes and prerequisites) that have product guidance information. The third item in the Prepare section is the Configure Active Directory for MDM option.
FIGURE 18.5 MDM Setup management tool screen. (Screen capture of the System Center Mobile Device Manager 2008 Service Pack 1 setup screen with a Prepare section (Read the Release Notes, Read about the Prerequisites, Configure Active Directory for MDM), an Install section (Mobile Device Management Server, Enrollment Server, Gateway Server, Administrator Tools, Self Service Portal), and an Other Information section; image not reproduced.)
NOTE This does not actually configure or make changes to Active Directory just yet. Clicking this option merely shows what will be run during the installation process that will ultimately extend the schema and prepare Active Directory to have extended mobile device support. You need to complete the following tasks to actually invoke the changes in Active Directory.
4. At the DOS prompt that you are left at from running the Configure Active Directory for MDM option, type in ADConfig /createInstance:<instance> /domain:<domain>, where <instance> is the name of the MDM instance and <domain> is the Active Directory domain, such as ADConfig /createInstance:MobileDeviceMgr /domain:companyabc.com.
5. At the DOS prompt, type in ADConfig /createTemplates:<instance>, such as ADConfig /createTemplates:MobileDeviceMgr.
6. To enable the templates, type in ADConfig /enableTemplates:<instance> /ca:<CA server>\<CA name>, such as ADConfig /enableTemplates:MobileDeviceMgr /ca:cert.companyabc.com\cert.
7. Type Exit to close the Active Directory configuration setup.
Performing the Actual Installation of MDM
To install the Mobile Device Manager software, the installation process is initiated as an Install task in the setup screen. Specifically, the process is as follows:
1. Click on Mobile Device Management server in the Install section of the setup program.
2. With all the proper prerequisites installed, the MDM installer stops at a Device Management server Setup screen to notify you that the installation is about to begin and to click Next to begin. If the prerequisites are not installed on the system, such as .NET Framework 2.0 SP1 or WSUS 3.0 SP1, the setup stops and informs you to download and install the updates. If you need to complete the updates, do so, and once the updates have been installed, go back to step 1 and begin the setup process again. Otherwise, you should just click Next to continue with the setup.
3. Read the Microsoft Software License Terms and if you agree, select the I Accept the License Terms for Microsoft Software check box and click Next.
4. In the Instance Selection screen, the MDM instance created in Active Directory (such as MobileDeviceMgr) is displayed. Highlight the instance and click Next.
5. For the Installation Directory, choose the default installation directory or select your own installation directory where you want the MDM software installed, and then click Next.
6. For the Database Installation, provide the name of the SQL server that will be used for MDM. Choose to use the "Current Windows Credentials," which will use the logon account currently being used (if a domain administrator account is being used for the installation, you might just choose the current credentials); however, if MDM is being installed with a standard user account, you likely want to choose the SQL account option and choose the name of an account and password. Click Next.
7. The next screen asks for the fully qualified domain name of the MDM server you are installing if you are installing just one server, and for the name of the load balancer if you are installing multiple MDM servers. Enter in the name and then click Next.
8. The next prompt is for the ports that will be used to access the Device Management website and the Administration website. You are prompted with default options 8443 and 8446, respectively, for the ports; unless you want to change these, leave them as is and click Next.
9. As MDM uses a certification authority server to issue certificates for servers and devices, enter in the name of the certificate server in your environment. The name entered should be fully qualified with the ServerName\Cert, and then click Next.
10. Click Install to begin the installation process.
11. When the installation is complete, click Finish.
Installing the MDM Enrollment Server
With the base installation of Mobile Device Manager installed, the next step is to install the Enrollment server. As mentioned previously, the MDM Enrollment Server role can be installed on the same system as the MDM Device Management server just installed, or the MDM Enrollment server can be installed on a completely separate system. The installation process to set up the Enrollment Server role is as follows:
1. Click on the Enrollment Server option in the Install section of the setup program.
2. At the initial splash screen, click Next to continue.
3. Read the Microsoft Software License Terms and if you agree, select the I Accept the License Terms for Microsoft Software check box and click Next.
4. On the Instance Selection screen, the MDM instance created in Active Directory (such as MobileDeviceMgr) is displayed. Highlight the instance and click Next.
5. Specify the installation directory (if MDM is already installed on this server, the option to choose a different directory will be grayed out). Click Next to continue.
6. When prompted about the SQL Server to use, the server name will be grayed out when installing the Enrollment Server role on the same server as previous components. Choose to use the current Windows credentials assuming you are logged in as a qualified administrator. Click Next to continue.
7. When prompted for the name you'd like to use for the Enrollment server, enter in the fully qualified domain name of the MDM server for external and internal server names.
8. Specify the port that will allow access to the Administration website (this will be the same port as defined in the basic installation instructions), and then click Next.
9. On the Device Certification Authority screen, enter in the name of the certificate server in your environment. The name entered should be fully qualified with the ServerName\Cert, and then click Next.
10. On the Server Certification Authority screen, enter in the name of the certificate server in your environment. The name entered should be fully qualified with the ServerName\Cert, and then click Next.
11. Click Install to begin the installation process.
12. When the installation is complete, click Finish.
Installing the MDM Gateway Server
With the base installation of the Mobile Device Manager server and the Enrollment server completed, the next step is to install the Gateway server. The Gateway server cannot be installed on the same server as the Mobile Device Manager server because the Gateway server is intended to provide a gateway connection function.
Installing System Center Mobile Device Manager
There are two parts to the MDM Gateway server setup: one part is to create an association on the MDM server side to acknowledge that a gateway will exist; the second part is to create the gateway itself. The reason an association needs to be created is for security purposes. With the MDM Gateway server sitting in the DMZ (outside the organization's network), from a security standpoint, the Gateway server needs to know which MDM server to connect to, and the MDM server needs to authorize this external MDM Gateway server to connect to it. To create the association file for the MDM Gateway server from the internal MDM server, do the following:
1. Launch and run the System Center Mobile Device Manager console.
2. Right-click the Gateway Management branch of the tree and choose Add MDM Gateway Wizard.
3. When prompted for the MDM Gateway name, enter in a general name for the MDM Gateway (such as MDM Gateway), and then click Next.
4. For access points, enter in the IP address of the MDM Gateway in the External IPSec field.
5. For the Web URL of the MDM Gateway, enter in the fully qualified domain name of the MDM Gateway for web access.
6. Enter the port address for the MDM Gateway, typically 443.
7. The Access Point screen should look similar to Figure 18.6. Click Next to continue.
FIGURE 18.6 MDM Gateway configuration for the access point.
CHAPTER 18
Using Mobile Device Manager to Manage Mobile Devices
8. Enter the IP address for the IP address pool of the subnet for mobile devices. Choose whether the routing of the mobile devices is VPN based or whether it is source-based routing, and then click Next.
9. Specify the preferred DNS address, alternate DNS address, preferred WINS address, and alternate WINS address, and then click Next.
10. Click Add to configure and set the settings.
After setting up the MDM Gateway configuration, the next step is to export the XML file that will allow the MDM Gateway server to be associated with the MDM server. To create the XML configuration file, do the following:
1. On the MDM server, launch the Mobile Device Manager Shell (Start, All Programs, Microsoft System Center Mobile Device Manager, Mobile Device Manager Shell).
2. At the shell prompt, type Export-MDMGatewayConfig.
3. Copy the XML file generated to the MDM Gateway server. The file will be saved in the directory from which you ran the Export command. So if you were in the c:\ root, the file GatewayConfig.xml will be in the c:\ root of the MDM server.
With the MDM gateway configuration file exported and available, the next step is to create certificates for the MDM Gateway. To create the MDM Gateway certificates, do the following:
1. On the MDM Gateway server, create a text file with the following information:
[NewRequest]
Subject="CN=FQDNofYourMDMGatewayServer"
MachineKeySet=True
KeySpec=1
2. Save the text file as GatewayCertRequest.inf.
3. At a DOS command prompt, type the following:
certreq -new GatewayCertRequest.inf GatewayCertRequest.txt
4. Still at a DOS command prompt, type the following:
certreq -submit -attrib "CertificateTemplate:SCMDMWebServer (YourMDMInstanceName)" GatewayCertRequest.txt GatewayCert.cer
NOTE The YourMDMInstanceName in step 4 is the MDM Instance Name created back in step 4 of the "Installing the MDM Enrollment Server" section of the initial installation.
5. Still at a DOS command prompt, type the following:
certreq -accept GatewayCert.cer
6. Type gatewaycert.cer to display the certificate. Click on Install Certificate.
7. When the Certificate Import Wizard begins, click Next.
8. Select the Automatically Select the Certificate Store Based on the Type of Certificate option, and then click Next.
9. Click Finish.
10. With the gateway certificate still displayed, click the Certification Path tab and click the root certificate, as shown in Figure 18.7.
FIGURE 18.7 Choosing the root certificate.
11. Click View Certificate.
12. Click the Details tab.
13. Click Copy to File.
14. In the Certificate Export Wizard, click Next.
15. Select the DER Encoded Binary X.509 (CER) option and click Next.
16. For the filename, type in c:\rootca, and then click Next.
17. Click Finish.
18. At a DOS command prompt, type c:\rootca.cer.
19. Click Install Certificate.
20. Click Next at the Certificate Import Wizard initial screen.
21. Choose Place All Certificates in the Following Store.
22. Click the Browse button, highlight Trusted Root Certificate Authorities, and then click OK.
23. Click Next.
24. Click Finish.
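The request-file and certreq steps above, scripted as an added example (this is not the book's own procedure) that also verifies the outcome, which the steps do not: that the issued certificate landed in LocalMachine\My with its private key and that it chains to the root CA exported to c:\rootca.cer. It assumes the gateway server's FQDN is the CN, the SCMDMWebServer template and instance name from the steps above (MobileDeviceMgr is a sample value), and that the root CA has already been installed in Trusted Root Certification Authorities.

```powershell
# Added example (not the book's procedure): scripts the certreq steps for the
# MDM Gateway certificate and then verifies the result. Run on the MDM Gateway server.
param(
    # Fully qualified name of this gateway server; goes into the certificate CN.
    [string]$GatewayFqdn  = ([System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName())).HostName,
    # MDM instance name chosen during Enrollment Server setup (sample value).
    [string]$InstanceName = "MobileDeviceMgr",
    # Root CA certificate exported in the steps above (DER, c:\rootca.cer).
    [string]$RootCaFile   = "c:\rootca.cer",
    [string]$WorkDir      = "c:\"
)

function Test-GatewayCertificate {
    param([string]$ExpectedFqdn, [string]$RootCaFile)

    # Look up the newest certificate issued to this host in LocalMachine\My,
    # which is where certreq -accept with MachineKeySet=True places it.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open("ReadOnly")
    $cert = $store.Certificates |
        Where-Object { $_.Subject -eq "CN=$ExpectedFqdn" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    $store.Close()

    if (-not $cert) { return "FAIL: no certificate with CN=$ExpectedFqdn in LocalMachine\My" }
    # Without the private key the gateway cannot authenticate to the MDM server.
    if (-not $cert.HasPrivateKey) { return "FAIL: certificate has no private key" }

    # Build the chain and require that it ends at the exported root CA.
    $root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCaFile)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A DMZ host usually cannot reach the internal CRL distribution point.
    $chain.ChainPolicy.RevocationMode = "NoCheck"
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ", "
        return "FAIL: chain does not build ($status); is $RootCaFile in Trusted Root CAs?"
    }
    $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($chainRoot.Thumbprint -ne $root.Thumbprint) {
        return "FAIL: chain ends at '$($chainRoot.Subject)', not the exported root CA"
    }
    return "OK: $($cert.Subject) valid until $($cert.NotAfter), chains to '$($root.Subject)'"
}

$infPath = Join-Path $WorkDir "GatewayCertRequest.inf"
$reqPath = Join-Path $WorkDir "GatewayCertRequest.txt"
$cerPath = Join-Path $WorkDir "GatewayCert.cer"

# Step 1: the request file, with the CN filled in from the server's FQDN.
@"
[NewRequest]
Subject="CN=$GatewayFqdn"
MachineKeySet=True
KeySpec=1
"@ | Set-Content -Path $infPath -Encoding ASCII

# Steps 3 to 5: create, submit (against the SCMDMWebServer template) and accept.
& certreq -new $infPath $reqPath
& certreq -submit -attrib "CertificateTemplate:SCMDMWebServer ($InstanceName)" $reqPath $cerPath
& certreq -accept $cerPath

Test-GatewayCertificate -ExpectedFqdn $GatewayFqdn -RootCaFile $RootCaFile
```

Any FAIL line means the Gateway Server setup in the next section will not be able to select a usable gateway authentication certificate, so resolve it before continuing.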
Once the MDM Gateway XML configuration file and the certificates have been processed, the next step is to install the MDM Gateway software. The installation process to set up the Gateway Server role is as follows:
1. Click on the Gateway Server option in the Install section of the setup program.
2. At the initial splash screen, click Next to continue.
3. Read the Microsoft Software License Terms and if you agree, select the I Accept the License Terms for Microsoft Software check box and click Next.
4. Specify the installation directory. Click Next to continue.
5. Choose the Internal IP Address for the MDM Gateway server (this is the IP address of the MDM Gateway server on which you are installing the Gateway software). Keep the default TCP port 443, and then click Next to continue.
6. When prompted to enter the MDM Gateway Configuration file, browse to the location where you have a copy of the GatewayConfig.xml file, select the XML file, and then click Next.
7. For the Gateway server Certificates, for the Gateway authentication certificate, click Browse.
8. Choose the MDM Gateway certificate that was created for the MDM Gateway, and then click OK.
9. For the Certification Authority certificate, click Browse.
10. Choose the RootCA certificate that was created and installed on the MDM Gateway server, click OK, and then click Next.
11. Click Install to begin the installation process.
Once all of the gateway configurations have been completed, go back to the main MDM server and run a PowerShell command to enroll the gateway configuration. Do the following:
1. On the MDM server, go to Start, All Programs, Microsoft System Center Mobile Device Manager, Mobile Device Manager Shell.
2. At the shell prompt, type the following:
Set-EnrollmentConfig -GatewayURI {IPAddress of the Gateway server}
Installing the Self-Service Portal
If the organization wants to provide user-initiated provisioning, effectively allowing the user to submit a request to have their Windows Mobile device provisioned into Active Directory as a managed device, then the Self-Service Portal software needs to be installed, typically on the system running the Enrollment Server role. The installation process to set up the Self-Service Portal is as follows:
1. Click the Self-Service Portal option in the Install section of the setup program.
2. At the initial splash screen, click Next to continue.
3. Read the Microsoft Software License Terms and if you agree, select the I Accept the License Terms for Microsoft Software check box and click Next.
4. On the Instance Selection screen, the MDM instance created in Active Directory (such as MobileDeviceMgr) will be displayed. Highlight the instance and click Next.
5. Specify the installation directory (if MDM is already installed on this server, the option to choose a different directory will be grayed out). Click Next to continue.
6. When prompted for the name you'd like to use for the Self-Service Portal system, enter in the fully qualified domain name of the MDM server for the server, then click Next.
7. Specify the port that will allow access to the Self-Service Portal website (default is 443) and the Self-Service Portal TCP port (default is 8442), and click Next. (If you get a conflict, you might use another port, such as 444 for the Self-Service Portal port.)
8. On the Server Certification Authority screen, enter in the name of the certificate server in your environment. The name entered should be fully qualified with the ServerName\Cert, and then click Next.
9. Click Install to begin the installation process.
10. When the installation is complete, click Finish.
Installing the Administrator Tools
During the installation process of the Mobile Device Manager server, the Administrator Tools are not installed by default. To install the Mobile Device Manager Administrator Tools, PowerShell 1.0 or higher and WSUS 3.0 SP1 or higher need to be installed on the system where the Administrator Tools will be installed.
NOTE If you want to install the Group Policy Management functions of the Mobile Device Manager Administrator component, the Group Policy Management Console (GPMC) needs to be installed on the system on which the Administrator Tools are installed. However, because GPMC won't install on a Windows Server 2003 64-bit system (which is a requirement for MDM to be installed on), to be able to install the Group Policy functions, they need to be installed on a separate (non-x64) system.
With the prerequisites installed on the system, to install the Administrator Tools, do the following:
1. Click on the Administrator Tools option in the Install section of the setup program.
2. At the initial splash screen, click Next to continue.
3. Read the Microsoft Software License Terms and if you agree, select the I Accept the License Terms for Microsoft Software check box and click Next.
4. On the Custom Setup Option screen, choose the options you want to install. By default, the Group Policy Extension is set to not install, and the Mobile Device Manager Console and the Software Distribution Console options are set to install. If you want to install the Group Policy Extensions, choose to install the extensions. Click Next to continue.
5. After a prerequisite check has been completed and passed, click Install to begin the installation of the Administrator Tools.
6. When the installation is complete, click Finish.
Self-Service Tasks with Mobile Device Manager
The best type of administration and management is one where users can take care of tasks themselves. Users like it better because they don't have to submit a request and then wait days for someone to get back to them, and IT administrators like it because they don't have to be burdened with dropping everything all day long to handle the individual requests of their users. Mobile Device Manager provides a self-service portal where users can go to a website and request their mobile device to be added to the network Active Directory.
Device Provisioning Through the Self-Service Portal
The Self-Service Portal is a website that the users log on to and enter in information about their mobile device. The users fill in information and submit their request. The process is as follows:
1. Log on to the Mobile Device Manager Self-Service Portal.
2. Click on the New Enrollment tab.
3. You are prompted to enter in a device name. The device name needs to be unique to the user with 1 to 15 characters. These characters can be alphanumeric (a to z, 0 to 9) characters, but at least one nonnumeric character is required (thus, the device name can't be 123456789 because there must be a nonnumeric character), and the device name must begin with a letter (a to z). Enter a name for the device, and then click Create Enrollment Request.
NOTE If you select a name that has already been selected, the portal informs you the name has already been selected and asks you to choose another name for your device.
4. A Pending Enrollment Details web page similar to the one shown in Figure 18.8 provides instructions to go to your Windows Mobile device and follow the instructions to add your Windows Mobile device with a one-time device password.
FIGURE 18.8 Pending Enrollment Details web page. (The page shown tells the user to go to Start, Settings, Connections, Domain Enroll on the device, enter the enrollment e-mail address, enter the Enrollment Server external URL if it is not found automatically, and enter the one-time Enrollment Password, and it states when that password expires.)
Pre-enrolling Devices Using MDM
Rather than having users use the Self-Service Portal to add their device to Active Directory, an MDM administrator can precreate a user's device in MDM and provide the user the same information to add their device, so that the user only has to enter the device information rather than complete the self-service process. The process for an administrator to pre-enroll a mobile device in MDM is as follows:
1. Launch the System Center Mobile Device Manager Management Console.
2. Expand Device Management and click on the Pending Enrollments folder.
3. Click on Create Pre-Enrollment in the Actions pane on the right side.
4. When the wizard starts, click Next to continue past the Introduction page.
5. Enter in the name of the device you want to add. The same naming rules apply: the name needs to be 1-15 characters long, including alphanumeric (a to z, 0 to 9) characters, with at least one nonnumeric character required (thus, it can't be 123456789 because there must be a nonnumeric character), and it must begin with a letter (a to z). Enter a name for the device, and then click Next.
6. Specify the user of the device so that you can associate the device to the user as well as send the attachment instructions and one-time device password to the user. Click Next to continue.
7. Click Create to pre-enroll the device.
8. Click Finish as the wizard completes.
NOTE If you didn't send the enrollment information to the user, cut and paste the information on the Pre-Enrollment Wizard page shown in Figure 18.9 and send it to the user so the user can follow the steps to add the device to the network.
FIGURE 18.9 Pending enrollment details from the Pre-Enrollment Wizard page.
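The device naming rules stated for the Self-Service Portal and repeated for the Pre-Enrollment Wizard above, as an added example (not the book's code) that an administrator can run over a batch of proposed names before pre-enrolling them; it also flags collisions with names already in use, which the portal rejects. The list of existing names and the candidate names are constructed sample data, and comparing names case-insensitively is an assumption.

```powershell
# Added example (not from the book): validates proposed MDM device names against
# the naming rules in this chapter and against names already in use.
function Test-MdmDeviceName {
    param(
        [string]$Name,
        # Names already enrolled or pending (assumed to be collected from the
        # MDM console); the portal refuses a name that is already taken.
        [string[]]$ExistingNames = @()
    )
    $problems = @()

    # 1 to 15 characters.
    if ($Name.Length -lt 1 -or $Name.Length -gt 15) {
        $problems += "length must be 1 to 15 characters (got $($Name.Length))"
    }
    # Alphanumeric only (a to z, 0 to 9).
    if ($Name -notmatch '^[A-Za-z0-9]*$') {
        $problems += "only letters a-z and digits 0-9 are allowed"
    }
    # Must begin with a letter.
    if ($Name -notmatch '^[A-Za-z]') {
        $problems += "must begin with a letter"
    }
    # At least one nonnumeric character (rules out names such as 123456789).
    if ($Name -notmatch '[^0-9]') {
        $problems += "at least one nonnumeric character is required"
    }
    # Uniqueness; -eq on strings is case-insensitive in PowerShell (assumption
    # that the portal compares the same way).
    foreach ($existing in $ExistingNames) {
        if ($existing -eq $Name) {
            $problems += "name '$existing' is already in use"
            break
        }
    }

    New-Object PSObject -Property @{
        Name     = $Name
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample data: names already taken, and names about to be pre-enrolled.
$inUse      = @("SALESPDA01", "FBK100", "FBK200")
$candidates = @("SALESPDA02", "123456789", "1stDevice", "WAREHOUSEDEVICE01",
                "sales_pda", "salespda01")

foreach ($c in $candidates) {
    $r = Test-MdmDeviceName -Name $c -ExistingNames $inUse
    if ($r.IsValid) { "$($r.Name): OK" }
    else            { "$($r.Name): " + ($r.Problems -join "; ") }
}
```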
Identifying Devices That Are Pending Enrollment
Once users submit their information to the portal or the administrator pre-enrolls the device, the user will have eight hours to follow the configuration steps on their Windows Mobile device to connect their mobile device to Active Directory. The list of users with pending enrollment procedures can be seen in the Mobile Device Manager management console. To view the devices that are pending enrollment, do the following:
1. Launch the System Center Mobile Device Manager management console.
2. Click on the Pending Enrollments folder.
3. The Pending Enrollments container lists the devices whose users have not yet completed the enrollment process. A pre-enrollment request can be canceled by right-clicking the device and choosing Cancel Enrollment.
Device Management Tasks with Mobile Device Manager
Once a device has been provisioned using the Self-Service Portal, a number of tasks are available for managing the Windows Mobile devices. Some of the common tasks include resetting a user's password, wiping the device in the event the device is lost, blocking a device connection, and packaging and deploying software. All of these tasks are performed from the System Center Mobile Device Manager management console that is typically installed on the Mobile Device Manager server itself, but can also be initiated on a workstation running the MDM management console.
Resetting a User's Password with MDM
A common task in an enterprise environment is resetting passwords, whether it is a user's logon account password, or in the case of a Windows Mobile device, the password used to lock the handset of the mobile device. System Center Mobile Device Manager has the ability to issue a one-time password so that a user who forgot their device password can use the one-time password and reset the device password for their Windows Mobile device. The process to reset the password is as follows:
1. To support password resets, the MDM Password Reset client software must be installed on the MDM device. This client software adds a Reset Password option to the menu option of the password screen on the device. The Password Reset client CAB file is in the MDM 2008 SP1 Resource Kit at http://www.microsoft.com/downloads/details.aspx?FamilyID=53799354-e949-47e6-8f2d-8395fc213d60&displaylang=en.
2. Expand the file you downloaded, which makes the file MDMPasswordResetClient.CAB available.
3. Deploy the CAB file either by copying the file to the mobile device and running the CAB file or by using the Software Deployment capability of MDM to push out the file "over the air." See the section "Software Packaging with Mobile Device Manager" for steps on software deployment.
4. The administrator also needs to enable Device Password Recovery on the Portal Administration screen. From the MDM management console, click on the Self-Service Portal container.
5. Right-click on the server that has the Self-Service Portal option installed and choose Manage.
6. A web page shows up; select the Portal Administration tab and check the Device Password Recovery check box, as shown in Figure 18.10.
FIGURE 18.10 Enabling self-service password reset.
7. Once the package has been deployed to the mobile device(s) and the Self-Service Portal has been configured to allow password resets, when you click the Menu button on your mobile device, a new Reset Password option appears. When you select to reset the password, a request goes to Mobile Device Manager and a one-time password is generated.
8. You can then go to the MDM Self-Service Portal (or request the one-time password from the MDM administrator) and choose your mobile device on the My Devices page. A one-time password will be available for the device.
9. You can then take the one-time password and enter it on your Windows Mobile device, which will unlock your device and allow you to reset your password again.
Wiping a Mobile Device
In the event that a user loses their Windows Mobile managed device or cannot find their device, rather than waiting days to find that the device has gotten into the wrong hands and sensitive information has been compromised, the best practice is to send a "poison pill" to the mobile device and immediately wipe the device of any data. This is a very simple process and ensures that information that might be compromised will be eliminated from the device. In the event that the user finds their Windows Mobile device at a later date, they can easily reprovision the device at any time. The process of wiping the data off a Windows Mobile device can be done in one of two ways. The user can go into the Self-Service Portal and wipe their device, or alternately, the administrator can go into the MDM management console and select to have data on the user's device wiped.
The process for the user to wipe data off their device themselves is as follows:
1. As the user, log on to the Mobile Device Manager Self-Service Portal.
2. Click on the My Devices tab (which should be the default page when entering the Self-Service Portal).
3. A list of your Windows Mobile devices (or just one device if you only have a single device associated) appears. You can click on the Wipe button shown under Actions on the page similar to the display shown in Figure 18.11.
FIGURE 18.11 Self-Service Portal user-initiated device wipe.
4. After clicking the Wipe button in the Self-Service Portal, a poison pill is sent to the Windows Mobile device. If you find your mobile device at a later date, you can follow the instructions in the section "Device Provisioning Through the Self-Service Portal" to reprovision your device.
The other option to wipe a Windows Mobile device is to have the administrator wipe the device. If the organization does not have the Self-Service Portal option available to users, or possibly the user is not in a location where they can easily get to an Internet connection to access the Self-Service Portal, the user can call their help desk and an administrator can initiate a device wipe. For an administrator to wipe a device, the administrator would do the following:
1. Launch the System Center Mobile Device Manager management console.
2. Click on the All Managed Devices folder.
3. From the list of devices in the middle pane, scroll down the page to find the device that needs to be wiped.
NOTE To more easily find the device on the list of devices, the administrator can click on the Owner column to have all of the devices sorted by owner. Assuming the device is associated with the individual calling the help desk to have the device wiped, the username will be associated with the device.
4. Once the device has been found and selected, right-click on the device and choose Wipe Now, as shown in Figure 18.12.
FIGURE 18.12 Administrator-initiated device wipe.
5. After the administrator clicks the Wipe Now button in the MDM management console, a poison pill is sent to the Windows Mobile device. If the user finds their mobile device at a later date, they can follow the instructions in the section "Device Provisioning Through the Self-Service Portal" to reprovision their device.
Blocking a Device Connection
Another similar task is to block a device from connecting to the network or Mobile Device Manager. Rather than simply ignoring a device connection state, MDM can specifically block access of a device. If the organization simply ignored the device, the device can still attempt to self-provision itself, connect or log on to the network, or reset configurations of the device. However, by specifically blocking a device, MDM identifies a device by the device ID, and any connection from the device will be directly refused. The process for blocking a device is as follows:
1. Launch the System Center Mobile Device Manager management console.
2. Click on the All Managed Devices folder.
3. From the list of devices in the middle pane, scroll down the page to find the device that should be blocked from access.
NOTE Similar to finding a device to wipe the data off the device, to more easily find a device on the list of devices to block the connection, the administrator can click on the Owner column to have all of the devices sorted by owner. Assuming the device is associated with the individual needing to have their device blocked, the username will be associated with the device.
4. Once the device has been found and selected, right-click on the device and choose Block Device Connections, as shown in Figure 18.13.
FIGURE 18.13 Blocking a device connection to MDM.
5. When the device is okay to allow connections again, the administrator can simply right-click the device in the same list and choose Allow Device Connections.
Software Packaging with Mobile Device Manager
Similar to patching and updating a mobile device, which pushes out updates to a device, software packaging and deployment is the active process of sending software "over the air" to a Windows Mobile device for installation on the device. This may be a software program, a utility, or other application the organization wants to push out to mobile devices. Software packaging for mobile devices is a relatively simple task as most Windows Mobile devices have limited memory and free storage on the device themselves, so the default installer file—typically a CAB (cabinet) file—is a single file that needs to be pushed and run on the device.
Before initiating the package creation process, get a copy of the CAB file that you want to deploy. For the example that is used in these instructions, we use the MDMPasswordResetClient.CAB file from the "Resetting a User's Password with MDM" section earlier in this chapter, which is an application that allows a mobile device user to initiate a device password reset.
NOTE With a copy of a CAB package in hand, before going through the steps of creating and pushing out the package to several devices, it is best to just download the package to the mobile device, run the package, and make sure the results of running the package on a specific Windows device work. Some packages only work on certain versions of Windows Mobile, or on certain versions of hardware of Windows Mobile devices. Testing the CAB package on a system confirms the package works.
With a working CAB package available, you need to run the software packaging administration software on the MDM server. Software packaging is actually run from a separate administrator console than the other tasks for Mobile Device Manager. The software packaging and deployment console is called the System Center Mobile Device Manager Software Distribution console. To create a software package and deploy it on a Windows Mobile device, follow these steps:
1. Launch the System Center Mobile Device Manager Software Distribution console.
2. Double-click Software Distribution to expand the list of Mobile Device Manager servers.
3. Double-click the name of the MDM server for which you want to create a software package to open up the list of options that can be performed on the MDM server.
4. Double-click Packages to expand the packaging options on the server.
5. Click the Software Packages container to choose the container where ultimately packages will be created.
6. Click Create in the Actions pane on the right side to begin the process of creating a package.
7. On the Create Package Wizard screen, click Next to continue past the Introduction page.
8. Click Browse to select the CAB file that will be used to push out to devices. This is the CAB file that you gathered before starting the package creation process. Click Next to continue.
9. Give the package a title and description that you will be able to see on the MDM management console screen so you will know what the package is for, and then click Next.
10. Choose which devices you want this package to deploy to, and then click Next.
11. Specify which version of the OS the package will install on. In our example of using the MDM Password Reset client, this package will only work on devices running Windows Mobile 6.1.4 or higher, so we will enter 6 in the Major, 1 in the Minor, and 4 in the Revision fields for the target operating system, as shown in Figure 18.14. Click Next to continue.
FIGURE 18.14 Selecting the operating system version support for a package. (The Target Operating Systems page of the Create Package Wizard, with Major 6, Minor 1, and Revision 4 entered.)
12. Specify the languages this package should support. Typically this is All languages if the update is a security update; however, if the package is an application and a localized copy of the application exists for the languages used by devices in the enterprise, make sure the localized language packages are installed and pushed to the devices of users who use those languages. Click Next to continue.
13. For dependencies, if the package has dependencies such as specific versions of a security driver, hardware device driver, or the like, this ensures that any prerequisite packages are installed before this package is installed. Click Next to continue.
CHAPTER 18 Using Mobile Device Manager to Manage Mobile Devices
14. If specific Registry settings need to be set prior to installing the package, enter the Registry settings in the Installation Requires the Following Registry Keys and Data section; otherwise, click Next to continue.
15. When prompted whether the user should be allowed to uninstall the package, if the organization's policy is to not allow users to uninstall applications, then specify No so that the user cannot uninstall this package. Click Next to continue.
16. Review the package settings and click Create if the choices are correct.
17. Click Finish when you are done.

Once a package has been created, the package needs to be approved to be installed on specific systems. Even though the configuration task specified the type of devices that the package will install on, no specific devices have been identified for the package to run against. This next series of steps allows you to create a group of devices and then approve the package to be deployed to that group of devices.
Creating a Device Group to Group Together Similar Devices

By default, all Windows Mobile devices are grouped together in a common group called "Unassigned Devices." To effectively push out packages and manage devices with similar groupings, specific device groups should be created. A device group could be a group of devices focused at sales associates, or a group of devices focused at accounting personnel, or another group of devices focused at managers. To create a device group and assign devices to the device group, do the following:
1. Launch the System Center Mobile Device Manager Software Distribution console.
2. Double-click Software Distribution to expand the list of Mobile Device Manager servers.
3. Double-click the name of the MDM server whose devices you want to manage to open up the list of options that can be performed on the MDM server.
4. Double-click Devices to expand the All Devices options on the server.
5. Double-click All Devices to see the Unassigned Devices container.
6. To create a new device group, right-click the All Devices container and choose Add Device Group.
7. When prompted to specify a device group, enter a logical name for the group you want to create, and then click Add.
8. Right-click a device in the Unassigned Devices group and choose Change Membership.
9. In the Set Device Group Membership box, select the device group(s) with which you want this device to be associated. Click OK to confirm the selection.
NOTE You can place a device in multiple device groups; therefore, a single device can be in an All Manager Devices group as well as in an All San Francisco Based Devices group. Having a device in multiple groups provides the MDM administrator the flexibility of applying rules to the device despite the device being in different groups.
Approving Packages to Be Deployed to a Device Group

Once CAB packages are created in the MDM management console and devices are assigned to logical device groups, the next step is to approve packages to be deployed to specific device groups. Once a package has been deployed to a device group, the package will be pushed out to the device(s). The process of approving packages to a device group is as follows:
1. Launch the System Center Mobile Device Manager Software Distribution console.
2. Double-click Software Distribution to expand the list of Mobile Device Manager servers.
3. Double-click the name of the MDM server on which you want to assign a software package to a device group.
4. Double-click Packages to expand the packaging options on the server.
5. Click on the Software Packages container to choose the container where the packages you have created reside.
6. Right-click the package you want to approve for deployment, and choose Approve.
7. Click the down arrow of the device group you want to target.
8. A pull-down menu appears where you can choose Approved to Install for the device group you selected, as shown in Figure 18.15. Click OK to approve the package for deployment to the group specified.
FIGURE 18.15 Selecting to approve a package for deployment. (The Approve Packages dialog, listing each device group with its approval state: Not Approved, Not Approved (inherited), Approved for Install, Approved for Removal, Same as Parent, and Apply to Children.)
9. The package will be prepared for deployment to the device group; click Close when the approval process has been completed.
Checking on the Status of Packages for Deployment

After packages have been created and approved for deployment, the administrator can check on the status of package deployment through the System Center Mobile Device Manager Software Distribution console. To check on the status of package deployment, do the following:
1. Launch the System Center Mobile Device Manager Software Distribution console.
2. Double-click Software Distribution to expand the list of Mobile Device Manager servers.
3. Double-click the name of the MDM server on which you want to run the report for package deployment status.
4. Click Reports to view the standard reports available. There are several default reports available. The default reports are as follows:
• Package Status Summary: The Package Status Summary report provides information by package about which device groups the package(s) are being deployed to, as well as a status on how many systems the package has installed on and failed to install on.
• Package Status Details: The Package Status Details report provides more than just a summary of how many devices the package has installed or failed to install on; it also lists specifically on which devices the package has successfully installed or failed to install.
• Device Status Summary: The Device Status Summary report provides a similar report, but instead of being sorted by package, it shows a summary of devices and the number of packages that have been installed (or not installed) on the devices.
• Device Status Details: The Device Status Details report provides a more detailed listing of specifically which packages have successfully been installed, device by device.
By selecting the report and choosing to run the report, an administrator can quickly see the distribution of software on devices being managed by Mobile Device Manager.
Policy-Based Tasks with Mobile Device Manager

Certain tasks on a Windows Mobile device are driven by a policy typically invoked from an Active Directory group policy. Unlike the device-management-driven tasks of the previous section "Device Management Tasks with Mobile Device Manager," which are commonly single-process tasks, policy-based tasks are set, assigned, and pushed to all or a group of mobile devices. These tasks include setting policies to lock down a mobile device, disabling built-in applications on devices, forcing a device to have its storage encrypted, and setting a password policy standard for the organization. Before being able to perform Active Directory Group Policy management tasks specific to Mobile Device Manager settings, the MDM Group Policy administrative templates need to be installed on a system running the Group Policy Management Console (GPMC). The following steps need to be performed on each Group Policy Management Console system:
1. On a system with the Group Policy Management Console (GPMC) installed, insert the System Center Mobile Device Manager 2008 SP1 DVD and run the Setup program.
2. At the MDM Setup program, click on Administrator Tools.
3. At the Administrator Tools screen, click Next to continue.
4. After reading the licensing agreement and agreeing to the terms, click to select the I Accept the License Terms for Microsoft Software check box, and then click Next.
5. Choose to install the Group Policy Extensions by selecting the Will Be Installed on Local Hard Drive option.
6. For the Mobile Device Manager management console, if you want to have the console installed on this system, choose Will Be Installed on Local Hard Drive; otherwise, choose Entire Feature Will Be Unavailable, as the MDM console is not required to set Active Directory group policies for mobile devices.
7. For the Software Distribution console, if you want to have the console installed on this system, choose Will Be Installed on Local Hard Drive; otherwise, choose Entire Feature Will Be Unavailable, as the Software Distribution console is not required to set Active Directory group policies for mobile devices.
8. Click Next and then click Install to begin the installation of the Group Policy Extensions.
9. Click Finish when the installation is complete.
10. Launch the Group Policy Management Console by clicking Start, Administrative Tools, Group Policy Management.
11. Select a policy for which you want to view and modify mobile device management policies. Typically, double-clicking the Forest container to expand the forest, double-clicking the Domains container to expand the domains, and double-clicking the name of the domain will open up a domain view that has the Default Domain Policy. Click this Default Domain Policy.
12. Right-click the policy and choose Edit, which opens up the Group Policy Management Editor.
13. Double-click the Computer Configuration container to expand the computer policy container.
14. If running Active Directory 2008 or 2008 R2, double-click the Policies container to expand the container. If you are running an earlier version of Active Directory, you can skip this step.
15. Right-click on the Administrative Templates container and choose Add/Remove Templates.
16. Click Add.
17. Scroll all the way to the bottom and choose mobile.adm (the file is typically in the c:\windows\inf\ folder), and then click Open.
18. Click Close.
19. If running Active Directory 2008 or 2008 R2, double-click the Classic Administrative Templates (ADM) container to find the Windows Mobile Settings folder. If you are running an earlier version of Active Directory, the Windows Mobile Settings container will be in the Administrative Templates container. Double-click the Windows Mobile Settings container to see the available groups of mobile policies, as shown in Figure 18.16.
FIGURE 18.16 Viewing policy containers in GPMC. (The Group Policy Management Editor showing the Windows Mobile Settings container with its policy groups: Password Policies, Platform Lockdown, Application Disable, Security Policies, File Encryption, Device Management, Mobile VPN Settings, and Software Distribution.)
With the Windows Mobile Settings administrative template installed in the Group Policy Management Console, you can now perform policy-based tasks.
The next handful of policy-based tasks assume you are at the point shown in Figure 18.16 to begin the process of applying AD group policies to policy tasks.
Locking Down a Windows Mobile Device

Through the use of simple Active Directory group policies, a mobile device can have specific features of the device locked down. Lockdown of features typically impacts hardware-based components, which are disabled and rendered unusable by the user. A common usage of a policy-based lockdown is the use of a camera on the mobile device or the use of a memory storage chip on the system. Cameras are a security challenge for organizations, as users can simply take a picture of top-secret or confidential documents and distribute the picture of the document rather than the actual document itself. Either way, controlling the distribution of confidential or privacy-protected information is important. MDM has the ability to lock down the different components supported by MDM. The process of locking down something like the use of a camera on a mobile device is as follows:
1. From the Windows Mobile Settings container in the Group Policy Management Console, click on the Platform Lockdown container.
2. Double-click on the Turn Off Camera policy.
3. Click Enabled and then click OK to effectively disable the camera on a device to which this policy applies.

NOTE You will notice in this Platform Lockdown container that a number of devices and features can be disabled, such as turning off POP3 and IMAP, SMS and MMS texting, removable storage, wireless LAN, and the like. Simply choosing the policy and enabling it turns off the feature by policy.
Disabling Built-in Applications

Another policy task that can be set up and pushed through an Active Directory group policy is the ability to disable built-in applications on a Windows Mobile device. Built-in applications are things like Internet Explorer, Solitaire, Bubble Breaker, or the like. These applications are in the built-in ROM of the mobile device and are not as simple to delete; however, through policies, the applications can be prevented from launching. The process of disabling built-in applications is as follows:
1. From the Windows Mobile Settings container in the Group Policy Management Console, click the Application Disable container.
2. Double-click Block Applications in ROM.
3. Click Enabled and then click Show. Under Value Name, enter the name of the application you want to block; under Value, enter a simple friendly name for the application, similar to what is shown in Figure 18.17.
FIGURE 18.17 Blocking specific applications from being run on mobile devices. (The List of Applications to Block dialog, with the value name BubbleBreaker.exe and the value Bubble Breaker Game.)
NOTE For the specific names of the various built-in applications that you can disable, go to the TechNet article at http://technet.microsoft.com/en-us/library/cc135654.aspx, which lists the names of the applications that can be added individually to this AD Group Policy Object.
Forcing Device Encryption by Policy

Many state and local jurisdictions have laws that require data stored on devices to be encrypted; if the information is not encrypted and a device is lost, the organization needs to inform any and all individuals whose information might have been compromised that they need to be aware of the potential loss of their confidential information. The process of enforcing file-level encryption on managed devices is as follows:
1. From the Windows Mobile Settings container in the Group Policy Management Console, click the File Encryption container.
2. Double-click Turn On Device Encryption.
3. Click Enabled and then click OK to specify that the files on the device are to be encrypted.
Setting Password Policies for Windows Mobile Devices

A series of password policies can be applied to Windows Mobile devices. Some of the various policies available include the following:
• Whether a device requires a password for the user to access the device
• Password complexity
• How long after a device is idle that a password will need to be typed in again
• How frequently the user will need to change the password on the device
• Minimum length of the password
• Whether to automatically wipe the device after the user unsuccessfully enters their password for a set number of attempts
• Whether the user reset process is initiated by MDM 2008 or by Exchange Server 2007 SP1 when both platforms exist in the environment
To set any of these password policies, do the following:
1. From the Windows Mobile Settings container in the Group Policy Management Console, click on the Password Policies container.
2. Choose and set the policies desired.
Mobility Access Controls Using Mobile Device Manager

One of the common solutions provided by Mobile Device Manager 2008 SP1 is the IPSec VPN access solution that comes as part of MDM. The VPN connection is "always on," meaning that everything from the mobile device goes through the VPN tunnel on the MDM Gateway server and uses an IPSec encrypted session. Many typical phone/email administrators wonder why they would ever want all of a mobile device's traffic to go through the company network rather than allow user traffic to go straight from the mobile device to the Internet. The answer is when the mobile device is not a personal Internet surfing device but rather a mobile business device. A common example is a mobile handheld device used in a hospital, where the doctor goes from patient room to patient room with a Windows Mobile device to check on a patient, gain access to patient records, enter prescriptions, and order tests and the like to be performed on the patient. In this scenario, the device is not connected to the public Internet at all; the device is connected to the hospital's private network. If the device is connected to, for example, Wi-Fi, the connection from the device over the general Wi-Fi connection is completely encrypted for patient privacy and data protection. But even if the mobile device is used as a mobile phone by a mobile salesperson, the organization can lock down the connection from this company-issued mobile device so that the user can make and receive phone calls like a normal mobile phone, but all data communications from the device go securely to the company network over the public Internet. The salesperson can have secured access to sales data, order-processing information, and client information without having to carry around a laptop or other device.
The encrypted end-to-end session provides protection needed by laws and regulations, such as the Sarbanes-Oxley Act, that require protection on sales entry data and inventory data that a less-secure system might not provide. The mobile sales professional can still surf the Internet; however, rather than insecurely surfing the Internet from the device directly, all Internet traffic goes through the secure VPN connection and through the organization's proxy and firewall to ensure that viruses or worms don't enter the network and device, and that protected company information does not leave the device or network. Always-on VPN communications is not the right solution for all organizations, as a lot of users are used to having direct Internet connections and access to everything; however, for organizations that really want or need to protect information (especially organizations working in highly regulated industries), letting users "do anything" with their mobile devices opens the organization up to the risk of data loss or other nonmanaged protected device situations.
Creating Mobile VPN Settings

To set up the Mobile VPN connections, the Windows Mobile device needs to be running Windows Mobile v6.1 and the organization needs to have set up a Mobile Device Manager 2008 SP1 Gateway Server system in the DMZ. To configure the Mobile VPN, complete the following steps:
1. From the Windows Mobile Settings container in the Group Policy Management Console, click on the Mobile VPN Settings container.
2. Double-click the Mobile VPN name policy.
3. Choose Enabled and enter a logical name for Mobile VPN that will appear in the user's mobile configuration settings. This could be something as simple as MobileVPN. Click OK.
4. Double-click the MDM Gateway server name policy.
5. Choose Enabled, enter the fully qualified domain name of the MDM Gateway server, and then click OK.
6. If you want to prevent the users from turning off Mobile VPN, double-click the Allow User to Turn Off Mobile VPN option, click Disabled, and then click OK.
7. If you prevent users from turning off the Mobile VPN, you need to double-click the Always Connected when Roaming option and enable that setting so that keepalive packets are sent and the user session is reestablished after a disconnection. Also enable the Time Interval Between Keepalive Packets setting and choose an interval of 0 for this setting.
Adding Exchange and Configuration Manager to an MDM Rollout

Microsoft Mobile Device Manager 2008 SP1 can be implemented as a standalone application or integrated in conjunction with Microsoft Exchange Server 2007 SP1 and System Center Configuration Manager (SCCM) 2007 R2 SP2. MDM does not require Exchange or SCCM to work; however, the three applications can be complementary to one another or in some cases complete substitutes for one another, depending on the needs of the organization.
Mobile Device Manager and Microsoft Exchange Server

When integrating Mobile Device Manager into an environment that has Exchange Server 2007 SP1 (or later) or Exchange Server 2010, a key question that the administrator needs to ask is whether the features and capabilities regarding mobile devices built in to Exchange are good enough for the organization, or whether the organization needs more capabilities, in which case MDM 2008 SP1 is a better overall solution for the enterprise. It's not so much that MDM 2008 SP1 and Exchange Server 2007 SP1 and higher "work better together"; they just have overlapping features, and you either choose to use the mobile device management features in Exchange or you use the mobile device management features in MDM. Table 18.1 was extracted from the Microsoft website (http://technet.microsoft.com/en-us/library/bb123484.aspx), which has information about the various policies available and built in to Exchange Server 2007 SP1 that have carried on to Exchange Server 2010. The list of supported policies is extensive, covering everything from device lockdown support, password change enforcement, password length and complexity, provisioning and deprovisioning capabilities, and the like.
TABLE 1 8 . 1
Mobile Device Policies Built in to Exchange Server 2007 SP1 and Higher
Setting
Description
Allow Bluetooth
This setting specifies whether a mobile phone allows Bluetooth connections. The available options are Disable, HandsFree Only, and Allow. This policy setting requires an Enterprise Client Access License.
Allow Browser
This setting specifies whether Pocket Internet Explorer is allowed on the mobile phone. This setting doesn't affect thirdparty browsers installed on the phone. This policy setting requires an Exchange Enterprise Client Access License.
Allow Camera
This setting specifies whether the mobile phone camera can be used. This policy setting requires an Exchange Enterprise Client Access License.
Allow Consumer Mail
This setting specifies whether the mobile phone user can configure a personal e-mail account (either P0P3 or IMAP4) on the mobile phone. This policy setting requires an Exchange Enterprise Client Access License.
Allow Desktop Sync
This setting specifies whether the mobile phone can synchronize with a computer through a cable, Bluetooth, or IrDA connection. This policy setting requires an Exchange Enterprise Client Access License.
Allow HTML E-mail
This setting specifies whether e-mail synchronized to the mobile phone can be in HTML format. If this setting is set to $false, all e-mail is converted to plain text.
Allow Internet Sharing
This setting specifies whether the mobile phone can be used as a modem for a desktop or a portable computer. This policy setting requires an Exchange Enterprise Client Access License.
AllowlrDA
This setting specifies whether infrared connections are allowed to and from the mobile phone. This policy setting requires an Exchange Enterprise Client Access License.
906
CHAPTER 18
TABLE 1 8 . 1
Using Mobile Device Manager to Manage Mobile Devices
Mobile Device Policies Built in to Exchange Server 2007 SP1 and Higher
Setting
Description
Allow non-provisionable devices
This setting specifies whether older phones that may not support application of all policy settings are allowed to connect to Exchange 2010 by using Exchange ActiveSync.
Allow POPIMAPEmail
This setting specifies whether the user can configure a POP3 or an IMAP4 e-mail account on the mobile phone.
Allow Remote Desktop
This setting specifies whether the mobile phone can initiate a remote desktop connection. This policy setting requires an Exchange Enterprise Client Access License.
Allow simple password
This setting enables or disables the ability to use a simple password such as 1234. The default value is $true.
Allow S/MIME software certificates
This setting specifies whether S/MIME software certificates are allowed on the mobile phone.
Allow storage card
This setting specifies whether the mobile phone can access information that's stored on a storage card.
Allow text messaging
This setting specifies whether text messaging is allowed from the mobile phone. This policy setting requires an Exchange Enterprise Client Access License.
Allow unsigned applications
This setting specifies whether unsigned applications can be installed on the mobile phone. This policy setting requires an Exchange Enterprise Client Access License.
Allow unsigned installation packages
This setting specifies whether an unsigned installation package can be run on the mobile phone. This policy setting requires an Exchange Enterprise Client Access License.
Allow Wi-Fi
This setting specifies whether wireless Internet access is allowed on the mobile phone. This policy setting requires an Exchange Enterprise Client Access License.
Alphanumeric password required
This setting requires that a password contains numeric and non-numeric characters.
Approved Application List
This setting stores a list of approved applications that can be run on the mobile phone. This policy setting requires an Exchange Enterprise Client Access License.
Attachments enabled
This setting enables attachments to be downloaded to the mobile phone.
Device encryption enabled
This setting enables encryption on the mobile phone. Not all mobile phones can enforce encryption. For more information, see the phone and mobile operating system documentation.
Password enabled
This setting enables the mobile phone password.
Adding Exchange and Configuration Manager to an MDM Rollout
TABLE 1 8 . 1
907
Mobile Device Policies Built in to Exchange Server 2007 SP1 and Higher
Setting
Description
Password expiration
This setting enables the administrator to configure a length of time after which a mobile phone password must be changed.
Password history
This setting specifies the number of past passwords that can be stored in a user's mailbox. A user can't reuse a stored password.
Policy refresh interval
This setting defines how frequently the mobile phone updates the Exchange ActiveSync policy from the server.
Maximum attachment size
This setting specifies the maximum size of attachments that are automatically downloaded to the mobile phone.
Maximum calendar age filter
This setting specifies the maximum range of calendar days that can be synchronized to the mobile phone. The value is specified in days.
Maximum failed password attempts
This setting specifies how many times an incorrect password can be entered before the mobile phone performs a wipe of all data.
Maximum inactivity time lock
This setting specifies the length of time that a mobile phone can go without user input before it locks.
Minimum password length
This setting specifies the minimum password length.
Maximum e-mail age filter
This setting specifies the maximum number of days' worth of e-mail items to synchronize to the mobile phone. The value is specified in days.
Maximum HTML e-mail body truncation size
This setting specifies the size beyond which HTML-formatted email messages are truncated when they are synchronized to the mobile phone. The value is specified in kilobytes (KB).
Minimum device password complex characters
This setting specifies the minimum number of complex characters required in a mobile phone password. A complex character is any character that is not a letter.
Maximum e-mail body truncation size
This setting specifies the size beyond which e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in kilobytes (KB).
Password recovery
When this setting is enabled, the mobile phone generates a recovery password that's sent to the server. If the user forgets their mobile phone password, the recovery password can be used to unlock the mobile phone and enable the user to create a new mobile phone password.
Require Device Encryption
This setting specifies whether device encryption is required. If set to $true, the mobile phone must be able to support and implement encryption to synchronize with the server.
908
CHAPTER 18
Using Mobile Device Manager to Manage Mobile Devices
TABLE 18.1
Mobile Device Policies Built in to Exchange Server 2007 SP1 and Higher
Setting
Description
Require encrypted S/MIME messages
This setting specifies whether S/MIME messages must be encrypted.
Require manual synchronization while roaming
This setting specifies whether the mobile phone must synchronize manually while roaming. Allowing automatic synchronization while roaming will frequently lead to larger-than-expected data costs for the mobile phone plan.
Require storage card encryption
This setting specifies whether the storage card must be encrypted. Not all mobile phone operating systems support storage card encryption. For more information, see the documentation for your mobile phone and mobile operating system.
Unapproved InROM application list
This setting specifies a list of applications that cannot be run in ROM. This policy setting requires an Exchange Enterprise Client Access License.
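As an added example (not from the book), the following Exchange Management Shell commands turn the Table 18.1 settings into an enforced Exchange ActiveSync mailbox policy, with a permissive policy alongside it for comparison. The cmdlet and parameter names are those of Exchange Server 2007 SP1 as this example's author knows them and are not taken from the table; the policy names and the mailbox "jsmith" are made up; splatting (`@hashtable`) requires Windows PowerShell 2.0 or later.

```powershell
# Added example, not from the book: Exchange Management Shell commands that turn
# the Table 18.1 settings into an enforced ActiveSync mailbox policy.
# Assumptions: cmdlet and parameter names are those of Exchange Server 2007 SP1
# as known to this example's author; policy names and the mailbox "jsmith" are
# made up; splatting (@hashtable) needs Windows PowerShell 2.0 or later.

# A permissive policy for comparison: no password, no encryption, unlimited history.
$lax = @{
    Name                    = "CorpMobile-Lax"
    DevicePasswordEnabled   = $false
    RequireDeviceEncryption = $false
    MaxCalendarAgeFilter    = "All"
    MaxEmailAgeFilter       = "All"
    MaxAttachmentSize       = "Unlimited"
}
New-ActiveSyncMailboxPolicy @lax

# The hardened policy; each parameter is commented with the Table 18.1 setting it implements.
$hardened = @{
    Name                               = "CorpMobile-Hardened"
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    AllowSimpleDevicePassword          = $false
    MinDevicePasswordLength            = 8            # Minimum password length
    MinDevicePasswordComplexCharacters = 2            # Minimum device password complex characters
    MaxDevicePasswordFailedAttempts    = 10           # Maximum failed password attempts (wipe afterwards)
    MaxInactivityTimeDeviceLock        = "00:15:00"   # Maximum inactivity time lock (15 minutes)
    PasswordRecoveryEnabled            = $true        # Password recovery
    RequireDeviceEncryption            = $true        # Require Device Encryption
    RequireStorageCardEncryption       = $true        # Require storage card encryption
    RequireEncryptedSMIMEMessages      = $true        # Require encrypted S/MIME messages
    RequireManualSyncWhenRoaming       = $true        # Require manual synchronization while roaming
    MaxCalendarAgeFilter               = "TwoWeeks"   # Maximum calendar age filter
    MaxEmailAgeFilter                  = "ThreeDays"  # Maximum e-mail age filter
    MaxAttachmentSize                  = "2MB"        # Maximum attachment size
    MaxEmailBodyTruncationSize         = 32           # Maximum e-mail body truncation size (KB)
    MaxEmailHTMLBodyTruncationSize     = 64           # Maximum HTML e-mail body truncation size (KB)
}
New-ActiveSyncMailboxPolicy @hardened

# Assign the hardened policy to a mailbox and confirm what the device will receive.
Set-CASMailbox -Identity "jsmith" -ActiveSyncMailboxPolicy "CorpMobile-Hardened"
Get-CASMailbox -Identity "jsmith" | Format-List Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy

# Find ActiveSync-enabled mailboxes that still have no explicit policy assigned.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy } |
    Select-Object Name, ServerName
```

The last query is the check worth running after any policy change: a mailbox without an explicitly assigned policy falls back to whatever the organization's default policy allows, so the hardened values only take effect on the mailboxes the assignment actually reached.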
The decision about using Mobile Device Manager 2008 SP1 versus the mobile device options built in to Exchange comes down to whether the policies built in to Exchange cover what the organization requires (if so, using Exchange policies instead of MDM likely makes sense) or whether the organization wants to manage mobile devices outside of Exchange. Many organizations that use mobile devices as data entry tools in hospitals and factory floors, point-of-sale instruments in retail stores, or the like do not use the mobile device for email and Exchange access at all. The device is merely a mobile device connected to a network that is shared by a variety of users. In these cases, regardless of how many policies are in Exchange, if the device never connects to Exchange for email, then the policy support for provisioning, deprovisioning, password management, and the like must be in an external product like System Center Mobile Device Manager 2008 SP1.
Mobile Device Manager and System Center Configuration Manager 2007
Similar to Mobile Device Manager and Exchange integration and coexistence, Mobile Device Manager and System Center Configuration Manager share similarities in what the two products can do for mobile devices. An organization can choose to use just Mobile Device Manager 2008 SP1, just Configuration Manager 2007 R2 SP2, or both. As shown in Table 18.2, there are limitations in Mobile Device Manager regarding managing devices that are not running Windows Mobile 6.1 or higher. For many organizations with old devices, particularly handheld devices for specialized hospital or warehouse applications built on and running Windows Mobile 6.0, using Configuration Manager 2007 to manage those devices either in place of Mobile Device Manager or in addition to Mobile Device Manager would be a good business option.
TABLE 18.2
Mobile Device Manager 2008 SP1 Versus Configuration Manager 2007 R2

Product/Feature                               Mobile Device Manager 2008 SP1   Configuration Manager 2007 R2 SP2
Centralized policy management                 Yes                              Yes
Software distribution                         Yes                              Yes
Asset tracking                                Yes                              Yes
Software inventory                            Yes (full)                       Yes (files only)
Mobile device policies                        Yes (extensive)                  Yes (limited)
Active Directory auto/self-enrollment         Yes                              No
Remote management                             Yes (via IPSec VPN)              Yes (via SSL)
Support for Windows Mobile v6.1 and higher    Yes                              Yes
Support for Windows Mobile v6.0 and earlier   No                               Yes
For organizations that are really looking for self-service functionality in their enterprise applications, the autoenrollment and self-service capabilities of Mobile Device Manager provide the benefit of zero-touch administration of mobile devices. Most organizations serious about mobile device management implement Mobile Device Manager 2008 SP1 for their mobile device requirements to take advantage of the improved benefits in Group Policy management and the Self-Service Portal functionality, and leverage Configuration Manager for managing the handful of devices that might be pre-Windows Mobile v6.1.
Summary
Microsoft Mobile Device Manager 2008 SP1 fills the need for an organization that has requirements to manage Windows Mobile devices just as the organization manages desktops, laptops, and server systems. MDM inventories devices and keeps track of mobile devices as assets in the enterprise. MDM works in conjunction with the patching and updating process of other client and server systems in an enterprise, leveraging WSUS and System Center Configuration Manager to keep mobile devices up to date on the latest updates available. Most important, MDM provides administrators a method of enforcing security on mobile devices through the use of policies that control everything from encrypting device access to network resources, to enforcing password policies established by the organization, to wiping a device in the event of a device loss or breach, to limiting users' access to nonessential applications on the mobile devices.
Although an organization might have other tools available to manage mobile device policies built in to Microsoft Exchange Server or System Center Configuration Manager, in scenarios where an organization wants to focus on the setting, management, and environment of policies specific to mobile devices, the System Center Mobile Device Manager provides more options for the administrator to control the mobile devices in the enterprise.
Best Practices
The following are best practices from this chapter:
• Use System Center Mobile Device Manager when policies need to be enforced specific to mobile devices around security, remote access, device encryption, and password controls.
• Consider using the device management policies in Exchange Server 2007 SP1 or higher when the needs of the organization relative to mobile device management are specific to Exchange-related provisioning, deprovisioning, password change controls, and device wipe.
• Leverage the mobile device policy management capabilities in System Center Configuration Manager to manage devices that are running Windows Mobile v6.0 or earlier.
• Utilize the Self-Service Portal in Mobile Device Manager to simplify the provisioning of mobile device connection to Active Directory to allow users to more easily and quickly connect their devices to Active Directory for policy-based management and security.
• Use Mobile Device Manager to regularly push out mobile device patches and updates utilizing the same update schedule used for the patching and updating of desktops, laptops, and servers in the environment.
• Install a Mobile Device Manager Gateway Server and enable IPSec VPN encrypted connection for mobile devices to have an "always-on" encrypted session between the mobile device and the organization's network.
• Utilize Active Directory group policies to centrally manage and administer policies that control and manage mobile devices through the common policy management system used for client and server policy management in the enterprise.
• Place the Mobile Device Manager management console software on the administrator's desktop or laptop system to minimize the need for the administrator to remotely access the MDM Device Management server, and instead access a locally installed copy of the management console software.
CHAPTER 19
Using System Center Essentials for Midsized Organizations
IN THIS CHAPTER
• What Is System Center Essentials?
• Background of the System Center Essentials Product
• System Center Essentials 2010 Prerequisites
• Installing System Center Essentials 2010 on a Single Server
• Installing System Center Essentials 2010 on Separate Servers
• Getting Familiar with the SCE 2010 Management Console
• Performing Computer and Device Discovery
• Checking the Monitored Status of a Server and Application
• Using Remote Assist and Remote Desktop
• Using Essentials for Patching and Updating Systems
• Creating Packages to Push Out New Software
• Inventorying Systems Using System Center Essentials
• Authoring an Agent to Monitor a Custom Website
• Using the Virtualization Management Features of Essentials
• Generating Reports Out of Essentials
• Installing Agents on Target Systems
• Troubleshooting Common Problems in SCE
• Regular (Every 2-3 Days) Tasks an Administrator Should Perform
• Weekly Tasks an Administrator Should Perform
• Monthly Tasks an Administrator Should Perform
For smaller organizations looking for management tools but without the personnel to manage three or four separate System Center products to do things like monitoring servers, patching and updating systems, or managing virtual guest sessions, Microsoft created a product called System Center Essentials as a lighter, all-in-one solution. System Center Essentials is focused on organizations with fewer than 500 users and fewer than 30-50 servers (which can hardly be called "small" businesses). System Center Essentials utilizes wizards and automated monitoring and management components from the full System Center products and provides these key components in a tightly integrated solution.
What Is System Center Essentials?
System Center Essentials, currently System Center Essentials 2010, is an all-in-one management product that combines the most common features in System Center Configuration Manager, Operations Manager, and Virtual Machine Manager. The focus is for organizations that have limited IT personnel but still need enterprise-class management capabilities. Microsoft released the first version of this product as System Center Essentials 2007 and is now in its third generation of the product. (For those who follow Microsoft's product development, it's usually the third rendition of the product where it actually really works, and System Center Essentials 2010 continues that trend as being a solid release.)
Business Needs Addressed by System Center Essentials
Systems management for an organization with fewer than 500 employees is no different than the systems management requirements of a large enterprise. However, large enterprises have the luxury of having IT personnel who focus on servers, IT personnel dedicated to client and desktop systems, and other IT personnel doing help desk and application support. In a smaller enterprise, the management and support responsibilities often land in the hands of just a handful of IT individuals or potentially just one individual. With limited staff but the same responsibilities for maintaining and managing systems, the IT personnel need to be more efficient and effective at what they do. Instead of having three or four management products with thousands of features, functions, and capabilities that the limited IT staff will never utilize, System Center Essentials 2010 focuses on the top half-dozen or dozen management functions commonly performed by administrators. Some of the main business needs addressed by System Center Essentials 2010 include the following:
• Keeping systems updated—System Center Essentials patches and updates systems to minimize the potential for viruses, worms, or other malware attacking servers and client systems and impacting employee productivity.
• Proactively monitoring system operations—Systems are proactively monitored and IT personnel are notified when systems are not working properly, allowing IT personnel to take corrective action before systems fail and service is interrupted to employees.
• Consolidating systems to maximize system utilization—System Center Essentials 2010 provides tools to convert physical server systems to virtual guest server sessions, a process that consolidates systems and better utilizes hardware and software resources in the organization.
• Reporting on systems operations—Management reports are generated from System Center Essentials providing information about the overall health, operations, and optimization of the network environment being managed by the System Center tools.
Technical Solutions Addressed by System Center Essentials
System Center Essentials 2010 provides core monitoring, patching, updating, and reporting capabilities; however, the more System Center-savvy IT administrator commonly asks, "Specifically what is in System Center Essentials 2010?" The specific System Center technical features included in System Center Essentials include the following:
• Patching and updating—System Center Essentials includes the patching and updating capabilities found in Windows Server Update Services (WSUS) with enhanced update capabilities found in System Center Configuration Manager 2007. Unlike WSUS, which only updates Microsoft products, System Center Essentials provides the capability of updating Microsoft and non-Microsoft products.
• Software deployment—System Center Essentials 2010 provides the software deployment capability built in to System Center Configuration Manager 2007, allowing an IT administrator to create MSI, EXE, or other packages that can be pushed to client and server systems.
• Server monitoring—The server monitoring capabilities found in System Center Operations Manager 2007 are built in to Essentials, allowing for proactive system monitoring and alerting in the event of a system failure, or even in the event of a system not performing within the norms of daily operations.
• Application monitoring—Also included in Essentials is the ability to monitor applications such as Exchange, SharePoint, SQL, and the like so that beyond just the uptime operations of a server system, Essentials monitors the proper operations of applications and alerts an IT administrator of any variances.
• Hyper-V host management—System Center Essentials 2010 inventories Hyper-V host servers, including the capacity demands of the servers, and allows virtual guest sessions to be intelligently placed on the host servers with the most capacity.
• Physical-to-virtual server conversion—For organizations converting physical servers to virtual (P2V) guest sessions, Essentials includes the P2V capability found in Virtual Machine Manager 2008 R2 and allows for the conversion of systems into a virtual environment. Note that the P2V capability also provides the conversion of guest sessions running on VMware to Hyper-V as part of the supported migration capabilities of Essentials.
• SQL reporting—SQL Reporting Services is part of the System Center Essentials 2010 product with dozens of report templates built in to Essentials as well as the ability for administrators to customize reports specific to the needs of the organization.
Background of the System Center Essentials Product
System Center Essentials is in its third major edition with the 2010 release of the product. When Essentials 2007 was released, it had the basic features of patching, monitoring, and reporting built in; however, many of the wizards and automation tools that truly simplified the installation and administration of Essentials were not added into the product until subsequent releases.
System Center Essentials 2007
System Center Essentials 2007 was released in 2007 as a product focused on helping smaller enterprises with their systems management needs. Unlike the mainstream System Center products at the time, such as System Center Configuration Manager (SCCM) 2007 and System Center Operations Manager (SCOM) 2007, SCE was intended to run on a single server with a limited number of features targeted to directly help smaller organizations manage their networking environments. SCE 2007 provided monitoring, patching, updating, and reporting capabilities, which were the most common features used on SCCM and SCOM. Although a v1.0 product, because the components built in to SCE 2007 were all brought in from the full-blown SCCM and SCOM products, SCE was fully operational from day one. Rather than spending days planning and implementing SCCM and SCOM, implementers of SCE 2007 found the implementation and setup could be done in under an hour, and the IT administrator was already getting alerts and was able to patch and update systems within a couple of hours of implementing SCE.
System Center Essentials 2007 SP1
Microsoft updated Essentials early in 2008 with the release of System Center Essentials 2007 SP1. The SP1 release not only rolled up patches and updates to SCE, but also added a number of features and functions. Some of the new updates included the following:
• Support for Workgroup computers—SCE 2007 SP1 provided organizations the ability to manage non-domain-attached systems. Similar to SCOM 2007, which can issue a computer certificate to a system, SCE 2007 SP1 provided the ability to issue a certificate to a system so that it could be monitored and managed without actually being attached to the domain. This is quite common for systems sitting in the DMZ of the Internet, such as web servers, firewalls, gateways, and the like that are critical and need to be monitored and managed, but sit outside the internal network and are not attached to the organization's domain.
• Network and device monitoring—Also added to SCE 2007 SP1 was the ability to monitor and manage network components and devices such as switches, routers, network applications, SANs, and the like. Not only does network and device monitoring help consolidate and simplify the number of management tools a company needs to buy and support, there are critical times, such as when a WAN connection is down, when having SCE know of a device failure helps the Windows administrators better direct the corrective actions by pinpointing the failure more quickly to a failed network device rather than a failed Windows server.
• Improved patching and updating capabilities—SCE 2007 SP1 added support for Windows Server Update Services (WSUS) 3.0, which was a major enhancement for patching and updating. WSUS 3.0 integration added support for auto-approval rules to allow automatic push of updates based on type and classification. Now, instead of requiring the administrator to approve updates each and every time, the administrator could simply approve any and all updates for specific operating systems or applications under management.
• Calculating object health state—The object health state calculation is something Microsoft added to SCOM 2007 that provides a quick glance, as shown in Figure 19.1, at the state of a server or service along with a historical view of when the system fell in and out of operational state.
[Figure 19.1: Health Explorer for SCE2010.companyabc.com, showing the Health monitors tree (Availability, Configuration, Performance, and Security rollups) and the State Change Events pane; screenshot not reproduced.]
FIGURE 19.1
Object health state view in SCE 2007.
• Improvements in performance and installation—Service Pack 1 of SCE 2007 also improved the performance of the SCE console, speeding up the refresh time as well as the scroll time between SCE session windows. SCE 2007 SP1 also greatly improved the installation time as components are installed on server systems.
• Override capabilities—With the original release of SCE 2007, if a monitoring event was thrown and logged, there was no way to simply ignore the event or subsequent events, even if the administrator was well aware of the problem. SCE 2007 SP1 provided an override function where not only the event but also subsequent events can be ignored and overridden.
• Improvements in management pack support—Lastly, SCE 2007 SP1 saw the improvement of management packs for SCE, not just the inclusion of management pack updates for new products like Exchange Server 2007 SP1 or SQL Server 2008, but also significant updates and improvements in existing management packs for Windows Server 2003 and the like.
System Center Essentials 2010
With organizations virtualizing server systems and the common practice of using the System Center Virtual Machine Manager 2008 R2 (VMM) product to convert physical to virtual guest sessions, Microsoft added core VMM technologies into Essentials 2010 as well as expanded the number of wizards and automated configuration tools to greatly simplify an administrator's task of installing and managing Essentials 2010. Some of the features in System Center Essentials 2010 include the following:
• System monitoring—SCE 2010 continues to provide monitoring of servers as did its predecessor SCE 2007; however, unlike SCE 2007, which installed several dozen management packs from the get-go, SCE 2010 only installs the base management packs, and then as new servers and applications are added to the network, the management components are automatically installed, greatly improving the applicability of management packs and management components only to those applications and devices installed on SCE 2010.
• Automatic system detection—SCE 2010 also monitors the addition of devices in Active Directory, and when a new device is added, SCE 2010 can automatically detect these devices, install an agent, and manage the systems without requiring the network administrator to manually update SCE to support new systems.
• Maintenance mode—Continuing on from SCE 2007 is the Maintenance mode in SCE 2010 that allows you to note that a server will be maintained/updated/rebooted and as such to not send alerts on the system during this maintenance time. This is important, as simple patching and rebooting of a system could generate a system alert. Maintenance mode helps focus actual alerts on actual unplanned problems.
• Patching and updating—SCE 2010 has automatic patching and updating, a mainstay from the very beginning of the SCE product; however, drastically improved with SCE 2010 is the ability for SCE 2010 to know what operating systems and applications are in use in the environment and only download the updates for those systems. SCE 2007 used to download way more patches and updates than an organization needed, taking it a lot longer to get to the point where SCE 2007 was ready to send out patches and updates to systems. Now as new operating systems or applications are added to an SCE 2010-managed environment, the corresponding patches and updates for that product are downloaded.
• Software deployment—SCE 2010 continues to support the ability to deploy new software to managed systems, and as an improvement over SCE 2007, which only supported the packaging of MSI installation files, SCE 2010 now provides the ability to use "exe" installers to create packages to be pushed out by SCE 2010.
• Virtualization support—The big enhancement in SCE 2010 is the addition of managing virtual host systems. SCE 2010 can identify and manage Hyper-V host servers, including monitoring the state of guest sessions as well as invoking failover between physical host servers in the event of a system problem on one of the host systems in a virtual cluster.
• P2V conversion—As part of the virtualization support, SCE 2010 provides the ability to convert physical servers into virtual guest sessions running on Hyper-V. For organizations looking to consolidate servers and gain more efficiencies by minimizing the number of physical systems in the environment, P2V helps organizations achieve their goals of a better managed environment.
System Center Essentials 2010 Prerequisites
System Center Essentials 2010 for the most part runs on both Windows Server 2003 and Windows Server 2008 (and R2) editions of the operating system as well as both 32-bit and 64-bit systems. Microsoft understands that smaller enterprises have fewer options available in terms of hardware systems and operating systems, so SCE 2010 provides better flexibility in support of these systems.
Supported Operating Systems
Specific support for operating systems that SCE 2010 will run on is as follows:
• Windows Server 2008 R2, Standard or Enterprise (x64)—Windows Server 2008 R2 only comes as an x64 operating system.
• Windows Server 2008, Standard or Enterprise (x86 or x64)—x64 is required if virtualization management is desired.
• Windows Server 2003, Standard or Enterprise (x86 or x64)—Service Pack 2 or higher is required.
• Windows Small Business Server 2008—x64 is the only version supported.
• Windows Essentials Business Server 2008—x64 is the only version supported.
Beyond the base operating system supported, additional components are required to be installed on the server that will be running SCE 2010. The additional components required include the following:
• Internet Information Services (IIS)
• Background Intelligent Transfer Service (BITS) v2.0 or higher
• Microsoft .NET Framework v3.5 SP1
• Microsoft XML Core Services (MSXML) 6.0
• Windows Installer v3.1
• Microsoft Data Access Components (MDAC) 2.81
• Microsoft Management Console (MMC) 3.0
• Microsoft ASP.NET 2.0
• Microsoft SQL Server Database Services
• Microsoft SQL Server Reporting Services
• Windows PowerShell 1.0
• Windows Remote Management (WinRM)
• Active Directory must be deployed in the environment (AD 2000 or higher)
NOTE The installation process of SCE 2010 checks to see if the additional components are installed on the SCE server and, if the components are not installed, SCE automatically installs the components during the installation process. Also, Essentials virtualization management support can only be installed on servers running Windows Server 2008 or Windows Server 2008 R2 x64.
Supported Versions of SQL Server
System Center Essentials 2010 requires a SQL server to write inventory data, log transaction data, and other monitored information to. SCE 2010 supports the following versions of Microsoft SQL Server:
• SQL Server 2008, Express Edition (x64 and x86)—With Service Pack 1 or higher
• SQL Server 2008, Workgroup Edition (x64 and x86)—With Service Pack 1 or higher
• SQL Server 2008, Standard Edition (x64 and x86)—With Service Pack 1 or higher
• SQL Server 2008, Enterprise Edition (x64 and x86)—With Service Pack 1 or higher
Hardware Requirements for a Single-Server Configuration
A System Center Essentials 2010 server running the Essentials Server component, SQL database component, and Essentials console should have the following hardware: 4GB of RAM, a 2.8GHz or faster processor, and at least 150GB of available disk space if you are planning to run the virtualization management component. If the system will not be used for virtualization management, the disk storage requirement drops to 20GB of available hard disk space.
Hardware and Software Requirements for a Multiserver Configuration
If the SCE 2010 server and console components will be split across multiple systems, each system has lower individual requirements. The Essentials server can run on a 2GHz processor with 2GB of RAM and 12GB of available disk space (150GB is still required for an Essentials server running virtualization management support). In a multiserver environment where the Essentials console will be installed on a separate system, that system needs to run Windows Server 2003, 2008, or 2008 R2 or Windows XP Pro with SP2 or higher (including Windows Vista and Windows 7), and have at least 1GB of RAM and 10GB of available disk space.
Support for a Multisite Configuration
With SCE 2010, multisite configuration is not supported. SCE is a product intended for a single site. If you want to monitor another site, you need to set up an entirely separate copy of the System Center Essentials 2010 server software on a system in that other site. System Center Essentials servers do not talk to one another nor consolidate information; however, a System Center Essentials console system can open a connection to different SCE servers, so an administrator can effectively look at and manage multiple SCE servers from a common console.
Other Supported and Unsupported Configurations for SCE 2010
Frequently when installing software, questions such as the following come up: Can the product be installed on a domain controller? Will it support being installed in a virtual environment? How many administrators can access the product remotely? The following are scenarios that are and are not supported.
SCE 2010 supported scenarios:
• SCE 2010 can be installed on a single server with the management server, reporting server, SQL server, and console on the same system.
• SCE 2010 can be installed in a virtual guest session on an existing physical host server.
• SCE 2010 and all components can be on one server, and the reporting server can be installed on a completely separate system (typically found in environments where an executive wants to generate and see reports without having to ask IT to provide the reports).
• SCE 2010 and all components can be on one or multiple servers and the Essentials console on a separate system (up to five remote consoles can access SCE 2010 at the same time).
• SCE 2010 can have any of its components installed on a domain controller.
• SCE 2010 can manage computers or network devices that are in different domains from the SCE management server as long as the domains are in the same Active Directory forest.
SCE 2010 unsupported scenarios:
• There is no support for SCE 2010 itself to be clustered.
• There is no support for SCE 2010 to manage servers or devices in another forest (unless the server has a certificate installed and the server is considered a certified managed remote device).
• There is no support for SCE 2010 to save its information to a SQL Server mirrored database configuration.
• There is no support for SCE 2010 to manage IA-64-based systems.
• SCE 2010 does not support a remote WSUS server or a downstream WSUS server.
• There is no support in SCE 2010 to manage a system that does not have the SCE 2010 agent installed.
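The following pre-flight script is an added example (not from the book) that checks the prospective Essentials server against the prerequisite components listed under "Supported Operating Systems," the single-server hardware figures, and two of the conditions above (Active Directory membership and no IA-64). The Server Manager feature names, registry paths, and WMI classes are Windows Server 2008 R2 values assumed by this example's author; the installer performs its own check and installs missing components, so this is for planning a server before the DVD goes in.

```powershell
# Added example, not from the book: pre-flight check of the SCE 2010 prerequisites
# described in this chapter, run on the prospective Essentials server.
# Assumptions (this example's author, not the book): Server Manager feature names,
# registry paths and WMI classes are those of Windows Server 2008 R2; the hardware
# thresholds are the single-server figures from the chapter (4GB RAM, 2.8GHz CPU,
# 20GB free disk, or 150GB when virtualization management will be installed).
param([switch]$VirtualizationManagement)

Import-Module ServerManager            # provides Get-WindowsFeature on Windows Server 2008 R2
$results = New-Object System.Collections.ArrayList

function Add-Check([string]$Name, $Passed, $Detail) {
    [void]$results.Add((New-Object PSObject -Property @{
        Check = $Name; Passed = [bool]$Passed; Detail = "$Detail" }))
}

# Roles and features installed through Server Manager (IIS, BITS, .NET 3.5.1)
foreach ($f in 'Web-Server', 'BITS', 'NET-Framework-Core') {
    $feat = Get-WindowsFeature $f
    Add-Check "Feature $f" ($feat -and $feat.Installed) $feat.DisplayName
}

# .NET Framework 3.5 SP1: Install=1 and SP>=1 under the NDP v3.5 key
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
Add-Check '.NET Framework 3.5 SP1' ($ndp -and $ndp.Install -eq 1 -and $ndp.SP -ge 1) $ndp.Version

# MSXML 6.0 registers the Msxml2.DOMDocument.6.0 COM class
Add-Check 'MSXML 6.0' (Test-Path 'Registry::HKEY_CLASSES_ROOT\Msxml2.DOMDocument.6.0') ''

# Windows Installer 3.1+ and MMC 3.0+, read from the binaries' version resources
$msi = (Get-Item "$env:windir\System32\msi.dll").VersionInfo.ProductVersion
Add-Check 'Windows Installer >= 3.1' ([version]$msi -ge [version]'3.1') $msi
$mmc = (Get-Item "$env:windir\System32\mmc.exe").VersionInfo.ProductVersion
Add-Check 'MMC >= 3.0' ([version]$mmc -ge [version]'3.0') $mmc

# Windows PowerShell (running this script proves 1.0; report the version) and WinRM
$psv = if ($PSVersionTable) { $PSVersionTable.PSVersion } else { '1.0' }
Add-Check 'Windows PowerShell >= 1.0' $true $psv
$winrm = Get-Service WinRM -ErrorAction SilentlyContinue
Add-Check 'WinRM service' ($winrm -ne $null) $(if ($winrm) { $winrm.Status } else { 'missing' })

# SQL Server Database Services and Reporting Services (any local instance)
Add-Check 'SQL Server Database Services' ((Get-Service 'MSSQL*' -ErrorAction SilentlyContinue) -ne $null) ''
Add-Check 'SQL Server Reporting Services' ((Get-Service 'ReportServer*' -ErrorAction SilentlyContinue) -ne $null) ''

# Active Directory membership is required; IA-64 systems are unsupported
$cs = Get-WmiObject Win32_ComputerSystem
Add-Check 'Domain member' $cs.PartOfDomain $cs.Domain
Add-Check 'Not IA-64' ($env:PROCESSOR_ARCHITECTURE -ne 'IA64') $env:PROCESSOR_ARCHITECTURE

# Single-server hardware figures from the chapter
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
Add-Check 'RAM >= 4GB' ($ramGB -ge 4) "$ramGB GB"
$cpuMHz = (Get-WmiObject Win32_Processor | Select-Object -First 1).MaxClockSpeed
Add-Check 'CPU >= 2.8GHz' ($cpuMHz -ge 2800) "$cpuMHz MHz"
$needGB = if ($VirtualizationManagement) { 150 } else { 20 }
$sysDrive = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$freeGB = [math]::Round($sysDrive.FreeSpace / 1GB, 1)
Add-Check "Free disk >= ${needGB}GB" ($freeGB -ge $needGB) "$freeGB GB free on $env:SystemDrive"

$results | Format-Table Check, Passed, Detail -AutoSize
if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning 'One or more SCE 2010 prerequisites are not met; see the table above.'
}
```

Run it as `.\Check-ScePrereqs.ps1 -VirtualizationManagement` (a file name this example assumes) on a server that will host the virtualization component, so the 150GB disk figure is applied; MDAC 2.81 and ASP.NET 2.0 are not checked separately because on the Windows Server 2008 R2 builds assumed here they ship with the operating system and the IIS role respectively.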
Installing System Center Essentials 2010 on a Single Server
Although System Center Essentials 2010 can be installed on multiple servers, it is commonly installed all on one server, including the Essentials software, database, reporting functions, and management console. When installing System Center Essentials, assuming the prerequisites have been met, the installation process is really a matter of shoving in the DVD and initiating the installation process.
Preparing the System Center Essentials 2010 Server
Before the installation of Essentials can be performed, the base Windows operating system needs to be installed. With the release and full support of Windows Server 2008 R2 server, that is the preferred server operating system for Essentials 2010, although as noted in the "Supported Operating Systems" section earlier in this chapter, System Center Essentials 2010 can be installed on Windows Server 2008 and even Windows Server 2003.
NOTE Even though the best practice is to install System Center Essentials 2010 on a Windows Server 2008 R2 server, the organization can still remain on Active Directory 2003. The Windows Server 2008 R2 server is just a member server of Active Directory, so earlier releases of Active Directory are supported.
When installing the base Windows operating system, an administrator does not have to worry about installing and configuring the various subcomponents needed for SCE 2010, such as .NET Framework, BITS, Windows Installer 3.1, and so on. Simply install the Windows operating system, configure the server with a name and IP address, and join the domain. Make sure to download the latest patches and updates. As part of the installation process of SCE 2010, it checks for all prerequisites and if a component is missing, the SCE 2010 installer automatically installs the missing component(s).
Installing System Center Essentials 2010 on Separate Servers 921
Running the System Center Essentials Installation
With a basic Windows server installed and joined to the domain, it is time to install System Center Essentials 2010 onto the system.
NOTE Before installing SCE 2010, you should make sure the SCE system is properly connected to the network and you can access the file servers, Exchange servers, SharePoint servers, and other application servers you want to manage. As part of the installation process of SCE, the system goes out and assesses the applications on your network and if it finds the application servers, it adds them to SCE for management automatically. Therefore, if you had the choice of installing SCE first or applications first, install the applications first and SCE toward the end so that SCE finds the applications installed and installs the application agents at the time of SCE installation.
To install SCE 2010, do the following:
1. Insert the SCE 2010 installation disc into the DVD/CD drive and the installer begins (if not, run SETUPSCE on the disc).
2. From the System Center Essentials 2010 Setup screen shown in Figure 19.2, click Install.
NOTE During this time, any prerequisites required to install SCE such as .NET Framework 3.51 and the like install.
3. For product registration, enter your Name, Organization Name, and a Product Key (if it applies). Read the terms of the licensing agreement, and if you agree to the terms of the licensing agreement, select the I Have Read, Understood, and Agree with the Terms of the License Agreement option, and click Next.
4. You are prompted to select the components you want to install. At a minimum, you will install the System Center Essentials Server option on the system. You could choose to not install the Reporting Services and/or the Virtualization Management components on this same system by unchecking the options. For a single-server configuration, keep all the boxes checked (the default) and click Next.
FIGURE 19.2 Main setup screen for SCE 2010.
NOTE If you choose to place the Database or the Reporting Services roles on separate systems, it is during this step where you select to only install the main System Center Essentials components, and uncheck the Database and/or Reporting Services roles, choosing to install those roles on separate systems.
5. The system begins a process of checking for additional requirements and prerequisites. If your system does not meet the basic requirements for the installation of SCE 2010, you are prompted to fix the problem (such as not enough memory, not enough disk space, and so on). If your system passes the basic requirements, you are prompted to have core components installed like IIS or SQL, as shown in Figure 19.3. Select the components to install them on the system and click Next.
6. Once all of the prerequisites have installed, click Next to continue.
7. You are now prompted to choose where you want to install SCE 2010 as well as the updates that'll download from Microsoft. If you want to install in the default, the C: of your system, just click Next. If you choose to install them elsewhere, choose the destination where you want the software to install (such as on D: or E:).
8. You are prompted where to install the virtualization management files for SCE 2010. Again, the default is to install the SCE 2010 virtualization components on C:; click Next.
9. When prompted for the credentials you'll use to administer and manage systems, enter the domain administrator logon name and password, assuming all systems have been joined to the domain and the domain administrator has access to all of the systems. Type in the administrator name and password, click Test to confirm the account is valid, and then click Next.
FIGURE 19.3 Choosing to install required components of SCE on the system.
10. You are prompted to choose whether you want to participate in a customer experience improvement program, have errors automatically sent to Microsoft, and provide operational data reporting to Microsoft. The default is Yes to all of these. You can choose to not participate and change them all to No. Click Next to continue.
11. Review the summary of the installation process and click Install to begin the installation of the SCE 2010 program.
12. Once the installation of the software has been completed, a summary of the components installed is shown, similar to what is shown in Figure 19.4. Review the list to confirm everything installed okay, and then click Close.
NOTE By default, after closing the installation wizard, the SCE 2010 console is launched and the Quick Installation Wizard is initiated, which walks you through the initial configuration of SCE.
FIGURE 19.4 Summary of the installation status of SCE.
Running the Initial Configuration Wizards
As just noted, when installing SCE 2010, at the end the SCE 2010 console launches and an SCE Configuration Wizard begins. You can cancel the running of the configuration wizard; however, you might as well start the wizard and walk through the installation process that will help you get SCE configured and working. To begin the SCE Configuration Wizard, do the following:
1. Click Start to begin.
2. The first prompt is whether you want to have Essentials create a domain-level group policy. This set of user and computer policies is installed to set up firewall exception rules—so that SCE can monitor and manage systems—as well as remote assistance rules—so that SCE can be used to remote support users. Choose Yes, click the Use the Following Credentials to Configure Group Policy option, and enter an administrator logon and password for the domain. Click Test to validate that the credentials work, and then click Next to continue.
3. The firewall exceptions policy prompts you to confirm that you want to have firewalls set for remote administration and remote access. Choose the default Yes, Create Windows Firewall Exceptions and click Next to continue.
4. You are then prompted whether you want to enable remote assistance (so that, as an administrator, if a user needs help, you can remotely control the system). This assumes the workstations are running Windows XP or a more recent version of client operating system. Assuming you want to provide remote support and assistance, choose Yes, Enable Remote Assistance and then click Next.
5. The next step is to automatically discover new computers added to the network. Select Yes, Automatically Discover and Manage All Computers in My Domain. This initially finds all systems in the network as well as periodically scans the network for new systems that can be added to SCE for management. By not choosing this option, any time you want to add systems for management, you need to manually scan the network using the Computer and Device Management Wizard in the SCE console to manually discover systems. After completing this step, click Next.
6. For Daily Health Reports, SCE has the ability to email the administrator a daily report on the status of servers and systems under management in the network. If you want to receive this daily report, enter a fully qualified email address where you want the report sent to in the To field, enter the name of the default sender in the From field, enter the fully qualified domain name of the email server in your network (similar to what is shown in Figure 19.5), and then click Send Test Report. Check the recipient email box where you just selected to have the message sent to and confirm that the message has been received. Click Next to continue.
FIGURE 19.5 Configuration information for email settings for the Daily Health Report.
7. If you have a proxy server in your environment, enter the name of the proxy server. If you are unsure, choose No and click Synchronize to begin having management packs and updates downloaded. If you have a proxy, enter the Web URL for the proxy (typically the port used for proxies is 8080). If your proxy requires you to enter a logon and password, enter that information for credentials to access the Internet through the proxy.
NOTE If you can just sit at the server, launch a browser, and access the Internet without having to configure anything special or enter a logon or password to access the Internet, you do not have a proxy and can simply choose No and then click Synchronize.
8. After running the synchronize process in the previous step, several minutes later you are prompted to choose all of the products you want to monitor, such as Windows Server 2003, Windows Server 2008, Exchange Server 2007, Hyper-V, and so on. The default is to choose all of the servers and products it found, which is recommended to keep everything in your network monitored and managed. If you agree, you should keep the check marks on the Notify Me when Appropriate Management Packs Are Available and the Don't Notify Me for Applications I Have Rejected check boxes, and then click Next.
9. The next option is whether you want to have SCE dump error reports for troublesome systems to a file. These error reports are helpful if you open a support incident with Microsoft and they ask you to send them an error report. So, you should choose the default Yes, Collect Applications Errors and specify a directory where you want SCE to dump the reports (something like c:\ErrorReportDumpFolder\ will do). Keep the default error report port of 51906 and click Next.
10. You are then prompted if you want to send your error reports automatically to Microsoft. Many organizations choose to not send the reports automatically and only send the reports if a support incident is opened with Microsoft and they are asked to submit an error report. Because you have the error reports being saved to disk from the previous step to manually send the reports if need be, you can leave the Automatically Forward All Collected Errors to Microsoft check box unchecked and click Next.
11. The next step is for the patching and updating process in SCE. The default is to automatically have SCE download necessary updates from Microsoft based on the operating systems and applications in your environment, which is best because it'll bring down only necessary updates. If you want to manually pick and choose updates to download, then choose Manually and choose the specific updates you want to have downloaded. Otherwise, keep the Automatically option selected and click Next.
NOTE SCE 2010 is aware of the operating systems and applications in your environment and continually updates itself as new operating systems and applications are added to the network. This process greatly minimizes the effort of the administrator by letting SCE keep track of everything that needs to be patched and updated.
12. The next option is language sets for the applications installed. The default is English, so choosing Yes and clicking Next is all that needs to be done unless you have applications on your network that run in different languages. If you want to choose additional languages, choose No, I Will Choose the Languages I Want to Download from the List Below and choose the languages, and then click Next.
13. For updates, the default is to download Critical Updates, Service Updates, and Service Packs, which keep systems up to date for security purposes. Choose Yes and click Next to keep the default. If you want to add the automatic download of Feature Packs, Update Rollups, Tools, Security Definition Files, or the like, choose No, I Will Choose the Types of Updates I Want to Download and select the choices. Click Next when you are finished.
NOTE As much as Microsoft selects the default for updates to be Critical Updates, Service Updates, and Service Packs, it is helpful to also include Definition Updates (used to keep security updates up to date), Update Rollups (which is a common way that Exchange distributes necessary updates of the product), and Updates as additional choices.
14. The next option is to choose to have updates automatically approved and pushed out to systems. Auto-approving critical and security updates minimizes the administrator's time and effort to manually choose updates to push to systems. The choice for autoupdates can be done for client systems, server systems, or both. An additional option of choosing to force the installation of updates ensures that updates are not only downloaded, but if the update requires a reboot that a forced reboot occurs. If a forced installation is selected, make sure to pick a time when the installation (and potential forced reboot) will occur. Usually in the evening is best. Select the options and click Next to continue.
NOTE Automatically approving and forcing the installation on client systems ensures that workstations are up to date on patches and updates without having the administrator do anything. Some administrators might choose to have updates on servers not automatically approved nor forced, providing the administrator the opportunity to choose patches and updates to be applied. The key to this choice is if all you do is just approve updates today, or apply service packs and updates when they are available, you might as well choose to have SCE automatically update your systems. However, if you methodically check the Internet to look for known problems, check to see if a patch or update is "safe" to apply to a system, and do a lot of due diligence to ensure the safety of updates before applying them, you don't want to have updates auto-approved and force installed.
15. You are prompted with a summary of the choices made. Review the choices and then click Configure to begin the configuration of SCE based on the choices you made. This process takes several minutes to complete (typically pausing on the Monitoring Configuration option to download management packs from Microsoft). The rest of the configuration goes relatively quickly as it goes through all of the settings and configures SCE with the settings.
NOTE During this configuration process, the system is merely configuring the SCE 2010 server. Patches and updates are not pushed out nor are agents deployed to systems. This process merely configures SCE with the settings chosen plus downloads management packs from Microsoft for the applications that'll be managed and supported by SCE.
16. When the configuration is completed, you are prompted to Start Discovering Computers to Manage when This Wizard Closes as well as Synchronize Updates when This Wizard Closes. Typically choose both of the options so that it begins the process of downloading patches and updates and identifies all of the systems on the network that it will manage. After choosing the two options, click Close to continue.
NOTE After you click Close, you end up in the SCE management console. You only see one Windows computer in the computer list and no client systems. This is because it only knows of itself for now; however, assuming you chose to discover systems, SCE begins to find additional systems on the network. This process can take several hours and has been known to take two to three days to complete on a network with 300-400 workstations and 40-50 servers, so be patient.
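Several of the wizard choices above depend on things that must already be in place: an SMTP server that accepts mail for the Daily Health Report, a reachable proxy if your network uses one, a free TCP port 51906 and a writable error report folder, and the .NET Framework 3.5 SP1 prerequisite. The following PowerShell pre-flight script, added here as an example and not part of the book or of SCE 2010, checks each of these from the prospective SCE server; the host names, addresses and folder are placeholders, and the registry key it reads for the .NET service pack level is an assumption rather than something the book documents.

```powershell
# Added example, not from the book or from SCE 2010: pre-flight checks for the
# Quick Configuration Wizard settings (Daily Health Report SMTP, proxy, error
# report port and folder, .NET 3.5 SP1). All values below are placeholders.
param(
    [string]$SmtpServer   = 'mail.companyabc.com',              # placeholder SMTP server (step 6)
    [string]$ReportTo     = 'admin@companyabc.com',             # placeholder report recipient (step 6)
    [string]$ReportFrom   = 'sce@companyabc.com',               # placeholder sender (step 6)
    [string]$ProxyUrl     = 'http://proxy.companyabc.com:8080', # placeholder proxy; '' if none (step 7)
    [string]$ErrorDumpDir = 'C:\ErrorReportDumpFolder',         # dump folder suggested in step 9
    [int]$ErrorReportPort = 51906                               # default error report port (step 9)
)

# Prints one PASS/FAIL line per check so the output can be pasted into a change record.
function Write-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $state = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Host ("[{0}] {1}: {2}" -f $state, $Name, $Detail)
}

# Returns $true when a TCP connection to $ComputerName:$Port succeeds within the timeout.
function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. SCE must run on a member server of the domain whose systems it will manage.
$cs = Get-WmiObject -Class Win32_ComputerSystem
Write-Check 'Domain membership' $cs.PartOfDomain ("domain = {0}" -f $cs.Domain)

# 2. The Daily Health Report needs an SMTP server that accepts connections on port 25;
#    when it does, send a test message the same way the wizard's Send Test Report does.
$smtpOk = Test-TcpPort $SmtpServer 25
Write-Check 'SMTP reachability' $smtpOk ("{0}:25" -f $SmtpServer)
if ($smtpOk) {
    try {
        Send-MailMessage -To $ReportTo -From $ReportFrom -SmtpServer $SmtpServer `
            -Subject 'SCE 2010 pre-flight test' -Body 'SMTP path for the Daily Health Report works.'
        Write-Check 'Test message' $true ("sent to {0}" -f $ReportTo)
    } catch {
        Write-Check 'Test message' $false $_.Exception.Message
    }
}

# 3. If a proxy is used, confirm an HTTP request gets through it (www.microsoft.com is
#    only a reachability probe here); leave $ProxyUrl empty for direct Internet access.
if ($ProxyUrl) {
    try {
        $req = [System.Net.WebRequest]::Create('http://www.microsoft.com/')
        $req.Proxy = New-Object System.Net.WebProxy($ProxyUrl)
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        $resp.Close()
        Write-Check 'Proxy access' $true $ProxyUrl
    } catch {
        Write-Check 'Proxy access' $false $_.Exception.Message
    }
}

# 4. The error report port must not already be in use by another listener.
$listeners = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners()
$inUse = @($listeners | Where-Object { $_.Port -eq $ErrorReportPort }).Count -gt 0
Write-Check 'Error report port free' (-not $inUse) ("TCP {0}" -f $ErrorReportPort)

# 5. The dump folder must exist and be writable by the account running this script.
try {
    if (-not (Test-Path $ErrorDumpDir)) { New-Item -ItemType Directory -Path $ErrorDumpDir | Out-Null }
    $probe = Join-Path $ErrorDumpDir ('preflight-{0}.tmp' -f [guid]::NewGuid())
    Set-Content -Path $probe -Value 'probe'
    Remove-Item -Path $probe
    Write-Check 'Dump folder writable' $true $ErrorDumpDir
} catch {
    Write-Check 'Dump folder writable' $false $_.Exception.Message
}

# 6. .NET Framework 3.5 SP1 is a setup prerequisite. Assumption: the framework records
#    its Install and SP values under this NDP registry key.
$ndpKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
$ndp = Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue
$netOk = ($ndp -ne $null) -and ($ndp.Install -eq 1) -and ($ndp.SP -ge 1)
Write-Check '.NET Framework 3.5 SP1' $netOk $(if ($ndp) { "SP level {0}" -f $ndp.SP } else { 'not installed' })
```

Run it from an elevated PowerShell prompt on the server before starting the wizard; a FAIL on the SMTP or proxy line is the usual reason Send Test Report or Synchronize stalls in steps 6 and 7.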
Installing System Center Essentials 2010 on Separate Servers
As much as the best practice is to just install the entire System Center Essentials 2010 on a single server, an administrator might choose to install the Essentials components on one server, but leverage an existing SQL database server, or put the reporting services on another system, or add the reporting console on yet a different system. So, this section walks through the process of installing certain supported components on different server systems.
Installation of the Management Console Tools on a Server
One of the options for separating SCE 2010 components is to put the SCE management console tool on another system. You might choose to do this for the purpose of having the management tool on your Windows XP, Vista, or Windows 7 workstation at your desk. That way, you do not have to remote in to the SCE server to run the management console; instead, you can have it right on your desktop. Or if there is another system or server you use regularly, you can install the SCE management tools on that system as well. You can install the SCE management tools on as many systems as you want; however, you can only launch and remotely connect to an SCE server from five separate systems at any one time. To install the SCE management tools on a separate system, do the following:
1. Insert the SCE 2010 installation disc into the DVD/CD drive and the installer begins (if not, run SETUPSCE on the disc).
2. From the System Center Essentials 2010 Setup screen, click Install Essentials Console.
3. For product registration, enter your Name, Organization Name, and a Product Key (if it applies). Read the terms of the licensing agreement, and if you agree to the terms of the licensing agreement, check the I Have Read, Understood, and Agree with the Terms of the License Agreement option, and click Next.
4. The system begins a process of checking for additional requirements and prerequisites. If your system does not meet the basic requirements for the installation of the SCE console, you are prompted to fix the problem (such as not enough memory, not enough disk space, and so on). If your system passes the basic requirements, it might download the .NET Framework 3.51 tools or other components to the system that are required for installation. You are asked where you want the System Center Essentials files to be located; unless you want to install them somewhere different from the default location, click Next.
5. You are prompted to choose whether you want to participate in a customer experience improvement program and participate in error reporting to Microsoft. The default is Yes to all of these. You can choose to not participate and change them all to No. Click Next to continue.
6. Review the summary of the installation process and click Install to begin the installation of the SCE 2010 management console on this system.
7. Once the installation of the console software has been completed, click Close.
Installation of the SCE Reporting Services on a Separate Server
SCE Reporting Services can be installed on another system if the SQL database that is used by SCE is on another server. For example, if the organization already had a SQL Server 2008 server in the environment and chose to use that SQL server to install SCE (instead of an all-in-one implementation of SQL installed on the same server as SCE), the SCE Reporting component could be installed on the separate system. To have the SCE Reporting Services be installed on a separate computer, you need to make sure that the separate computer has its own copy of SQL Server 2008 (Enterprise, Standard, Express, or Workgroup) along with SQL Server 2008 Report Services installed on the system. SCE reporting needs the SQL Report Services to be able to run and SQL Report Services needs to have a copy of SQL on the system; therefore, these are necessary requirements for SCE to work on a system. To install the SCE Reporting component on the SQL server that SCE is communicating with, do the following:
1. Insert the SCE 2010 installation disc into the DVD/CD drive and the installer begins (if not, run SETUPSCE on the disc).
2. From the System Center Essentials 2010 Setup screen, click Install Essentials Reporting.
3. You are prompted to choose the server running System Center Essentials. It suggests the server it found in Active Directory; if the selection is correct, click Next.
4. For product registration, enter your Name, Organization Name, and a Product Key (if it applies). Read the terms of the licensing agreement, and if you agree to the terms of the licensing agreement, check the I Have Read, Understood, and Agree with the Terms of the License Agreement option, and click Next.
5. The system begins a process of checking for additional requirements and prerequisites. If your system does not meet the basic requirements for the installation of the SCE Reporting component, you are prompted to fix the problem (such as not enough memory, not enough disk space, and so on). Click Next to continue.
6. SCE 2010 uses a database server instance to host the data used in SCE; select the database server, specify the folder you want SCE to use to store the database files, and then click Next.
7. You are shown a local reporting service instance and asked to specify a URL to the reporting server if a default could not be selected; click Next to continue.
8. You are prompted where you want the Reporting Services application files to be installed; unless you want to install them somewhere other than the default C:, click Next.
9. When prompted, enter a username, password, and domain of a user who has administrative rights to read and write data in the SCE database; click Next to continue.
10. You are prompted to choose whether you want to participate in a customer experience improvement program, the error reporting program, and the operational data reporting program. The default is Yes to all of these. You can choose to not participate and change them all to No. Click Next to continue.
11. Review the summary of the installation process and click Install to begin the installation of the SCE 2010 Reporting component on this system.
12. Once the installation of the console software has been completed, click Close.
Getting Familiar with the SCE 2010 Management Console
With SCE 2010 installed and agents deployed, it's time to get familiar with the SCE 2010 management console. When you launch the SCE 2010 management console, the first thing you see is the main screen. Notice a selection pane on the lower left with Computers, Monitoring, Updates, Software, Reporting, Administration, and Authoring options, as shown in Figure 19.6.
FIGURE 19.6 SCE 2010 management console screen.
On the right side of the screen is a Tasks pane, which lists tasks that can be performed. The tasks change depending on whether you have the mouse cursor selecting something in the left window pane, the middle pane, or elsewhere on the screen. The tasks change based on the options possible for the object selected.
The Computers Option in the Management Console
When you click the Computers option on the lower left of the management console, you see a list of systems that SCE has found in the environment. The systems are broken down as Windows clients (such as Windows XP, Vista, or Windows 7 systems) or Windows servers (such as Windows Server 2003, Windows Server 2008, Windows Server 2008 R2) as well as All Virtual Machines. At a quick glance, you can see the status of the systems, whether there are any warnings or alerts, and the state of the system—whether it is up, down, or unknown. The Computers option includes tasks such as collecting inventory of the servers and client systems, checking on patches and updates for the systems, or virtual host tasks, such as converting physical systems to virtual guest sessions and creating virtual guest sessions from scratch.
The Monitoring Option in the Management Console
When you click the Monitoring option, the view changes to one that shows alerts from monitored systems, similar to what is shown in Figure 19.7.
FIGURE 19.7 SCE 2010 management console Monitoring option screen.
In the upper-left tree, you can scroll down to view specific monitored servers (grouped by type of server, such as Exchange Server 2007, SQL Server, Active Directory, and the like) along with the servers in the monitored type plus the events that correlate with the monitored component. When SCE 2010 refers to a management pack, it is the components that are being monitored for each specific product. As an example, the Exchange Server 2010 management pack added several dozen new components specific to Exchange Server 2010 that SCE is monitoring, such as email queues, Client Access Server (CAS), and Hub Transport Server (HT) systems. The SharePoint 2010 management pack is tracking information specific to SharePoint, such as the status of the Content Database, how page views are being handled by the SharePoint server, and how the underlying SQL database for SharePoint is handling requests. An administrator can choose tasks in the right pane, such as viewing more details about an event, closing an alert, or choosing to override an alert. Other information about monitored servers can be found by selecting Discovered Inventory in the upper-left pane, which then changes the middle pane to display all of the discovered servers and the health state of the systems. The tasks in the Tasks pane on the right change, providing the administrator the ability to check the health status of a specific system, take a specific server into Maintenance mode, meaning that no alerts will be logged (done at a time when a server is being brought down to be patched or updated), and ping a server to check the status of a server. Additional tasks for discovered inventory include providing remote assistance by taking control of the targeted system as well as collecting inventory and generating reports about any of the monitored systems.
The Updates Option in the Management Console
By selecting the Updates option in the SCE 2010 management console and then the All Updates container, an administrator sees a screen similar to the one shown in Figure 19.8. The Updates option is used to identify which patches and updates are available for the systems on the network and to approve or decline the installation of a patch or update on a system or group of systems.

FIGURE 19.8 SCE 2010 management console Updates option screen. (The screenshot lists updates by category, including a cumulative security update for Internet Explorer 8 and security updates for ActiveX Killbits, the .NET Framework, and Microsoft XML, each with its release date, KB article, description, and deployment status; the Tasks pane offers Add and Remove Approvals and Decline Update.)
CHAPTER 19 Using System Center Essentials for Midsized Organizations

As shown in Figure 19.8, as the administrator selects different patches and updates in the middle pane, the Tasks pane on the right allows the administrator to add or remove approval for installing the update. Within the Updates option, an administrator can get a quick view of which updates have been applied, which updates are pending, which servers or workstations have received all of the required updates, and which systems have not. SCE 2010 not only helps administrators automatically download and install updates on systems, but also reports easily on the status of updates on systems throughout the enterprise.
The Software Option in the Management Console
The Software option in SCE 2010 provides a view of all of the software deployment packages that are available to be deployed to workstations or servers. By clicking the Software option and then All Software Packages, the administrator sees a screen similar to the one shown in Figure 19.9.

FIGURE 19.9 SCE 2010 management console Software option screen. (The screenshot shows two packages under All Software Packages, including Adobe Acrobat 9 in the Applications category, with each package's creation date, deployment status, and the number of computer groups approved for it.)
Packages that have already been created are shown in the middle pane. The administrator can pick any of the packages and approve it for deployment to any workstation or server. As seen in the Tasks pane on the right, a deadline can be set for when a package can or should be pushed. Also from the Tasks pane, new packages can be created from MSI or EXE installers; SCE then bundles the installer into a package that can be deployed.
The Reporting Option in the Management Console
The Reporting option in the SCE 2010 management console, shown in Figure 19.10, gives the administrator a view of all of the reports that are built in to SCE 2010. Some of the standard reports available include a list of all Active Directory domain controllers, a disk-space analysis of used and available disk space on servers, and a list of all systems broken out by the operating system each has installed.

FIGURE 19.10 SCE 2010 management console Reporting option screen. (The report tree includes Active Directory Server Common Library reports such as AD Domain Changes, AD Domain Controllers, AD Machine Account Authentication Failures, AD Replication Site Links, DC Disk Space Chart, and DC Replication Bandwidth, alongside the Microsoft Generic Report Library and other report libraries; the selected AD Domain Changes report is described as displaying SAM events.)
Additional reports include virtual machine utilization, service-level tracking information, and hardware and software inventory reports. SCE 2010 uses Microsoft SQL Server 2008 Reporting Services, which can be configured to generate any type of report an administrator wants. Reports are frequently requested by compliance auditors who want to know security access control information, CFOs who want asset and inventory reports, security officers who want to know access rights information, and the like.
The Administration Option in the Management Console
The Administration option in the SCE 2010 console, shown in Figure 19.11, contains a number of common functions an administrator performs in the course of systems management. The Device Management option shows which systems and devices have management agents installed and which do not. The Settings function allows the administrator to set privacy settings, add users who can be assigned delegated administrator tasks, and set schedules for when SCE downloads updates, patches, and management packs. Effectively, all of the settings that were selected during the initial installation can be revisited and modified under Settings in the Administration option.
FIGURE 19.11 SCE 2010 management console Administration option screen. (The Administration tree shows Device Management with Agent Managed, Network Devices, and Pending Management containers; Security with Run As Accounts and Run As Profiles; Management Packs; and Settings. The overview pane shows the daily health report schedule, the computer and device discovery schedule, and the Essentials client and server license counts.)
An example of a setting configured during the initial configuration process is the daily report emailed to the administrator. Under Administration, Settings, Daily Health Report, the automatic emailing of that report can be turned off.

Another common function in the Administration option is the Security section, namely Run As accounts and Run As profiles. It should not be assumed that the SCE administrator has full access to all servers and applications. As an example, the SCE administrator might be restricted from specific administrative tasks on the organization's accounting, payroll, and human resources systems. However, if SCE cannot reach those systems with sufficient rights, it cannot perform monitoring and support tasks on them. A Run As account stores a set of credentials, and a Run As profile assigns that account to the specific monitoring workflows and tasks that need it, so SCE runs those workflows under the stored identity rather than under the administrator's own account. Use of the Run As credentials is monitored and logged, and instead of giving the administrator direct access to the applications, the Run As function provides an audited and managed method of access. As with any stored credential, a Run As account should hold only the rights that the workflows it is assigned to actually need.

Also in the Administration option is a section on management packs. Management packs can be downloaded over the Internet to update existing management packs or to obtain a management pack for a new application. When no management pack exists to monitor a specific system feature, one can be created by selecting the Create Management Pack option in the Tasks pane.

Lastly, the Administration option is where an administrator sets the methods of notification in the event of a system problem, whether that is an email, an instant message, or a text message. There are many different functions in the Administration option for the administrator to make modifications and changes.
The Authoring Option in the Management Console
The Authoring option in the SCE 2010 management console, shown in Figure 19.12, is where an administrator creates additional components to monitor systems, devices, websites, or the like. It is common for an administrator to want to monitor something that is not directly supported by the default management packs or that is specific to a unique environment.

FIGURE 19.12 SCE 2010 management console Authoring option screen. (The Management Pack Templates listed include Exchange 2007 Client Access Server Monitoring, Exchange 2007 Intra-Organization Mail Flow Monitoring, Ping Monitor, Process Monitoring, and TCP Port, with the Add Monitoring Wizard, New Distributed Application, and New Group tasks in the Tasks pane.)
As an example, an organization wants to monitor the response time of its Exchange OWA environment. Unlike many management tools that simply ping a server to see whether it is running, SCE checks whether the site itself is up, and it can even log on with a test account to measure the response time a user would experience when accessing the site with logon credentials. The scripted process that accesses the site, logs on, and times the response is created in the Authoring option of the SCE management console. Because the test account's credentials are stored and used on a schedule, it should be a dedicated mailbox with no rights beyond what the test needs.
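The following script is an added example, not SCE's own OWA monitor and not code from the book: it does the same kind of authenticated, timed request against an OWA URL that the Authoring wizard's synthetic check performs, so you can see what "the site is up" actually means (a logon that succeeds and a page that comes back within a threshold). The URL, the probe account name, and the assumption that the OWA virtual directory accepts Windows or Basic authentication are all placeholders; a forms-based OWA logon would instead need a POST to its logon form, which this probe only detects by noticing that the logon page came back instead of the mailbox.

```powershell
# Added example, not SCE's own OWA monitor: an authenticated HTTPS GET against an OWA
# URL, timed the way a synthetic "is the site really usable" check would time it.
# Assumptions (placeholders, not from the page): the URL, the probe account name,
# and that the /owa virtual directory accepts Windows or Basic authentication.
# A forms-based (FBA) OWA logon instead needs a POST to its logon form; this probe
# only detects that case by noticing the logon page came back instead of the inbox.
param(
    [string]$Url = "https://mail.companyabc.com/owa/",
    [int]$TimeoutSeconds = 30,
    [int]$WarnAfterMs = 3000
)

# Dedicated, low-privilege probe mailbox; prompt rather than hard-code the password.
$cred = Get-Credential -Credential "companyabc\owaprobe"

function Test-OwaResponse {
    param(
        [string]$Url,
        [System.Management.Automation.PSCredential]$Credential,
        [int]$TimeoutSeconds,
        [int]$WarnAfterMs
    )
    $result = New-Object PSObject -Property @{
        Url = $Url; StatusCode = $null; ElapsedMs = $null; Healthy = $false; Detail = ""
    }
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = "GET"
    $req.Timeout = $TimeoutSeconds * 1000
    $req.AllowAutoRedirect = $true
    $req.PreAuthenticate = $true
    $req.Credentials = $Credential.GetNetworkCredential()
    $req.UserAgent = "owa-probe/1.0"           # makes the probe identifiable in IIS logs

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $resp = $req.GetResponse()
        try {
            $result.StatusCode = [int]$resp.StatusCode
            $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
            $body = $reader.ReadToEnd()            # wait for the full page, not just headers
            $reader.Close()
        } finally { $resp.Close() }
        $sw.Stop()
        $result.ElapsedMs = $sw.ElapsedMilliseconds
        # An HTTP 200 that is really the FBA logon form means no logon happened,
        # so check the body as well as the status code.
        if ($result.StatusCode -eq 200 -and $body -notmatch 'owaauth\.dll|logon\.aspx') {
            $result.Healthy = ($result.ElapsedMs -le $WarnAfterMs)
            if (-not $result.Healthy) { $result.Detail = "slow: $($result.ElapsedMs) ms" }
        } else {
            $result.Detail = "status $($result.StatusCode), or logon page returned instead of OWA"
        }
    } catch [System.Net.WebException] {
        # 401/403/503, a timeout, or a TLS failure all land here: the site is not usable.
        $sw.Stop()
        $result.ElapsedMs = $sw.ElapsedMilliseconds
        $result.Detail = $_.Exception.Message
        if ($_.Exception.Response) { $result.StatusCode = [int]$_.Exception.Response.StatusCode }
    }
    return $result
}

Test-OwaResponse -Url $Url -Credential $cred -TimeoutSeconds $TimeoutSeconds -WarnAfterMs $WarnAfterMs |
    Format-List Url, StatusCode, ElapsedMs, Healthy, Detail
```

The body check matters more than the status code: an OWA front end that has lost its back end, or a probe whose password has expired, often still answers 200 with the logon form, which a plain HTTP check would report as healthy.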
Performing Computer and Device Discovery
One of the tasks the SCE administrator may find themselves doing is adding systems to SCE for monitoring and management. During the initial installation, there was an option to scan the network to add systems to SCE and to periodically rescan the network for additional systems. If the discovery was done during installation, within a few hours SCE would have a handful of systems showing in the console for management. If you chose not to run the scan during the initial setup, you can easily run it now, and you can also set the option to have SCE periodically scan the network and add systems for ongoing management. On occasion, SCE does not automatically add a system, and those systems need to be added manually. This section covers the process of discovering and adding systems to SCE for management.
Setting SCE to Autodiscover Systems First of all, during the initial configuration, you had the option of having SCE periodically add systems for management. You might or might not have selected the option, but it is easy to do so now. Having SCE periodically scan the network and add systems automatically means that in the future as you add new servers, within a day (usually a lot less), the system is automatically added to SCE, the agent is installed, and system management is started without administrator intervention.
NOTE Some administrators prefer to control when systems are added for management. If you are one of those administrators, you would not want to have SCE periodically scan and add servers. However, the whole goal of SCE is to minimize the administrator's time to do management tasks or even think about management tasks, and the simpler the better. So, you should seriously consider enabling the autodiscovery and autoaddition of systems to SCE for management.
To see the configured settings for periodic scanning and automatic addition of systems to SCE, do the following:
1. Launch the SCE management console.
2. Click the Administration option.
3. Click the Settings container.
4. Scroll down to the Type: Server section.
5. Double-click the Computer Discovery option.
6. To automatically discover new computers added to the network, choose Yes, Automatically Discover and Manage All Computers in My Domain. This runs a scan to find all systems on the network and periodically rescans for new systems that can be added to SCE for management. If you do not choose this option, any time you want to add systems for management you need to scan the network manually using the Computer and Device Management Wizard covered in the next section, "Manually Discovering Computers for Monitoring and Management." You can also choose how frequently the scan runs; the default is every 24 hours at 1:00 a.m. You can have it run every 4 hours if you frequently add or change system configurations. Make your selection on a screen similar to the one shown in Figure 19.13, and then click OK to save your settings.
FIGURE 19.13 Autodiscovery and management of systems.
If you selected Yes, Automatically Discover and Manage All Computers in My Domain, within the next hour or so new systems will start to appear in the Monitoring option under Discovered Inventory, with each system's monitoring state displayed alongside it.
Manually Discovering Computers for Monitoring and Management
If you chose not to have SCE periodically scan and automatically add systems for monitoring and management, you need to periodically scan and add systems manually. To discover systems, do the following:
1. Launch the SCE management console.
2. Click the Administration option.
3. Expand the Device Management container.
4. Right-click the Agent Managed container and choose Discover Computers.
NOTE You might get a notice that the computers you want to discover need to be turned on and that their firewall settings need to allow File Sharing and Remote Administration. Click OK to close the notice, but do make sure those firewall rule groups are enabled on the target systems; a system the wizard cannot reach will not appear in Discovery Results. More details on setting firewall rules manually can be found in the "Troubleshooting Common Problems in SCE" section later in this chapter.
5. Choose Windows Computers and click Next.
6. Choose Automatic Computer Discovery to run a scan of your Active Directory (or choose Advanced Discovery to scan only for servers, only for clients, or for both). Click Next to continue.
7. Choose Use Selected Management Service Action Account, which uses the account set in the SCE management settings (or alternatively enter an administrator logon and password you want to use), and click Discover to continue.
8. In Discovery Results, you will see a list of systems that are in Active Directory, that are on, and that are not currently being managed. Select the systems you want to manage and click Next.
9. After the systems are added, click Finish.
Once you select the systems you want to manage, SCE pushes a monitoring agent to each system and begins monitoring it.
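Before running the wizard, it is worth checking from the SCE server that each intended target is actually reachable on the ports the agent push depends on, so that a missing system in Discovery Results is not misread as "not in Active Directory." The script below is an added example, not part of SCE or the book: the two netsh commands (commented, to be run on each target) enable exactly the two firewall rule groups the wizard's notice names, and the functions test TCP 135 (RPC endpoint mapper) and TCP 445 (SMB) from the SCE server. The computer names are constructed placeholders. RPC also negotiates a dynamic port after the endpoint-mapper handshake, which the Remote Administration rule group opens but this check does not exercise.

```powershell
# Added example, not part of SCE: before running Discover Computers, confirm from the
# SCE server that each target is on and reachable on the ports the agent push needs,
# and enable on the targets the two firewall rule groups the wizard's notice names.
# The computer names are constructed placeholders.

# --- Run ON EACH TARGET (elevated) to satisfy the wizard's firewall requirement: ---
#   netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
#   netsh advfirewall firewall set rule group="Remote Administration" new enable=Yes

# --- Run FROM the SCE server to check reachability before discovery: ---
$targets = @("srv-file01.companyabc.com", "srv-sql01.companyabc.com")      # constructed
$ports = @{ 135 = 'RPC endpoint mapper (Remote Administration)'; 445 = 'SMB (File and Printer Sharing, ADMIN$)' }

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # filtered/dropped
        $client.EndConnect($async)                 # throws if the port actively refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Test-DiscoveryTarget {
    param([string]$ComputerName)
    $row = New-Object PSObject -Property @{ Computer = $ComputerName; Ping = $false; Ready = $false; Blocked = @() }
    # Test-Connection -Quiet is the PowerShell 2.0 ping and returns a plain boolean.
    $row.Ping = [bool](Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction SilentlyContinue)
    foreach ($p in $ports.Keys) {
        if (-not (Test-TcpPort -ComputerName $ComputerName -Port $p)) { $row.Blocked += "$p ($($ports[$p]))" }
    }
    # ICMP can be blocked while the agent ports are open, so Ready follows the ports, not the ping.
    $row.Ready = ($row.Blocked.Count -eq 0)
    return $row
}

$targets | ForEach-Object { Test-DiscoveryTarget $_ } |
    Format-Table Computer, Ping, Ready, @{ Label = "Blocked"; Expression = { $_.Blocked -join ", " } } -AutoSize
```

A target that pings but shows 445 blocked is the classic "firewall notice ignored" case; a target that shows both ports blocked and no ping is usually off, or on a segment the SCE server cannot reach at all.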
NOTE The time it takes to push the agent to the systems and for the monitoring to begin can be minutes but could take several hours before it begins. A rule of thumb is usually "wait a day" to let agents successfully deploy and monitoring statistics report back to the SCE console for all devices. If, after a day, the systems are still not being monitored, see the section "Troubleshooting Common Problems in SCE" later in this chapter.
Manually Discovering Network Devices for Monitoring and Management
The process for discovering and adding network devices (routers, switches, gateways, and the like) that run SNMP is similar to discovering and adding computers. It requires SNMP to be enabled on the devices, because SNMP is the mechanism SCE uses to find and communicate with them. Because SNMP v1 and v2c send the community string in cleartext with every request, give SCE a read-only community that is dedicated to monitoring and, where the device supports it, restrict that community to the SCE server's address. With SNMP enabled on the devices, do the following:
1. Launch the SCE management console.
2. Click the Administration option.
3. Expand the Device Management container.
4. Right-click the Agent Managed container and choose Discover Computers.
5. Choose Network Devices and click Next.
6. Specify the start and end IP addresses of the network segment you want to scan for devices. Specify the SNMP community string that is set on the devices, the version of SNMP your devices are using, and a timeout of 2 minutes.
7. Click Discover to begin the scan.
8. In Discovery Results, you will see a list of devices that were found and are not currently being managed. Select the devices you want to manage and click Next.
9. After the devices are added, click Finish.
Once you select the devices you want to manage, SCE adds them to the Network Devices container in the Monitoring tree. Click the Monitoring option at the lower left of the screen; in the upper-left Monitoring pane, scroll down to Network Devices and click a device to view the details provided by SNMP, as shown in Figure 19.14.

FIGURE 19.14 Monitoring SNMP devices in SCE. (The Network Devices State view shows the device as Healthy, and its SNMP Network Device properties list the name, path name, IP address, device name, device description, device contact, device location, SNMP version, device OID, and community string.)
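The following is an added example, not SCE code and not from the book: a hand-encoded SNMP GET for sysName (OID 1.3.6.1.2.1.1.5.0, the MIB-2 system name), which is the kind of request a discovery scan and an availability check send, written out so that the packet and its trust model are visible. It uses only PowerShell 2.0 and .NET, needs no SNMP module, and handles the failure modes a practitioner actually meets: no answer at all (which is what an availability monitor turns into a state change), a v1 noSuchName error, and the v2c noSuchObject/noSuchInstance exceptions. The device address and community string are constructed placeholders.

```powershell
# Added example, not SCE code: a hand-encoded SNMP GET for sysName (1.3.6.1.2.1.1.5.0),
# the kind of request discovery and availability checks rely on, written out so the
# packet and its trust model are visible. SNMP v1/v2c carry the community string in
# cleartext: use a read-only community dedicated to monitoring and, where the device
# allows it, restrict it to the SCE server's address. Device address and community
# below are constructed placeholders. Needs only PowerShell 2.0 and .NET.

function ConvertTo-BerLength { param([int]$Length)            # short form and 1/2-byte long form
    if ($Length -lt 128) { return @([byte]$Length) }
    if ($Length -lt 256) { return [byte[]](0x81, $Length) }
    return [byte[]](0x82, [math]::Floor($Length / 256), ($Length % 256))
}
function ConvertTo-BerInteger { param([int]$Value)            # non-negative, minimal encoding
    $b = [BitConverter]::GetBytes($Value); [array]::Reverse($b)   # big-endian
    $i = 0; while ($i -lt 3 -and $b[$i] -eq 0 -and $b[$i + 1] -lt 0x80) { $i++ }
    return [byte[]]$b[$i..3]
}
function ConvertTo-BerOid { param([string]$Oid)
    $parts = $Oid.Trim('.').Split('.') | ForEach-Object { [int]$_ }
    $out = New-Object System.Collections.ArrayList
    [void]$out.Add([byte](40 * $parts[0] + $parts[1]))           # first two arcs share one byte
    for ($i = 2; $i -lt $parts.Count; $i++) {                   # base-128, high bit = "more follows"
        $v = $parts[$i]; $enc = @([byte]($v % 128)); $v = [int][math]::Floor($v / 128)
        while ($v -gt 0) { $enc = @([byte](0x80 -bor ($v % 128))) + $enc; $v = [int][math]::Floor($v / 128) }
        $out.AddRange([byte[]]$enc)
    }
    return [byte[]]$out.ToArray()
}
function New-BerTlv { param([byte]$Tag, [byte[]]$Value)
    return [byte[]](@($Tag) + (ConvertTo-BerLength $Value.Length) + $Value)
}
function Read-BerTlv { param([byte[]]$Buf, [ref]$Pos)          # decode one TLV and advance $Pos
    if ($Pos.Value + 2 -gt $Buf.Length) { throw "truncated SNMP response" }
    $tag = $Buf[$Pos.Value]; $len = [int]$Buf[$Pos.Value + 1]; $p = $Pos.Value + 2
    if ($len -ge 0x80) {                                        # long form: 0x8n, then n length bytes
        $n = $len -band 0x7F; $len = 0
        for ($k = 0; $k -lt $n; $k++) { $len = $len * 256 + $Buf[$p + $k] }
        $p += $n
    }
    if ($p + $len -gt $Buf.Length) { throw "truncated SNMP response" }
    $val = @(); if ($len -gt 0) { $val = $Buf[$p..($p + $len - 1)] }
    $Pos.Value = $p + $len
    return New-Object PSObject -Property @{ Tag = $tag; Value = [byte[]]$val; Start = $p }
}
function New-SnmpGetRequest { param([string]$Community, [string]$Oid, [int]$Version, [int]$RequestId)
    # Message { version (0 = v1, 1 = v2c on the wire), community, GetRequest-PDU (0xA0) {
    #   request-id, error-status, error-index, VarBindList { VarBind { OID, NULL } } } }
    $varbind = New-BerTlv 0x30 ((New-BerTlv 0x06 (ConvertTo-BerOid $Oid)) + (New-BerTlv 0x05 @()))
    $pdu = (New-BerTlv 0x02 (ConvertTo-BerInteger $RequestId)) +
           (New-BerTlv 0x02 (ConvertTo-BerInteger 0)) +
           (New-BerTlv 0x02 (ConvertTo-BerInteger 0)) +
           (New-BerTlv 0x30 $varbind)
    $msg = (New-BerTlv 0x02 (ConvertTo-BerInteger $Version)) +
           (New-BerTlv 0x04 ([Text.Encoding]::ASCII.GetBytes($Community))) +
           (New-BerTlv 0xA0 $pdu)
    return New-BerTlv 0x30 $msg
}
function Get-SnmpSysName { param([string]$Device, [string]$Community = "public", [int]$Version = 1, [int]$TimeoutMs = 2000)
    $rid = Get-Random -Minimum 1 -Maximum 0x7FFFFFFF
    $packet = [byte[]](New-SnmpGetRequest -Community $Community -Oid "1.3.6.1.2.1.1.5.0" -Version $Version -RequestId $rid)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Device, 161)
        [void]$udp.Send($packet, $packet.Length)
        $from = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
        $resp = [byte[]]$udp.Receive([ref]$from)
    } catch [System.Net.Sockets.SocketException] {
        # No answer is what an availability monitor reacts to: device down, SNMP service
        # stopped, UDP/161 filtered, or a wrong community (v1/v2c agents drop those silently).
        return "NO RESPONSE from $Device ($($_.Exception.Message))"
    } finally { $udp.Close() }

    $pos = 0
    $pos = (Read-BerTlv $resp ([ref]$pos)).Start                # step into the message SEQUENCE
    [void](Read-BerTlv $resp ([ref]$pos))                       # version
    [void](Read-BerTlv $resp ([ref]$pos))                       # community, echoed back in cleartext
    $pduTlv = Read-BerTlv $resp ([ref]$pos)
    if ($pduTlv.Tag -ne 0xA2) { return ("unexpected PDU type 0x{0:X2}" -f $pduTlv.Tag) }
    $pos = $pduTlv.Start
    [void](Read-BerTlv $resp ([ref]$pos))                       # request-id
    $errTlv = Read-BerTlv $resp ([ref]$pos)
    [void](Read-BerTlv $resp ([ref]$pos))                       # error-index
    if ($errTlv.Value[-1] -ne 0) { return "SNMP error-status $($errTlv.Value[-1]) (a v1 agent answers noSuchName=2 for a missing OID)" }
    $pos = (Read-BerTlv $resp ([ref]$pos)).Start                # VarBindList
    $pos = (Read-BerTlv $resp ([ref]$pos)).Start                # first VarBind
    [void](Read-BerTlv $resp ([ref]$pos))                       # the OID we asked for
    $val = Read-BerTlv $resp ([ref]$pos)
    switch ([int]$val.Tag) {
        0x04    { return [Text.Encoding]::ASCII.GetString($val.Value) }   # OCTET STRING: sysName
        0x80    { return "noSuchObject" }                                 # v2c exceptions
        0x81    { return "noSuchInstance" }
        0x82    { return "endOfMibView" }
        default { return ("unexpected value type 0x{0:X2}" -f $val.Tag) }
    }
}

Get-SnmpSysName -Device "10.0.0.100" -Community "public" -Version 1     # constructed target
```

Two things the packet makes obvious: the community string travels as a plain OCTET STRING and is echoed back in the reply, so anyone on the path can read it; and a device with a wrong community returns nothing rather than an error, which is indistinguishable from a device that is off. When a discovery scan finds nothing, try this against one known-good device first to separate "wrong community" from "UDP/161 filtered."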
Checking the Monitored Status of a Server and Application
Monitoring servers and applications is one of the key features of SCE. It helps an administrator know the status of systems before a system fails. SCE collects event information from servers, prioritizes it, and displays it in the SCE console for the administrator to review and address. The first time an administrator enables SCE and looks at all of the events, it can be overwhelming. If you haven't monitored or managed your event logs in the past, remember that there could be weeks, months, or years of "issues" on your servers to deal with. It might take you a few hours to clear the event queue; if you spend a little time every day, you can clear up all of the events. The errors took a long time to accumulate and they don't have to go away overnight, so plan the cleanup. Just as the first time you ran Windows Update on a laptop or desktop it found 40+ updates to apply and took a couple of hours, it's the same on the servers: there are updates for applications like SharePoint and Exchange that do not install automatically through Windows Update, and SCE will identify them and suggest installing them. The whole idea of proactive maintenance is to clean up the events so that in the future, when events show up, you have only one or two to deal with. These events are telling you something is wrong. Many times, the server needs a hotfix or patch that is known to fix the problem. Many times, a security setting needs to be updated. Other times, a service needs to be disabled. SCE tells you what needs to be done, so working through the events is really just following an instruction list. Remember, a big reason systems fail is that a patch, update, security hole, or other item wasn't set up, maintained, or managed properly. SCE helps fix known problems, and once the events are clean, the system is truly running the way it's supposed to run. This section walks you through understanding the alerts and how to address them.
Understanding Alerts in SCE
Alerts in SCE are raised by the rules and monitors in the management packs, most commonly from event log errors, and are brought into the SCE console and displayed in a single view. SCE makes it easy to see all of the events and errors on all of the systems it is managing. To see the events, do the following:
1. Launch the SCE management console.
2. Click the Monitoring option.
3. Click the Active Alerts container.
This container lists all of the critical alerts and warnings from all of your managed servers in the middle pane of the console. The events in the Critical list are of most interest. When you double-click any of the events, the alert property page, shown in Figure 19.15, displays more information about the event. Under the Alert Description, you get information about the event. When you click the Product Knowledge tab, SCE shows information from Microsoft TechNet that provides a summary of the problem, what Microsoft knows to be the cause, and the recommended resolution.
Resolving Critical Events on a Server To resolve critical events, the best process is to follow the resolutions recommended by SCE on the Product Knowledge page, as shown in Figure 19.16.
FIGURE 19.15 Alert property page in SCE. (The General tab shows the alert source, severity, priority, age, repeat count, owner, ticket ID, alert description, and alert status; the other tabs are Product Knowledge, Company Knowledge, History, Alert Context, and Custom Fields.)
The Product Knowledge tab for the alert in this example (the Windows Update agent's configuration on a managed computer) reads as follows:

Summary: This computer is not configured to use the Essentials update server. This is preventing this computer from submitting inventory or obtaining software and updates from the Essentials server.

Causes: If Essentials is configured to use domain policy, the affected computer may not have been added to the SCE Managed Computers security group, or it may be experiencing issues applying the SCE Managed Computers group policy. If Essentials is configured to use local or domain policy and an existing policy object configures Windows Update settings, that policy's settings could be overriding the Essentials server's attempt to configure these settings.

Resolutions: Restart the computer to force it to acquire the membership token for the SCE Managed Computers security group and apply the SCE Managed Computers group policy. If restarting the computer does not resolve the issue, review %windir%\WindowsUpdate.log on the affected computer to determine whether it is attempting to contact the Essentials server. If there are existing group policies in Active Directory that configure the Windows Update settings, modify or remove those settings to allow the Essentials settings to take effect.

FIGURE 19.16 Product knowledge cause and resolution recommendations by SCE.
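The resolution above names three things to verify on the affected computer: its membership in the SCE Managed Computers group, whether a competing Windows Update policy is in effect, and whether the Windows Update agent is actually talking to the Essentials server. The script below is an added example, not SCE's own knowledge or tooling, that checks all three in one pass when run in an elevated prompt on the affected computer. The group name and the log path are the ones the product knowledge gives; the registry values are the standard WSUS client policy keys (WUServer, WUStatusServer, and AU\UseWUServer), and the "WSUS server:" line is what the Windows Update agent writes to its log on Windows 7 and Windows Server 2008 R2.

```powershell
# Added example, not SCE's own knowledge or scripts: run ON the affected computer (in an
# elevated prompt) to check the three things the product knowledge points at: the
# computer's membership in the SCE Managed Computers group, the Windows Update policy
# actually in effect, and whether the Windows Update agent is contacting the Essentials
# server. Group name and log path come from the product knowledge; the registry keys
# are the standard WSUS client policy keys.

$expectedGroup = "SCE Managed Computers"
$wuPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$wuAu     = Join-Path $wuPolicy "AU"

function Get-EssentialsClientState {
    $state = New-Object PSObject -Property @{
        InManagedGroup = $false; WUServer = $null; WUStatusServer = $null
        UseWUServer = $null; LastWUServerLine = $null
    }
    # 1. Membership as held by the computer's own token (the "membership token" in the
    #    resolution): gpresult /scope computer lists the computer's security groups.
    $gp = gpresult /r /scope computer 2>&1
    $state.InManagedGroup = [bool]($gp | Select-String -SimpleMatch $expectedGroup)

    # 2. The WSUS client policy values Essentials sets. If an AD GPO also sets them,
    #    the GPO wins and a different server (or no server) shows up here.
    if (Test-Path $wuPolicy) {
        $p = Get-ItemProperty -Path $wuPolicy
        $state.WUServer = $p.WUServer
        $state.WUStatusServer = $p.WUStatusServer
    }
    if (Test-Path $wuAu) { $state.UseWUServer = (Get-ItemProperty -Path $wuAu).UseWUServer }

    # 3. The agent's own log, which records the server it is actually using.
    $log = Join-Path $env:windir "WindowsUpdate.log"
    if (Test-Path $log) {
        $hit = Select-String -Path $log -Pattern "WSUS server:" | Select-Object -Last 1
        if ($hit) { $state.LastWUServerLine = $hit.Line.Trim() }
    }
    return $state
}

$s = Get-EssentialsClientState
$s | Format-List InManagedGroup, WUServer, WUStatusServer, UseWUServer, LastWUServerLine

if (-not $s.InManagedGroup) {
    "Computer token lacks '$expectedGroup': restart so the computer logs on with a fresh token, then re-check."
}
if ($s.UseWUServer -ne 1 -or -not $s.WUServer) {
    "Windows Update is not pointed at a WSUS/Essentials server here; look for an overriding GPO in the gpresult output."
}
```

If the group shows as present and the policy values point at the Essentials server but the log's last "WSUS server:" line names something else (or is absent), the agent has not yet detected the new policy; the reboot in the resolution also covers that case.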
The resolution noted by SCE can include starting or stopping a service, adding a hotfix or patch, turning a service on or off, or simply rebooting a server. The resolution information in SCE is generally helpful in making progress toward resolving the problem. The key thing to remember is that the events and the recommended fix apply to the target server, which might be your Exchange server or a remote file server. It is easy to get confused sitting at the SCE server, applying the patch and rebooting the SCE server, only to remember that the recommendation was for a target server somewhere else on your network. Check the alert source to identify which server the fix applies to.
IMPORTANT As with performing any updates, maintenance, reboots, or support on systems, make sure you have a good, clean backup of the system. If a system has not been maintained or updated in a long time, the system should be rebooted before any update is done to the system. A reboot ensures that any previous patches or updates actually (finally) get applied and the system can settle down from those updates. Adding updates on top of updates that haven't been applied can cause trouble on systems. Work methodically in applying fixes to systems, which usually means a few reboots to ensure all services come up and the system is in basic working order before applying additional fixes.
Once you resolve an alert, you can close it by right-clicking the alert and choosing Close Alert. SCE does not automatically close or delete every alert after you follow the resolution instructions. Remember that alerts are timestamped and sequential, so an alert is a notification about a condition observed at some time in the past. Applying an update, stopping or starting a service, or rebooting the system as the resolution recommended doesn't go back into the logs and delete the event. So it can be a trial-and-error process: run through the recommendations and then close the historical alert. If what you tried did not solve the problem, a new alert will appear in the next few hours or days, and then you try something else.
NOTE Alerts raised by monitors close themselves once the monitor detects that the problem has been resolved. Alerts raised by rules do not automatically clear; after your fix takes effect, they need to be closed manually to get them off your screen.
Addressing Warning Events on a Server
Although the preceding section covered resolving critical events on a server, SCE also logs warning events. Warning events typically require attention, but not immediately. A warning event is something like a server running low on disk space, although not yet to the critical level that would generate a critical event. Or a warning might note that a process such as pushing a software update to a system did not occur on schedule, possibly because the server was temporarily offline or busy. If you look at a warning event and remember that the Internet connection was down for a couple of hours and the warning concerns a download that did not occur during that window, you can simply close the warning, knowing why it happened. Typically, warning events become critical events when a trigger of urgency occurs; therefore, if a warning is expected, close it. If a warning isn't expected but doesn't sound critical, you can close it unless it repeats; if it turns into a critical event, you need to address the problem.
Checking the Health of a Server
Although Active Alerts gives you a list of error events across all servers, you can also look at a specific server and identify the health and status of events on that server. If a server is healthy with no critical events, the Health Explorer shows the server as healthy. If a server has critical events, you can drill down into the server and find the specific error events that need to be fixed to bring it back to a healthy state. Administrators frequently find the Health Explorer an easier way to triage and solve problems, working system by system. The health history is also helpful for knowing over time whether a server is frequently unhealthy, because each transition from healthy to warning and back is logged. When you get a budget to purchase new hardware, you can look at the health history to see which server might be due for a hardware refresh. To view the overall health of the servers on the network, do the following:
1. Launch the SCE management console.
2. Click the Monitoring option.
3. Click the Discovered Inventory container. You will see the names of your servers and their state, whether each is deemed Healthy or is flagged with a Warning.
4. Click any of the servers and then choose Health Explorer in the Tasks pane on the right.
When a system has warnings, the Health Explorer shows the status of each monitor on the server; clicking one of the error events, as shown in Figure 19.17, provides the same TechNet-style Summary, Causes, and Resolutions for the event on that server. Perform the tasks outlined in the Resolutions section to address the problem. After you perform the task on the remote server, while still in the Health Explorer, you can right-click and refresh the screen to see that the health status changes for the cleared-up event.
946
CHAPTER 19
Using System Center Essentials for Midsized Organizations
FIGURE 19.17 Health Explorer system view. (Screenshot of the Health Explorer for SCE2010.companyabc.com with the Windows Update Agent Configuration monitor selected; its Summary states that the computer is not configured to use the Essentials update server, its Causes point to the computer not having been added to the SCE Managed Computers security group or to another local or domain policy overriding the Essentials Windows Update settings, and its Resolutions are to restart the computer, review %windir%\WindowsUpdate.log on the affected computer, and modify or remove conflicting Windows Update group policies.)
Putting a Server in Maintenance Mode
Because SCE tracks the up-and-down status of servers and systems, when performing maintenance on a server, it is best to go into SCE and flag the server as being in Maintenance mode. Maintenance mode suppresses the monitoring of the server so that the system can be patched, updated, rebooted, or maintained without all of the events reporting back to SCE as errors. To put a system into Maintenance mode, do the following:
1. Launch the SCE management console.
2. Click the Monitoring option.
3. Click the Discovered Inventory container.
4. Click to select the server that will have service performed on the system.
5. Click Start Maintenance Mode in the Tasks pane on the right.
When you choose to start Maintenance mode, a Maintenance Mode Settings screen allows you to choose whether you want to put the selected object in Maintenance mode or if you want to put the selected object and all of its contained objects in Maintenance mode. Choose the latter, Selected Objects and All Their Contained Objects, which not only stops the monitoring of the Windows server, but also, if the system has Exchange running on it, stops monitoring Exchange too. You are also given the option to specify whether the maintenance is planned or not; this goes into the reporting process so that if you are tracking service levels of systems, you can track how often your systems have planned maintenance. You can also choose a duration that you plan to have the system in Maintenance mode. Make your settings and choose OK to set your selection.
NOTE Even if you set the duration for the system to be in Maintenance mode, the system does not automatically switch back out of Maintenance mode after that period of time. You must manually take a system out of Maintenance mode by selecting the system and choosing Stop Maintenance Mode in the Tasks pane. The duration is merely a tracking mechanism that a planned maintenance has been issued for an intended period of time.
Using Remote Assist and Remote Desktop
SCE has the ability to remotely access a server or workstation so that if a user is having problems, the administrator can provide assistance. Likewise, if a server needs to be accessed and managed, the Remote Assist function can be used to access the remote system console. For Remote Assist/Remote Desktop to work, the remote system needs to be configured to provide remote access capabilities.
NOTE Remote assistance is called different things for different operating systems. For servers, the use of the Remote Desktop Service (RDS), formerly known as Terminal Services, is the common method of remotely accessing a server console. For workstations, the same underlying technology is used but is commonly called Remote Assist. Being a workstation connection, Remote Assist has added controls that prompt the remote user on the workstation whether they will allow an administrator to access their system, whereas the server-based Remote Desktop just allows the administrator direct access to the system. SCE shows both Remote Assist and Remote Desktop on the console tasks options, and an SCE administrator can choose either one and will find that if Remote Assist errors, he can try Remote Desktop to remotely access a remote system.
Configuring a System to Be Remotely Managed
Configuring a system to be remotely managed varies based on the remote system operating system. The processes for configuring Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 are addressed in the following section, along with configuring Remote Assist via Active Directory Group Policy.
Configuring Windows XP for Remote Assist Access
To configure Windows XP to enable Remote Assist, do the following:
1. Click Start, Settings, Control Panel, System.
2. Click the Remote tab.
3. Click to select the Enable Remote Desktop on This Computer check box.
4. Click OK.
Configuring Windows Vista for Remote Assist Access
To configure Windows Vista to enable Remote Assist, do the following:
1. Click Start, Control Panel, System.
2. Click the Remote Settings option on the left side of the screen.
3. Click to select the Allow Remote Assistance Connections to This Computer option. You can also choose to set Allow Connections from Computers Running any Version of Remote Desktop (Less Secure) under Remote Desktop.
4. Click OK.
Configuring Windows 7 for Remote Assist Access
To configure Windows 7 to enable Remote Assist, do the following:
1. Click Start, Control Panel, System and Security.
2. Click System.
3. Click the Remote Settings option on the left side of the screen.
4. Click to select the Allow Remote Assistance Connections to This Computer option. You can also choose to set Allow Connections from Computers Running any Version of Remote Desktop (Less Secure) under Remote Desktop.
5. Click OK.
Configuring Windows Server 2003 for Remote Desktop Access
To configure Windows Server 2003 to enable Remote Desktop access, do the following:
1. Click Start, Settings, Control Panel, System.
2. Click the Remote tab.
3. Click to select the Enable Remote Desktop on This Computer check box.
4. Click OK.
Configuring Windows Server 2008 for Remote Desktop Access
To configure Windows Server 2008 to enable Remote Desktop access, do the following:
1. Click Start, Control Panel, System.
2. Click the Remote Settings option on the left side of the screen.
3. Click to select the Allow Connections from Computers Running any Version of Remote Desktop (Less Secure) option.
4. Click OK.
Configuring Windows Server 2008 R2 for Remote Desktop Access
To configure Windows Server 2008 R2 to enable Remote Desktop access, do the following:
1. Click Start, Control Panel, System.
2. Click the Remote Settings option on the left side of the screen.
3. Click to select the Allow Connections from Computers Running any Version of Remote Desktop (Less Secure) option.
4. Click OK.
Configuring Remote Assist Via Active Directory Group Policy
To configure Remote Assist using an Active Directory group policy, do the following:
1. On a server system that has the Group Policy Management Console software on it, run Group Policy Management.
2. Expand the forest and the domain.
3. Right-click the Group Policy Objects node to create a new group policy.
4. Right-click the newly created group policy and edit it.
5. Under the Computer Configuration node, Policy section, double-click Administrative Templates to expand the templates section.
6. Double-click System.
7. Double-click Remote Assistance.
8. Double-click Offer Remote Assistance and select Enabled, as shown in Figure 19.18.
9. Exit from the Group Policy Management Editor and console.
FIGURE 19.18 Enabling Remote Assist via Active Directory group policy. (Screenshot of the Offer Remote Assistance policy dialog set to Enabled, with Permit remote control of this computer set to Allow helpers to remotely control the computer; supported on at least Microsoft Windows XP Professional.)
NOTE The preferred method is to create an Active Directory group policy to set the Remote Assist/Remote Desktop settings for all systems in the domain so that you do not have to set the configurations manually for each system individually.
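The following is an added example, not from the book, of auditing from the SCE server the settings the preceding procedures toggle, so that a machine that was set up by hand (or that a conflicting policy has changed) can be spotted. It reads the registry values behind the Remote tab: fDenyTSConnections (0 when connections are allowed) and UserAuthentication under the RDP-Tcp listener, which the "Allow Connections from Computers Running any Version of Remote Desktop (Less Secure)" option clears because that option switches off Network Level Authentication; and the fAllowUnsolicited value that the Offer Remote Assistance policy writes. It assumes PowerShell remoting is enabled on the targets and that the caller is a local administrator there; the computer names are constructed.

```powershell
# Added example (not part of the book): audit Remote Desktop / Remote Assistance
# settings on a list of managed computers and flag the "(Less Secure)" choice.
# Assumes PowerShell remoting (WinRM) is enabled on the targets and that the
# caller is a local administrator on them. Computer names are constructed.

$computers = @('SCE2010', 'FS01', 'WKS-017')   # constructed sample names

$audit = {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = Join-Path $ts 'WinStations\RDP-Tcp'
    $ra  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # fDenyTSConnections = 0 means "Allow connections" is selected on the Remote tab.
    $deny  = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required;
    # the "any version of Remote Desktop (Less Secure)" option sets it to 0.
    $nla   = (Get-ItemProperty -Path $rdp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # fAllowUnsolicited = 1 is written by the "Offer Remote Assistance" policy.
    $offer = (Get-ItemProperty -Path $ra -Name fAllowUnsolicited -ErrorAction SilentlyContinue).fAllowUnsolicited

    if ($deny -ne 0)       { $finding = 'RDP disabled' }
    elseif ($nla -ne 1)    { $finding = 'RDP allowed without NLA (Less Secure option)' }
    else                   { $finding = 'OK' }

    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        RdpEnabled      = ($deny -eq 0)
        NlaRequired     = ($nla -eq 1)
        OfferRaByPolicy = ($offer -eq 1)
        Finding         = $finding
    }
}

# Run the audit on every target and show one row per computer.
Invoke-Command -ComputerName $computers -ScriptBlock $audit |
    Select-Object Computer, RdpEnabled, NlaRequired, OfferRaByPolicy, Finding |
    Format-Table -AutoSize
```

A row showing RdpEnabled true and NlaRequired false is a machine where the "(Less Secure)" option was chosen; a row where OfferRaByPolicy is false on a domain member indicates the group policy from the previous section has not applied there yet.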
Remotely Managing a System
With the workstations and servers on the network set for remote assistance, the SCE administrator can now access a system remotely to either support a remote user or to take control of a system to perform administrative tasks. The experience is slightly different when using Remote Desktop versus Remote Assist, as noted previously. Remote Desktop is typically used on servers where there is no "user" on the other end of the session, so as long as the administrator has rights to the system, a remote desktop session will establish a connection. Remote Assist, on the other hand, is intended to be interactive with a user sitting at their system, and as such, a Remote Assist request will prompt the user to approve the administrator taking control of their system (and potentially seeing private information on the system).
Accessing a System Using Remote Desktop
To access a system using Remote Desktop, do the following:
1. Launch and run the SCE management console.
2. Click the Monitoring option.
3. Click the Discovered Inventory container.
4. Click the name of the system you want to remotely access.
5. In the Tasks pane, scroll down to the Windows Computer Tasks section and click Remote Desktop.
6. When prompted, enter a valid logon and password to the system (if you want to make sure you log on as a domain user, make sure to enter a domain name with the logon). You gain control of the system.
7. To exit the system, either log out of the remote session or click the X on the RDP client software to close the connection but keep the session running.
NOTE In step 5, you have three different Remote Desktop options. One option is Remote Desktop, which allows the SCE administrator to enter a logon or password to log on to the remote session. The Remote Desktop (Admin) uses a RunAs account and passes the administrator logon and password credentials for remote access if the SCE administrator potentially does not have access rights to remote servers. The RunAs account is pulled from the Administrator section of the SCE management console. The Remote Desktop (Console) should be used when someone is sitting at the remote server and needs assistance. Rather than establishing a new session for access to the server, the administrator takes control of an existing session also open on the remote system.
Accessing a System Using Remote Assist
To access a system using Remote Assist, do the following:
1. Launch and run the SCE management console.
2. Click the Monitoring option.
3. Click the Discovered Inventory container.
4. Click the name of the system you want to remotely access.
5. In the Tasks pane, scroll down to the Windows Computer Tasks section and click Remote Assistance.
6. The remote user gets a pop-up telling them that a person is initiating a Remote Assistance request. If the user clicks to accept the assistance, the SCE administrator will have access to the remote user's session.
7. To exit the remote session connection, click the X to exit the session.
NOTE For Windows Server 2008 R2 systems, before you can use the Remote Assist feature, you need to install Remote Assist on the system. Remote Assist is found in the Server Manager tool under Features.
Using Essentials for Patching and Updating Systems
SCE can be used to actively patch and update systems (both servers and workstations) throughout the enterprise. Many organizations use the free Windows Server Update Services (WSUS) for patching and updating, and, in fact, SCE leverages WSUS. The difference between SCE's use of WSUS and using WSUS natively is the control that the SCE administrator has in enforcing patches and updates. With WSUS, the WSUS administrator centralizes patches and updates and sets a policy that the remote system will download and install patches and updates. So if the WSUS administrator notes to have updates installed within five days of release, the update is downloaded by the remote system and applied. However, with WSUS, nothing forces the system to download the update, and nothing ensures that the remote system actually has the update installed and that a proper reboot is performed (if necessary) to have the update applied.
NOTE Many updates require a reboot for the update to apply, so for users who ignore the pop-up that tells them to restart their system and always put their computer to sleep or in hibernate and never reboot their system, the patch or update is installed, but not applied or active, and, thus, the patch or update is actually not enabled and working.
SCE uses the WSUS technology to have patches and updates downloaded to the organization's network and uses the WSUS technology to get the updates to the remote systems, but the big difference with SCE managing the updates is that an SCE policy can be enforced. When an SCE policy notes that a patch or update should be downloaded and installed within five days, SCE can begin sending the patch or update to the system, apply the update on the fifth day, and force a reboot on the remote system. The user gets a warning that a reboot will occur in a given amount of time; however, once that time is up, the system will be rebooted. The SCE agent has the ability to control the system for reboots, and as such, the user cannot override the forced reboot.
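The gap the last two paragraphs describe, an update that is installed but not active because the reboot never happened, is something an administrator can verify independently of the console. The following added example, not from the book, checks from the SCE server whether a given update is registered as installed on each managed computer and whether that computer still has a reboot outstanding. It uses Get-HotFix (which reads Win32_QuickFixEngineering) and the two registry keys that exist only while a reboot is pending. It assumes PowerShell remoting is enabled on the targets; the KB number and computer names are placeholders.

```powershell
# Added example (not part of the book): confirm that an update SCE (or WSUS)
# sent out is actually installed, and whether the machine still needs a reboot
# before it takes effect. Assumes PowerShell remoting is enabled on the targets.
# The KB number and the computer names are constructed placeholders.

$kb        = 'KB0000000'              # placeholder: article number of the update to verify
$computers = @('FS01', 'WKS-017')     # constructed sample names

$check = {
    param($Kb)

    # Get-HotFix lists updates registered with the OS (Win32_QuickFixEngineering).
    $installed = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)

    # Either key is present only while a reboot is outstanding.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $rebootPending = (Test-Path $cbs) -or (Test-Path $wu)

    if (-not $installed)      { $state = 'NOT INSTALLED' }
    elseif ($rebootPending)   { $state = 'installed, reboot pending (not yet active)' }
    else                      { $state = 'installed and active' }

    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        Update        = $Kb
        Installed     = $installed
        RebootPending = $rebootPending
        State         = $state
    }
}

Invoke-Command -ComputerName $computers -ScriptBlock $check -ArgumentList $kb |
    Select-Object Computer, Update, Installed, RebootPending, State |
    Format-Table -AutoSize
```

Machines reporting "installed, reboot pending" are exactly the case the NOTE above warns about: the patch is on disk but not yet protecting the system, and the SCE forced reboot (or a manual one) is what closes that window.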
Configuring Update Management Settings
Update management settings were initially configured during the initial setup wizard when SCE was installed. Some of the settings included the name of the proxy server (if one exists) through which the SCE server reaches the Internet; the language set, applications, and operating systems that are supported and should be downloaded; and the auto-approval process, where patches and updates will automatically be approved and applied to systems. If you don't remember what you selected at the time of installation, or you want to change the default settings for update management, simply go into the Settings option to make changes by doing the following:
1. Launch the SCE management console.
2. Click the Administration option.
3. Click the Settings container.
4. Scroll down to the Type: Update Management section to see a screen similar to Figure 19.19.
5. View, modify, or change the settings as desired.
FIGURE 19.19 The Update Management section of the Administration settings. (Screenshot of the Administration view, Settings container, with the Type: Update Management section listing Proxy Server, Products and Classifications, Update Files and Languages, Synchronization Schedule, Auto-Approvals, and Maintenance.)
Under the Update Management Settings, you can change Proxy Server, Products and Classifications, Update Files and Languages, set a Synchronization Schedule, choose to have Auto-Approvals, or perform maintenance, all from the Settings section. More specifically:
• Proxy Server—If you have a proxy server in your environment, enter the name of the proxy server. If you are unsure, choose No. If you have a proxy, enter the Web URL for the proxy, and the port used for proxies, typically port 8080. If your proxy requires you to enter a logon and password, enter that information for credentials to access the Internet through the proxy. If you can just sit at the server, launch a browser, and access the Internet without having to configure anything special or enter a logon or password to access the Internet, you do not have a proxy and can simply choose No.
• Products and Classifications—In this section, you can choose which products you want to download and have patches and updates available for. By default, the option is Automatically, which grabs all of the products it has found in your network, such as Windows Server 2003, Windows Server 2008, Exchange Server 2007, Hyper-V, and the like. You can manually pick and choose products for which SCE downloads updates, but keep it set to automatic because SCE then gets the patches and updates specific to the servers and applications in your environment.
• Update Files and Languages—SCE downloads the patches and updates for all applications where the patches and updates are approved. This is the default behavior and ensures that the files needed are available on SCE.
• Synchronization Schedule—SCE synchronizes updates with Microsoft on a regular basis; by default it does so once a day. You can choose to have it update more frequently.
• Auto-Approvals—This is an important setting because it allows SCE to automatically download and send out updates to client systems and servers. Auto-approving critical and security updates minimizes the administrator's time and effort to manually choose updates to push to systems. The choice for auto-updates can be made for client systems, server systems, or both.
NOTE Automatically approving and forcing the installation on client systems ensures that workstations are up to date on patches and updates without having the administrator do anything. Some administrators might choose to have updates on servers not automatically approved nor forced, providing the administrator the opportunity to choose patches and updates to be applied. The key to this choice is if all you do is just approve updates today, or apply service packs and updates when they are available, then you might as well choose to have SCE automatically update your systems. However, if you methodically check the Internet to look for known problems, check to see if a patch or update is "safe" to apply to a system, and do a lot of due diligence to ensure the safety of updates before applying them, you don't want to have updates auto-approved and force installed.
• Maintenance—You can have SCE perform periodic maintenance on the database that SCE uses. By default, the maintenance is turned off; however, running the maintenance every month ensures that SCE continues to operate as you plan and expect.
Viewing Updates
Once the settings are configured the way you want them for updates, you can view updates available for the systems you are managing. By clicking the Updates option at the lower left of the SCE management console and then clicking All Updates, you can see all of the updates downloaded from Microsoft for the applications that either SCE identified in your environment (if you selected automatic downloads) or that you manually selected for SCE to download for you.
NOTE Updates can take a while to download, so after installing SCE, wait at least a day before you expect to see all of the updates available for the systems and applications in your environment.
Approving and Declining Updates
If you selected to auto-approve updates, you don't have to do anything; SCE automatically pushes out updates to your systems. If you chose to have SCE automatically push out updates but there is a specific update you do not want SCE to send out, you can simply right-click the update and select Decline Update, as shown in Figure 19.20, and the update will not be pushed out.
FIGURE 19.20 Declining an update to be pushed to systems. (Screenshot of the All Updates view with the right-click menu on a security update showing Decline Update, Set Deadline, Add and Remove Approvals, Uninstall, and Properties.)
Likewise, if there are updates that are not approved sitting in the queue (typically service packs are not auto-approved) and you want to approve the update, do the following:
1. Highlight the update.
2. Right-click the update and choose Add or Remove Approvals.
3. Select whether you want the update to go out to all servers, all clients, or all systems (which includes both clients and servers).
4. Click OK to approve the update to be downloaded and applied.
Selectively Approving and Declining Updates
By default, SCE bulks all clients together in one group, bulks all servers into another group, and has a third group that includes both clients and servers. But say, for example, you want to patch and update a subset of systems separately from just clients or servers, possibly a group called "Exchange Front-end Servers" or a group called "SharePoint Database Servers." In that case, you can create new groups, place servers and/or workstations in this new group, and then apply a new update policy specific to that group. To create a new group to set new or different update policies, do the following:
1. In the Updates option, click All Updates.
2. Click Add or Remove Approvals in the Tasks pane.
3. Click Create New Group.
4. Type in the name of the new group you want to create, such as Exchange Servers, select the servers that will be a part of this new group, and click Create to create the group.
5. Click OK.
You can now pick and choose which updates you want to apply to this group so that your patch and update policy will be unique for this group of systems.
Uninstalling an Update
Suppose you find an update has been applied on systems, you are having problems with the systems, and you want to uninstall the update. If SCE installed the update, SCE will uninstall the update for you. To have SCE uninstall an update, do the following:
1. In the Updates option, click All Updates.
2. Click and highlight the update you want to uninstall and click Uninstall in the Tasks pane.
NOTE If the Uninstall task option is not available, the update has not been installed by SCE and, thus, SCE will be unable to automatically uninstall the update from the systems.
3. Select the group from which you want to uninstall the update (by default, you can choose to uninstall the update from client systems, server systems, or all Windows systems).
4. Click OK to have the update uninstalled from the systems specified.
Setting Deadlines on Updates
During the middle of the day, you might find security experts advising you to push out a patch or update in the next few days due to the threat that a security attack might break out. Rather than waiting for your normal update policy to kick in, you can set a deadline on an update. The deadline forces the update out and forces the update to be applied; if that requires a reboot, a reboot will occur. To set a deadline on an update, do the following:
1. In the Updates option, click All Updates.
2. Click and highlight the update you want to put a deadline on and click Set Deadline in the Tasks pane.
3. Click the group for which you want the deadline set.
4. Click Set a Deadline for This Group.
5. Enter the date and time you want the update to occur by.
6. Click OK.
NOTE As much as the "deadline" concept should apply the update before the deadline date, obviously if you set the deadline to occur in 1 minute and you have 250 systems, it won't apply to all 250 systems in 1 minute. In fact, the deadline process sets the target date and time and the push and update happens immediately, but it can take upward of a day for the request to get to all systems. Remember, systems have to be on, the update has to be downloaded, and then the update will be applied. A recommendation is to try the "deadline" process on a small update before you really need to have a deadline occur, and determine the actual experience in your environment, given the LAN and WAN speed of your network, of how long it'll take for the update to apply to systems throughout your enterprise.
Creating Packages to Push Out New Software
SCE has the ability to push out software to systems, not just patches and updates, but actual software programs, both Microsoft and non-Microsoft packages. SCE leverages packaging technologies like the Microsoft Installer (MSI) or EXE installers for applications. Common deployment packages include things like Adobe Acrobat, Firefox, or even something like a patch or update for a non-Microsoft product.
Creating a New Package to Push
Creating a package starts with having a package installer available. Many applications come as a single MSI installer package or EXE package that can be launched and run on a system. If a product requires an entire DVD of software to install and the setup program is just one of many files, the software program will need to be packaged first. It is out of the scope of this chapter to cover how to take a program and make an MSI package. A number of resources on the Internet show how to create an MSI package from setup programs. Search the Internet for something like "how to create an MSI package" to find some options. Assuming you already have an MSI or EXE package available, do the following:
1. Click the Software option in the SCE management console.
2. Right-click the Software Packages container in the upper-left pane of the console screen and choose New Package.
3. When prompted for the Package Setup File, click Browse, select the MSI or EXE file that you want to install, and then click Next.
4. For the Package Name, enter a name that describes the package, such as FireFox 3.0 for Windows or Adobe Acrobat 9. Enter a better description in the Package Description field and click Next.
5. If the package is an EXE, choose which systems you want the package to install on. If this is a client-based package, choose Yes, Only Offer This Package to the Following Types of Systems and then pick only the client operating systems. Also, if this is a 64-bit application, make sure to choose just x64 architecture. Click Next to continue.
6. If the package is an EXE and it has return codes for successful completion of various tasks, enter the codes and values; otherwise, just click Next.
7. If the package requires parameters to be entered, such as switch commands, enter them in the Specify Installation Parameters option. If there are no special switches, click No and then click Next.
8. A summary will be shown similar to the one shown in Figure 19.21; click Finish to build the package. Then click Finish again to have deployment options shown for which systems you want to now deploy this package.
FIGURE 19.21 Creating a software package for deployment. (Screenshot of the New Software Package Wizard's Ready to Create Package page, summarizing the package name, setup filename, application type (EXE), and size.)
9. On the Add and Remove Approvals page, choose the groups you want this package deployed to (client systems, server systems, or a custom group you might have created in the "Selectively Approving and Declining Updates" section). Click OK to advance the deployment process.
10. Click Close when prompted.
Adding Approvals for Systems to Push a Package To
At any point, you can choose which systems to deploy a package to, so even if you created the package in the previous section but didn't choose to push the package out to any particular group of servers or workstations, you can add or remove approvals for the package. To select a package for approval, or to remove a package from approval for installation, do the following:
1. In the Software option, All Software Packages container, click a software package you want to manage.
2. Click Add and Remove Approvals.
3. Select the group (or deselect the group if removing a group from the approval process).
NOTE When you select a group to push an application out to, you have the ability to push the package out by default, or merely put the package in the user's Add/Remove Programs list so that the user can choose to pull down and install the package rather than having the package actually pushed to their system. To set the application to just show up in the user's Add/Remove Programs, add a check mark to the Publish Update(s) to "Add/Remove Programs."
4. If you want to set a deadline on when the software package will be deployed, you can add a check mark to the Set a Deadline for This Group and specify the date and time you want to request to have the package deployed by.
5. Click OK to set the configuration settings for the package.
Uninstalling a Deployed Package
If you find a package has been installed on systems and you didn't want the package installed on the system, you can have SCE uninstall the package. To have SCE uninstall the package, do the following:
1. In the Software option, click All Software Packages.
2. Click and highlight the package you want to uninstall and click Uninstall in the Tasks pane.
NOTE If the Uninstall task option is not available, that means the package was not installed by SCE and, thus, SCE will be unable to automatically uninstall the package from the systems.
CHAPTER 19
Using System Center Essentials for Midsized Organizations
3. Select the group from which you want to uninstall the package (by default, you can choose to uninstall the package from client systems, server systems, or all Windows systems).
4. Click OK to have the package uninstalled from the systems specified.
Inventorying Systems Using System Center Essentials
For systems management by SCE, after the agent is installed on the system, SCE performs an inventory of hardware and software on the system. This inventory is used by SCE to determine what patches and updates should be applied to the system, as well as which management packs should be installed to monitor key application information about the system. The inventory process is done in the background, and within a day or two, the inventory information from the managed systems will be collected and stored in the SCE database.
Viewing Inventory of Systems and Managed Assets
To view the inventory of systems in the network, the information is made available through the reporting services function of SCE. Various reports can be generated that show the hardware, the software, updates applied, software deployed, and the like out of SCE. To quickly and easily view the hardware inventory of a series of systems, do the following:
1. In the Monitoring option, click the Discovered Inventory container.
2. In the Tasks pane, scroll down to the Windows Computer Reports section and click the Hardware Inventory report option.
3. From the list of systems, choose all of the systems for which you want to generate a report about hardware inventory, and then click Run.
4. Click the + next to Hardware Inventory in the report and click the + next to each server to individually view the hardware inventory information for each server, as shown in Figure 19.22.
5. Click File, Print to print the inventory report, or File, Export to PDF or an Excel spreadsheet.
6. Click File, Close to exit the hardware inventory report.
Manually Collecting Inventory for a System
Usually when SCE installs an agent to a system, it inventories the system within the first few hours; however, there are times when the inventory information is not up to date, or possibly the system configuration has been recently changed before SCE automatically reupdates the inventory. The SCE administrator can launch a manual inventory collection of a system by doing the following:
1. In the Monitoring option, click the Discovered Inventory container and click/select the system for which you want to run an inventory.
FIGURE 19.22 Viewing hardware inventory information.
2. In the Tasks pane, scroll down to the Windows Computer tasks section and click Collect Inventory.
3. Click Run to begin the inventory process.
4. Click Close after the inventory collection has been completed.
Now that a system has been inventoried, you can go to the previous "Viewing Inventory of Systems and Managed Assets" section to run a report on the inventory in the system.
Authoring an Agent to Monitor a Custom Website
A common task that many administrators want to do is to monitor a website, and not just to make sure the server pings and responds, but to actually validate that a user can successfully log on to the site in a reasonable amount of time. This might be to monitor an Outlook Web Access site, an intranet site, a Great Plains accounting site, or the like. SCE has the ability to create a website monitoring agent that runs through the process of accessing a site and even entering logon credentials to log on to the site to validate access and performance.
Creating the Custom Web Management Component
To monitor a site, a custom web management agent needs to be created. To create the custom website access agent, do the following:
1. In the Authoring option, expand the Management Pack Templates container.
2. Click the Web Application container.
3. Click Record a Browser Session in the Tasks pane.
4. Give it a name like Test to make sure OWA is working, click Create a New Management Pack and then click OK.
NOTE When creating a custom Web Management component or making any modification in management pack functions, it is a best practice to create a new management pack and save the modification or new rule in the new management pack instead of an existing management pack. That way, if an updated management pack comes out, you can simply replace an old management pack with a new one, and keep your custom modifications unaffected in the separate management pack you created.
5. Click Start Capture. This opens an Internet Explorer browser page in which you are supposed to start capturing your browser session; however, this is a 32-bit version of Internet Explorer, which does not capture your session, so close the browser.
6. Click Start, All Programs, Internet Explorer (64-bit). You will now see the Web Recorder on the left side of the browser page set in the Record mode, as shown in Figure 19.23.
7. Use the browser like you would normally launch OWA (like https://owa.companyabc.com/owa), enter your OWA logon name and password, and click Log On.
NOTE You can create different web sessions to test things like your intranet, accounting software, CRM software, or access to remote online services that aren't even your company websites you want to test. Simply run the Record a Browser Session and record any session to be rerun and tested end to end.
8. Click Log Off from OWA.
9. Click Stop on the Web Recorder.
10. Click Apply at the bottom of the page to save your session and you'll get an error that you need to choose a Watcher node.
FIGURE 19.23 Recording a web session for SCE monitoring.
11. Choose a server that you want to use as the Watcher node. The Watcher node is a system that runs this test. Although you can run the test on the SCE server, you might want to choose a server that is outside your network as a node testing access—that way you can confirm that access to your site can be done both internal to your network as well as external to your network. You can also choose how often to run the test. Typically choose 2 minutes as the default—that'll be long enough to allow minor network glitches to not be alerted, but quick enough that if a problem exists, you can be notified before users start to bombard the help desk with calls of problems. Click OK.
12. Click Apply again to save your session.
You can test to make sure the web application test you created works by double-clicking the session you just created (stored in the Authoring/Web Application) and clicking Run Test.
Configuring Response Time Alerts for a Web Application
Once you create the web application tests, one of the things you might want to do is test the session for response time. It is not enough that the website can be viewed and that a user can (eventually) log on; the session should also respond in a reasonable time so the user's experience is acceptable. By running the test session several times, you'll begin to see the Transaction Response Time, as shown in Figure 19.24.
FIGURE 19.24 Checking the response time on a web application run.
In this example, the response time is 227.85 milliseconds. Running this test several times produces response times of 183 to 320 milliseconds. I can then go into the web application test and set a response time threshold that will send an alert if the response time on one of the tests exceeds a threshold I specify. To set the response time threshold, do the following:
1. Double-click to open the web application you just created in SCE.
2. Click Configure Settings in the Actions pane.
3. Select the Performance Criteria tab.
4. Check the top check box for Transaction Response Time, choose Greater Than or Equals, and enter 0.4 for the number of seconds (if you want to set the threshold to notify you that the site is responding slower than 400 milliseconds).
5. Click Apply to save the settings.
Now, every 2 minutes, a test will be made against the site, and if the site responds slower than 400 milliseconds, an alert will be triggered in SCE.
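The check that the Performance Criteria tab configures, written out as a small synthetic-transaction monitor in Python. This is an added example, not SCE's own code: the session steps are constructed stand-ins for the recorded OWA session, and the fetch and clock are injected so the example runs offline.

```python
"""Synthetic web-transaction monitor modelled on the SCE web application test
(added example, not SCE code). A recorded session is replayed step by step, the
step timings are aggregated into one Transaction Response Time (base page,
links and resources together, as the SCE report does), and the run is graded
against the "Greater Than or Equals 0.4 seconds" criterion from the text.

Assumptions: the step URLs below are constructed stand-ins for the recorded OWA
session; `fetch` and `clock` are injected so the example runs offline.
"""
from dataclasses import dataclass
import time
import urllib.request
from typing import Callable, List, Optional, Sequence


@dataclass(frozen=True)
class Step:
    method: str
    url: str


@dataclass
class TransactionResult:
    ok: bool
    step_times: List[float]            # seconds per completed step
    failed_step: Optional[Step] = None

    @property
    def transaction_response_time(self) -> float:
        """Aggregate of all step times, mirroring the SCE report's figure."""
        return sum(self.step_times)


# Constructed stand-in for the recorded OWA session (log on, open mailbox, log off).
OWA_SESSION: Sequence[Step] = (
    Step("GET", "https://owa.companyabc.com/owa"),
    Step("POST", "https://owa.companyabc.com/owa/auth/owaauth.dll"),
    Step("GET", "https://owa.companyabc.com/owa/"),
    Step("GET", "https://owa.companyabc.com/owa/logoff.owa"),  # hypothetical path
)


def http_fetch(step: Step, timeout: float = 10.0) -> None:
    """Real fetch for a watcher node: one request per step; raises on error."""
    req = urllib.request.Request(step.url, method=step.method)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        resp.read()


class FakeClock:
    """Deterministic clock for offline runs: returns the next constructed tick."""
    def __init__(self, ticks: Sequence[float]):
        self._ticks = iter(ticks)

    def __call__(self) -> float:
        return next(self._ticks)


def noop_fetch(step: Step) -> None:
    """Constructed fetch that 'succeeds' instantly; timing comes from the clock."""


def failing_fetch(step: Step) -> None:
    """Constructed fetch that simulates the site being unreachable."""
    raise ConnectionError(f"constructed failure fetching {step.url}")


def run_transaction(steps: Sequence[Step],
                    fetch: Callable[[Step], None] = http_fetch,
                    clock: Callable[[], float] = time.perf_counter) -> TransactionResult:
    """Replay the recorded steps in order, timing each; stop at the first failure."""
    times: List[float] = []
    for step in steps:
        start = clock()
        try:
            fetch(step)
        except Exception:
            return TransactionResult(False, times, failed_step=step)
        times.append(clock() - start)
    return TransactionResult(True, times)


def evaluate(result: TransactionResult, threshold_seconds: float = 0.4) -> str:
    """Grade a run: 'failed' (a step errored), 'slow' (>= threshold) or 'healthy'."""
    if not result.ok:
        return "failed"
    if result.transaction_response_time >= threshold_seconds:
        return "slow"
    return "healthy"


def summarize_ms(results: Sequence[TransactionResult]) -> dict:
    """Min/max/average response time in milliseconds over successful runs."""
    ms = [r.transaction_response_time * 1000 for r in results if r.ok]
    if not ms:
        return {"runs": 0}
    return {"runs": len(ms), "min_ms": min(ms), "max_ms": max(ms),
            "avg_ms": sum(ms) / len(ms)}


if __name__ == "__main__":
    # Offline demonstration with constructed timings: 0.23 s total -> healthy.
    clock = FakeClock([0.0, 0.05, 0.05, 0.15, 0.15, 0.20, 0.20, 0.23])
    run = run_transaction(OWA_SESSION, fetch=noop_fetch, clock=clock)
    print(evaluate(run), round(run.transaction_response_time * 1000), "ms")
```

A watcher node would call run_transaction with the default http_fetch on the 2-minute schedule the text describes and raise an alert on any run graded "slow" or "failed".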
Using the Virtualization Management Features of Essentials
System Center Essentials 2010 added virtualization management to the set of features it supports, so it now includes key components that are in the full-blown System Center Virtual Machine Manager 2008 R2 product, including virtual host management and physical-to-virtual session migration.
Setting Essentials to Manage Hyper-V Host Servers
The first thing that needs to be done is to designate a Hyper-V host server as a system that SCE can manage. The Hyper-V host must be a member of the Active Directory that SCE belongs to and the system needs to have the Hyper-V role installed on the system. SCE can manage Hyper-V hosts running either Windows Server 2008 R2 or Windows Server 2008; in addition, it can manage Virtual Server 2005 hosts if an organization chooses to use an older Virtual Server 2005 host system.
NOTE Unless you have an existing Virtual Server 2005 host you want to manage, if you are creating a virtual environment, build the environment on Windows Server 2008 or Windows Server 2008 R2 Hyper-V. Hyper-V supports both 32-bit and 64-bit guests (Virtual Server 2005 only supports 32-bit guests, which rules out current applications that are 64-bit only), and Hyper-V can support 8GB, 16GB, 32GB or more of memory providing 4, 8, 12, or more guest sessions running on a single system (Virtual Server 2005 typically maxed out after 3 or 4 sessions were installed on a system).
To add a Hyper-V host server, do the following:
1. Click the Computers option at the lower left of the SCE management console.
2. Click All Virtual Machines in the upper-left pane.
3. Click Designate a Host in the upper-right Tasks pane.
4. From the list of servers, select which system is a Hyper-V host server that you want to associate as a Hyper-V host for SCE to manage, and then click Select.
5. Enter administrator credentials for the system and click Next.
6. After the host servers are added to SCE, click Close.
Creating and Managing Virtual Guest Sessions
Once a Hyper-V host server has been designated in the SCE environment, new virtual machines can be created. SCE centralizes the creation of guest sessions in the Computers option of the console. To create a new virtual guest session, do the following:
1. Click the Computers option at the lower left of the SCE management console.
2. Click All Virtual Machines in the upper-left pane.
3. Click New Virtual Machine to begin the virtual machine creation process.
4. The New Virtual Machine Wizard prompts you if you want to choose the recommended configuration template, typically composed of a guest session with 1GB of memory, 1 processor core, 16GB of disk space, and using the network adapter from the host server. If this is acceptable, click Next; otherwise, click Change Properties, make changes to the configuration, and then click Next.
5. To install an operating system, choose an operating system from the network or from a DVD in the drive of the host server. A more common option is to use ISO files stored on disk. You'll find the first time you run the wizard to create a guest session that the Select from the Available ISO Images option is grayed out, which is because no ISO files are on the server. Copy your ISO files to the \SCE\Virtual Machine Library\ of your SCE server. This might be on the C: or on the D: or E:—wherever you chose (or the SCE installer chose) as your default drive for the storage of files. After you copy ISO files to the library directory, click Refresh List and the ISO option becomes available to choose an operating system. Choose an operating system and click Next.
6. On the next screen, SCE automatically finds a host server for you to use that has the capacity to build a guest session of the size and scope you selected. The server is shown in Figure 19.25. SCE chooses among the designated servers you configured earlier. Assuming SCE selected a Hyper-V host server that is acceptable to you, click Next.
FIGURE 19.25 Choosing a Hyper-V host server for the virtual session host.
7. For the Virtual Machine Name, enter a name that is descriptive of the guest session you have created, such as Exchange 2010 CAS Server or Intranet Server. The default host folder is likely acceptable as that is the folder configured on the Hyper-V host where guest sessions are stored. Click Next to continue.
8. Review the summary and click Create to begin the installation of the OS on the guest session.
9. During the creation process, you need to click Connect to Virtual Machine to access the virtual machine to complete the setup (such as choosing the version of Windows you want to install and adding the system name, IP address, and so on that you normally do when creating a Windows system).
10. Upon completion of creating the guest session, the New Virtual Machine Wizard prompts you to close the wizard.
Converting Physical Servers to Virtual Guest Sessions (P2V)
A huge benefit of SCE 2010 is its built-in ability to convert a physical host server system to a virtual guest session. For organizations looking to minimize the number of physical servers from a dozen or two physical systems to just two or three physical servers with virtual guest sessions running on the systems, the P2V capability of SCE assists with the conversion process. To convert a physical server to a virtual guest session, do the following:
1. Click the Computers option at the lower left of the SCE management console.
2. Click All Windows Computers in the upper-left pane.
3. Select a system you want to convert in the middle window.
4. Click Convert to Virtual Machine in the Tasks pane.
5. Click Next on the conversion screen.
6. Enter the credentials of the system you are converting, and then click Next.
7. After analysis of the source computer, a summary of the guest session configuration is displayed, as shown in Figure 19.26. Click Next to continue.
8. On the next screen, SCE automatically finds a host server for you to use that has the capacity to build a guest session of the size and scope you selected. SCE chooses among the designated servers you configured earlier. Assuming SCE selected a Hyper-V host server that is acceptable to you, click Next.
9. For the Virtual Machine Name, enter a name that is descriptive of the guest session you are migrating, such as Exchange 2010 CAS Server or Intranet Server. The default host folder is likely acceptable as that is the folder configured on the Hyper-V host where guest sessions are stored. Click Next to continue.
10. Review the summary and click Create to begin the installation of the OS on the guest session.
FIGURE 19.26 P2V session configuration.
NOTE The conversion process from physical to virtual guest sessions could take 20 minutes to over an hour to complete. The conversion process has to capture the state of a fully running system and perform the migration to a virtual guest session. Be patient; it does take a while!
11. During the creation process, you need to click Connect to Virtual Machine to access the virtual machine to complete the setup (such as choosing the version of Windows you want to install and adding the system name, IP address, and so on that you normally do when creating a Windows system).
12. Upon completion of creating the guest session, the New Virtual Machine Wizard prompts you to close the wizard.
Importing VMware Guest Sessions to Hyper-V Using Essentials
SCE provides the ability to import a VMware guest session (as well as other Microsoft virtual guest sessions) to SCE. The process uses the Import Virtual Hard Disk option in SCE. To import a virtual guest into Hyper-V/Essentials, the VMware .vmdk or the Microsoft .vhd file needs to be in the \SCE\Virtual Machine Library\ on the SCE server. If the image file is not in that directory, when you run the import tool, all of the options for selecting a virtual guest will be grayed out.
To import a virtual guest session to SCE, do the following:
1. Go to the Computers option in the SCE management console.
2. Click Import Virtual Hard Disk in the Tasks pane.
3. From the list of virtual guest sessions that are in the Virtual Machine Library, choose the virtual guest session file you want to migrate, and then click Next.
4. Review the configuration of the virtual guest session that SCE will create for the destination system, and then click Next to continue.
5. On the next screen, SCE automatically finds a host server for you to use that has the capacity to build a guest session of the size and scope you selected. SCE chooses among the designated servers you configured earlier. Assuming SCE selected a Hyper-V host server that is acceptable to you, click Next.
6. For the Virtual Machine Name, enter a name that is descriptive of the guest session you are migrating, such as Exchange 2010 CAS Server or Intranet Server. The default host folder is likely acceptable as that is the folder configured on the Hyper-V host where guest sessions are stored. Click Next to continue.
7. Review the summary and click Create to begin the installation of the OS on the guest session.
8. Click Close after the guest session has been converted.
Getting Familiar with Using Virtual Guest Sessions from SCE
Once you've created or migrated guest sessions to SCE, the next step is to actually use the guest sessions. The guest sessions running on SCE are nothing more than full-blown copies of Windows running on a virtual guest session, so the actual Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 all work the same: You log on to the operating system, join the system to a domain (if it is not joined already), load software applications (if applications aren't already installed), and have users access the server like a regular physical server. Some of the tasks that are done with a virtual guest session include accessing the guest session to manage applications on the system, running snapshot guest sessions as interim backups, and powering on/off the guest session as well as making configuration changes to the guest session.
Powering On/Powering Off/Saving a Virtual Guest Session
To power on, power off, or save a guest session, these tasks are performed from the SCE console under the Virtual Machines container. Specifically, the steps are as follows:
1. Go to the Computers option in the SCE management console.
2. Click the All Virtual Machines container to see the virtual guest sessions.
3. Click to highlight a guest session.
4. If the session is off, you can click Start in the Tasks pane on the right to turn on the guest session.
5. If the session is on, you can click Stop in the Tasks pane to power off the guest session. Likewise, you can choose to Power Off a guest session as well.
NOTE Powering off a running guest session is just like pushing the power off switch on a physical computer. It'll shut the system down without properly "shutting down" the operating system. This is not recommended as you can lose data or corrupt the system. It is best to go into the guest session and run the proper shutdown process for the operating system.
6. For a running session, you can click the More option in the Tasks pane, which shows you the option to Save or to Pause a guest session. Saving a guest session is like "hibernate" on a system; it writes the content of the session out to a file and stops the session. When you start a saved session, the session starts up exactly where it left off. When you pause a guest session, this is like a "sleep" of a guest session. The session is still semirunning and never stopped, so a paused session is still taking up RAM and CPU of the host server and a loss of power can lose any information not saved. It is better to save a guest session as it saves the content of the session and releases RAM and CPU of the session; furthermore, a power outage doesn't impact the ability for the administrator to pick up the guest session where it was last saved.
Accessing a Virtual Guest Session
Virtual guest sessions are running on a Hyper-V host somewhere in the environment, and likely on a different physical system than the SCE server or console. When an administrator wants to access the virtual guest session, the administrator can sit at the SCE console (or any system with the SCE console installed) and access the virtual guest session. To do so, do the following:
1. Go to the Computers option in the SCE management console.
2. Click the All Virtual Machines container to see the virtual guest sessions.
3. Click to highlight the guest session you want to access.
4. Click Connect to Virtual Machine in the Tasks pane. A remote desktop guest session is started, and the SCE administrator can log on to the guest session.
NOTE When accessing a virtual guest session, you will notice a Ctrl+Alt+Del option in the upper-left corner of the screen. Click this to be able to send a Ctrl+Alt+Del to the virtual guest session to log on to the guest session.
Changing the "Hardware" of the Virtual Guest Session
After you create the virtual guest session, if you want to change the "hardware" of the guest session, such as add more memory, dedicate core processors, increase disk space, or change the virtual CD/DVD that the guest session is connected to, do the following:
1. Go to the Computers option in the SCE management console.
2. Click the All Virtual Machines container to see the virtual guest sessions.
3. Right-click the guest session whose properties you want to change.
4. Change the configuration settings of the guest session, including increasing/decreasing allocated memory, increasing disk space, and so on.
NOTE You can only make property changes to guest sessions that are powered off. If a guest session is running, paused, or in a saved state, you cannot make configuration changes to the system other than changing the CD/DVD drive to install software onto the system. The other configuration changes need to be done in a powered-off state, and the next time the power is turned on for the guest session, the change in resources takes place. Also note that when managing the network adapter for the guest session, you might find the network adapter for the guest session shows as Not Connected. Within the SCE console, there's not much that can be done to address this. The solution is noted in the "Troubleshooting Common Problems in SCE" section later in this chapter.
Managing Snapshots of a Guest Session
Snapshots in a virtual guest session are backed-up session states. When you invoke a new snapshot, you are capturing the state of the guest session at a point in time. If you want to go back to that point in time, you can access a previous snapshot. Snapshots are commonly used to back up a system before patches or updates are applied. If after applying a patch or update a system fails, the administrator can go back to a previous snapshot before the patch or update occurred. Other uses of snapshots are to back up a system before a product is upgraded, before a large batch of data is deleted for housekeeping purposes, and so forth. To manage snapshots, do the following:
1. Go to the Computers option in the SCE management console.
2. Click the All Virtual Machines container to see the virtual guest sessions.
3. Click to highlight the guest session you want to access.
4. Click Manage Snapshots in the Tasks pane.
5. A Manage Snapshots window pops up and you can take a "New" snapshot that'll take a point in time of your current session, you can highlight a snapshot and choose to restore a snapshot to the point in time of that snapshot, or you can delete a snapshot.
NOTE If you restore a previous snapshot, any work done since that snapshot will be lost. The current state of the session is erased and you will be back to the time of the snapshot you restored. If you think you might want to roll forward to the time before you restored the snapshot, take a new snapshot and then restore an old snapshot so you can roll forward or backward between multiple snapshots.
Also note that if an application on one virtual guest session keeps some of its data in a database on another guest session, and you snapshot and roll back only one server and not the other, you will potentially have a mismatch in data. As an example, if you snapshot only one of two databases in use, the information stored in one database will be mismatched from the data stored in the other database. This can cause significant corruption of data, and it is highly suggested the administrator give serious consideration to the location of data and the state of the system before doing a rollback of a snapshot.
Generating Reports Out of Essentials
Already covered briefly in this chapter in the "Inventorying Systems Using System Center Essentials" section is the method in which reports can be generated out of SCE. The reports covered earlier were specifically focused on inventory reporting for hardware and software; however, SCE has many different reports out of the box to choose from. Some of the reports available include the following:
• AD Domain Changes
• AD Machine Account Authentication Failures
• Microsoft Critical and Security Updates Status
• Software Deployment for Approved Software
• Exchange Average Mailbox Size
• Exchange Mailbox Messages Delivered
• Server Disk Free Space
• Service Level Tracking Summary
• Operating System Configuration
These reports, among the other several dozen reports available, help administrators better understand system and application configurations, operations, errors, and reliability.
Creating a Report from a Built-in Report Template
To create a report using an existing built-in report in SCE, it's a matter of selecting the report, choosing which systems or devices you want the report to apply to, and then running the report. The specific process is as follows:
1. Go to the Reporting option in the SCE management console.
2. Expand the Reporting container by double-clicking on the container.
3. Click any of the report containers, for example the Active Directory Server Common Library container.
4. Double-click any of the reports, such as the AD Role Holders report.
5. Enter information, such as From (yesterday) and To (Today) dates, and enter a server object such as the name of one of your domain controllers, similar to what is shown in Figure 19.27.
6. Click Run to generate the report.
FIGURE 19.27 Filling in metrics for a report.
Installing Agents on Target Systems
If during the installation process you chose to have SCE automatically discover systems and automatically install agents, this process is not required. This section applies only to systems that were not automatically discovered and managed.
Installing Agents on Domain-Attached Systems
To discover and install agents on domain-attached systems, if for some reason SCE did not automatically find the device and install the agent, the administrator can scan Active Directory for all computers and choose to install the agent and manage the domain-attached system. To discover systems, do the following:
1. Launch the SCE management console.
2. Click the Administration option.
3. Expand the Device Management container.
4. Right-click the Agent Managed container and choose Discover Computers.
CHAPTER 19
Using System Center Essentials for Midsized Organizations
NOTE You will see a notice reminding you that the computers you want to discover must be powered on and that their firewall settings must allow File Sharing and Remote Administration. Click OK to close the notice.
5. Choose Windows Computers and click Next.
6. Choose Automatic Computer Discovery to run a scan of your Active Directory (or choose Advanced Discovery to scan only for servers, only for clients, or for both). Click Next to continue.
7. Choose Use Selected Management Server Action Account, which uses the account set in the SCE management settings (or alternately enter an administrator logon and password you want to use), and then click Discover to continue.
8. In Discovery Results, a list is displayed showing systems that are in Active Directory, that are on, and that are not currently being managed. Select the systems you want to manage and click Next.
9. After the systems are added, click Finish.
Installing Agents on Non-Domain Joined Systems
A domain-joined system automatically has a trust relationship with SCE through the domain, but a system that is not joined to a domain (effectively a standalone system) has no such connection. In this case, a certificate from a PKI must be installed on the system so that the system and the SCE server can authenticate each other. Connecting a workgroup system to SCE involves the following:
1. Having the root CA certificate installed in the Trusted Root Certification Authorities store on the SCE management server
2. Using a certificate issued to and installed on the non-domain joined system that associates the system with the SCE server
Downloading and Installing a Root CA to the SCE Server
The first step is to install the root CA certificate onto the SCE server, which requires that the organization has a certificate authority (CA) in the environment. The design, planning, and implementation of a Microsoft CA is beyond the scope of this chapter; instead, refer to Windows Server 2008 R2 Unleashed, Windows Server 2008 Unleashed, or Windows Server 2003 Unleashed, all published by Sams, for the installation of Microsoft Certificate Services. Alternately, Microsoft's own guidance can be found at http://technet.microsoft.com/en-us/library/cc700804.aspx. Assuming the organization already has Microsoft Certificate Services installed, to install the root CA certificate, do the following:
1. From the SCE management server, open a browser session and enter the URL https://{yourCertServerName}/certsrv.
2. On the Welcome page, click Download a CA Certificate, Certificate Chain, or CRL.
NOTE When notified that you are attempting to perform a digital certificate operation, choose Yes to continue with the operation.
3. Click Download CA Certificate Chain and choose Open.
4. Click down the tree to the Certificates container and double-click the certificate in that container; a certificate appears, as shown in Figure 19.28.
FIGURE 19.28 Certificate in the certificate chain.
5. Click Install Certificate and the Certificate Import Wizard begins.
6. At the Welcome screen, click Next.
7. For the Certificate Store, click Place All Certificates in the Following Store.
8. Click Browse, check Show Physical Stores, expand Trusted Root Certification Authorities, select Local Computer, click OK, and then click Next.
9. Click Finish. A pop-up appears stating the import was successful. Click OK on the pop-up and click OK again to close the certificate, then choose File, Exit to close the certmgr window.
Installing an SCE Agent on the Non-Domain Joined System
Once the root CA certificate has been imported into the SCE server and a certificate has been created for the non-domain joined system, the next step is to install the SCE agent on the non-domain joined system. The process is as follows:
1. Insert the SCE 2010 installation disc into the DVD/CD drive and the installer begins (if not, run SETUPSCE on the disc).
2. From the System Center Essentials 2010 Setup screen, click Install Essentials Agent.
3. You are prompted to choose the server running System Center Essentials and the management group you want to put the system into. Enter the FQDN of the SCE server and, for Management Group, enter the name of the management group on the SCE server.
NOTE To find the name of the management group, go to your SCE server and launch the SCE management console. At the top of the management console window is the name "System Center Essentials -" followed by the name of your management group. It is typically the name of your server plus an underscore plus the letters MG (so SCE2010_MG). So in step 3, when prompted for the management group, enter SCE2010_MG or whatever is noted for your management group at the top of the SCE management console interface.
4. On the same installer screen, you are prompted for the location where the agent files should be installed; the default on C: is fine.
5. For Certificates, you need to import two certificates from the SCE server. They are located on the SCE server in the C:\Program Files\System Center Essentials\Certificates\ folder. The Update Services SSL Certificate is named WSUSSSLCert.cer and the Update Services Code Signing Certificate is named WSUSCodeSigningCert.cer. Browse to each certificate on the SCE server so that the agent installer screen looks similar to Figure 19.29. Click Install to continue.
6. After the agent installs, a pop-up notes "Essentials Agent Installed Successfully." Click Close.
After completing the manual installation on the non-domain joined system, you need to approve the system in the SCE console before it is managed. To approve the system for management, do the following:
1. Launch the SCE management console.
2. Click the Administration option.
3. Expand the Device Management container and click Pending Management.
4. You will see the computer you just added, with the notation "Manual Agent Install," as shown in Figure 19.30. Confirm that the FQDN listed is the host you just installed before approving it, because approval is what admits that agent into the management group. Highlight the device and click Approve in the Tasks pane. You are prompted to confirm the addition of the system; click Approve to accept.
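The root CA import in the "Downloading and Installing a Root CA to the SCE Server" steps, and the check that the workgroup system's certificate actually chains to that root, can also be done from PowerShell on the SCE server. The following is an added example, not code from the book or from SCE. It assumes placeholder file names (C:\Temp\certnew.p7b for the chain downloaded from certsrv and C:\Temp\agent.cer for the computer certificate issued to the non-domain joined system), and it assumes that SCE's agent inherits the Operations Manager 2007 R2 agent's requirement for both the Server Authentication and Client Authentication enhanced key usages; verify that last point against your SCE documentation.

```powershell
# Added example (not from the book or from SCE): import the CA chain into the local
# computer's Trusted Root and Intermediate stores, then verify the agent's certificate.
# Placeholder paths (assumptions): the chain saved from https://{yourCertServerName}/certsrv
# and the computer certificate issued for the non-domain joined system.
# Run from an elevated prompt; writing to LocalMachine stores requires administrator rights.
$chainFile     = 'C:\Temp\certnew.p7b'
$agentCertFile = 'C:\Temp\agent.cer'

# Load every certificate contained in the PKCS#7 chain file.
$chainCerts = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chainCerts.Import($chainFile)

$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$caStore   = New-Object System.Security.Cryptography.X509Certificates.X509Store 'CA', 'LocalMachine'
$rootStore.Open('ReadWrite')
$caStore.Open('ReadWrite')
foreach ($cert in $chainCerts) {
    # The self-signed certificate is the root (what step 8 places under Trusted Root
    # Certification Authorities, Local Computer); any intermediate issuer goes to the
    # Intermediate Certification Authorities store so a full chain can be built later.
    if ($cert.Subject -eq $cert.Issuer) { $rootStore.Add($cert) } else { $caStore.Add($cert) }
}
$rootStore.Close()
$caStore.Close()

# Verify the certificate that will be installed on the non-domain joined system.
$agentCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $agentCertFile
$verifier  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation checking is skipped here because a workgroup host may not be able to reach the
# CRL distribution point during setup; set it back to 'Online' once the host is on the network.
$verifier.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $verifier.Build($agentCert)
"Chain builds to a trusted root: $chainOk"
if (-not $chainOk) {
    $verifier.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation)" }
}
$verifier.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }

# Assumption: the SCE agent has the same EKU requirement as the Operations Manager 2007 R2
# agent, i.e. both Server Authentication and Client Authentication must be present.
$requiredEku = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'
$ekuExt = $agentCert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$present = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
foreach ($oid in $requiredEku) {
    $state = if ($present -contains $oid) { 'present' } else { 'MISSING' }
    "EKU $oid : $state"
}
```

If the chain does not build, the ChainStatus lines name the cause (an untrusted root, an expired certificate, or a missing intermediate); fix that on the SCE server before attempting the agent install, because the agent will fail to authenticate with the same error.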
FIGURE 19.29 Agent installer screen.
FIGURE 19.30 Manual agent install approval.
Troubleshooting Common Problems in SCE
As with any product, things that are supposed to work sometimes don't, and it takes a little troubleshooting to get them working. SCE is no different: some tasks fail, and there are known fixes for the common problems. Some of the common problems are addressed in this section of the chapter.
Fixing Firewall Rules to Allow Agent Installation
SCE requires Windows Firewall exceptions on each target before it can push the agent. If you chose to have SCE set group policies, the policy has been applied to the systems and the firewall rules are already enabled. If you elected not to use group policies to open the necessary ports, or you want to configure the firewall manually, configure the following on each workstation and server you want to manage:
1. On the server or workstation, open Control Panel and then choose Windows Firewall.
2. Click the Exceptions tab.
3. Make sure the File and Printer Sharing check box is selected.
4. Click Add Port and create the following TCP port exceptions:
• Name=Port135: Port Number=135
• Name=Port139: Port Number=139
• Name=Port445: Port Number=445
• Name=Port6270: Port Number=6270
5. Create the following UDP port exceptions:
• Name=Port137: Port Number=137
• Name=Port138: Port Number=138
For each of these exceptions, do the following:
• Click Change Scope.
• Select Custom List.
• Limit the scope to the SCE server's IP address.
The scope step matters: ports 135, 139, and 445 expose RPC and SMB, so leaving them open to any address widens the attack surface far beyond what agent push needs.
Additionally, each managed system needs to allow remote WMI calls. To allow WMI calls, do the following:
• On Windows XP clients and Windows Server 2003 servers, open Windows Firewall and choose the Allow Remote Administration Exception option.
• On Windows Vista clients and Windows Server 2008 servers or later, open Windows Firewall, click the Exceptions tab, and select the Windows Management Instrumentation (WMI) check box.
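The same exceptions can be applied from a script rather than through the Control Panel dialog on Windows Vista, Windows Server 2008, and later hosts. The following is an added example, not from the book or from SCE; it assumes the SCE management server's address is 10.0.0.10 (a placeholder) and uses the built-in netsh advfirewall command, which is not available on Windows XP or Windows Server 2003.

```powershell
# Added example (not from the book or from SCE): the Windows Firewall exceptions described
# above, applied with netsh advfirewall on Windows Vista / Server 2008 and later hosts.
# Assumption: the SCE management server's address is 10.0.0.10 (placeholder, replace it).
# Run from an elevated PowerShell prompt on each workstation or server to be managed.
$sceServer = '10.0.0.10'

$tcpPorts = 135, 139, 445, 6270   # RPC endpoint mapper, NetBIOS session, SMB, SCE agent port
$udpPorts = 137, 138              # NetBIOS name and datagram services

foreach ($port in $tcpPorts) {
    # remoteip= is the scripted equivalent of Change Scope > Custom List: only the SCE
    # server may reach these ports. 135/139/445 are RPC and SMB; never leave them open
    # to any address on a workstation just to get agent push working.
    netsh advfirewall firewall add rule name="Port$port" dir=in action=allow protocol=TCP localport=$port remoteip=$sceServer | Out-Null
}
foreach ($port in $udpPorts) {
    netsh advfirewall firewall add rule name="Port$port" dir=in action=allow protocol=UDP localport=$port remoteip=$sceServer | Out-Null
}

# Enable the built-in rule groups that correspond to the File and Printer Sharing and
# Windows Management Instrumentation (WMI) check boxes on the Exceptions tab.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes | Out-Null
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes | Out-Null

# Verify: each custom rule should show Enabled: Yes and RemoteIP limited to the SCE server.
foreach ($port in $tcpPorts + $udpPorts) {
    netsh advfirewall firewall show rule name="Port$port" |
        Select-String -Pattern 'Rule Name', 'Enabled', 'Protocol', 'RemoteIP'
}
```

On Windows XP and Windows Server 2003 the firewall is driven by the older netsh firewall context instead, so this script does not apply there; follow the Allow Remote Administration Exception step manually on those systems.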
Changing Email Host Server Address
For Daily Health reports, an email is generated and sent to the individual identified during the initial setup of SCE. Both the SMTP server that relays the email and the recipient of the daily report can be changed. To change the server or mailbox that gets the Daily Health Report, do the following:
1. Go into the Administration option in the SCE management console, and click Settings.
2. Scroll down to the Type: Server section.
3. Double-click Daily Health Report.
4. If you want to stop sending the Daily Health Report altogether, choose No, I Will Set Up Notifications Later and then click OK.
5. If you want the Daily Health Report to be sent through a different server, enter the FQDN of the SMTP server you want to use to deliver it.
6. If you want the Daily Health Report to go to a different individual, enter the recipient's email address in the To field, along with the time you want the report to be sent.
7. Click OK to save the settings.
Network Connection of a Virtual Guest Session Shows "Not Connected"
If you are working with virtual guest sessions in SCE and you find that a guest session is not communicating with the network, and in the Properties configuration of the guest session the network adapter shows "Not Connected," the solution is as follows:
1. Remote into the Hyper-V host server by going into the Monitoring option of the SCE management console.
2. Click the Discovered Inventory container.
3. Click the Hyper-V host server in the middle pane.
4. Scroll down the Tasks pane to the Windows Computer Tasks and choose Remote Desktop.
5. Log on to the Hyper-V host server.
6. Launch the Hyper-V console by clicking Start, Administrative Tools, Hyper-V Manager.
7. Click the name of the Hyper-V host server in the Hyper-V Manager console.
8. Right-click the guest session that you need network connectivity for and choose Settings.
9. Click the Network Adapter or Ethernet Port shown in the Hardware section on the left side of the Settings screen.
10. For Network, change the setting from "Not Connected" to a virtual network on the Hyper-V host that has a valid network connection.
11. Click OK to save the change.
12. Go back to the SCE console and access the guest session to verify that you now have network connectivity.
NOTE If you are on step 10 and there are no virtual network switches to connect to (basically just "Not Connected"), see the "Creating a Virtual Network Manager in Hyper-V" section.
Creating a Virtual Network Manager in Hyper-V
If you are trying to connect a guest session in Hyper-V Manager to a virtual network switch and no virtual network switch exists, you need to create one to connect the Hyper-V host server to the network. To create a virtual network switch, do the following:
1. Remote into the Hyper-V host server by going into the Monitoring option of the SCE management console.
2. Click the Discovered Inventory container.
3. Click the Hyper-V host server in the middle pane.
4. Scroll down the Tasks pane to the Windows Computer Tasks and choose Remote Desktop.
5. Log on to the Hyper-V host server.
6. Launch the Hyper-V console by clicking Start, Administrative Tools, Hyper-V Manager.
7. From the Hyper-V Manager, click Virtual Network Manager in the Actions pane.
8. Check to see if there is a virtual network that is connected to "External."
9. If there is not a virtual network connected to External, create one by clicking New Virtual Network.
10. Choose External, and then click Add.
11. Choose the network adapter that connects the server to the network.
12. Make sure the Allow Management Operating System to Share This Network Adapter check box is checked, and then click OK.
13. Now go back to connecting your virtual guest session to the virtual network switch in step 10 of the "Network Connection of a Virtual Guest Session Shows 'Not Connected'" section.
Regular (Every 2-3 Days) Tasks an Administrator Should Perform
With System Center Essentials 2010, the whole goal of the product is to off-load routine management tasks to SCE so that the administrator does not have to do anything to keep servers and workstations patched and updated, or to proactively monitor servers and applications. However, as much as SCE takes care of the mundane tasks automatically, there are regular tasks an administrator should add to their to-do list to be done every 2-3 days.
Checking for System Alerts and Troublesome Operations Usually, users will inform the network administrator if there are problems; however, System Center Essentials proactively monitors servers and devices and generates error reports in the event that a problem occurs that is troubling but not service debilitating. A good task for an administrator to do every 2-3 days is to check in on SCE to see if there are any system alerts that require attention. SCE should be set to notify the administrator should there be an important event that requires attention; however, just in case the administrator did not get the notification or an event occurred that was minor and did not invoke an alert, scanning the console is a helpful task to do. The "Checking the Monitored Status of a Server and Application" section covers the procedure for looking through event errors and updates. An even easier process is to look at the Health Status Report of the servers in the environment covered in the section "Checking the Health of a Server."
Checking for New Patches and Updates Patching and updating of servers should be automatic in SCE as well, downloading updates regularly and pushing the updates out to client systems and servers on a regularly scheduled basis. However, rather than assuming that systems are being updated regularly, the administrator can review the Updates Overview screen in the SCE management console, as shown in Figure 19.31. In this single view, the administrator can see new updates that have been downloaded, client and server updates that have been successful, and the events that have failed or that are pending. If there are a lot of failed updates noted, the administrator should check to try to identify the cause of the errors. More information on patching and updating can be found in the section "Using Essentials for Patching and Updating Systems."
FIGURE 19.31 Updates Overview screen.
Weekly Tasks an Administrator Should Perform There are a number of weekly tasks an administrator can perform to check on the information coming in to SCE and to determine what information is important for further investigation and review.
Confirming That New Systems Added to the Network Are Being Managed
On a weekly basis, the administrator should check to see if SCE has successfully picked up the new servers added to the network and is now monitoring and managing those systems. If no new servers or applications have been added, nothing needs to be checked. However, if the administrator added a couple of new servers, SCE should have found those systems nightly and automatically added them to the monitoring system. Checking the monitored status of a server and application is done as follows:
1. Go to the Monitoring option in the SCE management console.
2. Click the Discovered Inventory container in the upper-left Monitoring pane of the console.
3. Scroll up and down through the middle pane with the Discovered Inventory to see the servers being monitored by SCE.
More information on the automatic addition of servers for management is found in the "Performing Computer and Device Discovery" section of this chapter.
Confirming That New Applications Added to the Network Are Being Managed
As new applications are added to the network, SCE should automatically download management packs and add the new applications to the server monitoring list. If new applications have been added (for example, Exchange Server 2007 was upgraded to Exchange Server 2010, or SharePoint 2010 was recently added to the network), the management packs for those applications should show up when the administrator performs the following steps:
1. Go to the Monitoring option in the SCE management console.
2. Scroll up and down through the upper-left Monitoring pane to see that applications installed in the environment are displayed in the Monitoring tree.
More information on application monitoring is covered in the section "Checking the Monitored Status of a Server and Application."
Monthly Tasks an Administrator Should Perform On a monthly basis, a handful of tasks can be performed to make sure that SCE is working properly and that the environment is being managed and maintained on a regular basis.
Ensuring That the Essentials Server Is Up to Date
As much as SCE monitors servers for patches and updates, it's important that the SCE system itself is kept current, both with operating system patches and updates and with updates to the SCE 2010 program itself. Because service packs and rollups generally do not install automatically, it is up to the administrator to approve the installation of major updates. Because SCE is the basis of the monitoring and management of systems throughout the enterprise, keeping SCE updated with the latest rollup and/or service pack ensures that it continues to perform its task of monitoring, managing, and maintaining servers throughout the organization.
Converting Physical Servers to Virtual Guest Sessions
One of the best ways for an organization to improve efficiency and cost savings in IT is to virtualize server systems. Getting rid of several physical servers and consolidating them down to a handful of virtual hosts minimizes an organization's cost in maintenance, management, and support of racks of physical systems. SCE has built-in tools that allow an administrator to convert physical servers to virtual guest sessions; however, the conversion is not automatic, so the administrator needs to initiate it. On a regular basis, the administrator should run the migration tools and get physical systems converted to running as virtual guests.
Summary
This chapter, dedicated to System Center Essentials 2010, hopefully provided a soup-to-nuts understanding of the Essentials product, everything from planning and implementing the Essentials 2010 server through to the daily, weekly, and monthly management tasks an administrator might undertake in the routine management of their network. System Center Essentials is an extremely powerful tool that simplifies patching, software deployment, monitoring, physical-to-virtual server conversion, and reporting in a single tool. For an organization with fewer than 500 users and 50 servers, Essentials provides key management tasks without burdening IT personnel with more tasks, features, and functions than an individual can realistically handle in the course of a normal day. For organizations that are looking for management without the complexities, System Center Essentials provides simplified management functions in an all-in-one server configuration.
Best Practices
The following are best practices from this chapter:
• For an organization with fewer than 500 users and fewer than 50 servers, System Center Essentials 2010 provides tools to help perform routine systems management tasks.
• When installing System Center Essentials, choose to install all of the components on a single server unless there are extenuating circumstances that suggest the installation should be split across multiple servers.
• If you have the choice of building application servers versus SCE first, build out the application servers (Exchange, SharePoint, SQL, and so on) first so that when SCE is installed, it can automatically discover the application servers and begin monitoring and managing them.
• When installing SCE, choose to have SCE automatically do things such as autodiscover systems, autoconfigure monitoring, autodownload updates, and autoadd new systems so that SCE does as much as possible automatically, without the administrator having to approve every patch, update, or system.
• For systems that are not part of the domain, you can use certificates to associate a non-domain-attached server with SCE.
• Use the P2V feature in SCE to convert physical servers to virtual guest sessions, consolidating physical servers and improving the overall cost of operations by eliminating physical servers where possible.
• Create packages within SCE to deploy software applications to workstations and servers.
• Use SCE to automatically uninstall a software application that is causing problems or not working properly.
• Leverage the authoring capabilities of SCE to create a Web Monitoring component that can track the response time of a web server to ensure successful operation of things like intranet sites, OWA sites, or the like.
• Use out-of-the-box reports or create custom reports that the organization can use for compliance, audit, or security management purposes.
• Use RunAs accounts to control security access to applications from within the SCE management console.
Index A Access Violation reports, 5 2 3 Account Management reports, 5 2 3 accounts
Action Agent, 282 Client Push Installation, 84 Data Warehouse Reader, 282 Data Warehouse Write Action, 282 Domain Join, 84 Local Administrator, 282 Management Server Action, 282 Network Access, 84 Non-Privileged User, 464 OS Capture Account, 84 Privileged User, 462-463 RunAs, 283 SDK and Configuration service accounts, 282 UNIX Action Account profile, assigning Linux Non-Privileged Users to, 464 UNIX Privileged Account profile, assigning Linux Privileged Users to, 464-465 ACS (Audit Collection Services)
ACS Reporting, 276-277 audit collection database, 275-276, 287 audit collector, 275 audit forwarder, 274 OpsMgr 2007 R2 ACS (Audit Collection Services) install, 337-343 reports Access Violation reports, 523 Account Management reports, 523 custom reports, 525-528 explained, 522-523 Forensic reports, 523 generating, 524-525 Planning reports, 523-524 Policy reports, 524 System Integrity reports, 524 Usage reports, 524
988
Action Agent account
Action Agent account, 2 8 2
Add Hosts Wizard, 6 5 7 - 6 5 9
Active Alerts view, 447, 4 5 7
Additional Properties page
Active Directory. See AD (Active Directory)
Convert Physical Server Wizard, 677
Active Directory Management Pack
Convert Virtual Server Wizard, 682
client monitoring, 426-427
Deploy Virtual Machine Wizard, 696-697
configuring, 423-424
AddNewClusteredVM.psl script, 6 1 7 - 6 1 8
domain controller performance collection,
AddNewStandAloneVM.psl script, 6 1 7 - 6 1 8
431-433 explained, 423
administration
DPM (Data Protection Manager) 2010
replication monitoring, 427-431
Administrator Console, 575-577
reports, 437-438
custom volumes, 579-580
tasks, 436-437
data recovery, 580-581
views, 432-436 activities
activity prefixes, 813
Management Shell, 577-578 OpsMgr daily tasks, 368-369
explained, 810-811
explained, 390
MAs (manual activities), 831-832
file exclusions for antivirus and defragmentation applications, 376-377 importing management packs, 369-371 management pack updates, 371-372 Management Packs tree item, 393, 399-400
RAs (review activities), 828 returning to, 825-828 Activity Distribution report, 8 4 1 Activity Management Report Library, 8 4 1 AD (Active Directory)
Active Directory connector deployment, 747-748 Active Directory Management Pack client monitoring, 426-427 configuring, 423-424 domain controller performance collection, 431-433 explained, 423 replication monitoring, 427-431 reports, 437-438 tasks, 436-437 views, 432-436 configuring, 134-135 configuring Remote Assist with, 949-950 extending AD schema, 56-57, 133-134 in MDM (Mobile Device Manager), 871-872 site topology, 116-117 AD Generated Response Task, 4 3 6 AD Users and Computers Snap-in Console Task, 4 3 6 ADConfig c o m m a n d , 8 7 8 - 8 7 9
notification and alert tuning, 372-376 Notifications tree item, 393-395 Pending Management tree item, 392-393 performance monitoring, 395-399 Web console performance view time frame, 377-378 System Center Essentials monthly tasks, 983-984 regular tasks, 9 8 1 weekly tasks, 982-983 Administration option (SCE), 9 3 5 - 9 3 7 Administrator Console (DPM), 5 7 5 - 5 7 7 Administrator Console (VMM)
explained, 631, 666-667 hardware requirements, 642 installing, 654-656 software requirements, 642 supported operating systems, 642 Administrator role (VMM)
defined, 684 managing, 684-686
Allow Browser setting (Exchange Server 2 0 0 7 )
Administrator Tools (MDM), installing, 8 8 5 - 8 8 6
989
website monitoring agents creating, 961-963
ADSI Edit
ADSI Edit Snap-in Console Task, 436 creating System Management container with, 134-135
response time alerts, 963-964 Windows agents, 343-345 Al (Asset Intelligence)
Advertised Programs Client Agent, 9 6 , 1 7 4 , 1 8 0
Al catalog, 235-236, 245-246
advertisements, 5 8 , 1 8 5
Asset Intelligence Synchronization Points
Agent Health view, 4 5 8 Agent Proxy, configuring, 3 6 2 - 3 6 3 agents
Advertised Programs Client Agent, 96, 174, 180 Agent Proxy configuration, 362-363 agent restart recovery, 363-364 Computer Client Agent, 96, 174, 178-181 controlling bandwidth, 180-181 network access and policy retrieval, 178 user experience, 179 Configuration Manager Agent package, 206-207 configuring to use certificates, 358 Desired Configuration Management Client Agent, 96 explained, 263-265 Hardware Inventory Client Agent, 96 installing, 166-167 on DMZ servers, 356-357 on domain-attached systems, 973-974 Firewall Rule exceptions, 978-979 on non-domain joined systems, 974-977 manual agents, 359-360 Mobile Device Client Agent, 96 Network Access Protection Client Agent, 73 Remote Tools Client Agent, 97 security, 280 Software Inventory Client Agent, 97 Software Metering Client Agent, 97 Software Update Client Agent, 97 Software Updates Client Agent, 196-197 UNIX/Linux agents, 349-352 VMM Agent explained, 632 installing, 657-661
enabling, 236 explained, 71-72, 158 CAL license tracking, 241-242 explained, 61-63, 234-235 logon auditing, 242-243 report categories, 247 reporting classes, 236-241 System Center Online Services, 246-247 AIUpdateSvc.log log file, 2 3 6 alert forwarders, configuring, 3 4 6 - 3 4 9 Alert Logging Latency report, 5 1 3 , 5 1 5 - 5 1 6 Alert reports, 5 0 6 - 5 0 8 Alert view (Operations Manager console), 3 8 9 alerts, 44
alert forwarders, 346-349 Alert Logging Latency report, 513, 515-516 Alert reports, 506-508 alert tuning, 405-408 creating incidents with, 777-780 Daily Alert report, 513, 519-521 explained, 258 generating, 2 6 1 Most Common Alerts report, 514-515 priority levels, 365 response time alerts, 963-964 severity levels, 365 in System Center Essentials, 942 tuning, 372-376 All Open Unassigned Incidents folder, 7 8 4 All Performance Data view, 4 5 8 Allow BITS Download Outside of Throttling Window setting (Computer Client Agent), 1 8 0 Allow Bluetooth setting (Exchange Server 2007), 905 Allow Browser setting (Exchange Server 2007), 905
How can we make this index more useful? Email us at [email protected]
990
Allow Camera setting (Exchange Server 2007), 905
Allow Consumer Mail setting (Exchange Server 2007), 905
Allow Desktop Sync setting (Exchange Server 2007), 905
Allow HTML E-mail setting (Exchange Server 2007), 905
Allow Internet Sharing setting (Exchange Server 2007), 905
Allow non-provisionable devices setting (Exchange Server 2007), 906
Allow POP/IMAP Email setting (Exchange Server 2007), 906
Allow Remote Desktop setting (Exchange Server 2007), 906
Allow Simple Password setting (Exchange Server 2007), 906
Allow S/MIME Software Certificates setting (Exchange Server 2007), 906
Allow Storage Card setting (Exchange Server 2007), 906
Allow Text Messaging setting (Exchange Server 2007), 906
Allow Unsigned Applications setting (Exchange Server 2007), 906
Allow Wi-Fi setting (Exchange Server 2007), 906
AllowIrDA setting (Exchange Server 2007), 905
Alphanumeric Password Required setting (Exchange Server 2007), 906
analyzing
    incidents, 784-787
    problems, 797-798
announcements, publishing, 787-788
antivirus applications, file exclusions for, 376-377
application monitoring, 17-18
Application page (Model Wizard), 858-859
applications, disabling, 901-902
Approved Application List setting (Exchange Server 2007), 906
approving
    packages, 897-898, 959
    RAs (review activities), 828
    updates, 954-956
Asset Intelligence (AI). See AI (Asset Intelligence)
assets
    AI (Asset Intelligence). See AI (Asset Intelligence)
    asset management
        explained, 61
        hardware/software inventory, 61-62
        managing, 158
        tracking, 10, 44
assigning incidents, 783-784
Attachments Enabled setting (Exchange Server 2007), 906
audit collection database, 275-276
Audit Collection Services. See ACS (Audit Collection Services)
audit collector, 275
audit forwarder, 274
audits
    ACS (Audit Collection Services). See ACS (Audit Collection Services)
    audit collector, 275
    audit forwarder, 274
    logon auditing, 242-243
Authoring Console, 481
Authoring option (SCE), 937
autodiscover (SCE), 938-939
automatic client installation, 167
automatic placement of VMs (virtual machines), 692-693
automatically deploying software, 193-194
Availability reports, 261-262, 497-498, 508-512

B

Back Up Database dialog box, 754
backing up
    ConfigMgr, 85-86
    with DPM (Data Protection Manager) 2010. See DPM (Data Protection Manager) 2010
    OpsMgr
        backup schedules, 378
        explained, 287-289
        IIS 6.0 metabase backup, 383-384
        IIS 7.x configuration backup, 385
        OperationsManager database, 379-380
        OperationsManagerAC database backup, 383-384
        OperationsManagerDW database backup, 381-383
        RMS encryption key backup, 380-381
    Service Manager
        backup schedules, 753-754
        encryption key, 756
        ServiceManager database, 754-756
    System State, 587
    tape-based backup technologies, 545-546
bandwidth
    controlling with Computer Client Agent, 180-181
    controlling with site deployment, 93-94
    OpsMgr requirements, 291-293
baselines
    applying to collections, 251-252
    defining, 251
    monitoring, 246-253
BITS tab (Computer Client Agent), 179
BITS-enabled Distribution Points, 73
blocking device connections, 892-893
boot images, configuring, 209
boundaries
    configuring, 153-155
    establishing, 94-96
Branch Distribution Points, 73
BranchCache, 74

C

CAL license tracking, 241-242
calculating storage requirements, 557-558
capacity models, 38-39
    basic infrastructure requirements, 851
    capabilities, 850
    constructing, 846
    creating with Model Wizard, 853-860
        Application page, 858-859
        Client-Only Sites page, 854-855
        Hardware page, 857-858
        Mailbox Sites page, 853-854
        Model Summary page, 859-860
        Networks page, 855-856
    editing with Model Editor, 860-862
    simulations, 862-863
capturing performance information into OpsMgr, 396-397
CAS role monitor and rule sync times, 441
CAS Synthetic Transaction State view, 447
catalogs (AI), 235-236, 245-246
ccm.log file, 166
CCR (Client Configuration Request) files, 167
CDP (CRL Distribution Point) settings, 119-120
CDP (Continuous Data Protection), 547-548
Central Sites
    Configuration Manager 2007 R2 upgrade, 147
    configuring WSUS website for SSL, 139-140
    explained, 68, 114, 137-138
    installing, 143-145
    requesting Document Signing certificate, 140-143
    requesting OS Deployment certificate, 143
    reviewing site status, 146
    validating installation, 145-147
    WSUS 3.0 SP2, 138-139
Certificate Auto-Enrollment GPO, 120-122
Certificate Services website for SSL, 128-129
certificates, 120
    Certificate Auto-Enrollment GPO, 120-122
    Certificate Services website for SSL, 128-129
    Client Authentication certificate template, 122-123
    Client Certificate, 103, 115
    ConfigMgr Native mode requirements, 102
    Document Signing Certificate
        explained, 103, 115, 126
        requesting, 140-143
    monitoring DMZ servers with
        configuring agents to use certificates, 358
        creating certificate templates, 353
        explained, 352-353
        installing agents on DMZ servers, 356-357
        requesting certificates from root CA for mutual authentication, 355-356
        requesting root CA certificates, 353-355
    OS Deployment certificate
        explained, 124
        requesting, 143
    publishing certificate templates, 126-127
    root CA certificates, installing on SCE server, 974-975
    securing DMZ servers with, 283
    Server Authentication certificate templates, 124-126
    Server Certificate, 103, 115
    templates
        creating, 353
        explained, 103-104
certreq command, 882
Certreq TechNet site, 104
Certreq.exe command-line tool, 104, 119
CFS (Sanbolic Clustered File System), 639-640
change management
    activities, 810-811
        activity prefixes, 813
        MAs (manual activities), 831-832
        RAs (review activities), 828
    change requests
        adding reviewers to change requests, 824-825
        automatic notifications of change request status, 833-834
        closing, 832-833
        creating from configuration items, 818
        creating from incidents/problems, 819
        creating from scratch, 817
        creating from Self-Service Web Portal, 819-821
        explained, 810
        holding, 825-826
        investigating change requests, 822-824
        resuming, 826-827
        returning to activities, 825-828
        templates, 814-815
    change settings
        activity prefixes, 813
        Change Request Prefix, 811-812
        file attachment limits, 812-813
    CIs (configuration items)
        creating change requests from, 818
        deleting, 836-838
        explained, 835
        searching, 836-837
    explained, 34, 807-810
    reports
        Activity Management Report Library, 841
        Change Management Report Library, 840-841
        Configuration Management Report Library, 842-843
        explained, 838-839
        Service Manager report controls, 839
    workflows, 815-816
Change Management KPI Trend report, 840
Change Management Report Library, 840-841
Change Request Prefix, 811-812
change requests
    adding reviewers to, 824-825
    automatic notifications of change request status, 833-834
    closing, 832-833
    creating
        from configuration items, 818
        from incidents/problems, 819
        from scratch, 817
        from Self-Service Web Portal, 819-821
    explained, 810
    holding, 825-826
    investigating, 822-824
    resuming, 826-827
    returning to activities, 825-828
    templates, 814-815
    workflows, 815-816
channels, 366
Check Catalog (DBCC) task, 459
Check Database (DBCC) task, 459
Check Disk (DBCC) task, 459
child Primary Sites deployment, 148
CIs (configuration items)
    deleting, 836-838
    explained, 835
    searching, 836-837
classes
    AI (Asset Intelligence) reporting classes, 236-241
    Win32Reg_CompanyABC_Warranty, validating, 227
Client Access Server Active Alerts view, 447
Client Access Server Monitoring, 445-447
Client Access Servers State view, 447
Client Agents
    configuring for inventory collection
        explained, 221-222
        Hardware Inventory Client Agent, 222-223
        Software Inventory Client Agent, 222
    Desired Configuration Management Client Agent, 247-248
    enabling, 157
    Software Metering Client Agent, 234
Client Alerts view, 434
Client Authentication certificate template, creating, 122-123
Client Certificate, 103, 115
Client Configuration Request (CCR) files, 167
Client Health Components, 70-71
Client Installation Methods, 164
Client Performance Overview view, 435
Client Push Installation accounts, 84
Client RPC Latency view, 450
Client RPC Succeeded view, 450
Client State view, 435
Client-Only Sites page (Model Wizard), 854-855
clients. See also specific clients
    automatic client installation, 167
    Client Health Components, 70-71
    Client Installation Methods, 164
    client roaming, 56-57
    client schedules, 104-105
    controlling client access to regional servers, 162-163
    creating Registry keys on, 223-224
    discovery methods, 91, 164-165
    explained, 66-67
    locating content with, 174-176
    monitoring, 17
    port requirements, 82-83
    site assignment, 107
closing change requests, 832-833
cloud-based storage, 547
clusters
    explained, 285-286
    host clusters, 667-668
    protecting data on, 585
    VMM support for, 634-635
CMDB (configuration management database), 711
cmdlets
    Disable-NotificationSubscription, 394
    Enable-NotificationSubscription, 394
    Get-Help, 578
    Get-NotificationSubscription, 394-395
    New-DeviceDiscoveryConfiguration, 489
collecting inventory, 220, 960-961
collections
    configuring, 165-166
    creating, 182-185
    designing, 90-91
    maintenance windows, 184
command shells
    OpsMgr, 272-273, 391-392
    VMM (Virtual Machine Manager), 670-671
commands. See specific commands
communication ports (OpsMgr), 280-281
compliance, monitoring, 246-253
Component Servers, 114
Component Status page (ConfigMgr), 145-147
Computer Client Agent
    controlling bandwidth, 180-181
    explained, 96, 174, 178-181
    network access and policy retrieval, 178-181
    user experience, 179
Computer Details report, 842
computer discovery. See discovery
Computer Inventory report, 842
computer management (ConfigMgr), 177-178
Computer Management task, 413
computers, adding/modifying with Capacity Planner Hardware Editor, 852
Computers Diagram view, 466
Computers option (SCE management console), 931
Computers view, 457
ConfigMgr
    AD (Active Directory)
        configuring, 134-135
        extending AD schema, 56-57, 133-134
        site topology, 116-117
    agents
        Advertised Programs Client Agent, 180
        Computer Client Agent, configuring, 178-181
        installing, 166-167
        Software Updates Client Agent, 196-197
    AI (Asset Intelligence). See AI (Asset Intelligence)
    architecture, 115-116
    asset management. See assets
    asset tracking, 10
    business solutions addressed by, 9-10
    Central Site deployment
        Configuration Manager 2007 R2 upgrade, 147
        configuring WSUS website for SSL, 139-140
        explained, 68, 138
        installing Central Site Server, 143-145
        requesting Document Signing certificate, 140-143
        requesting OS Deployment certificate, 143
        reviewing site status, 146
        validating installation, 145-147
        WSUS 3.0 SP2 installation, 138-139
    certificate deployment
        Certificate Auto-Enrollment GPO, 120-122
        Certificate Services website for SSL, 128-129
        Client Authentication certificate template, 122-123
        Document Signing Certificate template, 126
        explained, 120
        OS Deployment certificate, 124
        publishing certificate templates, 126-127
        Server Authentication certificate templates, 124-126
    child Primary Site deployment, 148
    Client Health Components, 70-71
    clients
        automatic client installation, 167
        client installation methods, 164
        client roaming, 56-57
        client schedules, 104-105
        discovery methods, 164-165
        explained, 66-67
        locating content with, 174-176
    collections
        configuring, 165-166
        creating, 182-185
        maintenance windows, 184
    components summary, 65-66
    computer management, 177-178
    Configuration Manager connector deployment, 752-753
    configuring hierarchy
        boundaries, 153-155
        Client Agents, 157
        Distribution Points, 155
        explained, 54-55, 148-149
        FSP (Fallback Status Point), 151
        IBCM (Internet-Based Client Management), 156-157
        RP (Reporting Point), 151-152
        RSP (Reporting Service Point), 152-153
        Site System roles, 149-150
        SLP (Server Locator Point), 150-151
    console, 9
    content distribution
        operating system deployment, 59-60
        software distribution, 58
        software update distribution, 59
    databases
        explained, 219-220
        sizing, 89-90
    DCM (Desired Configuration Management)
        applying baselines to collections, 251-252
        Client Agent, 247-248
        defining configuration baselines, 251
        defining configuration items to monitor, 248-251
        explained, 63, 247-248
        monitoring baselines and compliance, 246-253
    design considerations
        bandwidth control, 93-94
        boundaries, 94-96
        client discovery and deployment, 91
        client settings, 96-97
        collections, 90-91
        data flow, 97-98
        disk performance, 98
        multiple sites, 92
        PXE Service Points (PSPs), 94
        SAN versus DAS, 98-100
        site-specific configuration settings, 92-93
        SQL versions, 100-101
        State Migration Points (SMPs), 94
        user/group discovery, 91-92
    design scenarios, 107
        large enterprise, 108-109
        small and medium enterprise, 108
    Desired Configuration Management, 11
    disaster recovery, 85-86
    Distribution Points
        BITS-enabled Distribution Points, 73
        Branch Distribution Points, 73
        BranchCache, 74
        explained, 72-73, 181-182
        Protected Distribution Points, 74
        selecting, 190-191
        Standard (SMB) Distribution Points, 73
    explained, 7, 50-53
    fault tolerance, 84-85
    FSP (Fallback Status Point), 74
    hardware requirements, 86-87
    Health Validator Point, 74-75
    history and revisions, 12-14
    IBCM (Internet-Based Client Management)
        client site assignment, 107
        explained, 105
        requirements and limitations, 105-106
        site system placement, 106-107
    IIS (Internet Information Services), 135-136
    Internet Client, 11
    inventory
        configuring Client Agents for, 221-223
        customizing hardware inventory, 223-226
        IDMIF files, 221
        inventory collection process, 220
        NOIDMIF files, 221
        validating inventory data, 227
        viewing inventory data, 228
    Management Point (MP), 75
    and MDM (Mobile Device Manager), 78-79, 908-909
    Native mode
        certificate requirements, 102
        certificate templates, 103-104
        explained, 79-80, 102
        PKI (Public Key Infrastructure), 103
    network bandwidth requirements, 88-89
    operating system deployment
        common scenarios, 204-205
        creating software packages, 206-207
        custom operating system images, 213-214
        deployment technologies, 203-204
        explained, 10, 160, 203
        monitoring, 213
        OS install packages, 207-210
        requirements, 205
        software distribution packages, 206
        troubleshooting, 212-213
        unknown computer support, 210-212
    Out-of-Band Service Point, 75
    patch management, 158-160
    patching/updating systems, 10-11
    PKI (Public Key Infrastructure), creating
        deploying Enterprise Root CA, 118-120
        explained, 118
        validating Enterprise Root CA, 120
    Primary Site Server, 68
    Proxy Management Points, 55-56
    PSP (PXE Service Point), 75-76
    regional server infrastructure
        controlling client access to regional servers, 162-163
        deploying regional site components, 161-162
        explained, 161
        WDS (Windows Deployment Service), 161
    remote control, 10
    reporting
        custom reports, 231
        explained, 12, 64, 228-231
        legacy reports, 231
        Reporting Services reports, 231-234
        software metering reports, 234-235
    roles, 113-115, 173-174
    RP (Reporting Point), 77
    RSP (Reporting Service Point), 77
    Secondary Sites, 55-56
    security
        management console, 80-82
        Mixed versus Native mode, 79-80
        port requirements, 82-83
        server communication, 80
        service account security, 83-84
    Site Server databases, 69-70
    SLP (Server Locator Point), 77-78
    SMP (State Migration Point), 76
    SMS Provider, 68-69
    software distribution
        configuring package programs, 189-190
        configuring software sources, 186
        creating software packages, 189
        customizing installation, 187-188
        deploying software automatically, 193-194
        explained, 11, 185-186
        monitoring software deployment, 195
        publishing software, 191-192
        selecting Distribution Points, 190-191
    software licensing data, importing, 243-245
    software metering
        explained, 63, 234
        reports, 234-235
        Software Metering Client Agent, 234
    software requirements, 87-88
    SQL Server
        installing, 130-132
        local firewall configuration, 132-133
        SQL service accounts, creating, 129
    SSL configuration, 136-137
    SUP (Software Update Point), 78
    System Center Online Services, 246-247
    update distribution
        deploying software updates, 200-201
        deployment templates, 197-198
        explained, 196
        managing update deployment, 201-202
        monitoring software update deployment, 202-203
        Software Updates Client Agent, 196-197
        update lists, 198-199
    WebDAV configuration, 137-138
    WOL (Wake On LAN), 71
configuration baselines
    applying to collections, 251-252
    defining, 251
    monitoring, 246-253
configuration items. See CIs (configuration items)
Configuration Items (CIs) with Most Incidents report, 804
Configuration Management Report Library, 842-843
Configuration Manager. See ConfigMgr
Configuration Manager Agent package, 206-207
configuration.mof file, editing, 225-226, 241-242
ConfigureSharePoint.exe utility, 606
configuring
    AD (Active Directory), 134-135
    agents to use certificates, 358
    AI (Asset Intelligence)
        AI catalog, 235-236
        Asset Intelligence Synchronization Point, 236
        logon auditing, 242-243
        reporting classes, 236
    alert forwarders, 346-349
    boot images, 209
    Certificate Services website for SSL, 128-129
    change settings
        activity prefixes, 813
        Change Request Prefix, 811-812
        file attachment limits, 812-813
    channels, 366
    Client Access Server Monitoring, 445-447
    Client Agents for inventory collection
        explained, 221-222
        Hardware Inventory Client Agent, 222-223
        Software Inventory Client Agent, 222
    Client Installation Methods, 164
    client monitoring, 426-427
    cluster configuration, 285-286
    collections, 165-166
    Computer Client Agent, 178-181
        network access and policy retrieval, 178-181
        policy retrieval, 178-181
        user experience, 179
    ConfigMgr console
        Client Agents, 157
        Distribution Points, 155
        explained, 149
        FSP (Fallback Status Point), 151
        IBCM (Internet-Based Client Management), 156-157
        RP (Reporting Point), 151-152
        RSP (Reporting Service Point), 152-153
        Site System roles, 149-150
        SLP (Server Locator Point), 150-151
    DCM (Desired Configuration Management)
        applying baselines to collections, 251-252
        Client Agent, 247-248
        defining configuration baselines, 251
        defining configuration items to monitor, 248-251
        explained, 247-248
        monitoring baselines and compliance, 246-253
    Desired Configuration Management, 11
    discovery methods, 164-165
    DPM (Data Protection Manager) 2010
        disks, 563-564
        protection agent deployment, 565-570
        protection groups, 570-574
        tape library, 564-565
    IBCM (Internet-Based Client Management), 156-157
    incident settings, 761
        file attachment limits, 761-762
        inbound email settings, 766-769
        incident prefix, 761
        Operations Manager Web console settings, 765-766
        priority calculation, 762-764
        resolution times, 764-765
    Internet mail flow, 443-444
    intraorganization synthetic transactions, 443-444
    management packs
        Active Directory Management Pack, 423-424
        Cross Platform Management Packs, 461-465
        Exchange 2007 Management Pack, 438-442
        Operations Manager Management Pack, 408-410
        SQL Server Management Pack, 455
    Non-Privileged User accounts, 464
    notifications
        SMTP notification channel, 771-772
        templates, 772-773
    OpsMgr
        Agent Proxy configuration, 362-363
        agent restart recovery, 363-364
        Global Management Group Settings, 359-361
        notifications and subscriptions, 364-367
    package programs, 189-190
    Privileged User accounts, 462-463
    problem settings
        explained, 793
        file attachment limits, 794
        priority calculation, 795-796
        problem prefix, 793
    Remote Assist, 947-948, 949-950
    Remote Desktop, 948-949
    response time alerts, 963-964
    site boundaries, 153-155
    software sources, 185
    SSL, 136-137
    System Center Essentials on single server, 924-928
    VMM library, 668-669
    WebDAV, 137-138
    Windows Management Pack, 415
Connector Framework, 277-278, 711
connectors (Service Manager)
    Configuration Manager connector deployment, 752-753
    deployment
        Active Directory connector, 747-748
        Operations Manager connector, 748-752
consoles. See specific consoles
consolidated reporting, 34
containers
    Discovered Inventory, 960
    System Management container, creating with ADSI Edit, 134-135
    Update Repository, 59
content, locating with clients, 174-176
content distribution
    operating system deployment, 59-60
    software distribution, 58
    software update distribution, 59
Continuous Data Protection (CDP), 547-548
Conversion Information page (Convert Physical Server Wizard), 677
Convert Physical Server Wizard, 673-679
    Additional Properties page, 677
    Conversion Information page, 677
    Gather System Information page, 674-675
    Select Networks page, 677
    Select Path page, 676
    Select Source page, 674, 676
    Summary page, 678-679
    Virtual Machine Identity page, 674
    Volume Configuration page, 675-676
Convert Virtual Server Wizard, 679-683
    Additional Properties page, 682
    Select Host page, 681-682
    Select Networks page, 682
    Select Path page, 682
    Summary page, 682-683
    Virtual Machine Identity page, 680-681
converting servers to virtual guest sessions, 967-968
core client access licenses, 47
Create New Protection Group Wizard, 570-574, 589-592, 616-617
Create User Role Wizard, 687-690
CreatingCustomReportsByUsingSQLViews.msi, 229
Critical alerts, 365
critical events, resolving, 942-944
CRL Distribution Point (CDP) settings, 119-120
Cross Platform Management Packs
    configuring, 461-465
    explained, 461
    reports, 467-468
    views, 465-466
current usage analysis, 39
custom ACS (Audit Collection Services) reports, 525-528
custom AI (Asset Intelligence) catalogs, 245-246
custom collections, creating, 182-185
custom host ratings (VMs), 693-695
custom management packs, 288
    Authoring Console, 481
    creating, 481-485
    editing existing XML management pack files, 485-486
    sealing management packs via command line, 486
custom operating system images, 213-214
custom reports, 231
custom volumes (DPM), 579-580
Customization tab (Computer Client Agent), 179

D

D2D (disk-to-disk), 546
D2D2T (disk-to-disk-to-tape), 546
DA (Distributed Application) object, 486-487
Daily Alert report, 513, 519-521
DAS (Direct Attached Storage), 98-100, 297-299, 717
Dashboard view (Operations Manager console), 390
dashboards. See SLDs (Service Level Dashboards)
data flow, 97-98
Data Protection Manager. See DPM (Data Protection Manager) 2010
data recovery, DPM (Data Protection Manager) 2010, 580-581
data warehouse (Service Manager), 711, 738-741
Data Warehouse Write Action account, 282
Database Engine Health view, 458
Database Free Space view, 458
Database Grooming settings (OpsMgr), 360-361
database server (VMM), designing, 648
Database State view, 450, 457
databases
    audit collection database, 275-276, 287
    CMDB (configuration management database), 711
    Configuration Manager databases, 219-220
    Database Grooming settings, 360-361
    Exchange databases
        protecting, 589-592
        restoring, 592-594
    integrated solutions databases, 19
    master database, 287
    operations database, 296
    Operations Manager database, 287
        backing up, 379-384
        explained, 268-269
        hardware/software requirements, 268-269
        recovering, 611
    Reporting data warehouse, 269-270
    reporting database, 296
    Service Manager database, backing up, 754-756
    Site Server databases, 69-70
    sizing, 89-90, 292-294
    SQL Server databases
        protecting, 598-600
        restoring, 600-602
        SQL End User Recovery, 602-605
    VMM database
        deployment, 650
        designing, 648
dataldr.log file, 242
DB Space Free (%) monitor, 456
DC Active Alerts view, 432
DC Events view, 433
DC Performance Data view, 433
DC Server 2008 Active Alerts view, 433
DC Server 2008 Events view, 433
DC Server 2008 State view, 433
DC State view, 433
DCDIAG task, 436
DCM (Desired Configuration Management)
    applying baselines to collections, 251-252
    Client Agent, 247-248
    defining configuration baselines, 251
    defining configuration items to monitor, 248-251
    explained, 63, 247-248
    monitoring baselines and compliance, 246-253
deadlines, setting on updates, 956-957
declining updates, 954-956
Default Management Point, 174
defragmentation applications, file exclusions for, 376-377
Delegated Administrator role (VMM), 684, 686-687
Delete Aged Client Access License Data Properties task, 242
deleting CIs (configuration items), 836-838
delivering
    reports
        Alert reports, 507-508
        Performance reports, 502-503
delivering reports, 496-497
Deploy Virtual Machine Wizard, 695-697
deployment
    Central Sites. See Central Sites
    certificates
        Certificate Auto-Enrollment GPO, 120-122
        Document Signing Certificate, 126
        explained, 120
        OS Deployment certificate, 124
        publishing certificate templates, 126-127
        Server Authentication certificate templates, 124-126
    child Primary Sites, 148
    Distribution Points, 155
    DPM (Data Protection Manager) 2010
        DPM server design, 558-559
        DPM server preparation, 559-560
        environment concerns, 553-554
        explained, 552
        project scope, 554
        protection agents, 565-570
        protection groups, 555-557
        remote SQL instance, 560
        running DPM installation, 560-562
        storage requirements, 557-558
    Enterprise Root CA, 118-120
    FSP (Fallback Status Point), 151
    operating systems
        common scenarios, 204-205
        common technologies, 59-60
        creating software packages, 206-207
        custom operating system images, 213-214
        deployment technologies, 203-204
        explained, 10, 203
        monitoring, 213
        requirements, 205
        software distribution packages, 206
        troubleshooting, 212-213
        unknown computer support, 210-212
    OpsMgr
        design and planning phase, 313-315
        design principles training, 313
        explained, 312-313
        pilot phase, 317-319
        POC (proof of concept) phase, 315-317
        production phase, 319
        time estimates per phase, 319
    regional site components, 161-162
    RP (Reporting Point), 151-152
    RSP (Reporting Service Point), 152-153
    Service Manager
        Active Directory connector, 747-748
        components, 735-738
        Configuration Manager connectors, 752-753
        data warehouse, 738-741
        Design and Planning phase, 728-730
        Design Principles Training phase, 728
        Extract, Transform, and Load (ETL) jobs, 743-744
        management group registration, 741-743
        Operations Manager connector, 748-752
        Pilot phase, 732-734
        POC (proof of concept) phase, 730-732
        Production phase, 734
        steps, 734-735
        time estimates per phase, 734-735
        Web Portals, 744-746
    Site System roles, 149-150
    SLP (Server Locator Point), 150-151
    software. See software distribution
    VMM (Virtual Machine Manager)
        Administrator Console, 654-656
        Agent, 657-661
        multiple-server deployment, 650
        Self-Service Portal, 656-657
        single-server deployment, 650
        understanding environment, 644-649
        VMM Server, 649-654
    VMs (virtual machines), 695-697
    WDS (Windows Deployment Service), 161
deployment templates, 59, 196-197
deprovisioning process, managing, 867-868
Design and Planning phase
    OpsMgr deployment, 313-315
    Service Manager deployment, 728-730
Design Principles Training phase
    OpsMgr deployment, 313
    Service Manager deployment, 728
designing
    ConfigMgr architecture
        bandwidth control, 93-94
        boundaries, 94-96
        client discovery and deployment, 91
        client settings, 96-97
        collections, 90-91
        data flow, 97-98
        disk performance, 98
        explained, 107
        large enterprise, 108-109
        multiple sites, 92
        PXE Service Points (PSPs), 94
        SAN versus DAS, 98-100
        site-specific configuration settings, 92-93
        small and medium enterprise, 107
        SQL versions, 100-101
        State Migration Points (SMPs), 94
        user/group discovery, 91-92
    DPM (Data Protection Manager) server, 558-559
    MDM (Mobile Device Manager) implementation
        medium to large environment with extensive enrollment requirements, 874-875
        small environment with advanced IPSec VPN security requirements, 873
        small environment with basic SSL security requirements, 872
    OpsMgr implementation
        large enterprise design, 308-312
        medium enterprise design, 305-308
        small enterprise design, 303-305
    Service Manager architecture
        explained, 719
        large enterprise design, 724-726
        medium enterprise design, 722-724
        small enterprise design, 720-722
Desired Configuration Management. See DCM (Desired Configuration Management)
Desired Configuration Management Client Agent, 96
device discovery. See discovery
Device Encryption Enabled setting (Exchange Server 2007), 906
Device Management server
    explained, 870-871
    prerequisites, 875
device monitoring (SNMP)
    explained, 489-490
    troubleshooting, 490-491
Device Status Details report, 898
Device Status Summary report, 898
devices
    adding/modifying with Capacity Planner Hardware Editor, 852
    blocking device connections, 892-893
    device groups
        approving packages to be deployed to device groups, 897-898
        creating with Model Wizard, 896-897
    device inventory and tracking, 41
    device provisioning, 41, 886-887
    device wipe and deprovisioning, 41
    disabling applications on, 901-902
    discovery
        autodiscover, 938-939
        manual discovery, 940-941
    enforcing policies to, 866-867, 902
    identifying devices that are pending enrollment, 888-889
    locking down, 901
    managing with MDM (Mobile Device Manager), 866
    Mobile VPN connections, 904
    mobility access controls, 903-904
    pre-enrolling, 887-888
    setting password policies for, 902-903
    tracking, 867
    wiping, 890-892
DFS namespace, protecting data in, 585
Diagram view (Operations Manager console), 390
"dip stick" health checks, 368-369
Direct Attached Storage (DAS), 98-100, 297-299, 717
Disable Audit Collection task, 413
Disable-NotificationSubscription cmdlet, 394
disabling applications, 901-902
disaster recovery
    backups
        ConfigMgr, 85-86
        OpsMgr, 287-289
    defined, 283
Discovered Inventory container, 960
discovery
    autodiscover, 938-939
    discovery methods, 164-165
    explained, 937-938
    manually discovering computers, 939-940
    manually discovering network devices, 940-941
disk performance
    ConfigMgr, 98
    OpsMgr, 296-297
    Service Manager, 717
disk-based storage, 546
disks, adding to storage pool, 563-564
disk-to-disk (D2D), 546
disk-to-disk-to-tape (D2D2T), 546
Display Account Settings task, 420
Display Active Connections task, 420
Display Active Sessions task, 420
Display Local Users task, 420
Display Network Shares task, 420
Display Server Statistics task, 420
Display Workstation Statistics task, 420
Distributed Application (DA) object, 486-487
distributed application monitoring
    building distributed application model, 487-488
    explained, 486-487
    sample distributed applications, 488-489
distributing software. See software distribution
Distribution Points, 115
    BITS-enabled Distribution Points, 73
    Branch Distribution Points, 73
    BranchCache, 74
    deployment, 155
    explained, 72-73, 174, 181-182
    Protected Distribution Points, 74
    selecting, 190-191
    Standard (SMB) Distribution Points, 73
Distributor State view, 458
DMZ servers
    monitoring with certificates
        configuring agents to use certificates, 358
        creating certificate templates, 353
        explained, 352-353
        installing agents on DMZ servers, 356-357
        requesting certificates from root CA for mutual authentication, 355-356
        requesting root CA certificates, 353-355
    securing with certificates, 283
Document Signing Certificate
    explained, 103, 115
    requesting, 140-143
domain controller performance collection, 431-433
Domain Join accounts, 84
domain-attached systems, installing agents on, 973-974
downloading management packs (OpsMgr), 401-402
DPM (Data Protection Manager) 2010
    Administrator Console, 575-577
    business solutions addressed by, 23-24
    capabilities, 24-27
    CDP (Continuous Data Protection), 547-548
    cloud-based storage, 547
    configuring
        disks, 563-564
        protection agent deployment, 565-570
        protection groups, 570-574
        tape library, 564-565
    console, 23
    custom volumes, 579-580
    D2D2T (disk-to-disk-to-tape), 546
    data recovery, 580-581
    deployment
        DPM server design, 558-559
        DPM server preparation, 559-560
        environment concerns, 553-554
        explained, 553
        project scope, 554
        protection agents, 565-570
        protection groups, 555-557
        remote SQL instance, 560
        running DPM installation, 560-562
        storage requirements, 557-558
    disk-based storage, 546
    Exchange Server protection
        additional considerations, 597-598
        high-availability considerations, 596-597
        protecting Exchange databases, 589-592
        recoverable, 588-589
        restoring Exchange databases, 592-594
        restoring mailboxes, 594-596
    explained, 7, 22, 542-544, 582-583
    file server protection
        data in DFS namespaces, 585
        data on file server clusters, 586
        data on mount points, 586
        data sources and recoverable data, 584-585
    hardware requirements, 552
    history and revisions, 27
        DPM 2006, 548
        DPM 2006 SP1, 548-549
        DPM 2007, 549-550
        DPM 2007 SP1, 550
        DPM 2010, 550-552
    installation, 560-562
    integrating with Operations Manager, 620-624
    Management Shell, 577-578
    modern data recovery needs, 544-545
    protection groups
        creating, 570-574
        designing, 555-557
    SharePoint farm protection
        data sources and recoverable data, 605
        preparing SharePoint for protection, 606-607
        protecting SharePoint farms, 607-609
        recovering content databases, 611
        recovering SharePoint farms, 609-611
        recovering sites, lists, and items, 611-615
    software requirements, 552-553
    SQL Server protection
        EUR Client, 603-604
        explained, 598
        protecting SQL Server databases, 598-600
        restoring SQL Server databases, 600-602
        SQL End User Recovery feature, 602-605
    System State protection, 586-587
How can we make this index more useful? Email us at ¡[email protected]
1004
DPM (Data Protection Manager) 2 0 1 0
virtualized environment protection automatically protecting new machines, 617-618 explained, 615 ILR (item-level recovery), 620-619 protecting Hyper-V virtual machines, 615-617 recovering Hyper-V virtual machines, 618-619 DPM Setup Wizard, 5 6 1 - 5 6 2 DPMRecoveryWebApplication, 6 0 6 - 6 0 7 dragging and dropping VM onto host server, 7 0 4 drivers, managing, 2 0 8
E
Edge Servers Alerts view, 449
Edge Servers State view, 449
editing
  capacity models, 860-862
  configuration.mof file, 225-226
  sms_def.mof, 226
  XML management pack files, 485-486
editors
  Capacity Planner Hardware Editor, 847
  Capacity Planner Model Editor, 847
  Hardware Editor
    adding/modifying computers, 852
    adding/modifying devices, 852
    explained, 851-852
    list icons, 852
  Model Editor, 860-862
email
  creating incidents from, 782-783
  email host server addresses, changing, 979
  inbound email settings, 766-769
Enable Audit Collection task, 407
Enable-NotificationSubscription cmdlet, 394
enabling. See configuring
encryption keys, backing up, 756
end-to-end service monitoring, 259
enforcing policies to mobile devices, 866-867, 902
Enrollment server
  explained, 871
  installing, 880
  prerequisites, 876
Enterprise Edition (SQL Server), 100
Enterprise Root CA, 103, 115
  deployment, 118-120
  validating, 120
Enumerate Trusts task, 436
ETL (Extract, Transform, and Load) jobs, 743-744
EUR Client, 603-604
evaluating incidents, 783-784
Event view (Operations Manager console), 389
events
  critical events, resolving, 942-944
  event correlation, 17
  event log collection, 17
  warning events, 944-945
ExBPA Events view, 447
Exchange 2007 Management Pack
  Client Access Server Monitoring, 445-447
  configuring, 438-442
  explained, 433
  Internet mail flow, 443-444
  intraorganization synthetic transactions, 443-444
  reports, 453-454
  tasks, 452-453
  views, 447-452
Exchange Server
  and MDM (Mobile Device Manager), 904-908
  protecting with DPM (Data Protection Manager)
    additional considerations, 597-598
    high-availability considerations, 596-597
    protecting Exchange databases, 589-592
    recoverable, 588-589
    restoring Exchange databases, 592-594
    restoring mailboxes, 594-596
exporting
  management packs, 403-404
  reports from OpsMgr, 496
Export-MDMGatewayConfig command, 882
EXTADSCH.exe, 133-134
ExtADSch.log file, 134
extending AD (Active Directory) schema, 56-57, 133-134
Extract, Transform, and Load (ETL) jobs, 743-744

F
Fallback Status Point (FSP), 74, 114
fault tolerance
  clustering, 285-286
  defined, 283
  explained, 84-85, 284-285
  management group redundancy, 284
  NLB (Network Load Balancing), 85
file exclusions for antivirus and defragmentation applications, 376-377
file servers
  clusters, protecting data on, 585
  protecting with DPM (Data Protection Manager)
    data in DFS namespaces, 585
    data on file server clusters, 585
    data on mount points, 586
    recoverable, 584-585
files
  AIUpdateSvc.log, 236
  ccm.log, 166
  CCR (Client Configuration Request) files, 167
  configuration.mof file, editing, 225-226, 241-242
  dataldr.log, 242
  ExtADSch.log file, 134
  file attachment limits, 761-762, 794, 812-813
  fspmgr.log, 151, 166
  fspMSI.log, 151
  IDMIF files, 221
  InventoryAgent.log, 220
  NOIDMIF files, 221
  ReportingServicesService.exe.config, 512-513
  Rsetup.log, 151-152
  sms_def.mof, editing, 226
  SMSReportingInstall.log, 151-152
  SMSFSPSetup.log, 151
  SNK (Strong Name Key) files, 486
  SUPSetup.log, 159
  WSUSCtrl.log, 159
Firewall Rule exceptions, 978-979
firewalls
  configuring for SQL Server, 132-133
  Firewall Rule exceptions, 978-979
  OpsMgr communication ports, 280-281
Flush Health Service State and Cache task, 413
folders
  All Open Unassigned Incidents, 784
  My Incidents, 785
  Software Updates - A Compliance folder, 202
Forensic reports, 523
FSP (Fallback Status Point), 74, 114, 151
fspmgr.log file, 151, 166
fspMSI.log file, 151

G
Gateway server
  explained, 273-274, 871
  hardware/software requirements, 274
  installing, 880-884
  prerequisites, 876
Gather System Information page (Convert Physical Server Wizard), 674-675
General tab (Computer Client Agent), 178
geographic-based management groups, 301-302
Get-Command command, 671
Get-Help cmdlet, 578
Get-Help command, 671
Get-NotificationSubscription cmdlet, 394-395
Get-NotificationSubscriptions cmdlet, 394
Global Configuration Setting (2005/2008) task, 459
Global Management Group Settings (OpsMgr), 359-361
Global Topology view (Model Editor), 860-861
GP Update task, 436
Group Policy templates, installing, 898-900
groups
  adding users to, 541
  creating for SLD sites, 540
  device groups
    approving packages to be deployed to device groups, 897-898
    creating with Model Wizard, 896-897
  discovery, 91-92
  group policies
    Certificate Auto-Enrollment GPO, 120-122
    Group Policy templates, installing, 898-900
    in MDM (Mobile Device Manager), 871-872
  host groups
    creating, 666-667
    dragging and dropping VMs onto, 705
  management groups
    defining, 295
    geographic-based management groups, 301-302
    Global Management Group Settings, 359-361
    multiple management groups, 301
    political or security-based management groups, 302
    redundancy, 284
    registering, 741-743
  protection groups
    creating, 570-574
    designing, 555-557

H
Hardware 03A-10C reporting classes, 237-238
Hardware Editor
  adding/modifying computers, 852
  adding/modifying devices, 852
  explained, 847, 851-852
  list icons, 852
hardware inventory
  customizing
    creating Registry keys on client, 223-224
    editing configuration.mof file, 225-226
    editing sms_def.mof file, 226
    explained, 223
  explained, 61-62
  viewing, 960
Hardware Inventory Client Agent, 96, 222-223
Hardware page (Model Wizard), 857-858
hardware reports (AI), 247
hardware requirements
  for ConfigMgr, 86-87
  for DPM (Data Protection Manager), 552
  for OpsMgr, 290
    ACS (Audit Collection Services), 277
    audit collection database, 276
    audit collector, 275
    Connector Framework, 278
    Gateway server, 274
    management server, 267
    Operations Console, 271
    Operations Manager database, 268
    Reporting data warehouse, 270
    Reporting Server, 270
    Root Management Server, 266
    Web console, 272
  for SCCP (System Center Capacity Planner), 848-849
  for Service Manager, 714-715
  for System Center Essentials
    multiserver configuration, 918
    multisite configuration, 919
    single-server configuration, 918
  for VMM (Virtual Machine Manager)
    Administrator Console, 642
    Self-Service Portal, 643
    VMM server, 640
Health Service Heartbeat Failure monitor, 409
Health Service tasks, 412-414
Health Service Watcher, 363
Health Validator Point, 74-75
high-availability scenarios and DPM (Data Protection Manager), 596-597
holding change requests, 825-826
hosts
  dragging and dropping VMs onto, 704
  host clusters, 667-668
  host groups
    creating, 666-667
    dragging and dropping VMs onto, 705
  host ratings, customizing for VMs (virtual machines), 693-695
  managing, 667-668
  virtual host management, 44-45
Hub Server Alerts view, 449
Hub Server State view, 449
Hyper-V host servers
  adding, 965
  automatically protecting new machines, 617-618
  host clusters, 667-668
  host groups, creating, 666-667
  importing VMware guest sessions to, 968-969
  managing, 667-668
  protecting, 615-617
  recovering, 618-619
  virtual network switches, creating, 980
  VMM (Virtual Machine Manager). See VMM (Virtual Machine Manager)

I
IBCM (Internet-Based Client Management)
  client site assignment, 107
  configuring, 156-157
  explained, 105
  requirements and limitations, 105-106
  site system placement, 106-107
icons, Hardware Editor list icons, 852
IDMIF files, 221
IIS (Internet Information Services), 287
  IIS 6.0 metabase backup, 383-384
  IIS 7.x configuration backup, 385
  implementing, 134-135
  SSL configuration, 136-137
  WebDAV, 137-138
ILR (item-level recovery), 620-619
images, 852
importing
  management packs, 369-371
  management packs (OpsMgr), 400
  software licensing data, 243-245
inbound email settings, 766-769
Incident Analyst report, 800, 803
Incident Detail report, 800
Incident KPI Trend report, 800
incident management
  announcements, publishing, 787-788
  creating with OpsMgr alerts, 777-780
  explained, 34-35, 757-760
  incident settings, 761
    file attachment limits, 761-762
    inbound email settings, 766-769
    incident prefix, 761
    Operations Manager Web console settings, 765-766
    priority calculation, 762-764
    resolution times, 764-765
  incidents
    analyzing, 784-787
    creating from emails, 782-783
    creating manually, 775-777
    creating with Self-Service Web Portal, 779-781
    defined, 760
    evaluating and assigning, 783-784
    resolving, 791-793
incident management (continued)
  notifications
    explained, 770
    Service Manager notification architecture, 770-771
    SMTP notification channel, 771-772
    subscriptions, 773-775
    templates, 772-773
  problem settings
    explained, 793
    file attachment limits, 794
    priority calculation, 795-796
    problem prefix, 793
  problems
    analyzing, 797-798
    creating, 796-797
    defined, 760, 796
    resolving, 799
  reports
    explained, 799
    Incident Management Report Library, 800-804
    Problem Management Report Library, 804-805
    Service Manager report controls, 799-800
  troubleshooting tasks, 788-791
Incident Management Report Library, 800-804
Incident Resolution report, 803-804
incidents. See also incident management
  analyzing, 784-787
  creating
    from emails, 782-783
    manually, 775-777
    with OpsMgr alerts, 777-780
    with Self-Service Portal, 779-781
  creating change requests from, 819
  evaluating and assigning, 783-784
  resolving, 791-793
  troubleshooting, 788-791
Information alerts, 365
installing
  Administrator Console (VMM), 654-656
  agents, 166-167
    on DMZ servers, 356-357
    on domain-attached systems, 973-974
    Firewall Rule exceptions, 978-979
    on nondomain joined systems, 974-977
  Central Site Server, 143-145
  Configuration Manager 2007 R2 upgrade, 147
  DPM (Data Protection Manager) 2010, 560-562
  FSP (Fallback Status Point), 151
  Group Policy templates, 898-900
  management packs (OpsMgr), 402-403
  MDM (Mobile Device Manager)
    Administrator Tools, 885-886
    Enrollment server, 880
    Gateway server, 880-884
    initial MDM acquisition and setup options, 877-879
    Self-Service Portal, 884-885
    step-by-step installation process, 879-880
  OpsMgr
    explained, 321-324
    multiserver OpsMgr 2007 R2 install, 329-337
    OpsMgr 2007 R2 ACS (Audit Collection Services) install, 337-343
    single-server OpsMgr 2007 R2 install, 324-329
    UNIX/Linux agents, 349-352
    Windows agent installation, 343-345
  RP (Reporting Point), 151-152
  RSP (Reporting Service Point), 152-153
  SCCP (System Center Capacity Planner), 849-850
  Self-Service Portal (VMM), 656-657
  SLDs (Service Level Dashboards), 537-539
  SLP (Server Locator Point), 150-151
  SQL Server, 130-132
  System Center Essentials
    on separate servers
      management console tools, 928-929
      SCE Reporting Services, 929-930
installing (continued)
  System Center Essentials
    on single server
      preparation, 920
      running SCE Configuration Wizard, 924-928
      running SCE installation, 921-923
  VMM Agent, 657-661
  VMM Server, 651-692
  Web Portals, 744-746
  WSUS 3.0 SP2, 138-139
integrated solutions databases, 19
Internet
  downloading management packs from, 401-402
  importing management packs from, 400
Internet Client, 11
Internet Information Services. See IIS (Internet Information Services)
Internet mail flow, configuring, 443-444
Internet Management Point, 174
Internet-Based Client Management. See IBCM (Internet-Based Client Management)
Intersite Replication Traffic view, 435
intraorganization synthetic transactions, configuring, 443-444
inventory
  collecting manually, 960-961
  configuring Client Agents for
    explained, 221-222
    Hardware Inventory Client Agent, 222-223
    Software Inventory Client Agent, 222
  customizing hardware inventory
    creating Registry keys on client, 223-224
    editing configuration.mof file, 225-226
    editing sms_def.mof file, 226
    explained, 223
  of devices, 41
  explained, 61-62, 960
  IDMIF files, 221
  inventory collection process, 220
  NOIDMIF files, 221
  validating inventory data, 227
  viewing, 228, 960
InventoryAgent.log file, 220
investigating change requests, 822-824
Ipconfig task, 420
item-level recovery (ILR), 620

J-K
Jobs dialog box, 703
KB (knowledge base), 711
knowledge base (KB), 711

L
large enterprise design
  ConfigMgr, 108-109
  OpsMgr, 308-312
  Service Manager, 724-726
LDP Tool Console Task, 436
legacy reports, 231
libraries
  Activity Management Report Library, 841
  Change Management Report Library, 840-841
  Configuration Management Report Library, 842-843
  Incident Management Report Library, 800-804
  Problem Management Report Library, 800-804
  tape libraries, configuring, 564-565
  VMM library
    configuring, 668-669
    designing, 643-649
    explained, 632-633
License 01A-15B reporting classes, 238-239
licensing
  CAL license tracking, 241-242
  core client access licenses, 47
  explained, 46
licensing (continued)
  license reports (AI), 247
  Server Management Suite licenses, 47
  software licensing data, importing, 243-245
Linux agents, installing, 349-352
Linux Non-Privileged Users, assigning to UNIX Action Account profile, 464
Linux Privileged Users, assigning to UNIX Privileged Account profile, 464-465
List of Activities report, 841
List of Incidents report, 801-802
List of Manual Activities report, 841
List of Problems report, 804-806
List of Review Activities report, 841
List of RFCs report, 840
List Processes task, 420
List Services task, 420
List Top Processes on DC task, 436
Local Administrator account, 282
Local Latency view, 450
locking devices, 901
log files
  AIUpdateSvc.log, 236
  ccm.log, 166
  dataldr.log, 242
  ExtADSch.log file, 134
  fspmgr.log, 166
  fspmgr.log file, 151
  fspMSI.log, 151
  InventoryAgent.log, 220
  Rsetup.log, 151-152
  SMSFSPSetup.log, 151
  SMSReportingInstall.log, 151-152
  SUPSetup.log, 159
  WSUSCtrl.log, 159
Logical Disk Defragmentation, 420
Logical Disk Free Space monitor, 416
Logical Disk State view, 466
logon auditing, 242-243

M
Mail Flow State view, 450
Mailbox Servers Active Alerts view, 449
Mailbox Servers State view, 450
Mailbox Sites page (Model Wizard), 853-854
mailboxes
  monitor and rule sync times, 442
  restoring, 594-596
Maintenance mode
  putting servers into, 945-947
  in VMM 2008 R2, 639
maintenance windows for collections, 184
Management Configuration Service - Windows Service State monitor, 409-410
management console (MDM), 870
management console (SCE)
  Administration option, 935-937
  Authoring option, 937
  Computers option, 931
  explained, 930-931
  installing console tools, 928-929
  Monitoring option, 932-933
  Reporting option, 934-935
  Software option, 933-934
  Updates option, 933-934
management groups
  defining, 295
  geographic-based management groups, 301-302
  Global Management Group Settings, 359-361
  multiple management groups, 301
  political or security-based management groups, 302
  redundancy, 284
  registering, 741-743
Management Information Format (MIF) files
  IDMIF files, 221
  NOIDMIF files, 221
Management Pack Templates
  explained, 468-469
  OLE DB Data Source Template, 474-476
  Process Monitoring Template, 476-478
  TCP Port Template, 477-479
  Unix/Linux Log File Template, 478-479
  Unix/Linux Service Template, 480
  Web Application Template, 469-471
  Windows Service Template, 471-474
management packs
  Active Directory Management Pack
    client monitoring, 426-427
    configuring, 423-424
    domain controller performance collection, 431-433
    explained, 423
    replication monitoring, 427-431
    reports, 437-438
    tasks, 436-437
    views, 432-436
  alert tuning, 405-408
  Cross Platform Management Packs
    configuring, 461-465
    explained, 461
    reports, 467-468
    views, 465-466
  custom management packs, 288
    Authoring Console, 481
    creating, 481-485
    editing existing XML management pack files, 485-486
    sealing management packs via command line, 486
  downloading, 401-402
  Exchange 2007 Management Pack
    Client Access Server Monitoring, 445-447
    configuring, 438-442
    explained, 433
    Internet mail flow, 443-444
    intraorganization synthetic transactions, 443-444
    reports, 453-454
    tasks, 452-453
    views, 447-452
  explained, 258, 386-388
  exporting, 403-404
  importing, 369-371, 400
  installing manually, 402-403
  Management Pack Templates
    explained, 468-469
    OLE DB Data Source Template, 474-476
    Process Monitoring Template, 476-478
    TCP Port Template, 477-479
    Unix/Linux Log File Template, 478-479
    Unix/Linux Service Template, 480
    Web Application Template, 469-471
    Windows Service Template, 471-474
  Management Pack tree item, 393, 399-400
  Operations Manager Management Pack
    configuring, 408-410
    explained, 420-408
    tasks, 412-414
    views, 410-412
  override management packs, 287, 404-405
  SQL Server Management Pack
    configuring, 455
    explained, 454-455
    reports, 460-461
    tasks, 459-460
    tuning, 455-457
    views, 457-459
  updating, 371-372
  Windows Management Pack
    configuring, 415
    explained, 415
    reports, 421-423
    tasks, 418-421
    tuning, 416
    views, 416-419
Management Packs tree item (OpsMgr), 393, 399-400
management points. See specific management points
Management Server
  explained, 266-268
  hardware/software requirements, 267-268
Management Server Action account, 282
Management Shell (DPM), 577-578
manual activities (MAs), 831-832
Manual Activity Details report, 841
manual agents, accepting, 359-360
MAs (manual activities), 831-832
master database, 287
Maximum Attachment Size setting (Exchange Server 2007), 907
Maximum Calendar Age setting (Exchange Server 2007), 907
Maximum E-mail Age Filter setting (Exchange Server 2007), 907
Maximum E-mail Body Truncation Size setting (Exchange Server 2007), 907
Maximum Failed Password Attempts setting (Exchange Server 2007), 907
Maximum HTML E-mail Body Truncation Size setting (Exchange Server 2007), 907
Maximum Inactivity Time Lock setting (Exchange Server 2007), 907
MDM (Mobile Device Manager)
  active updates and device management, 41
  business solutions addressed by, 40-41
  capabilities, 864-868
    help desk tools, 867-868
    mobile device management, 866
    mobile device tracking, 867
    policy enforcement, 866-867
    provisioning and deprovisioning management, 867-868
  console, 40
  designing implementation of
    medium to large environment with extensive enrollment requirements, 874-875
    small environment with advanced IPSec VPN security requirements, 873
    small environment with basic SSL security requirements, 872
  devices
    approving packages to be deployed to device groups, 897-898
    blocking device connections, 892-893
    creating device groups, 896-897
    device provisioning, 41
    disabling applications on, 901-902
    enforcing policies to, 902
    identifying devices that are pending enrollment, 888-889
    inventory and tracking, 41
    locking down, 901
    pre-enrolling, 887-888
    provisioning through Self-Service Portal, 886-887
    setting password policies for, 902-903
    wipe and deprovisioning, 41
    wiping, 890-892
  explained, 8, 40
  Group Policy templates, installing, 898-900
  history and revisions, 42, 868
    initial release of MDM 2008, 868
    MDM 2008 SP1, 868-870
  installing
    Administrator Tools, 885-886
    Enrollment server, 880
    Gateway server, 880-884
    initial MDM acquisition and setup options, 877-879
    Self-Service Portal, 884-885
    step-by-step installation process, 879-880
  and Microsoft Exchange Server, 904-908
  Mobile VPN connections, 904
  mobility access controls, 903-904
  packages
    approving packages to be deployed to device groups, 897-898
    checking status of, 898
  password and PIN control, 41
  preparing server for, 877
  prerequisites
    for MDM Device Management Server, 875
    for MDM Enrollment server, 876
    for MDM Gateway server, 876
    for SQL Database Server component, 875-876
  reports, 898
  resetting passwords with, 889-890
  and SCCM (System Center Configuration Manager) 2007, 908-909
  self-service management, 41-42
  Self-Service Portal
    device provisioning through, 886-887
    installing, 884-885
MDM (Mobile Device Manager) (continued)
  server roles
    Active Directory and group policies, 871-872
    Device Management server, 870-871
    Enrollment server, 871
    explained, 870
    Gateway server, 871
    management console, 870
    SQL Server, 871
  software packaging, 894-896
MDT (Microsoft Deployment Toolkit), 60
medium enterprise design
  ConfigMgr, 107
  OpsMgr, 305-308
  Service Manager, 722-724
Memory Pool Non-Paged Bytes rule, 416
Memory Pool Paged Bytes rule, 416
metering. See software metering
Microsoft Deployment Toolkit (MDT), 60
Microsoft Exchange Server and MDM (Mobile Device Manager), 904-908
Microsoft Operations Manager (MOM) 2000, 20
Microsoft Operations Manager (MOM) 2005, 20
MIF (Management Information Format) files
  IDMIF files, 221
  NOIDMIF files, 221
Migrate Storage action (VMM), 702-703
Migrate Virtual Machine Wizard, 701-702
migrating VMs (virtual machines), 699-705
  dragging and dropping VM onto host group, 705
  dragging and dropping VM onto host server, 704
  Migrate Storage action, 702-703
  Migrate Virtual Machine Wizard, 701-702
  supported storage migration technologies, 701
  supported virtual machine migration technologies, 700-706
Minimum Device Password Complex Characters setting (Exchange Server 2007), 907
Minimum Password Length setting (Exchange Server 2007), 907
Mixed mode security (ConfigMgr), 79-80
Mobile Device Client Agent, 96
Mobile Device Management features (ConfigMgr), 78-79
Mobile Device Manager. See MDM (Mobile Device Manager)
mobile devices. See devices
Mobile VPN connections, creating, 904
mobility access controls, 903-904
Model Editor, 847, 860-862
Model Summary page (Model Wizard), 859-860
Model Wizard
  Application page, 858-859
  Client-Only Sites page, 854-855
  explained, 853
  Hardware page, 857-858
  Mailbox Sites page, 853-854
  Model Summary page, 859-860
  Networks page, 855-856
  starting, 853
Model Wizard (Capacity Planner), 847
models. See capacity models
modifying
  devices with Capacity Planner Hardware Editor, 852
  VMM (Virtual Machine Manager) user roles, 690-691
MOM (Microsoft Operations Manager) 2000, 20
MOM (Microsoft Operations Manager) 2005, 20
monitoring
  Active Directory clients, 426-427
  Active Directory replication monitoring, 427-431
  applications, 17-18
  automatic client installation, 167
  baselines and compliance, 246-253
  clients, 17
  distributed application monitoring
    building distributed application model, 487-488
    explained, 486-487
    sample distributed applications, 488-489
monitoring (continued)
  DMZ servers with certificates
    configuring agents to use certificates, 358
    creating certificate templates, 353
    explained, 352-353
    installing agents on DMZ servers, 356-357
    requesting certificates from root CA for mutual authentication, 355-356
    requesting root CA certificates, 353-355
  end-to-end service monitoring, 259
  network monitoring, 352
  nondomain member considerations, 294-295
  operating system deployment, 213
  performance, 395-399
  servers, 17, 44
  SNMP device monitoring
    explained, 489-490
    troubleshooting, 490-491
  software deployment, 195
  software update deployment, 202-203
  with System Center Essentials
    alerts, 942
    checking health of servers, 945
    explained, 941-942
    handling warning events, 944-945
    putting servers in Maintenance mode, 945-947
    resolving critical events, 942-944
  systems, 17-18
  with VMM (Virtual Machine Manager), 669
  websites
    configuring response time alerts, 963-964
    creating website monitoring agents, 961-963
Monitoring option (SCE), 932-933
monitors, 258. See also specific monitors
monthly administration tasks (SCE), 983-984
Most Common Alerts report, 513, 514-515
mount points, protecting data on, 586
MP (Management Point), 75
MPSEAL.EXE, 486
MSDB database, 287
multiple management groups, 301
multiple-server VMM deployment, 650
multisite Configuration Manager hierarchy, 92
multiserver OpsMgr 2007 R2 install, 329-337
My Incidents folder, 785

N
namespaces, DFS, 585
Native mode security (ConfigMgr)
  certificate requirements, 102
  certificate templates, 103-104
  explained, 79-80, 102
  PKI (Public Key Infrastructure), 103
NETDOM Query FSMO task, 436
NetIQ Enterprise Event Manager, 19-20
Network Access accounts, 84
network access, configuring, 178-181
Network Access Protection Client Agent, 73
Network Adapter State view, 466
network bandwidth requirements
  for ConfigMgr, 88-89
  for OpsMgr, 291-293
Network Load Balancing (NLB), 85
Networks page (Model Wizard), 855-856
New Package Wizard, 189
New Site Role wizard, 158-159
New-DeviceDiscoveryConfiguration cmdlet, 489
NLB (Network Load Balancing), 85
NLTEST task, 436
nodes, Watcher, 962-963
NOIDMIF files, 221
nondomain joined systems, installing agents on, 974-977
nondomain member considerations, monitoring, 294-295
Non-Privileged User accounts, configuring, 464
Not Connected errors, troubleshooting, 979-980
notifications
  automatic notifications of change request status, 833-834
  configuring, 364-367
notifications (continued)
  explained, 260, 770
  OpsMgr administration, 393-395
  Service Manager notification architecture, 770-771
  SMTP notification channel, 771-772
  templates, 772-773
  tuning, 372-376
Notifications tree item (OpsMgr), 393-395

O
Object Identifiers (OIDs), 102, 118
Office Customization Wizard, 187-188
OIDs (Object Identifiers), 102, 118
OLE DB Data Source Template, 474-476
Operating System Performance view, 466
operating systems
  deployment, 10
    common scenarios, 204-205
    common technologies, 59-60
    creating software packages, 206-207
    custom operating system images, 213-214
    deployment technologies, 203-204
    explained, 203
    monitoring, 213
    OS install packages, 207-210
    requirements, 205
    software distribution packages, 206
    troubleshooting, 212-213
    unknown computer support, 210-212
  DPM (Data Protection Manager) 2010 support for, 552
  SCCP (System Center Capacity Planner) support for, 849
  supporting OS deployment, 160
  System Center Essentials support for, 915-916
  VMM support for
    Administrator Console, 642
    Self-Service Portal, 643
    VMM Server, 641
operational data, processing with OpsMgr, 260
Operational Database Watchers Group to Management Group Availability Health Rollup Monitor, 409
Operations Console, 388-390
  explained, 259, 270-271
  hardware/software requirements, 271
operations database, 296
Operations Manager database
  backing up, 379-380
  explained, 268-269, 287
  hardware/software requirements, 268-269
Operations Manager Management Pack
  configuring, 408-410
  explained, 420-408
  tasks, 412-414
  views, 410-412
OperationsManagerAC database, 383-384
OperationsManagerDW database, 381-383
OpsMgr
  ACS (Audit Collection Services)
    ACS Reporting, 276-277
    audit collection database, 275-276
    audit collector, 275
    audit forwarder, 274
    database, 287
  administration
    daily tasks, 368-369
    explained, 390
    file exclusions for antivirus and defragmentation applications, 376-377
    importing management packs, 369-371
    management pack updates, 371-372
    Management Packs tree item, 393, 399-400
    notification and alert tuning, 372-376
    Notifications tree item, 393-395
    Pending Management tree item, 392-393
    performance monitoring, 395-399
    Web console performance view time frame, 377-378
OpsMgr
agents
SAN versus DAS, 297-299
configuring to use certificates, 358 explained, 263-265 installing on DMZ servers, 356-357 UNIX/Linux agent installation, 349-352 Windows agent installation, 343-345 alerts
SQL versions, 299-301
alert forwarder configuration, 346-349 creating incidents with, 777-780 explained, 259 generating, 2 6 1 tuning, 372-376 application monitoring, 17-18 backing up backup schedules, 378 IIS 6.0 metabase backup, 384-385 IIS 7.x configuration backup, 385 OperationsManager database backup, 379-380 OperationsManagerAC database backup, 383-384 OperationsManagerDW database backup, 381-383 RMS encryption key backup, 380-381 business solutions addressed by, 16 client system monitoring, 17 command shell, 272-273, 391-392 components summary, 262-263 configuring Agent Proxy configuration, 362-363 agent restart recovery, 363-364 Global Management Group Settings, 359-361 notifications and subscriptions, 364-367 Connector Framework, 277-278 consoles explained, 259, 388 operations console, 388-390 Web console, 390-391 dashboards, 260 data storage disk performance, 296-297 explained, 296
databases ACS (Audit Collection Services), 287 master database, 287 MSDB database, 287 operations database, 296 Operations Manager database, 287 reporting database, 296 sizing, 292-294 disaster recovery backups, 287-289 defined, 283 distributed application monitoring building distributed application model, 487-488 explained, 486-487 sample distributed applications, 488-489 DMZ servers, monitoring with certificates configuring agents to use certificates, 358 installing agents on DMZ servers, 356-357 requesting certificates from root CA for mutual authentication, 355-356 requesting root CA certificates, 353-355 end-to-end service monitoring, 259 event correlation, 17 event log collection, 17 explained, 7, 15-16, 255-258 fault tolerance clustering, 285-286 defined, 283 explained, 284-285 management group redundancy, 284 Gateway server explained, 273-274 hardware/software requirements, 274 hardware requirements, 290 history and revisions, 19-20 IIS (Internet Information Services), 287
OpsMgr
installing explained, 321-324 multiserver OpsMgr 2007 R2 install, 329-337 OpsMgr 2007 R2 ACS (Audit Collection Services) install, 337-343 single-server OpsMgr 2007 R2 install, 324-329 integrated solutions databases, 19 integrating with DPM (Data Protection Manager), 620-624 integrating with VMM (Virtual Machine Manager), 646 large enterprise design, 308-312 management groups defining, 295 geographic-based management groups, 301-302 multiple management groups, 3 0 1 political or security-based management groups, 302 management packs. See management packs Management Server explained, 266-268 hardware/software requirements, 267-268 medium enterprise design, 305-308 monitoring DMZ servers with, 352-353 monitors, 258 network bandwidth requirements, 291-293 network monitoring, 352 nondomain member considerations, monitoring, 294-295 notifications explained, 260 tuning, 372-376 Operations Console explained, 270-271 hardware/software requirements, 2 7 1 Operations Manager connector, 748-752 Operations Manager database, 268-269 performance monitoring, 395-399
phases of project deployment design and planning, 313-315 design principles training, 313 explained, 312-313 pilot phase, 317-319 POC (proof of concept) phase, 315-317 production phase, 319 time estimates per phase, 320 processing operational data, 260 Reporting data warehouse explained, 269-270 hardware/software requirements, 270 Reporting Server explained, 270 hardware/software requirements, 270 reports, 19 ACS (Audit Collection Services) reports, 522-528 Alert Logging Latency report, 513, 515-516 Alert reports, 506-508 Availability reports, 261-262, 497-498, 508-512 Daily Alert report, 513, 519-521 delivering, 496-497 explained, 260, 493-496 exporting, 496 Most Common Alerts report, 513, 514-515 Performance reports, 498-503 Performance Top Objects reports, 504-506 running, 261-262 Send Queue % Used Top 10 report, 513, 517-519 SLT (Service Level Tracking) reports, 532-534 SQL Database Space report, 513, 521-522 troubleshooting reports that don't show charts, 512-513 Root Management Server encryption key, 287 explained, 265-266 hardware/software requirements, 266
How can we make this index more useful? Email us at ¡[email protected]
rules, 258 security action and RunAs account security, 282-283 agents, 280 firewalls, 280-281 role-based security model, 278-280 securing DMZ servers with certificates, 283 server and client system monitoring, 17 service-oriented management, 18-19 SLA tracking and reporting, 19 SLDs (Service Level Dashboards) architecture, 535-537 creating, 539-540 explained, 534-535 installing, 537-539 securing, 540-541 SLT (Service Level Tracking) explained, 529-530 reports, 532-534 SLOs (Service Level Objectives), 530-531 small enterprise design, 303-305 SNMP device monitoring explained, 489-490 troubleshooting, 490-491 software requirements, 290-291 synthetic transactions, creating, 621-622 system monitoring, 17-18 Web console configuring, 765-766 explained, 272 hardware/software requirements, 272 performance view time frame, 377-378
OpsMgrLatencyMonitors container object, configuring, 427-428
Organization State view, 447
OS Capture Account, 84
OS Deployment certificate, 124, 143
OS Deployment Wizard, 206
Out-of-Band Service Point, 75
override management packs, 287, 404-405
overrides, alert tuning with, 405-408
P
P2V (physical-to-virtual) conversions
Convert Physical Server Wizard, 673-679 Additional Properties page, 677 Conversion Information page, 677 Gather System Information page, 674-675 Select Host page, 676 Select Networks page, 677 Select Path page, 676 Select Source page, 674 Summary page, 678-679 Virtual Machine Identity page, 674 Volume Configuration page, 675-676 explained, 45, 672-679 supported operating systems, 672-673 system requirements, 672
Package Status Details report, 898
Package Status Summary report, 898
packages
approving packages to be deployed to device groups, 897-898 checking status of, 898 configuring package programs, 189-190 creating, 189, 206-207, 894, 957-958 defined, 58, 185 OS Deployment certificate, driver management, 208 OS install packages boot image management, 209 explained, 207-208 task sequence management, 209-210 selecting for approval, 959 uninstalling, 959-960
Password Enabled setting (Exchange Server 2007), 906
Password Expiration setting (Exchange Server 2007), 907
Password History setting (Exchange Server 2007), 907
Password Recovery setting (Exchange Server 2007), 907
passwords
control configuration options, 41 resetting, 888-889 setting password policies for mobile devices, 902-903
patch management, 158-160
patching systems, 10-11, 44, 951-952
Pending Management tree item (OpsMgr), 392-393
performance assessment modeling, 38
performance monitoring, 395-399
Performance Reporting view, 451
Performance reports (OpsMgr), 498-503
Performance Top Objects reports, 504-506
Performance view (Operations Manager console) creating, 396-397 explained, 390
Physical Disk State view, 466
Pilot phase OpsMgr deployment, 317-319 Service Manager deployment, 732-734
PIN control configuration options, 41
Ping Computer Continuously (ping -t) task, 413
Ping Computer task, 413
Ping Computer (with Route) task, 413
PKI (Public Key Infrastructure) deploying Enterprise Root CA, 118-120 explained, 118 planning, 103 validating Enterprise Root CA, 120
placement of IBCM servers, 106-107 of VMs (virtual machines) automatic placement, 692-693 explained, 692
Placement Settings dialog box, 693-694
Planning reports, 523-524
POC (proof of concept) phase OpsMgr deployment, 315-317 Service Manager deployment, 730-732
policies enforcing to mobile devices, 866-867, 902 group policies, 871-872 password policies, setting for mobile devices, 902-903
Policy reports, 524
policy retrieval, 178-181
Policy Refresh Interval setting (Exchange Server 2007), 907
Policy reports, 524
PolicySpy, 67
political management groups, 302
ports (client communication), 82-83
powering on/off virtual guest sessions, 969-970
PowerShell, VMM support for, 633, 640
pre-enrolling devices, 887-888
prefixes activity prefixes, 813 change request prefix, 811-812 incident prefixes, 761 problem prefix, 793
Primary Site Server, 68, 114
priority levels alerts, 365 incident priorities, 762-764 problem priorities, 795-796
Privileged User accounts, configuring, 462-463
Problem Details report, 804
Problem Management Report Library, 800-804
problems (Service Manager) analyzing, 797-798 creating, 796-797 creating change requests from, 819 defined, 760, 796 resolving, 799 settings explained, 793 file attachment limits, 794 priority calculation, 795-796 problem prefix, 793
Process Monitoring Template, 476-478
processes (Service Manager), 710-711
Production phase OpsMgr deployment, 319 Service Manager deployment, 734
programs, 58, 185
proof of concept (POC) phase
OpsMgr deployment, 315-317 Service Manager deployment, 730-732
Protected Distribution Points, 74
protecting data. See DPM (Data Protection Manager) 2010
Protection Agent Installation Wizard, 566-567
protection agents, 565-570
protection groups
creating, 570-574 designing, 555-557 provisioning process
managing, 867-868 through MDM Self-Service Portal, 886-887
Proxy Management Points, 55-56
PSP (PXE Service Point), 75-76, 94, 115
Public Key Infrastructure. See PKI (Public Key Infrastructure)
Public Receive Queue Size view, 450
Publication State view, 458
Publisher State view, 458
publishing
announcements, 787-788 certificate templates, 126-127 CRL, 119-120 software, 191-192
PXE Service Point (PSP), 75-76, 94, 115
R
RAID, 99
RAID 1, 298
RAID 10, 299
RAID 5, 298
RAs (review activities), 828
recovering Hyper-V host servers, 618-619 ILR (item-level recovery), 620-619 SharePoint farms, 609-611
recovering data, DPM (Data Protection Manager) 2010, 580-581
recovering databases, 592-594
recovering mailboxes, 594-596
Recovery Wizard, 581, 619
redundancy for OpsMgr clustering, 285-286 explained, 284-285 management group redundancy, 284
regedit.exe, creating Registry keys with, 223-224
regional server infrastructure controlling client access to regional servers, 162-163 deploying regional site components, 161-162 explained, 161 WDS (Windows Deployment Service), 161
registering management groups, 741-743
Registry keys, creating, 223-224
rejecting RAs (review activities), 828
Reload Configuration task, 413
Remote Assist accessing systems with, 951 configuring, 947-950 explained, 947
remote control, 10, 44
Remote Data Access Service Check monitor, 410
Remote Desktop accessing systems with, 933-951 configuring, 948-949 explained, 947
Remote Desktop (Admin) task, 414
Remote Desktop (Console) task, 414
Remote Desktop task, 413
Remote Latency view, 451
remote SQL instance, preparing, 560
Remote Tools Client Agent, 97
removing CIs (configuration items), 836-838 VMM (Virtual Machine Manager) user roles, 692
REPADMIN Replsum task, 436
REPADMIN task, 436
Replication Alerts Last 7 Days view, 435
Replication Inbound Bytes/Sec view, 435
Replication Latency view, 435
replication monitoring, 427-431
Replication Performance Overview view, 435
reporting
  ACS Reporting, 276-277
  Active Directory Management Pack reports, 437-438
  AI (Asset Intelligence) report categories, 247 reporting classes, 236-241
  change management reports Activity Management Report Library, 841 Change Management Report Library, 840-841 Configuration Management Report Library, 842-843 explained, 838-839 Service Manager report controls, 839
  with Configuration Manager explained, 64, 228-231 legacy reports, 231 Reporting Services reports, 231-234 software metering reports, 234-235
  consolidated reporting, 34
  with Cross Platform Management Packs, 467-468
  custom reports, 231
  DCM Compliance reports, 246-253
  with Exchange 2007 Management Pack, 453-454
  incident and problem reports explained, 799 Incident Management Report Library, 800-804 Problem Management Report Library, 800-804 Service Manager report controls, 799-800
  with MDM (Mobile Device Manager) Device Status Details, 898 Device Status Summary, 898 Package Status Details, 898 Package Status Summary, 898
  with OpsMgr ACS (Audit Collection Services) reports, 522-528 Alert Logging Latency report, 513, 515-516 Alert reports, 506-508 Availability reports, 261-262, 497-498, 508-512 Daily Alert report, 513, 519-521 delivering reports, 496-497 explained, 19, 260, 493-496 exporting reports, 496 Most Common Alerts report, 513, 514-515 Performance reports, 498-503 Performance Top Objects reports, 504-506 running reports, 261-262 Send Queue % Used Top 10 report, 513, 517-519 SLT (Service Level Tracking) reports, 532-534 SQL Database Space report, 513, 521-522 troubleshooting reports that don't show charts, 512-513
  with SCCM (System Center Configuration Manager), 12
  with SCCP (System Center Capacity Planner), 39
  SLA tracking and reporting, 19
  with SQL Server Management Pack, 460-461
  with System Center Essentials, 45, 972-973
  with VMM (Virtual Machine Manager), 669
  with Windows Management Pack, 421-423
Reporting data warehouse explained, 269-270 hardware/software requirements, 270
reporting database, 296
Reporting option (SCE), 934-935
Reporting Point (RP), 77, 115
Reporting Server explained, 270 hardware/software requirements, 270
Reporting Service Point (RSP), 77, 115
Reporting Services reports creating, 231-232 scheduling, 232-234
ReportingServicesService.exe.config file, 512-513
requesting certificates for mutual authentication, 355-356 Document Signing Certificate, 140-143 OS Deployment certificate, 143 root CA certificates, 353-355
Require Device Encryption setting (Exchange Server 2007), 907
Require encrypted S/MIME messages setting (Exchange Server 2007), 908
Require Manual Synchronization While Roaming setting (Exchange Server 2007), 908
Require Storage Card Encryption setting (Exchange Server 2007), 908
resetting passwords, 888-889
Resident Management Point, 174
resolution times, 764-765
resolving critical events, 942-944 incidents, 791-793 problems, 799
response time alerts, configuring, 963-964
Restart Health Service Recovery, 363-364
restoring Exchange databases, 592-594 mailboxes, 594-596 SQL Server databases, 600-602
resuming change requests, 826-827
returning to activities, 827-828
review activities (RAs), 828
Review Activity Details report, 841
reviewers, adding to change requests, 824-825
reviewing Central Site status, 146
RFC Details report, 840
RMS. See Root Management Server
roaming (client), 56-57
role-based access control, 635-637
role-based security model, 278-280
roles, server. See servers
root CA certificates installing on SCE server, 974-975 requesting, 353-355
Root Management Server encryption key, 287, 380-381 explained, 265-266 hardware/software requirements, 266
RoutePrint task, 420
RP (Reporting Point), 77, 115, 151-152
Rsetup.log files, 151-152
RSP (Reporting Service Point), 77, 115, 152-153
rules explained, 258 Memory Pool Non-Paged Bytes, 416 Memory Pool Paged Bytes, 416 performance collection rules, 395-396 SQL Server Service Broker Manager Has Shutdown, 456 Total Processor % Interrupt Time, 416
Run Chkdsk, 420
Run Chkntfs, 420
Run Home Page Summarization action, 195
RunAs accounts, 283
S
sample distributed applications, 488-489
SAN (storage area network), 297-299, 717 SAN transfers, 639 when to use, 98-100
Sanbolic Clustered File System (CFS), 639-640
saving incident and problem reports, 803 virtual guest sessions, 970
SCCM (System Center Configuration Manager) 2007. See ConfigMgr
SCCP (System Center Capacity Planner)
business solutions addressed by, 37-38 capacity models, 38-39 basic infrastructure requirements, 851 capabilities, 850 creating with Model Wizard, 853-860 editing with Model Editor, 860-862 simulations, 862-863 current usage analysis, 39 explained, 8, 37, 844-846 Hardware Editor adding/modifying computers, 852 adding/modifying devices, 852 explained, 847, 851-852 list icons, 852 hardware requirements, 848-849 history and revisions, 39 installing, 849-850 main screen, 37 Model Editor, 847, 860-862 Model Wizard Application page, 858-859 Client-Only Sites page, 854-855 explained, 847, 853 Hardware page, 857-858 Mailbox Sites page, 853-854 Model Summary page, 859-860 Networks page, 855-856 starting, 853 performance assessment modeling, 38 reporting, 39 SCCP 2006, 847 SCCP 2006 SP1, 848 SCCP 2007, 848 Simulation, 847 software requirements, 849 supported operating systems, 849
SCE (System Center Essentials) 2010. See System Center Essentials
SCE Configuration Wizard, 924-928
SCE Reporting Services, installing, 929-930
Schedule Home Page Summarization action, 195
scheduling
Alert Logging Latency report, 515-516 Availability reports, 510-512 client schedules, 104-105 Daily Alert report, 519-521 Most Common Alerts report, 514-515 Performance reports, 499-503 Performance Top Objects reports, 505-506 Reporting Services reports, 232-234 Send Queue % Used Top 10 report, 517-519 SQL Database Space report, 521-522
SCOM (System Center Operations Manager) 2007. See OpsMgr
scope
defining for VMM (Virtual Machine Manager), 644-645 of DPM (Data Protection Manager) projects, 554
scripts
AddNewClusteredVM.ps1, 617-618 AddNewStandAloneVM.ps1, 617-618
SCSM (System Center Service Manager) 2010. See Service Manager
SDK and Configuration service account, 282
sealing management packs via command line, 486
searching CIs (configuration items), 836-837
Secondary Sites, 55-56, 114
SecureStorageBackup tool, 754
security
ConfigMgr management console, 80-82 Mixed mode security, 79-80 Native mode security, 79-80, 102-104 port requirements, 82-83 server communication, 80 service account security, 83-84 OpsMgr security action and RunAs account security, 282-283 agents, 280
firewalls, 280-281 role-based security model, 278-280 SLDs (Service Level Dashboards), 540-541
security-based management groups, 302
Select Backup Destination dialog box, 754
Select Host page Convert Virtual Server Wizard, 681-682 Deploy Virtual Machine Wizard, 695
Select Networks page Convert Virtual Server Wizard, 682 Deploy Virtual Machine Wizard, 696
Select Path page Convert Physical Server Wizard, 676 Convert Virtual Server Wizard, 682 Deploy Virtual Machine Wizard, 696
Select Source page (Convert Physical Server Wizard), 674, 676
Select Virtual Machine Source dialog box, 681-680
self-service access (SCSM), 34-35
self-service management (MDM), 41-42
Self-Service Portal creating change requests from, 819-821 creating incidents with, 779-781 creating VMs with, 703-699 designing, 648 device provisioning through, 886-887 explained, 632 hardware requirements, 643 installing, 656-657, 884-885 software requirements, 643-644 supported operating systems, 643
Self-Service User role (VMM), 684, 686-687
Send Queue % Used Top 10 report, 513, 517-519
Server Authentication certificate templates, 124-126
Server Certificate, 103, 115
Server Locator Point (SLP), 77-78, 114
Server Management Suite Datacenter (SMSD) licenses, 47
Server Management Suite Enterprise (SMSE) licenses, 47
Server Management Suite licenses, 47
Server State view, 447, 466
servers
  Active Directory and group policies, 871-872
  CAS Server role, monitor and rule sync times, 441
  Central Site Server, 68, 114, 143-145
  checking health of, 945
  Component Servers, 114
  converting to virtual guest sessions, 967-968
  Device Management server, 870-871
  DMZ servers, monitoring with certificates, 283 configuring agents to use certificates, 358 creating certificate templates, 353 explained, 352-353 installing agents on DMZ servers, 356-357 requesting certificates from root CA for mutual authentication, 355-356 requesting root CA certificates, 353-355
  DPM (Data Protection Manager) server designing, 558-559 preparation, 559-560
  Enrollment server, 871
  Exchange Server and MDM (Mobile Device Manager), 904-908 protecting with DPM (Data Protection Manager), 588-598
  explained, 870
  file servers, protecting with DPM (Data Protection Manager), 584-586
  Gateway server, 871 explained, 273-274 hardware/software requirements, 274
  Hyper-V host servers adding, 965 automatically protecting new machines, 617-618 creating host groups, 666-667 host clusters, 667-668 managing, 667-668 protecting, 615-617 recovering, 618-619 VMM (Virtual Machine Manager). See VMM (Virtual Machine Manager)
  installing for MDM (Mobile Device Manager), 880-884
  management console, 870
  Management Server explained, 266-268 hardware/software requirements, 267-268
  MDM SQL Server, 871
  monitoring with SCOM (System Center Operations Manager), 17
  preparing for MDM (Mobile Device Manager), 877
  prerequisites, 875-876
  Primary Site Server, 68, 114
  putting into Maintenance mode, 945-947
  regional server infrastructure controlling client access to regional servers, 162-163 deploying regional site components, 161-162 explained, 161 WDS (Windows Deployment Service), 161
  Reporting Server explained, 270 hardware/software requirements, 270
  Root Management Server encryption key, 287 explained, 265-266 hardware/software requirements, 266
  Secondary Site Servers, 114
  securing server communication, 80
  Site Database, 114
  Site System, 114
  SLP (Server Locator Point), 114
  SMS Provider, 114
  SQL Server EUR Client, 603-604 installing, 130-132 local firewall configuration, 132-133 protecting with DPM (Data Protection Manager), 598-605 SQL service accounts, creating, 129
  VMM Server deployment, 649-654 designing, 647-648 explained, 631-633 hardware requirements, 640 installing, 651-654 remote SQL instance requirements, 641 software requirements, 641 supported operating systems, 641
Service Level Dashboards. See SLDs (Service Level Dashboards)
Service Level Dashboards Solution Accelerator, 260
Service Level Objectives (SLOs), 530-531
Service Level Tracking. See SLT (Service Level Tracking)
Service Manager
  architecture, 711-713
  backing up backup schedules, 753-754 encryption key, 756 ServiceManager database, 754-756
  business solutions addressed by, 33-34
  change management. See change management
  console, 33
  consolidated reporting, 34
  deployment Active Directory connector, 747-748 components, 735-738 Configuration Manager connectors, 752-753 data warehouse, 738-741 Extract, Transform, and Load (ETL) jobs, 743-744 management group registration, 741-743 Operations Manager connector, 748-752 steps, 735 Web Portals, 744-746
  design scenarios, 719 large enterprise design, 724-726 medium enterprise design, 722-724 small enterprise design, 720-722
  disk performance, 717
  explained, 8, 33, 707-710
  hardware requirements, 714-715
  history and revisions, 35-36
  incident management. See incident management
  phases of project deployment Design and Planning phase, 728-730 Design Principles Training phase, 728 Pilot phase, 732-734 POC (proof of concept) phase, 730-732 Production phase, 734 time estimates per phase, 734-735
  processes, 710-711
  project phases, 726-727
  SAN versus DAS, 717
  self-service access, 34-35
  software requirements, 716-717
  SQL versions, choosing, 717-719
  technologies, 711
service-level agreement, 19
service-oriented management, 18-19
Set Database Offline task, 459
Set Database Online task, 459
Set Database to Emergency State task, 459
Set-EnrollmentConfig command, 884
SETSPN task, 436
SFW (Veritas Storage Foundation 5.1 for Windows), 640
SharePoint farms content database recovery, recovering, 611 data sources and recoverable data, 605 item-level recovery, 611 preparing for protection, 606-607 protecting with DPM (Data Protection Manager), 607-609 recovering, 609-611
Show Failed Rules and Monitors for This Health Service task, 414
Show Running Rules and Monitors for This Health Service task, 414
Simulation (Capacity Planner), 847
simulations of capacity models, 862-863
single-server OpsMgr 2007 R2 install, 324-329
single-server VMM deployment, 650
Site Databases, 114
Site Server databases, 69-70
Site Service State view, 447
Site System, 114, 149-150
Site System Status page (ConfigMgr), 146
site topology (AD), 116-117
Site Topology view (Model Editor), 860-861
sites (SharePoint), recovering, 611
site-specific configuration settings, 92-93
sizing databases, 89-90, 292-294
SLA (service-level agreement), tracking and reporting, 19
SLDs (Service Level Dashboards) architecture, 535-537 creating, 539-540 explained, 534-535 installing, 537-539 securing, 540-541
SLOs (Service Level Objectives), 530-531
SLP (Server Locator Point) deployment, 150-151 explained, 77-78, 114
SLT (Service Level Tracking) explained, 529-530 reports, 532-534 SLOs (Service Level Objectives), 530-531
small enterprise design ConfigMgr, 107 OpsMgr, 303-305 Service Manager, 720-722
SMP (State Migration Point) explained, 76, 115 placement of, 94
SMS (Systems Management Server) SMS 2003 (SMS v3.0), 13 SMS Provider, 68-69, 114 SMS v1.x, 12-13 SMS v2.0, 13
sms_def.mof file, editing, 226
SMSD (Server Management Suite Datacenter) licenses, 47
SMSE (Server Management Suite Enterprise) licenses, 47
SMSFSPSetup.log file, 151
SMSReportingInstall.log file, 151-152
SMTP notification channel, configuring, 771-772
snapshots of virtual guest sessions, managing, 971-972
SNK (Strong Name Key) files, 486
SNMP device monitoring, 489-490 troubleshooting, 490-491
Software 01A-12A reporting classes, 239-241
software distribution configuring package programs, 189-190 configuring software sources, 185 creating software packages, 189, 894 customizing installation, 187-188 deploying software automatically, 193-194 explained, 11, 44, 58, 185-186 monitoring software deployment, 195 publishing software, 191-192 selecting Distribution Points, 190-191 update distribution deploying software updates, 200-201 deployment templates, 196-197 explained, 196 managing update deployment, 201-202 monitoring software update deployment, 202-203 Software Updates Client Agent, 196-197 update lists, 198-199
software inventory, 61-62
Software Inventory Client Agent, 97
software licensing data, importing, 243-245
software metering explained, 61-63, 234 reports, 234-235 Software Metering Client Agent, 234
Software Metering Client Agent, 97, 234
Software option (SCE), 933-934
software packages. See packages
software reports (AI), 247
software requirements ConfigMgr, 87-88 for DPM (Data Protection Manager), 552-553 for OpsMgr, 290-291 ACS (Audit Collection Services), 277 audit collection database, 276 audit collector, 275 Connector Framework, 278 Gateway server, 274 management server, 268 Operations Console, 271 Operations Manager database, 268-269 Reporting data warehouse, 270 Reporting Server, 270 Root Management Server, 266 Web console, 272 for SCCP (System Center Capacity Planner), 849 for Service Manager, 716-717 for VMM (Virtual Machine Manager) Administrator Console, 642 Self-Service Portal, 643-644 VMM Server, 641
software sources, configuring, 185
Software Update Client Agent, 97
Software Update Point (SUP), 78, 115, 158-160
Software Updates - A Compliance folder, 202
Software Updates Client Agent, 196-197, 222
Software Updates home page, 196
SPN Health task, 436
SQL Database Space report, 513, 521-522
SQL Management Studio task, 459
SQL Profiler task, 459
SQL Server
  choosing version of ConfigMgr, 100-101 Service Manager, 717-719
  databases protecting, 598-600 restoring, 600-602 SQL End User Recovery, 602-605
  Enterprise Edition, 100, 299-301
  EUR Client, 603-604
  explained, 871
  installing, 130-132
  licensing costs, 99-101
  local firewall configuration, 132-133
  prerequisites, 875-876
  remote SQL instance preparing, 560 VMM Server requirements, 641
  SQL Server Management Pack configuring, 455 explained, 454-455 reports, 460-461 tasks, 459-460 tuning, 455-457 views, 457-459
  SQL service accounts, creating, 129
  Standard Edition, 100, 299-301
  System Center Essentials support for, 918
SQL Server Management Pack configuring, 455 explained, 454-455 reports, 460-461 tasks, 459-460 tuning, 455-457 views, 457-459
SQL Server Service Broker Manager Has Shutdown rule, 456
SSL Certificate Services website for SSL, 128-129 configuring, 136-137
Standard (SMB) Distribution Points, 73
Standard Edition (SQL Server), 100
Start Audit Collection task, 414
Start Online Store Maintenance task, 414
Start WMI Service task, 414
starting Model Wizard, 853
State Migration Point (SMP), 76, 94, 115
State view (Operations Manager console), 389
status of packages, checking with MDM (Mobile Device Manager), 898
storage area network (SAN), 98-100, 297-299, 717
storage pool, adding disks to, 563-564
storage requirements, calculating, 557-558
Strong Name Key (SNK) files, 486
Subscription State view, 458
subscriptions, configuring, 364-367
Summary page Convert Physical Server Wizard, 678-679 Convert Virtual Server Wizard, 682-683 Deploy Virtual Machine Wizard, 697
SUP (Software Update Point), 78, 115, 158-160
SUPSetup.log file, 159
SvcMgr. See Service Manager
synchronization AI (Asset Intelligence) catalog, 235-236 CAS role monitor and rule sync times, 441 mailbox monitor and rule sync times, 442 SUP (Software Update Point), 159-160
synthetic transactions, creating, 621-622
System Center Configuration Manager (SCCM) 2007. See ConfigMgr
System Center Data Protection Manager. See DPM (Data Protection Manager) 2010
System Center Essentials
  administration monthly tasks, 983-984 regular tasks, 981 weekly tasks, 982-983
  agents installing on domain-attached systems, 973-974 installing on nondomain joined systems, 974-977
  asset tracking, 44
  business solutions addressed by, 43-44, 912
  computer and device discovery autodiscover, 938-939 explained, 937-938 manually discovering computers, 939-940 manually discovering network devices, 940-941
  console, 43
  explained, 8, 43, 910-911
  history and revisions, 45-46 System Center Essentials 2007, 913-914 System Center Essentials 2007 SP1, 914-915 System Center Essentials 2010, 915-916
  installing on separate servers management console tools, 928-929 SCE Reporting Services, 929-930
  installing on single server preparation, 920 running SCE Configuration Wizard, 924-928 running SCE installation, 921-923
  inventory collecting manually, 960-961 explained, 960 viewing, 960
  management console Administration option, 935-937 Authoring option, 937 Computers option, 931 explained, 930-931 installing management console tools, 928-929 Monitoring option, 932-933 Reporting option, 934-935 Software option, 934 Updates option, 933-934
  monitoring alerts, 942 checking health of servers, 945 explained, 941-942 handling warning events, 944-945 putting servers in Maintenance mode, 945-947 resolving critical events, 942-944
  monitoring and alerting, 44
  P2V (physical-to-virtual) conversions, 45
  packages creating, 957-958 selecting for approval, 959 uninstalling, 959-960
  patching/updating systems, 44, 951-952
  prerequisites hardware requirements for multiserver configuration, 918 hardware requirements for single-server configuration, 918 multisite configuration, 919 supported and unsupported scenarios, 919-920 supported operating systems, 917-918 supported versions of SQL Server, 918
  Remote Assist accessing systems with, 951 configuring, 947-950 explained, 947
  Remote Desktop accessing systems with, 933-951 configuring, 948-949 explained, 947
  remote support, 44
  reporting, 45, 972-973
  root CA certificates, installing, 974-975
  software distribution, 44
  technical solutions addressed by, 912-913
  troubleshooting email host server addresses, 979 Firewall Rule exceptions, 978-979 Not Connected errors, 979-980 virtual network switches, 980
  updates approving/declining, 954-956 explained, 951-952 setting deadlines on, 956-957 uninstalling, 956 update management settings, 952-954 viewing, 954
  virtual host management, 44-45
  visualization management accessing virtual guest sessions, 970
  changing "hardware" of virtual guest sessions, 970-971 converting physical servers to virtual guest sessions, 967-968 creating virtual guest sessions, 965-967 designating Hyper-V host servers, 965 importing VMware guest sessions to Hyper-V, 968-969 managing snapshots of guest sessions, 971-972 powering on/off virtual guest sessions, 969-970 saving virtual guest sessions, 970
  website monitoring agents creating, 961-963 response time alerts, 963-964
System Center Mobile Device Manager. See MDM (Mobile Device Manager)
System Center Online Services, 246-247
System Center Operations Manager. See OpsMgr
System Center Service Manager. See Service Manager
System Center Virtual Machine Manager. See VMM (Virtual Machine Manager)
System Integrity reports, 524
system inventory. See inventory
System Management container, creating with ADSI Edit, 134-135
system monitoring. See monitoring
System State backing up, 587 protecting with DPM (Data Protection Manager), 586-587
systems management in the enterprise, 6-7
Systems Management Server. See SMS (Systems Management Server)
tasks
in Active Directory Management Pack, 436-437 in Exchange 2007 Management Pack, 452-453 in Operations Manager Management Pack, 412-414 in SQL Server Management Pack, 459-460 in Windows Management Pack, 418-421 TCP Port Template, 477-479 templates
certificate templates creating, 353 explained, 103-104 change request templates, 814-815 Client Authentication certificate template, 122-123 deployment templates, 59, 196-197 Document Signing Certificate template, 126 Group Policy templates, installing, 898-900 Management Pack Templates explained, 468-469 OLE DB Data Source Template, 474-476 Process Monitoring Template, 476-478 TCP Port Template, 477-479 Unix/Linux Log File Template, 478-479 Unix/Linux Service Template, 480 Web Application Template, 469-471 Windows Service Template, 471-474 notification templates, 772-773 publishing certificate templates, 126-127 report templates, 972-973 time estimates for OpsMgr project deployment, 320 Total Processor % Interrupt Time rule, 416 Trace32.exe, 146, 149 tracking
T
tape libraries, configuring, 564-565 tape-based backup technologies, 545-546 task sequences, creating, 209-210 Task Status view, 390, 457
assets, 10, 44 CAL license tracking, 241-242 devices, 41 mobile devices, 867 SLA tracking and reporting, 19 SLT (Service Level Tracking), 529-530
USMT (User State Migration Tool) package
Transaction Log Free Space view, 457-458
Update Repository container, 59
transactions
updates
intraorganization synthetic transactions, configuring, 443-444 synthetic transactions, creating, 621-622
approving/declining, 954-956 for devices, 41 for management packs, 371-372
Transport DSN view, 449
software update distribution, 59
Transport Queues view, 449
for systems, 10-11
troubleshooting. See also incident management
update distribution
operating system deployment, 212-213 reports that don't show charts, 512-513 Service Manager troubleshooting tasks, 788-791 SNMP device monitoring, 490-491 System Center Essentials email host server addresses, 979 Firewall Rule exceptions, 978-979 Not Connected errors, 979-980 virtual network switches, 980
deploying software updates, 200-201 deployment templates, 196-197 explained, 196 managing update deployment, 201-202 monitoring software update deployment, 202-203 Software Updates Client Agent, 196-197 update lists, 198-199 update lists, 59, 198-199 via System Center Essentials
tuning
explained, 951-952
SQL Server Management Pack, 455-457 Windows Management Pack, 416-415
setting deadlines on updates, 956-957 uninstalling updates, 956 update management settings, 952-954 viewing updates, 954
U
Updates option (SCE), 933-934 updating systems, 44
UM Connectivity Call Latency view, 451 Unapproved InROM application list setting (Exchange Server 2007), 908 Unified Messaging Server Alerts view, 451 Unified Messaging Server State view, 451 uninstalling
packages, 959-960 updates, 956 UNIX Action Account profile, assigning Linux Non-Privileged Users to, 464 UNIX agents, installing, 349-352 UNIX Privileged Account profile, assigning Linux Privileged Users to, 464-465 Unix/Linux Log File Template, 478-479 Unix/Linux Service Template, 480
Usage reports, 524 User Connection view, 458 User Role Properties dialog box, 685, 691 User State Migration Tool (USMT) package, creating, 207 users
adding to groups, 541 discovery, 91-92 user roles (VMM) Administrator, 684-686 Delegated Administrator, 684, 686-687 modifying roles, 690-691 removing roles, 692 Self-Service User, 684, 686-687 USMT (User State Migration Tool) package, creating, 207
unknown computer support, 210-212
How can we make this index more useful? Email us at ¡[email protected]
V
virtualization management
with System Center Essentials
V2V conversions, 679-683 validating
Central Site installation, 145-147 Enterprise Root CA, 120 inventory data, 227 Veritas Storage Foundation 5.1 for Windows (SFW), 640 viewing
inventory, 228, 960 updates, 954 views
in Active Directory Management Pack, 432-436 in Cross Platform Management Packs, 465-466 in Exchange 2007 Management Pack, 447-452 in Model Editor, 860-861 in Operations Manager Management Pack, 410-412 in SQL Server Management Pack, 457-459 in Windows Management Pack, 416-419 virtual guest sessions
accessing, 970 changing "hardware" of, 970-971 converting physical servers to, 967-968 creating, 965-967 importing VMware guest sessions to Hyper-V, 968-969 managing snapshots of, 971-972 powering on/off, 969-970 saving, 970 virtual host management, 44-45 virtual machine hosts, 644 Virtual Machine Identity page
Convert Physical Server Wizard, 674 Convert Virtual Server Wizard, 680-681 Virtual Machine Manager. See VMM (Virtual Machine Manager) virtual network switches, 980
accessing virtual guest sessions, 970 changing "hardware" of virtual guest sessions, 970-971 converting physical servers to virtual guest sessions, 967-968 creating virtual guest sessions, 965-967 designating Hyper-V host servers, 965 importing VMware guest sessions to Hyper-V, 968-969 managing snapshots of guest sessions, 971-972 powering on/off virtual guest sessions, 969-970 saving virtual guest sessions, 970 virtual network switches, 980 virtualized environments, protecting with DPM (Data Protection Manager) automatically protecting new machines, 617-618 explained, 615 ILR (item-level recovery), 620-619 protecting Hyper-V virtual machines, 615-617 recovering Hyper-V virtual machines, 618-619 with VMM (Virtual Machine Manager). See VMM (Virtual Machine Manager) VMM (Virtual Machine Manager)
Administrator Console explained, 631, 666-667 hardware requirements, 642 installing, 654-656 software requirements, 642 supported operating systems, 642 Agent explained, 632 installing, 657-661 business solutions addressed by, 29-30, 628-629 capabilities, 30-31 cluster support, 634-635
command shell, 670-671 console, 29 deployment Administrator Console, 654-656 Agent, 657-661 database considerations, 650 multiple-server deployment, 650 Self-Service Portal, 656-657 single-server deployment, 650 VMM Server, 649-654 environment, 644-645 explained, 7-8, 28-29, 626-628, 631, 663-665 heterogeneous management, 634 history and revisions, 31-32 early virtualization management techniques, 637 VMM 2007, 637 VMM 2008, 637-638 VMM 2008 R2, 638-640 hosts creating host groups, 666-667 host clusters, 667-668 managing, 667-668 library configuring, 668-669 designing, 643-649 explained, 632-633 Maintenance mode, 639 managing, 670 monitoring capabilities, 669 P2V (physical-to-virtual) conversions Convert Physical Server Wizard, 673-679 explained, 672-679 supported operating systems, 672-673 system requirements, 672 planning for deployment defining project scope, 645-646 designing database server and database, 648 designing library servers and libraries, 643-649
designing Self-Service Portal, 648 designing VMM Server, 647-648 determining number of VMM instances, 646-647 determining Operation Manager integration, 646 understanding environment, 644-645 PowerShell support, 633 reporting, 669 role-based access control, 635-637 Self-Service Portal designing, 648 explained, 632 hardware requirements, 643 installing, 656-657 software requirements, 643-644 supported operating systems, 643 technical solutions addressed by, 629-630 user roles Administrator, 684-686 Delegated Administrator, 684, 686-687 modifying, 690-691 removing, 692 Self-Service User, 684, 687-690 V2V conversions, 679-683 VMM Server designing, 647-648 explained, 631-633 hardware requirements, 640-641 installing, 651-654 preparing for deployment, 649-650 remote SQL instance requirements, 641 software requirements, 641 supported operating systems, 641 VMs (virtual machines) automatic placement, 692-693 creating with Self-Service Portal, 697-699 customizing host ratings for, 693-695 deploying with Administrator Console, 695-697 managing, 669
migrating, 699-705
WDS (Windows Deployment Service), 161
system requirements, 644
Web Application Template, 469-471
VMs (virtual machines)
Web console
creating with Self-Service Portal, 697-699
explained, 259, 272, 390-391
customizing host ratings for, 693-695
hardware/software requirements, 272
deploying with Administrator Console, 695-697 managing, 669 migrating, 699-705 dragging and dropping VM onto host group, 705 dragging and dropping VM onto host server, 704
performance view time frame, 377-378 Web Page view (Operations Manager console), 390 Web Portals, installing, 744-746 WebDAV, configuring, 137-138 website monitoring agents
creating, 961-963 response time alerts, 963-964
Migrate Storage action, 702-703
weekly administration tasks (SCE), 982-983
Migrate Virtual Machine Wizard, 701-702
Win32Reg_CompanyABC_Warranty class,
supported storage migration technologies, 701 supported virtual machine migration technologies, 700-706 P2V (physical-to-virtual) conversions, 672-679 Convert Physical Server Wizard, 673-679 explained, 672 supported operating systems, 672-673 system requirements, 672 placement automatic placement, 692-693 explained, 692 V2V conversions, 679-683 VMware guest sessions, importing to Hyper-V, 968-969 Volume Configuration page (Convert Physical Server Wizard), 675-676 Volume Information task, 420
W
Wake On LAN (WOL), 71 warning alerts, 365 warning events, 944-945 Watcher nodes, 962-963
validating, 227 Windows 7, Remote Assist configuration, 948 Windows Computers tasks, 418-421 Windows Deployment Service (WDS), 161 Windows Management Pack
configuring, 415 explained, 415 reports, 421-423 tasks, 418-421 tuning, 416 views, 416-419 Windows Preinstallation Environment, 60 Windows Server 2003, Remote Desktop configuration, 948 Windows Server 2008 R2, Remote Desktop configuration, 949 Windows Server 2008, Remote Desktop configuration, 948 Windows Server Update Services (WSUS)
configuring WSUS website for SSL, 139-140 installing, 138-139 Windows Service Template, 471-474 Windows Vista, Remote Assist configuration, 948 Windows XP, Remote Assist configuration, 947-948 WinPE, 60, 203 wiping devices, 890-892
Recovery Wizard, 619
wizards
Add Hosts Wizard, 657-659 Capacity Planner Model Wizard, 847 Convert Physical Server Wizard, 673-679
recovering databases, 592-594 recovering mailboxes, 594-596 Recovery Wizard (DPM), 581
Additional Properties page, 677
SCE Configuration Wizard, 924-928
Conversion Information page, 677
WSUS Configuration Wizard, 139
Gather System Information page, 674-675
WOL (Wake On LAN), 71 workflow engine (Service Manager), 711
Select Networks page, 677
workflows (change request), 815-816
Select Path page, 676, 682
WSUS (Windows Server Update Services)
Select Source page, 674, 676 Summary page, 678-679, 682-683 Virtual Machine Identity page, 674 Volume Configuration page, 675-676 Convert Virtual Server Wizard, 679-683 Additional Properties page, 682
configuring WSUS website for SSL, 139-140 installing, 138-139 WSUS Configuration Wizard, 139 WSUSCtrl.log file, 159 WSUSUtil.exe, 140
Select Host page, 681-682 Select Networks page, 682 Virtual Machine Identity page, 680-681 Create New Protection Group Wizard, 570-574, 589-592, 616-617 Create User Role Wizard, 687-690 Deploy Virtual Machine Wizard, 695-697 DPM Setup Wizard, 561-562 Migrate Virtual Machine Wizard, 701-702 Model Wizard Application page, 858-859 Client-Only Sites page, 854-855 explained, 853 Hardware page, 857-858 Mailbox Sites page, 853-854 Model Summary page, 859-860 Networks page, 855-856 starting, 853 New Package Wizard, 189 New Site Role wizard, 158-159 Office Customization Wizard, 187-188 OS Deployment Wizard, 206 Protection Agent Installation Wizard, 566-567