Archive for October 2007

Confusing Overrides

October 29, 2007

Clive mentions that there is a KB for doing Override best practice – http://support.microsoft.com/kb/943239/en-us.

I had this on my list of things to blog about, but it is worth pointing out a key area that confuses people and that the KB tells you not to do.

If you want to just disable a rule then it looks logical to pick the first object on the override list – Disable the ObjectName. This does actually work, but when you do it, it just disappears. There is no choice about where to put the override. What it does do is put it in the Default MP. This is against Microsoft best practice, which says that you should create a new unsealed MP for overrides belonging to a sealed MP. So for instance you would create an MP called Exchange 2003 Overrides for the Exchange 2003 MP and so on.

You can create the MP on the fly when you do the first override or go to the Administration tab and create it under Management Packs. I prefer the second as I can then create the new MP with exactly the same name as the original MP and put Overrides at the end. In an alphabetical list you will see which MPs have override MPs and which ones don’t. If you want to see all the override MPs together you can sort on management packs to show all unsealed ones.

The way to disable a rule is to use the Override option, which gives you all the options you can override. Change the Enabled parameter to False and choose the unsealed MP to save it in.

The KB also mentions that the override may need changing in multiple places. Kudos to the SystemCenterForum.org team as their spreadsheet is referenced in the KB.

It does not mention if this is fixed in SP1.

Faster Console

October 23, 2007

I heard from a couple of contacts within Microsoft that the SCOM 2007 SP1 console is much better. They are using the IDS build. A blog post from Satya Vel, who is now in charge of performance and scale for OpsMgr, compares the old and new to cars. While I understand how fast a BMW M3 is, I have no idea what a Geo Metro is, never mind how fast (or slow) it goes. Step in Wikipedia – http://en.wikipedia.org/wiki/Geo_Metro. This says it is a 1.0 litre engine that can do 0-60 in just over ten seconds. So slow then. But an M3 comparison sounds good. Looks like we can disband the green bar watcher’s club when SP1 arrives.

By the way Satya was talking about bandwidth utilisation. A good sign as usually the US ignores bandwidth as they have plenty of it but in Europe that is not always the case.

IDS information – the Product Groups use build numbers to show the incremental changes in code. Not all builds have the full code. The ones that are destined to become final builds are designated IDS for servers and IDW for workstations.

Alerts and State

October 9, 2007

One area that causes confusion is about alerts and how they are displayed. In 2007 the product has moved towards health monitoring and so the Computers view (this was the State view in 2005) using monitors is the way forward. But there are still a number of MPs that have rules.

A rule is simple. It will look for a particular event, a performance counter threshold, WMI etc and create an alert. This alert gets updated with the repeat count. If it is being generated by a script running every 5 minutes then the repeat count will increment every 5 minutes. If the repeat counter stops incrementing it is a good sign, but not infallible, that the problem has stopped. An alert from a rule ONLY shows in the Active Alerts view and NOT in the Computers view. This is different from MOM 2005 where the State view also had a column for alerts generated by rules. Rule alerts must be closed by an operator. They do not auto resolve.

A monitor can be 2 state (green – red or amber) or 3 state (green – amber – red). Unlike a rule a monitor knows when the problem has gone away and will auto resolve the alert in the Active Alerts view and return the appropriate component back to green in the Computers view.

One issue is that the creator of the monitor does not have to choose to create an alert. It is an option. Also the alert created by the monitor will never increment. It is a one-off alert even though the problem may be continually happening. The Repeat Count was a useful indicator of what was happening in MOM 2005. The big problem is that if the agent misses the event that turns it back to green, it still thinks it is in the red state and will not change back. People think that the Reset button in Health Explorer will clear it back to green but it does not.

In the Active Alerts view when you highlight an alert you will get the description box at the bottom. The rule/monitor that created the alert is shown and it will either say Rule Alert or Monitor Alert so you know whether it should auto resolve or you need to resolve it.

Summary

A rule will only create alerts and will not affect the Computer view.
A monitor will update the Computer view and may or may not create an alert in the Active Alerts view.
An alert created by a rule needs to be manually resolved.
An alert created by a monitor will auto resolve.

So you can have alerts in the Alert View but the State View is all green. Likewise you can have red components in the State view without any alerts in the Alert View. Which is bizarre. There is no single view in 2007 (unlike 2005) in which you can see the total state of the computers. You can create a dashboard view with both views in it but I find that unsatisfactory.

For the Product Group

What I would like to see is the ability to have a column in the Computers view that is the roll-up of all rule alerts so that there is one view to see everything.
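
The rule/monitor split summarised above can be checked from the Operations Manager Command Shell. The following is an added example, not part of the original post: it rolls up open rule alerts per computer, since those never appear in the Computers view. It assumes the `Get-Alert` cmdlet and the alert properties `IsMonitorAlert`, `ResolutionState`, `RepeatCount`, `NetbiosComputerName` and `LastModified`; the function names and the sample alerts are constructed for illustration.

```powershell
# Added example: per-computer roll-up of open rule alerts (not the product's own view).
# Assumes PowerShell 2.0 or later. Function names are hypothetical.

function Get-RuleAlertRollup {
    param([object[]]$Alerts)
    $Alerts |
        # 255 is the Closed resolution state; rule alerts stay open until an operator closes them.
        Where-Object { $_.ResolutionState -ne 255 -and -not $_.IsMonitorAlert } |
        Group-Object NetbiosComputerName |
        ForEach-Object {
            $repeats = ($_.Group | Measure-Object RepeatCount -Sum).Sum
            $latest  = ($_.Group | Sort-Object LastModified | Select-Object -Last 1).LastModified
            New-Object PSObject -Property @{
                Computer       = $_.Name       # empty when the alert is not tied to a computer
                OpenRuleAlerts = $_.Count
                TotalRepeats   = $repeats      # a count that keeps rising suggests the problem persists
                LastModified   = $latest
            }
        } |
        Sort-Object OpenRuleAlerts -Descending |
        Select-Object Computer, OpenRuleAlerts, TotalRepeats, LastModified
}

# Constructed sample alerts, used only when no management group connection is available.
function New-SampleAlert($Computer, $IsMonitor, $State, $Repeat, $Modified) {
    New-Object PSObject -Property @{
        NetbiosComputerName = $Computer; IsMonitorAlert = $IsMonitor
        ResolutionState = $State; RepeatCount = $Repeat; LastModified = [datetime]$Modified
    }
}

$alerts = if (Get-Command Get-Alert -ErrorAction SilentlyContinue) {
    # Live data: alerts in the New state (add further states here if custom ones are in use).
    Get-Alert -Criteria 'ResolutionState = 0'
} else {
    New-SampleAlert 'EXCH01' $false 0   12 '2007-10-09 09:05'   # rule alert, still repeating
    New-SampleAlert 'EXCH01' $false 0   0  '2007-10-09 08:40'   # rule alert, fired once
    New-SampleAlert 'EXCH01' $true  0   0  '2007-10-09 08:55'   # monitor alert, auto resolves
    New-SampleAlert 'SQL02'  $false 255 3  '2007-10-08 17:20'   # rule alert, already closed
    New-SampleAlert 'SQL02'  $false 0   4  '2007-10-09 07:10'   # rule alert, open
}

Get-RuleAlertRollup -Alerts $alerts | Format-Table -AutoSize
```

With the constructed sample, EXCH01 is listed with two open rule alerts and SQL02 with one; the monitor alert and the closed alert are excluded.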

