You would probably have seen this by now as most SCOM bloggers have a post on it. For details on what it contains (KB974144) and link to download see
Before you install it be sure to check out Kevin’s post on the best way to install it.
And a tip from Daniele on updating the console.
http://nocentdocent.wordpress.com/2010/01/16/eventually-we-got-cumulative-1-for-r2/
This should now put OpsMgr up to v6.1.7221.13.
Just seen that the File Services MP for SCOM 2007 has been released as a beta (i.e. not supported).
It is on Connect if you want to try the beta. It is nice to see the Product Groups improving on the MPs and releasing betas for feedback.
The following table describes which File Services role service can be monitored with the beta management pack on various Windows Server versions:
Role Service and OS Version Supported
Here are several of the key features provided in this beta management pack:
Agentless Monitoring
Ability to monitor file services on servers without deploying a SCOM agent to the specific server
Highly Available Cluster Instance Monitoring
Ability to monitor the health status of a Highly Available File Server deployed on a Failover Cluster
NFS Role Service
Monitor activity logging, NIS configuration, port registration, portmaper service, NFS service driver, username mapping service, and more
FSRM Role Service
Monitor FSRM service, quota driver, filescreen driver, file classification task progress, and orphaned mountpoints
DFSR Role Service
Monitor the health of DFS Replication service, communications with replication partners, database recovery, communications with Domain Controllers, free space on volume containing a replicated folder, USN journal wrap events, overlap with FRS, inconsistent configuration, and more
DFSR Backlog Tracking
Ability to display the backlog count per connection for a DFS replication group
DFSR Performance Counters
Track data for bandwidth ravings, replication conflicts, deleted files and staging area
DFS Namespace Role Service
Monitor DFS namespace service, health of a single namespace hosted on multiple servers, health of the AD component of DFS namespaces, site table initialization, namespace initialization, Namespace Synchronization with AD, Folder Target Health and more
SMB Role Service
Monitor the health of Lanman server service, creation of shares at system startup, IRP stack overflow events, firewall port configuration
If you are testing out the new SharePoint 2010 betas then you may want to look at the beta MPs for them as well. They work with both SP1 and R2.
Details of the improvements to the packs are here which includes the links to the download locations.
The post highlights the fact that they have significantly increased the number of discoveries, classes and monitors but have reduced the rules. But as we all know more does not always mean better. In fact one of Microsoft’s big advertising themes for Windows Server was “Do More With Less”. I would rather have 1 good quality monitor than 10 poor ones. But it looks like they have improved the health monitoring as shown in the screenshots. Significant improvements for large SharePoint installations.
In 2010 you can monitor multiple farms, multiple servers, services, shared services, SharePoint Health Analyzer rules (Which saves you a trip to central admin which also means that System Center Operation Manager console is your one stop shop for all monitoring requirements) and web applications.
In case you were not aware SharePoint Foundation is the new name for Windows SharePoint services. So SharePoint Foundation 2010 is actually WSS v4.0. Note that the new versions of SharePoint are 64 bit only.
The main MP covers
I started to see this error as I moved servers in my test environment to Windows 2008 R2.
Alert
Name
DNS 2008 Monitor Zone Resolution Alert
Description
Zone TrustAnchors on DNS Server VDC01.Cosiris.local is not responding to queries.
Source
TrustAnchors (VDC01.Cosiris.local)
The MP is DNS 2008 MP v6.0.6480.0 and OpsMgr 2007R2.
I had not seen this before and as i was having some general problems with the test environment I thought that it might be linked. In fact it seems to be a new feature of Windows 2008 R2. A bit of searching brought in some more information on DNSSec (DNS Security).
http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-trust-anchor-03
http://www.dnssec-tools.org/wiki/index.php/Trust_Anchor
http://blogs.technet.com/sseshad/archive/2008/10/30/dnssec-in-windows-7.aspx
DNSSEC in Windows Server 2008 R2
From http://technet.microsoft.com/en-us/library/ee649277(WS.10).aspx
A trust anchor is a preconfigured public key associated with a specific zone. Windows Server 2008 R2 supports the configuration of trust anchors by using DNSKEY resource records.
A validating DNS server must be configured with one or more trust anchors in order to perform validation. At least one trust anchor is required if any DNSSEC data is to be validated by the DNS server. Additional trust anchors can be deployed to support islands of trust. DNS server management tools (DNS Manager and Dnscmd.exe) can be used to locally or remotely view and modify trust anchors. Trust anchors apply only to the zone for which they are configured.
If the DNS server is running on a domain controller, trust anchors are stored in the forest directory partition in Active Directory Domain Services (AD DS) and will be replicated to all domain controllers in the forest. On standalone DNS servers, trust anchors are stored in a file named TrustAnchors.dns in %windir%\System32\DNS.
The reason it shows up as an alert is that it appears to be a DNS zone in Windows 20089 R2. As I am not intending to run DNSSec I just put an override on this alert.
For a 12:47 video on DNSSec and a link to a deployment white paper go to this link http://edge.technet.com/Media/DNS-Security-DNSSec-Overview/.
Ian
Dec 2009
This error may occur on Windows 2008 servers
Group Policy Preprocessing (Active Directory) Alert
Alert Description
Source:
Server name
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
Active Directory Bind Monitor
Summary
Group Policy Preprocessing (Active Directory)
Group Policy processing requires Active Directory. The Group Policy service reads and updates information stored in Active Directory. The absence of Active Directory (or a domain controller) prevents Group Policy from applying to the computer or user.
Resolutions
Correct binding to the directory
The Group Policy service logs the error code. This information appears on the Details tab of the error message in Event Viewer. The error code (displayed as a decimal) and error description fields further identify the reason for the failure. Evaluate the error code with the list below:
- Error code 5
- Error code 49
- Error code 258
Error code 5 (Access is denied)
This error code might indicate that the user does not have permission to Active Directory.
To correct permissions for accessing Active Directory:
Use Active Directory troubleshooting procedures to further diagnose the problem.
Error code 49 (Invalid credentials)
This error code might indicate that the user’s password expired while the user is still logged on the computer.
To correct invalid credentials:
- Change the user’s password.
- Lock/unlock the workstation.
- Check if there are any system services running as the user account.
- Verify the password in service configuration is correct for the user account.
Error code is 258 (Timeout)
This error code might indicate that the DNS configuration is incorrect.
To correct timeout issues:
Use the nslookup tool to confirm _ldap._tcp.<domain-dns-name> records are registered and point to correct servers (where domain-dns-name is the fully qualified domain name of your Active Directory domain).
Use Active Directory troubleshooting procedures to further diagnose the problem.
Note: These steps may have varying results if your network constrains or blocks ICMP packets.
This knowledge is identical to http://technet.microsoft.com/en-us/library/cc727283(WS.10).aspx about event ID 1006.
Additional error codes for event 1058 can be found at http://technet.microsoft.com/en-us/library/cc727259(WS.10).aspx
If you follow the link in the knowledge to do troubleshooting AD then you go to http://technet.microsoft.com/en-us/library/cc732148(WS.10).aspx and get told that “The document that you are attempting to access is not yet available.” even though it is dated 7th November 2008.
There is a hotfix for Windows 2008 servers that this applies to.
http://support.microsoft.com/default.aspx?scid=kb;en-us;950876&sd=rss&spid=12925
Information
Alert is “Active Directory Search Monitor” from Group Policy 2008 MP. It is looking for event 1080 in System and is a Manual Reset monitor. The same named alert is from “Active Directory Bind Monitor” and is looking for event 1006 and is also a Manual Reset.
NB as this is a monitor you have to do Reset Health in Health Explorer and not just Close the alert. These alerts rollup for Availability and will create the calculated alerts (AD Domain Availability Health Degraded and AD Site Availability Health Degraded) for the domain if more than 60% of DCs are affected.
OpsMgr is R2 and AD MP is v6.0.6452.0.
Patrick Pendergast (SCVMM Program Manager) has posted that there is a document out to help create PRO enabled MPs.
http://blogs.technet.com/scvmm/archive/2009/08/25/writing-pro-enabled-management-packs.aspx
This is a 32 page document starting with explaining what PRO is.
Physical Resource Optimization (PRO) is extended through a System Center Operations Manager 2007 management pack.
PRO enables you to augment the available knowledge in the management packs to make recommendations or take actions that take advantage of the additional capabilities available when workloads are running in a virtualized environment.
PRO relies on Operations Manager 2007 to monitor and collect performance data from hosts and virtual machines within an environment.
Nice diagram showing how it all fits together.
This document goes into a lot of XML and so is not for the faint hearted!
The alert “The SQL Server Service Broker or Database Mirroring transport is disabled or not configured” is one that pops up in new installations quite frequently. A typical answer is to look at the Broker part and check if it is set as in this post.
With SQL 2008 you do not have to run the SQL query as it is shown in the properties of the database. Open SQL Server Management Studio, select OperationsManager database and right click and chose Properties. Click Options and scroll down and there is a section called Service Broker.
On my default install this is set to true anyway. But the clue is in the alert. In the alert details it says “The Database Mirroring protocol transport is disabled or not configured.” Back in the database properties under Mirroring we can see that the database has not been configured for mirroring.
If you select Configure Security you will see the following error message.
In my test environment the database had defaulted to Simple Recovery Model. There are three – Simple, Full and Bulk-Logged. This is fine for a test environment but is unlikely in a production environment. With the Recovery Model at Simple you will need to override this SQL MP alert. It would have been nice if they had created two rules for this instead on just the one.
Anders used to do a monthly blog post called Links During Month. He has not done one for a while and so I thought that I would have a go to summarise all the new stuff for one month. I can see why he gave it up. It is quite time consuming!
The big news is that R2 is finally available. even though it went RTM in May. Although it did take a few days before it was available at all the download sites.
Could the delay in posting be due to the other July news that the OpsMgr licensing has changed. Again! Microsoft’s financial year starts on 1st July. Coincidence? See Emma’s posts on the changes from 1st July and about transitioning existing SC suite licences to the new version.
New Reporting Guide released. This is different to the Report Authoring Guide which had previously been released.
TechNet Virtual Labs available
Management Pack University Videos
Management Pack University is a training course aimed at developers working on building management packs for System Center Operations Manager 2007. These training videos walk you through the full process of development of a management pack.
MPs
Jalasoft – NetIQ Aegis Adapter
Community connector – Nagios
Tools
GreenMachine R2 updated.
Visio 2007 Add-In for R2 released. 11 min video demonstration. Use Visio instead of the OpsMgr console!
As an added bonus Windows 7 and Windows 2008 Server R2 RTMed but availability will not be until August.
And finally Brad Anderson who took over the System Center Management Division a couple of years ago must be doing well as he has been promoted.
Markus Baeker has posted a connector to link SCOM and Nagios. Normally the blog is in German but this post is in English as there is now an English instruction manual and you can define English status messages.
http://www.mbaeker.de/2009/07/scom2nagios-1-2/
It is released under the terms of the GNU General Public License.
There is a thread on the OpsMgr forum about the pros and cons of having the MPs directly imported in from the web catalogue in R2. Marnix Wolf has a good post about it that summarises the issue. One of the key ones being that it bypasses the manual which is needed in most cases to know how to configure the MP – RTFM. It is useful for me to download known MPs when I create a new installation but for a production environment change control is essential.
One of the other things that happens if you do not test it is that you could get flooded with alerts as I found out recently when importing the DFS MP at a customer site. Luckily I was not the one that received the 600 e-mails from the alerts created. In a new installation the agents are pushed out a few at a time and an MP is added and then tuned. So it is easier for new installation plus it is not in production yet so no-one is looking at the console and subscriptions have not been setup for e-mail alerts. If you have a system where all the agents are already out and it is in production then you need to be careful before importing a new MP. Here are some suggestions that I have developed or picked up from others that should be used to ensure a new MP does not create a flood of alerts.
Method 1 – Don’t Import
Just because you can import an MP does not mean that you should. If you are not interested in monitoring a particular area then why import the MP? I always say to customers that the only alerts that you should see in the console are actionable alerts otherwise the console gets cluttered as people rarely keep it tidy and the Ops guys start to discount the console as they see too many alerts which don’t mean anything to them.
Method 2 – Use Silect
Silect have been making MP Studio for years. It allows you to test an MP without actually deploying to tell you about what alerts would have been created. It does other stuff as well like tracking changes but the problem is that it does cost money which puts some customers off. But if you have invested in Operations Manager rather than one of the other expensive monitoring frameworks then you should have some spare money to buy this.
Method 3 – Create an override MP in test
This method assumes that you have a test environment. Even a single OpsMgr server in a virtual environment would do. With many versions of virtualisation being free (Virtual PC, Virtual Server, Hyper-V Server, VMWare Server, VMware ESXi and Citrix XenServer amongst others) and a 180 evaluation copy of OpsMgr being available most organisations should be able to set up a single server test.
OpsMgr allows you to multi home up to 4 management groups. When the agent is first deployed to a server it does the actual install. When you “install” the 2nd, 3rd and 4th agent it does not install another agent but creates new registry keys and keeps the rules from one management group separate from another. This means that you can push the agent out from your test server to servers that have the application of the MP you are testing and you can find out what alerts are created without those alerts (and potential subscription e-mails) going into the production console.
Now you can create an override MP for those alerts and when you import the MP into production you import your override MP in at the same time so that the MP is already tuned for production. You can then remove the agents from the test management groups until you need to do another test. This may not be feasible for some environments with strong change control as even deploying those reg keys as a 2nd agent is seen as a change that needs to go through the process.
Method 4 – Disable discoveries
Most MPs start discovery as soon as they are imported and so rules and monitors go to the agents and start running and creating alerts. New MPs like the Exchange 2007 MP for R2 are different. It only has a lightweight discovery that discovers the components. If you want these components actually managed then you have to switch them on which means that you can control the alerts coming out. I hope all future MPS use this method.
You can import the MP in and quickly try and do an override to disable discoveries but you may not be fast enough. Use a test environment like above and then import the MP into that. Create an override MP and disable discoveries. Created a group in this MP and switch on discoveries for this group. Now import the MP and override MP into production. You can now add agents one at a time into the group so that only a subset of servers are running the MP. This should help control the number of alerts that you see. As a new “agent” is not put on production servers then this is one less change control to do.
Tools
A couple of tools that you can use to help with this are Silect MP Studio Lite. This is a free cot down version that allows you to examine an MP file so you can see what discoveries, rules and monitors are in the MP. Boris Yanushpolsky from the Product Group created MP Viewer. The latest is version 1.7. This allows you to point to an XML or MP (without having to convert it to XML first) file and open it up to view the contents in a structured manner. Stefan Stranger keeps a good list of OpsMgr tools.
Summary
Examine the MP and decide whether or not you actually want to import it.
Read the MP Guide before importing the MP. You will find out what needs to be configured.
Use a tool to examine an MP before importing it. You will get an idea of the number of rules and monitors as well as discoveries in the MP.
Use one of the methods to above to reduce potential alerts before importing the MP. If you have the money Silect is a good way to go but otherwise method 3 is best as you are actually doing the tuning without impacting production.
Remember tuning is an ongoing activity and not a one off. You should have a process for it.
