
Category Archives: System Center Operations Manager 2007


Welcome to contoso.se! My name is Anders Bengtsson and this is my blog about Azure infrastructure and system management. I am a senior engineer in the FastTrack for Azure team, part of Azure Engineering, at Microsoft.  Contoso.se has two main purposes, first as a platform to share information with the community and the second as a notebook for myself.

Everything you read here is my own personal opinion and any code is provided "AS-IS" with no warranties.

Anders Bengtsson

MVP awarded 2007,2008,2009,2010


Update resolution state with a script

This is a script you can use to update resolution state. It looks at all new alerts (resolutionstate = 0) and checks whether the alert description contains "domain" or "AD"; if it does, the script sets a new resolution state. The ID for the resolution state can be found under alert settings in the Administration workspace of the Operations Manager console. You can schedule a task to run this script every X minutes to update all new alerts.

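$RMS = "myRMSHost"

# Load the Operations Manager snap-in and connect to the management group
Add-PSSnapin "Microsoft.EnterpriseManagement.OperationsManager.Client"
Set-Location "OperationsManagerMonitoring::"
New-ManagementGroupConnection -ConnectionString:$RMS
Set-Location $RMS

# ID of the target resolution state (see alert settings in the console)
$resState = 42
# -match is a case-insensitive regex match, so "AD" also matches words such as "load"
$alerts = Get-Alert -Criteria 'ResolutionState = 0' | Where-Object {($_.Description -match "AD") -or ($_.Description -match "domain")}
If ($alerts) {
    foreach ($alert in $alerts) {
        $alert.ResolutionState = $resState
        # Update() commits the change; the argument is the alert history comment
        $alert.Update("")
    }
}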

The scheduled task command can be

C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe -command C:\myscripts\change_resolutionstate.ps1

The System Center Configuration Manager 2007 Dashboard with Operations Manager

The System Center Configuration Manager 2007 Dashboard can show you a web-based status report, including system deployments, security updates, system health status and more for your Configuration Manager environment. More info about the dashboard at the System Center Team Blog. Timothy McFadden posted a good post about how to use this dashboard with Operations Manager 2007 R2. I have tried this in my sandbox and it works really well.

Here are some example queries to use

Total number of computers in the management group

SELECT COUNT(*) AS NumManagedComps FROM (
SELECT bme2.BaseManagedEntityID
FROM BaseManagedEntity bme WITH (NOLOCK)
INNER JOIN BaseManagedEntity bme2 WITH (NOLOCK) ON bme2.BaseManagedEntityID = bme.TopLevelHostEntityID
-- exclude deleted entities on both sides of the join
WHERE bme.IsDeleted = 0
AND bme2.IsDeleted = 0
AND bme2.BaseManagedTypeID = (SELECT TOP 1 ManagedTypeID FROM ManagedType WHERE TypeName = 'microsoft.windows.computer')
GROUP BY bme2.BaseManagedEntityID
) AS Comps

Number of new active alerts

SELECT COUNT(1) AS ActiveAlerts FROM Alert WHERE ResolutionState = '0'

Health State summary of all Windows Computers based

SELECT [State] = CASE ManagedEntityGenericView.HealthState
WHEN 1 THEN 'Healthy'
WHEN 2 THEN 'Warning'
WHEN 3 THEN 'Critical'
ELSE 'Unknown'
END
, COUNT(1) AS GroupCount
FROM ManagedEntityGenericView INNER JOIN
ManagedTypeView ON ManagedEntityGenericView.MonitoringClassId = ManagedTypeView.Id
WHERE (ManagedTypeView.Name LIKE 'Microsoft.Windows.Computer')
GROUP BY ManagedEntityGenericView.HealthState
ORDER BY GroupCount

Top 10 alerts

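SELECT TOP 10 SUM(1) AS AlertCount, AlertStringName
-- AlertView is the alert view in the OperationsManager database
FROM AlertView WITH (NOLOCK)
WHERE TimeRaised is not NULL
GROUP BY AlertStringName, AlertStringDescription, MonitoringRuleId, Name
ORDER BY AlertCount DESC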

If you would like to replace the banner you will find it in C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\IMAGES\Microsoft.DashboardFramework. One idea for a new banner could be

Thanks to my colleague Ola Ahrens for SQL support.

Investigate most common alert

The following SQL queries can be used to list first which machine or path, and then which rules or monitors, generate the most alerts in your environment. The first query shows which computer or path generates the most alerts. The second query shows which rule or monitor generates the most alerts on one single machine or path. Run both queries against your data warehouse database (OperationsManagerDW).


All Path
SELECT vManagedEntity.Path, COUNT(1) AS pathcount
FROM Alert.vAlertDetail INNER JOIN
Alert.vAlert ON Alert.vAlertDetail.AlertGuid = Alert.vAlert.AlertGuid INNER JOIN
vManagedEntity ON Alert.vAlert.ManagedEntityRowId = vManagedEntity.ManagedEntityRowId
GROUP BY vManagedEntity.Path
ORDER BY pathcount DESC


One Path
SELECT Alert.vAlert.AlertName, Alert.vAlert.AlertDescription, vManagedEntity.Path, COUNT(1) AS alertcount
FROM Alert.vAlertDetail INNER JOIN
Alert.vAlert ON Alert.vAlertDetail.AlertGuid = Alert.vAlert.AlertGuid INNER JOIN
vManagedEntity ON Alert.vAlert.ManagedEntityRowId = vManagedEntity.ManagedEntityRowId
WHERE vManagedEntity.Path = 'opsmgr29.hq.contoso.local'
GROUP BY Alert.vAlert.AlertName, Alert.vAlert.AlertDescription, vManagedEntity.Path
ORDER BY alertcount DESC

You could also use these queries in a report; take a look at this post about authoring custom reports.

Query a database with a monitor – part two

In this post I wrote about a script that you can use to query a database. The script in this post will count the number of fields; if there are more than four, the status of the monitor will be changed. It will also include the number of rows in the alert description. I use the following settings on the monitor, a scripting/timed script two state monitor. In the following example I have a database on my root management server. The database is named TechDaysdb and includes a table named OpsMgrV. The name of the root management server is mobile-opsmgr.

  • General
    • Name: Contoso – query db monitor
    • Monitor Target: for Root Management Server
    • Management Pack: TechDays demo
  • Schedule
    • Run every 2 Minutes
  • Script
    • File Name: TechDaysmonitor.vbs
    • Script: see below
  • Unhealthy Expression
    • Property[@Name='Status'] does not contain Ok
  • Healthy Expression
    • Property[@Name='Status'] contains Ok
  • Health
    • Healthy Healthy Healthy
    • Unhealthy Unhealthy Warning
  • Alerting
    • check Generate alerts for this monitor
    • check Automatically resolve the alert when the monitor returns to a healthy state
    • Alert Name: TechDays – db monitor
    • Alert Description: There are too many rows in the database. There are $Data/Context/Property[@Name='Rows']$ rows.


Const adOpenStatic = 3
Const adLockOptimistic = 3

Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()
Set objConnection = CreateObject("ADODB.Connection")
Set objRecordSet = CreateObject("ADODB.Recordset")

' Trusted_Connection=Yes uses the account the script runs as; a User ID and
' Password in the string would be ignored, so no credentials are stored here.
objConnection.Open _
"Provider=SQLOLEDB;Data Source=mobile-opsmgr;" & _
"Trusted_Connection=Yes;Initial Catalog=TechDaysdb;"
objRecordSet.Open "SELECT * FROM OpsMgrV", _
objConnection, adOpenStatic, adLockOptimistic

' A static cursor is needed for RecordCount to return the real row count
varNo = objRecordSet.RecordCount
If varNo > 4 Then
  Rows = varNo
  Call oBag.AddValue("Status","Error")
  Call oBag.AddValue("Rows",Rows)
  Call oAPI.Return(oBag)
Else
  Call oBag.AddValue("Status","Ok")
  Call oAPI.Return(oBag)
End If

Port 1434 UDP

Some time ago I installed a management server in a network different from the one where the Operations Manager 2007 database and root management server were installed. According to the guide I would need to open port 1434 between management server and database, 5723/5724 between management server and root management server and 1433 between management server and data warehouse.

But we also found out that when using named SQL instances you will need to open port 1434 UDP between the management server and the SQL database. In our scenario we used named instances on the data warehouse machine. The management server knew about it and tried to query the SQL Browser service on port 1434 UDP to get the correct network port for the SQL instance. Even if the instance is using the default port, the management server needs to query the SQL Browser service to get it. That query is sent on port 1434 UDP.
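An added example, not from the original post: a PowerShell check, run from the management server, that sends the same SQL Browser lookup on UDP 1434 and returns the TCP port reported for a named instance. The server name dwserver.hq.contoso.local, the instance name OPSDW and the sample response bytes are constructed placeholders.

```powershell
# Parse a SQL Browser (SSRP) reply: byte 0x05, 2-byte length, then
# "ServerName;X;InstanceName;Y;IsClustered;No;Version;V;tcp;<port>;;"
function ConvertFrom-SqlBrowserResponse([byte[]]$Response) {
    if ($Response.Length -lt 4 -or $Response[0] -ne 0x05) { throw 'Not a SQL Browser response' }
    $tokens = [Text.Encoding]::ASCII.GetString($Response, 3, $Response.Length - 3).Split(';')
    $info = @{}
    for ($i = 0; ($i + 1) -lt $tokens.Length; $i += 2) {
        if ($tokens[$i]) { $info[$tokens[$i]] = $tokens[$i + 1] }
    }
    return $info
}

# Ask the SQL Browser service on UDP 1434 which TCP port a named instance uses.
function Get-SqlInstancePort([string]$Server, [string]$Instance, [int]$TimeoutMs = 2000) {
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($Server, 1434)
        # Request: 0x04 (single-instance lookup) + instance name + terminating null
        [byte[]]$request = @(0x04) + [Text.Encoding]::ASCII.GetBytes($Instance) + @(0x00)
        [void]$udp.Send($request, $request.Length)
        $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$remote)
        return (ConvertFrom-SqlBrowserResponse $reply)['tcp']
    } catch {
        # A timeout usually means UDP 1434 is blocked or SQL Browser is not running
        Write-Warning "No SQL Browser answer from ${Server}: $($_.Exception.Message)"
    } finally {
        $udp.Close()
    }
}

# Offline check of the parser against a constructed reply (not captured traffic)
$payload = 'ServerName;DWSERVER;InstanceName;OPSDW;IsClustered;No;Version;10.0.1600.22;tcp;49172;;'
[byte[]]$constructed = @(0x05, $payload.Length, 0x00) + [Text.Encoding]::ASCII.GetBytes($payload)
(ConvertFrom-SqlBrowserResponse $constructed)['tcp']

# Live check from the management server (placeholder names)
Get-SqlInstancePort -Server 'dwserver.hq.contoso.local' -Instance 'OPSDW'
```

The port returned by the live check is the TCP port that also has to be open between the management server and that instance.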

Auditing files in Windows with ACS

I have been doing some tests for file auditing with Audit Collection Services (ACS). Unfortunately Windows file auditing doesn't really generate informative logs. It is most often the same event ID and the event description is very technical. I did some file operations and reviewed all events in the security event log. I think I have found a way to almost sort all the different file operations into different ACS reports. The first thing you need to do is enable auditing in both a policy and on the folder. I have used the built-in Microsoft Report Builder to create my new ACS reports. You can read more about creating ACS reports here. I have built four reports. You could merge them into one and you can add/remove any parameter you want. It could be nice with relative dates and an input field for user name and object name. One of the first things I did was match ACS report parameters with parameters in security events; below is the result from that exercise:

  • String01 – Object Type
  • String02 – Object Name
  • String03 – Process ID
  • String04 – Process Name
  • String05 – Accesses
  • String06 – Object Server
  • String07 – Handle ID
  • String08 – Transaction ID
  • String09 – Access Mask
  • String10 – Privileges Used for Access Check
  • String11 – Restricted SID Count

For the four reports I use the following filter

  • Contoso – File – Created Files
    • Event ID equals 4656
      • String 09 equals 0x6019f
      • or
      • String 09 equals 0x16019f
  • Contoso – File – Delete
    • Event ID equals 4663
    • String 05 contains DELETE
  • Contoso – File – Modified Files
    • Event ID 4656
      • String 09 equals 0x2019f
      • or
      • String 09 equals 0x12019f
  • Contoso – File – Open/Read Files
    • Event ID equals 4656
      • String 09 equals 0x120089
      • or
      • String 09 equals 0x20089

Summary: You read the step-by-step guide about ACS reports in my ACS report post and you apply the filters in this post.
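The four report filters above, applied to constructed sample events, as an added example (not code from the original post). Decoding each Access Mask into the standard Windows file access rights goes beyond the post and shows which bit separates the reports; the events and object names are made up.

```powershell
# Report filters from the post: Access Mask (String09) values for event 4656
$MaskToReport = @{
    '0x6019f'  = 'Created Files';   '0x16019f' = 'Created Files'
    '0x2019f'  = 'Modified Files';  '0x12019f' = 'Modified Files'
    '0x120089' = 'Open/Read Files'; '0x20089'  = 'Open/Read Files'
}

# Standard Windows file access rights that make up an access mask
$FileRights = @(
    @(0x000001, 'ReadData'),        @(0x000002, 'WriteData'),
    @(0x000004, 'AppendData'),      @(0x000008, 'ReadEA'),
    @(0x000010, 'WriteEA'),         @(0x000020, 'Execute'),
    @(0x000040, 'DeleteChild'),     @(0x000080, 'ReadAttributes'),
    @(0x000100, 'WriteAttributes'), @(0x010000, 'DELETE'),
    @(0x020000, 'READ_CONTROL'),    @(0x040000, 'WRITE_DAC'),
    @(0x080000, 'WRITE_OWNER'),     @(0x100000, 'SYNCHRONIZE')
)

# Turn a hex mask such as 0x2019f into the list of rights it contains
function Expand-FileAccessMask([string]$Mask) {
    $value = [Convert]::ToInt32($Mask, 16)   # base 16 accepts the 0x prefix
    ($FileRights | Where-Object { $value -band $_[0] } | ForEach-Object { $_[1] }) -join ', '
}

# Apply the post's filters: 4663 + DELETE in Accesses, or 4656 + exact mask
function Get-FileAuditReport($Record) {
    if ($Record.EventId -eq 4663 -and $Record.String05 -like '*DELETE*') { return 'Delete' }
    if ($Record.EventId -eq 4656 -and $MaskToReport.ContainsKey($Record.String09)) {
        return $MaskToReport[$Record.String09]
    }
    return 'Unclassified'
}

# Constructed sample events (String02 = Object Name, String05 = Accesses, String09 = Access Mask)
$sample = @(
    [pscustomobject]@{ EventId = 4656; String02 = 'D:\Share\new.docx';    String05 = ''; String09 = '0x16019f' },
    [pscustomobject]@{ EventId = 4656; String02 = 'D:\Share\budget.xlsx'; String05 = ''; String09 = '0x12019f' },
    [pscustomobject]@{ EventId = 4656; String02 = 'D:\Share\readme.txt';  String05 = ''; String09 = '0x120089' },
    [pscustomobject]@{ EventId = 4663; String02 = 'D:\Share\old.log';     String05 = 'DELETE'; String09 = '' },
    [pscustomobject]@{ EventId = 4656; String02 = 'D:\Share';             String05 = ''; String09 = '0x100081' }
)

$sample | Select-Object EventId, String02,
    @{ n = 'Report'; e = { Get-FileAuditReport $_ } },
    @{ n = 'Rights'; e = { if ($_.String09) { Expand-FileAccessMask $_.String09 } } } |
    Format-Table -AutoSize -Wrap
```

The Created and Modified masks differ only in the WRITE_DAC bit, and because the filters are exact matches, any other combination of rights (the last sample row) lands in none of the four reports.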

Infrastructure Planning and Design Guide Series

I want to point you to a series of documents that I often use in System Center projects.

The Infrastructure Planning and Design (IPD) series provides guidance for Microsoft infrastructure products. The series is a collection of documents that leads the reader through a sequence of core decision points to design an infrastructure for Microsoft products. It also provides a means to validate design decisions with the business to ensure that the solution meets the requirements for both business and infrastructure stakeholders.

The IPD documents are designed to be used by the following IT personnel:

  • Infrastructure planners and architects who have a firm operational grasp of the technology.
  • Partners and consultants who design infrastructure solutions.
  • Business managers who want to understand how the technology decisions being made both support and affect the business.

You will find the documents here

Reading a logfile with a 3 state monitor

If you build a monitor to monitor a logfile, Operations Manager will remember which line it was reading last. Operations Manager will only look for new keywords below that line; it will not read the whole file again. I did a lot of tests with logfile monitoring, read more about them here. If you need to get Operations Manager to read the whole logfile each time, you can use a script like this:

Const ForReading = 1
Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile _
("c:\temp\file.txt", ForReading)

Do Until objTextFile.AtEndOfStream
  strText = objTextFile.ReadLine

  ' Remember the last "Warning" line, but keep reading
  varWarPos = InStr(strText, "Warning")
  If varWarPos > 0 Then
    varStatus = "Warning"
    varLine = strText
  End If

  ' A "Critical" line is reported at once and the script stops
  varCriPos = InStr(strText, "Critical")
  If varCriPos > 0 Then
    Call oBag.AddValue("Line", strText)
    Call oBag.AddValue("Status","critical")
    Call oAPI.Return(oBag)
    objTextFile.Close
    WScript.Quit
  End If
Loop
objTextFile.Close

' No "Critical" found: report warning or ok
If varStatus = "Warning" Then
  Call oBag.AddValue("Line", varLine)
  Call oBag.AddValue("Status","warning")
  Call oAPI.Return(oBag)
Else
  Call oBag.AddValue("Status","ok")
  Call oAPI.Return(oBag)
End If

This script will read the file (c:\temp\file.txt) line by line. The script is looking for two keywords in the logfile, “Warning” and “Critical”. If there is a “Critical” in a line the script will send back a bag with status=Critical and the script will stop. If there is a “Warning” in the line the script will continue, as there might be a “critical” somewhere too. If there was only “Warning” the script will send back status=Warning. If there was no “Warning” or “Critical” the script will send back status=ok.

If there is a “Warning” or “Critical” the script will also put that line into a bag, and send it back to Operations Manager. You will see this line in the alert description. To use this script, you can configure a monitor like this:

  • Create a new monitor of type Scripting/Generic/Timed Script Three State Monitor. Input a suitable name and target. More about targeting here.
  • Schedule
    • Configure your script to run every X minutes. The script will read the whole logfile each time
  • Script
    • Filename and Timeout, for example CheckFile.vbs and 2 minutes
    • Paste the script in the script field
  • Unhealthy expression
    • Property[@Name='Status']
    • Equals
    • Warning
  • Degraded expression
    • Property[@Name='Status']
    • Equals
    • Critical
  • Healthy expression
    • Property[@Name='Status']
    • Equals
    • ok
  • Alerting
    • Check Generate alerts for this monitor
    • Generate an alert when: The monitor is in a critical or warning health state
    • Check Automatically resolve the alert when the monitor returns to a healthy state
    • Alert name: Input an alert name
    • Alert Description
      • State $Data/Context/Property[@Name='Status']$
      • Line $Data/Context/Property[@Name='Line']$

Summary: This monitor, including the script, will read a logfile and generate alerts based on keywords. It will read the whole logfile each time and look for two different keywords.

Custom alerting based on distributed applications

I ran into an interesting scenario some time ago. A customer has first line operators online 24/7. During non-business hours they receive all alerts and need to call the on-call engineer if needed. But first line doesn't have deep knowledge about the environment, so sometimes the alerts from Operations Manager are a bit complicated to connect to a service, for example if the alert only tells you that database Y has a problem, and it is also hard to understand how critical the alerts are. For example, if only one IIS in the IIS farm goes offline, they should not call the on-call engineer in the middle of the night.

We had for example a service including two Windows services. As long as one of them is running, there should not be an alert, and if there is an alert, it should include a simple non-technical description. First we needed to create a distributed application with the two services. We used the Configure Health Rollup feature to configure the rollup algorithm to "best health state". As long as any service is healthy, the component box will be healthy.


When one of the services is stopped, you will receive an alert telling you for example "the print spooler service on computer X has stopped running". If you don't need it you can override the monitor and configure it not to generate alerts. When both services are down the distributed application will switch to critical status. But you will not receive an alert for that, only for the two services included in the distributed application.

If you need an alert when both services are offline, when the component box switches state, you can override the aggregate rollup monitor in the distributed application. Override it both to configure the alert description and to rename the alert to get a better alert name in the console. In this scenario I override the aggregate monitor on top of my two Availability monitors.


Now when both services are offline I get one alert, saying that first line should contact the on-call engineer.


Where did I put my distributed application?

When you create a new distributed application you need to select a management pack to store it in. If you later would like to see in which management pack you stored it, it can be difficult to find a way in the console. But there is at least one way:

  1. Navigate to Authoring, Distributed Applications
  2. Right-click the distributed application and select Edit… from the menu
  3. In the Distributed Application Designer Window, select a component group
  4. In the component group details pane, click Configure Health Rollup
  5. In the Override Properties window, you will see the management pack under “select destination management pack”