Late yesterday the RTM of Operations Manager 2007 R2 was approved, which immediately initiated the next stage of the process … getting this latest version of Microsoft’s end-to-end monitoring product for IT environments and datacenters out to YOU! Read more in our overview whitepaper, What’s New datasheet, or download the trial, and see customer stories and more information on our pages on Microsoft.com and TechNet.

The trial version of Operations Manager 2007 R2 RTM (build 7221) is now available via the Microsoft Download Center. General Availability of the product will be 1st July 2009, at which point new and existing customers will be able to obtain the bits from their respective customer download centers, such as MVLS.

In addition to the updated product documentation, our overview whitepaper, and what’s new datasheet, newly released collateral includes a number of new datasheets that include:

Reducing the cost of data center management with Operations Manager 2007 R2
Monitoring UNIX/Linux with Operations Manager 2007 R2
Tracking Service Levels with Operations Manager 2007 R2
Interoperability Connectors for Operations Manager 2007 R2
Some of you have also have the opportunity to try our new hands on labs at our MMS and TechEd events this year, which cover topics such as installation, introduction, management pack authoring, and more. We’re busily upgrading these with the RTM bits, and they will be available for you to use via the TechNet Online virtual labs next month (June).

In addition to downloading the trial (or if you’re waiting for the upgrade or full product bits to arrive in your customer portal):

Check out our TechNet Webcast Series on Operations Manager 2007 R2:
Introducing Operations Manager 2007 R2 (Level 300)
Monitoring .NET and Web Applications with System Center Operations Manager 2007 R2
Operations Manager 2007 R2 Deployment and Upgrade Best Practices
Operations Manager 2007 R2 Agentless Client Monitoring
Successfully Monitor UNIX and Linux Alongside Your Windows Infrastructure with Operations Manager 2007 R2 (Level 300)
Developing Custom Reports and Operational Dashboards with Operations Manager 2007 R2 (Level 400)
Monitoring .NET and Web Applications with System Center Operations Manager 2007 R2
System Center Operations Manager 2007 R2 Interoperability Connectors

Watch our TechNet EDGE Video Blogs (more on their way!):
Introduction to Operations Manager R2
Visio Integration with Operations Manager 2007 R2
Microsoft Management Summit 2009 Day 1 Keynote Recap with Brad Anderson

Learn about v2.0 of the Service Level Dashboard from our Solution Accelerators team, which lets you measure and report application or system performance & availability in near real time across your organization through Microsoft SharePoint. Download the Service Level Dashboard from the System Center Catalog (available shortly).

Check out our new community portal, System Center Central for downloads, discussions with our MVPs, and much, much more!

Source: the system center team blog

By default Exchange 2007 only log logons to the server, not to which mailbox. With the following cmdlet we can enable mailbox access auditing on our mailbox servers.

Set-EventLogLevel “MSExchangeIS\9000 Private\Logons” –level low

Note that there might be times, special with older Outlook clients) when other users will access other mailboxes to see details about for example calendar appointments. So a login event can be a simple check in the calendar. When I booked a meeting between two users, with Outlook 2007, I did not notice a extra security extra.
When we have enable audit of mailbox access we can use a collection rule in Operations Manager to collect them and store them in the data warehouse. I will use event IT 1009 in this example, event ID 1009 is an indication that the specified user account logged into the specified mailbox.

Event ID 1016

Start by creating a new rule, authoring/rules/create a rule/collection rule/NT event log. The collection rule will only collect, not generate any alerts. In my example I used Windows Server 2008 Computer as target. I created the rule disable as default. Then override and enable it for a group including a couple of Exchange mailbox server computer objects.

Event ID 1016 is also interesting. When a user access a mailbox another mailbox, then its primary mailbox, you will see a event with ID 1016.
The next step is to create a report. You can use the generic Custom Event report to create a linked report showing all the events. Run the Custom Event report and select your windows server 2008 computers as objects, filter the report for example in my example Event ID equals 1009. Note that you have to check its checkbox for every report field you want to include. If you check any checkboxes you will get a empty report.

If you don’t like the default event report you can author a new in Visual Studio. You can read my guide about that here and use the following query when building the data set in Visual Studio. In this query I have two parameters, keyword01 and keyword02. That is two parameters that the report operator can input as words to search for in the event description, for example a username and a mailbox name.

SELECT Event.vEvent.DateTime, vEventPublisher.EventPublisherName AS 'EventSource', vEventLoggingComputer.ComputerName AS 'Computer',
Event.vEvent.EventDisplayNumber AS 'EventID', vEventChannel.EventChannelTitle, Event.vEventDetail.RenderedDescription AS 'EventDescription'
FROM Event.vEvent LEFT OUTER JOIN
vEventCategory ON Event.vEvent.EventCategoryRowId = vEventCategory.EventCategoryRowId LEFT OUTER JOIN
vEventPublisher ON Event.vEvent.EventPublisherRowId = vEventPublisher.EventPublisherRowId LEFT OUTER JOIN
vEventLoggingComputer ON Event.vEvent.LoggingComputerRowId = vEventLoggingComputer.EventLoggingComputerRowId LEFT OUTER JOIN
vEventLevel ON Event.vEvent.EventLevelId = vEventLevel.EventLevelId LEFT OUTER JOIN
vEventChannel ON Event.vEvent.EventChannelRowId = vEventChannel.EventChannelRowId LEFT OUTER JOIN
Event.vEventDetail ON Event.vEvent.EventOriginId = Event.vEventDetail.EventOriginId
WHERE (Event.vEvent.EventDisplayNumber = '1009' OR
Event.vEvent.EventDisplayNumber = '1016') AND (Event.vEventDetail.RenderedDescription LIKE '%' + @keyword01 + '%') AND
(Event.vEventDetail.RenderedDescription LIKE '%' + @keyword02 + '%')
ORDER BY Event.vEvent.DateTime DESC

When running a performance report against a group you get a average value for all the members of the group. Often you need the report to specify each member of the group in the report. You can of course add each member of the group as object to the report. Another solution is to build a report where you can input a group. That will save you some time if you already have updated groups you want to run reports against. The following query can be run against a group that contains computer objects, it will then find the members of the group and run the report against each of them.


SELECT vManagedEntity.ManagedEntityGuid, vManagedEntityTypeImage.Image, Perf.vPerfHourly.DateTime, Perf.vPerfHourly.SampleCount, Perf.vPerfHourly.AverageValue,
Perf.vPerfHourly.StandardDeviation, Perf.vPerfHourly.MaxValue, vManagedEntity.FullName, vManagedEntity.Path, vManagedEntity.Name,
vManagedEntity.DisplayName, vManagedEntity.ManagedEntityDefaultName, vPerformanceRuleInstance.InstanceName, vPerformanceRule.ObjectName,
vPerformanceRule.CounterName
FROM Perf.vPerfHourly INNER JOIN
vManagedEntity ON Perf.vPerfHourly.ManagedEntityRowId = vManagedEntity.ManagedEntityRowId INNER JOIN
vManagedEntityType ON vManagedEntity.ManagedEntityTypeRowId = vManagedEntityType.ManagedEntityTypeRowId LEFT OUTER JOIN
vManagedEntityTypeImage ON vManagedEntityType.ManagedEntityTypeRowId = vManagedEntityTypeImage.ManagedEntityTypeRowId INNER JOIN
vPerformanceRuleInstance ON vPerformanceRuleInstance.PerformanceRuleInstanceRowId = Perf.vPerfHourly.PerformanceRuleInstanceRowId INNER JOIN
vPerformanceRule ON vPerformanceRuleInstance.RuleRowId = vPerformanceRule.RuleRowId
WHERE (vPerformanceRule.CounterName LIKE N'%Available MBytes%') and (Perf.vPerfHourly.DateTime > @ReportParameter2 and Perf.vPerfHourly.DateTime < @ReportParameter3)

ORDER BY Perf.vPerfHourly.DateTime


In this example the report will show the “Available MBytes” performance counter for a group that you input as parameter @Group. It will show data between @ReportParameter2 and @ReportParameter3 (dates). I get all groups from the database by this query


Select DISTINCT BMESource.DisplayName as [Group Name]
From OperationsManager.dbo.BaseManagedEntity BMESource
Inner Join OperationsManager.dbo.Relationship R
On R.SourceEntityId = BMESource.BaseManagedEntityId
Inner Join OperationsManager.dbo.BaseManagedEntity BMETarget
On R.TargetEntityId = BMETarget.BaseManagedEntityId


The two date parameters, @ReportParameter2 and @ReportParameter3 I get from two queries that returns current data and current date minus seven days.

SELECT convert(date,getdate(),21)
SELECT convert(date,dateadd(day,-7,getdate()),21)

In my report I also added a matrix to show the values. I added the following line as BackgroundColor on the data value cell. This will give me a red background on every value below 100, in this example each time a machine had less than 100 Mb free memory. =iif(Fields!AverageValue.Value < 50, "Red", "White")
Big thanks to Mike Eisenstein for good ideas and SQL help.

You can use a basic service monitor to restart, but even if Ops Mgr restarts the service automatic you need to keep an eye on it. You don’t want Operations Manager to restart the service every two minute, if it does, you need to get notified and investigate the root cause. To keep an eye on this your can use a repeated event detection monitor, that will generate an alert if the service is restarted to often. In this example I will create a monitor to monitor the print spooler (spooler) service and restart it if needed. I will also create a monitor to look at “the print spooler service entered the running state” events. If there are more then four events within one hour Operations Manager will generate an alert.

1. Authoring > Monitors > New Monitor > Windows Services > Basic Service Monitor
2. General: Name, Description and target for example Windows Server 2008 Computer
3. Service Details: spooler
4. Configure Health: Next
5. Configure Alerts: Check generate alerts for this monitor, Create
6. Right-click the new monitor and select properties from the context menu
7. Click the Diagnostic and Recovery tab
8. Add a recovery task that (make sure to get the recovery target correct)
– Recalculate monitor state after recovery finishes
– Run a command
– Full path to file: C:\Windows\System32\cmd.exe
– Parameters: /C net start spooler
9. Create, Ok

… next step is create a monitor that will keep track service restarts

1. Authoring > Monitors > New Monitor > Windows Events > Repeated Event Detection
2. General: Name, Description and target for example Windows Server 2008 Computer
3. Event Log Name: System
-Event Expression:
-Event ID: 7036
-Event Level: Information
– EventDescription contains Spooler
- EventDescription contains running
4. Repeat Settings:
– Counting mode, trigger on count sliding, compare count 4
– based on items occurrence within a time interval, interval 1, hours
5. Configure Health: Next
6. Configure Alerts: Check generate alerts for this monitor, Create

Microsoft has released Visio Add-in for System Center Operations Manager 2007 R2 beta (1.0.0.1054). It is a add-on to Microsoft Office Visio 2007 Professional SP1. With this add-on you can link health state from components in Operations Manager 2007 R2 to objects in Visio. This is a great way to visualize complex systems and business processes. You can use the “view in fullscreen” option in Visio to show the Visio documents on a big screen in your IT office or call center.

The Visio Add-in has the following features:

*Distributed applications exported from System Center Operations Manager 2007 R2 (release candidate) as Visio documents automatically show live health state information on the exported objects when opened in Visio.
*You can easily create new Visio documents and link shapes to any managed object (computer, database, web site, perspective etc.) to show the current health state.
*You can automatically link entire existing Visio documents to the computer and network devices managed by Operations Manager by matching computer names or IP addresses.
*Health states can be automatically refreshed in Visio documents. You can use this option along with Visio’s full screen view to create dashboard views suitable for use as a summary display in a datacenter control room.
*Predefined data graphics enable you to toggle from Operations Manager health icons to shape color for health state.

Download the Visio add-in at Connect. (To get access to this release, apply to participate in the “Operations Manager Public Beta” at this site.)

Source: the Operations Manager team blog

Here are some screenshots of the Visio Add-in for Ops Mgr 2007 R2

Monitoring desktop client hardware, operating system and application faults can be of great value in terms of reducing total cost of ownership (TCO) through identification of widespread faults in the monitored environment. In Operations Manager 2007, there are actually three components for monitoring the client experience:

• Agentless Exception Monitoring (AEM)
• Customer Experience Improvement Program (CEIP)
• Management Packs for Windows-based workstation operating systems and applications

I have received a number of questions both from customers and in the community about custom AEM reports, including more information. In this post I will give you some tips how to write custom AEM reports. I wrote another post about author reports in general for Ops Mgr 2007.

I write my AEM reports in Microsoft Visual Studio 2008. When you start Visual Studio you can choose to start a new Report Server Project. When you blank project has opened you should start with creating a shared data source, specify your Operations Manager data warehouse database. Then add a new item, a report, under the Reports folder in the Solution Explorer window.

The example report below is a “per user” report, which will show you all AEM events for a specified username. I have included some numbers, with total number of users, total number of events, average number of events per user and total number of events for the specified user. I have also included info about the last event for the specified user and a table with all events for the specified user.

In my example report I use four dataset.

1. One to get all Aem users that have a event in the database
2. One to get info for the first table, for example total number of events
3. One to get last crash for the specified user
4. One to get all the events for the specified user

List usernames

SELECT DISTINCT AemUserName FROM [CM].[vCMAemRaw] Rw
INNER JOIN dbo.AemComputer Computer ON Computer.AemComputerRowID = Rw.AemComputerRowID
INNER JOIN dbo.AemUser Usr ON Usr.AemUserRowId = Rw.AemUserRowId
INNER JOIN dbo.AemErrorGroup EGrp ON Egrp.ErrorGroupRowId = Rw.ErrorGroupRowId
INNER JOIN dbo.AemApplication App ON App.ApplicationRowId = Egrp.ApplicationRowId

All info for the first table in the example

SELECT (SELECT COUNT(CrashID) FROM CM.vCMAemRaw) AS TotalEvents, (SELECT COUNT(DISTINCT AemUserRowID) FROM CM.vCMAemRaw) AS TotalUsers, (SELECT (SELECT COUNT(CrashID) FROM CM.vCMAemRaw ) / (SELECT COUNT(DISTINCT AemUserRowID) FROM CM.vCMAemRaw)) AS TotalAverage, (SELECT COUNT(CrashID) FROM [CM].[vCMAemRaw] Rw
INNER JOIN dbo.AemComputer Computer ON Computer.AemComputerRowID = Rw.AemComputerRowID
INNER JOIN dbo.AemUser Usr ON Usr.AemUserRowId = Rw.AemUserRowId
WHERE AemUserName=@UserName) AS UserTotal

Note that I use a parameter, @UserName. Last problem for the specified user

SELECT top 1 CrashTime FROM [CM].[vCMAemRaw] Rw
INNER JOIN dbo.AemComputer Computer ON Computer.AemComputerRowID = Rw.AemComputerRowID
INNER JOIN dbo.AemUser Usr ON Usr.AemUserRowId = Rw.AemUserRowId
INNER JOIN dbo.AemErrorGroup EGrp ON Egrp.ErrorGroupRowId = Rw.ErrorGroupRowId
INNER JOIN dbo.AemApplication App ON App.ApplicationRowId = Egrp.ApplicationRowId
WHERE AemUserName = @UserName ORDER BY CrashTime desc

Info for the “all events for user” table

SELECT CrashTime, AemComputerName,BucketType,Parameter1,Parameter2,CompanyName, AemUserName FROM [CM].[vCMAemRaw] Rw
INNER JOIN dbo.AemComputer Computer ON Computer.AemComputerRowID = Rw.AemComputerRowID
INNER JOIN dbo.AemUser Usr ON Usr.AemUserRowId = Rw.AemUserRowId
INNER JOIN dbo.AemErrorGroup EGrp ON Egrp.ErrorGroupRowId = Rw.ErrorGroupRowId
INNER JOIN dbo.AemApplication App ON App.ApplicationRowId = Egrp.ApplicationRowId
WHERE AemUserName = @UserName

When you have added the fields from all datasets to your report, you can simple deploy it to your reporting server. The base SQL query I used is

select * from [CM].[vCMAemRaw] Rw
inner join dbo.AemComputer Computer on Computer.AemComputerRowID = Rw.AemComputerRowID
inner join dbo.AemUser Usr on Usr.AemUserRowId = Rw.AemUserRowId
inner join dbo.AemErrorGroup EGrp on Egrp.ErrorGroupRowId = Rw.ErrorGroupRowId
Inner join dbo.AemApplication App on App.ApplicationRowId = Egrp.ApplicationRowId

Thanks to Kevin Holman for that one. I think that with the base SQL query for AEM you can build all kind of AEM reports that your organization needs. And when doing that, check out all new cool gauges in Visual Studio 2008.

Yesterday Microsoft announced the availability of the Ops Mgr 2007 R2 RC (Release Candidate) on Connect.

News in this release are:

-New Power Management MP template (the monitored system must be either Windows Server 2008 R2 or Windows 7)
-Updated branding across all user interfaces, including a new skin (dark/black)
-Improved trace configuration tools to help support issues escalated to Customer Support (if applicable)
-Improved Run As Account Distribution Configuration
-Ability to run in-line tasks for non-Microsoft servers
-Support for upgrade from Beta deployments to the Release Candidate
-New and updated documentation, including the Usage Guide, Design Guide, Deployment Guide, Upgrade Guide, Security Guide, and Operations Guide

The RC should be upgradeable to the RTM version once that is available, but since this is a test version, do not run it in a production environment unless you have made special arrangements with Microsoft.

more info at the team blog here

In the release candidate documents there are also some news for example design documentation how to monitor non Microsoft devices and also info about the new security alternative for accounts. There is a new document named “Reporting Deployment and Usage Troubleshooting”, including several common configuration and usage issues that can cause Operations Manager Reporting errors. This document addresses the most common issues, solutions to those issues and tools that you can use to resolve these problems. The security guide includes some good info about “Authentication and Data Encryption for UNIX and Linux Operating Systems” works, also some good pictures how discovery works for non-Windows machines. The deployment guide has been updated with information how to install on Windows Server 2008 and SQL 2008.

In the “Supported configuration” document there are also some intresting info

Computers other than Windows-based computers per dedicated management server: 200
Computers other than Windows-based computers per management group: 500
Monitorable Operating Systems Other Then Windows
.AIX 5.3 (Power), 6.1 (Power)
.HP-UX 11iv2 (PA-RISC and IA64) and 11iv3 (PA-RISC and IA64)
.Red Hat Enterprise Server 4 (x64 and x86) and 5 (x64 and x86)
.Solaris 8 (SPARC), 9 (SPARC) and 10 (SPARC and X86 versions later than 120012-14)
.SUSE Linux Enterprise Server 9 (x86) and 10 SP1 (x86 and X64)