Microsoft Audit Connection Service (ACS) is a new function in SCOM 2007 that can collect logs from machines. All logs are saved in a special Audit Collection database. You can then run reports against the database to see trends and do security analyzes. You can also for example trace a user activity over many systems. This is a general guide how to deploy ACS. The ACS collector is your management server that collects audit events from your agents, ACS forwarders.

COOPSMGR is my ACS server, you should replace that with your ACS server hostname.

The first step is to install Audit Collection Server. This can be done from the Ops Mgr 2007 Setup. On the last page of the wizard, before you click “Finish”, verify that the setup has been successfully.

The next step is to enable audit collection on an agent.  

1. Start the console, click monitoring and then state view
2. Right-click Monitoring and create a new state view, name ACS, choose to show data related to Agent. Then leave all default settings and click OK
3. Click on you new state view, right-click on a agent and choose Health Service Tasks, Enable Audit Collection
4. In the Run Task – Enable Audit Collection, verify your settings and click Run
5. In the Task Status – Enable Audit Collection, verify that the task output is successfully and then click Close

Now you have enable audit collection on that machine, audit events are forwarded to your collector in realtime. You need to verify that the Operations Manager Audit Collection Service is running on your collector. Look in the services console to verify that.

The next set is to setup ACS reporting. It is in ACS reporting you will see the result of the collected data.

1. Copy the X:\ReportModels\ACS directory from your installation source to a directory on your server, for example C:\ACS
2. Copy the X:\SupportTools\ReportingConfig.exe from your installation source to the same directory
3. Open a commando prompt and change to the C:\ACS directory
4. Run the following commando: UploadAuditReports.cmd COOpsMgr http://coopsmgr/reportserver C:\ACS .COOpsMgr is my ACS db server and http://coopsmgr/reportserver is the URL to my reporting service and C:\ is where is saved the files. (There might be a couple of warnings… but you can verify the commando in the next step if you find all objects)
5. Start Internet Explorer and open http://opsmgr/reports , click Audit Reports and then show details
6. Click Db Audit
7. Change “Connect using” to “Windows Integrated security”
8. Verify that the connection string is pointing at your database after catalog and data source is pointing to your servername
9. Click Apply and then go back to the Audit Reports folder (there is a link at the top of the page)
10. Close Internet Explorer

You can now, or at least after a while, open ACS report in the Console and see collected data the ACS reports. The prefered way is to look at reports in the Console, not as in MOM 2005 where you used Internet Explorer and SQL Reporting Console (http://coopsmgr/Reports)

 

 

I saw a question about disaster recovery, how to deploy a new root management server (RMS) if the first goes down. In this post I will tell about a test I did regarding this topic.

The RMS is the first management server installed in the management group. The RMS hold some special roles, if these roles are offline, the management group will not work. One of the steps during deployment are to backup the root management server key. This key will be used when promote another server to RMS, if the first RMS goes down. This means that you must have the key to recover, do not forget to backup it. If you don´t have the key there is no way to promote another server to become root management server. The root management server support cluster, so there don´t need to be a single point of failure, remember this when you design your Operations Manager 2007 environment. 

First I took a backup of the key on my RMS.

1. Copy SecureStorageBackup.exe from the installation CD (X:\SupportTools) to the Ops Mgr installation directory (C:\Program Files\System Center Operations Manager 2007\)
2. Open a command prompt and go to the installation directory
3. Run the following commando: SecureStorageBackup.exe Backup C:\BackupOfKey.bin
4. You will be asked to input a password to protect the file

Now I have a backup of my RMS, C:\BackupOfKey.bin. I took a copy of this file to another machine.
The next step was to shutdown my RMS server. After that I could see that my agents had lost connection to the management server. A member server with Ops Mgr console could not start the console anymore, “Failed to connect to server COOPSMGR02, The sdk service is either not running or not yet initialized”.

I installed a new 2003 Server (with the same IP and hostname), ran all updates, joined the domain and install Ops Mgr 2007 again. Choose to install all the components that the RMS had before for example web console, console, server and power shell.
After the installation the console started on the new server. All agents was connected again and could receive new rules, if I looked in the services console I could see that the SDK Service and Config Service was running, I could verify that the servers was RMS by looking in the console. I had a new RMS, and I didn’t needed the key.

I read that all run-as accounts are lost if the key is not restored, but I tried uninstall a agent with the management action account and it was successfully. But that account could also be saved somewhere else and therefore work. To test that I did some more operations.
I setup a simple task to do something at a machine. I configure the task to run with a new run as profile. I ran the task and verified that the task was using the new run as account. The next step was to do everything one more time to see if my new run-as account disappear during the reinstallation of the RMS, at least if the password disappear.

1. I shut down my RMS
2. My member server could no longer start the console, my agents could no longer connect to a management server
3. I installed a new server with the same OS, IP and hostname
4. I installed Ops Mgr 2007 with all components that I had before on my RMS

I started the console on my new RMS, everything seems fine and the machine is root management server according to the console. I run my special task and I could see in the output that it was running with my run as account. In other words, the password or account information had not disappear during the restore, and I had not restore the key from the first RMS.

 

In this post I will short show you how to setup a notification only for health service heartbeat failure. I have seen a number of questions in the groups about this. If you haven´t configure notification channels yet, you can follow my other guide about that, here.

1. Start the console, click Administration, expand notifications and right-click subscriptions, choose to create a new notification subscription
2. Create Notification Subscription Wizard – General: Input a name and add recipients, click Next
3. Create Notification Subscription Wizard – User Role Filter: Click Next
4. Create Notification Subscription Wizard – Groups: Leave default settings, all groups. We want notification from all machines, click Next
5. Create Notification Subscription Wizard – Classes: Choose only “Health Service Watcher”, click Next
6. Create Notification Subscription Wizard – Alert Criteria: Choose, Only Errors, with high priority, both new and closed resolution state and all category. Click Next
7. Create Notification Subscription Wizard – Alert Aging: Leave default setting, do not… , click Next
8. Create Notification Subscription Wizard – Formats: Coose to use the default e-mail format, click Finish

If you want to narrow down category too, you can choose only “StateCollection” as category.

This short article will show you how to populate a group in Ops Mgr 2007 based on a OU in your Active Directory.

1. Start the console and click Authoring, then right-click Groups and choose to create a new group
2. Create Group Wizard – General Properties: Input a name and description for your group, also choose a management pack to store the group in, click Next
3. Create Group Wizard – Explicit Members: Click next
4. Create Group Wizard – Dynamic Members: Click Create/Edit Rules…
5. Create Group Wizard – Query Builder: Choose Windows Computer from the class drop down menu, click Add. Then choose Organizational Unit from the property drop down menu. In the Operator colum choose “Matches wildcard” and then inbut a OU in the Value column, for example OU=Domain Controllers,DC=contoso,DC=internal , click OK
6. Create Group Wizard – Dynamic Members: click next
7. Create Group Wizard – Subgroups, click Next
8. Create Group Wizard - Excluded Members, click create

Please not that it will not include machines in child OU. You can right-click your new group, under groups in the console, and choose “View group members” to verify your group members. If you dont know the name of your OU or how to input your OU name you can look under Monitoring, Computers, click on a computer and look in the detail view.

I saw a question about including a custom service in a distributed application. This is a short step by step guide to include a custom service into a distributed application.

First I created a new service at one of my machines, CODC01. The new service was named SuperService. This is a service created only for this test. Then I created a process to monitor that service

1. Start the console, go to Authoring, expand management pack templates, right-click Windows Service and choose “add monitoring wizard…”
2. Add Monitoring Wizard – Monitoring Type: Choose Windows Service and click Next
3. Add Monitoring Wizard – General Properties: Input name, description and choose a destination management pack, click Next
4. Add Monitoring Wizard – Service Name: Input the name of the service or browse to pick it up, then click Create

Now we need to create a distributed application including this new service

1. Start the console, go to Authoring, right-click Distributed Applications and choose to create a new
2. Distributed Application Designer: Input a name and a description for your new distributed application. Choose “Blank” as template, choose a management pack to store your distributed application and then click OK
3. Distributed Application Designer: If you now serach for a object, for example in my case I search for “Super” I will see my SuperService object. If I click “Add Component” and add a component group I can then drag and drog the SuperService object from the search result to the new component group.
4. Distributed Application Designer: Click save and then move over to the monitoring part of the console, click Distributed Applications, open your new distributed application. As you can see, your custom service is included.

Remeber that after you create a new object it can take some time before you can add it in the Distributed Application Designer.

 

A new version of the Microsoft Exchange Server 2003 Management Pack 

Version: 6.0.5000.11
Date Published: 6/29/2007

Update version addressing problems with empty alert parameter data in self-tuning threshold monitors, and discovery issues on Exchange 2003 running in a clustered setup. The library MP is unchanged from the initial release.

Download here

A time ago I wrote a simple ping script for MOM 2005. Today I needed a script like that in Ops Mgr 2007, this is how I implemented it in Ops Mgr 2007.

1. Start the console, click Authoring and then expand Management Pack Objects, right-click Rules and choose Create a new rule…
2. Create Rule Wizard – Rule Type: Choose Timed Command/Execute a script, choose management pack and click Next
3. Create Rule Wizard – General: Input a name, description and choose target. In this example I have create a small group of machines that will be the target. Click Next
4. Create Rule Wizard – Schedule: Choose how often the script should be executed, click Next
5. Create Rule Wizard – Script: Paste the following script in the script box, input a filename (for example ping_script.vbs) and then click Create. In this example I ping two machines, CODC99 and ping.sunet.se.

Hosts = "CODC99,ping.sunet.se"aMachines = Split(Hosts, ",")
strLog = "1"
For Each machine in aMachines
Set objPing = GetObject("winmgmts:{impersonationLevel=impersonate}")._
ExecQuery("select * from Win32_PingStatus where address = '"_
& machine & "'")
For Each objStatus in objPing
If IsNull(objStatus.StatusCode) or objStatus.StatusCode<>0 Then
        Const EVENT_WARNING = 2
 Set objShell = CreateObject("Wscript.Shell")
 objShell.LogEvent EVENT_WARNING, _
 "Computer " & machine & " is not reachable (" & strLog & ")"
ELSE
 IF strLog = 1 Then
  Const EVENT_SUCCESS = 0
  Set objShell = CreateObject("Wscript.Shell")
  objShell.LogEvent EVENT_SUCCESS, _
  "Computer " & machine & " is reachable"
 End If
End If
Next
Next

If you set strLog = “1” you will get a local event for every sucessfully ping. If a machine is not reachable you will get a local event with event ID 2, type=warning and source=WSH. To get this into your console you will have to create a rule to collect them too. 

This is a general guide how to monitor a web site with Operations Manager 2007.

1. Start the console, click Authoring and then expand Management Pack Templates
2. Right-click Web Application and choose add monitoring wizard
3. Add monitoring Wizard – Monitoring Type: Select Web Application and click Next
4. Add monitoring Wizard – General Properties: Input name, description and select a management pack, then click Next
5. Add monitoring Wizard – Web Address: Input the URL, click test and verify that the URL works, then click Next
6. Add monitoring Wizard – Watcher Node: Select the machine that will as watcher node, click Next
7. Add monitoring Wizard – Summary: Verify your settings and then click Create

You can click on your new web application and then click “Record a browser session” or “Edit web application settings” to setup more advanced configuration for your web application monitoring.

System Center Operations Manager 2007 are now available at Technet Download and MSDN. You will find it under System Center.