Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
. BitLocker
. Password policies (such as length, strength, and age)
. GPO security-related policies
. Registry security
. Security breach identification procedures
. Lockdown procedures
Change Control
Although the documentation of policies and procedures to protect the system from external
security risks is of utmost importance, internal procedures and documents should also
be established. Developing, documenting, and enforcing a change-control process helps
protect the system from well-intentioned internal changes.
In environments with multiple administrators, it is very common to have the interests of
one administrator affect those of another. For instance, an administrator might make a
configuration change to limit volume size for a specific department. If this change is not
documented, a second administrator might spend a significant amount of time trying to
troubleshoot a user complaint from that department. Establishing a change-control
process that documents these types of changes eliminates confusion and wasted resources.
The change-control process should include an extensive testing process to reduce the risk
of production problems.
Reviewing Reports
A network environment might have many security mechanisms in place, but if the information
obtained from them, such as logs and events, isn’t reviewed, security is more
relaxed. Monitoring and management solutions (such as SCOM) can help consolidate this
information into a report that can be generated on a periodic basis. This report can be
invaluable for continuously evaluating the network’s security.
The reports should be reviewed daily and should include many details for the administrators
to analyze. SCOM, for example, can be customized to report on only the most pertinent
events for keeping the environment secure.
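One way to produce a daily digest of pertinent events directly from the Windows Security log, as an added example that is not from the book and is not SCOM functionality. The watched event IDs, the 24-hour window, and the report path are assumptions chosen for illustration; adjust them to local audit policy.

```powershell
# Added example: daily digest of security-relevant events from the local Security log.
# Run from an elevated PowerShell session; reading the Security log requires it.

# Event IDs watched by this example (an assumption, not a list from the book).
$watch = @{
    4625 = 'Failed logon'
    4740 = 'Account locked out'
    4720 = 'User account created'
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    1102 = 'Audit log cleared'
}

$filter = @{
    LogName   = 'Security'
    Id        = [int[]]@($watch.Keys)
    StartTime = (Get-Date).AddDays(-1)   # last 24 hours (assumed review interval)
}

# Get-WinEvent reports an error when nothing matches; collect errors and
# surface only the ones that are not "no matching events".
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue -ErrorVariable queryErr)
foreach ($e in $queryErr) {
    if ($e.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
        Write-Warning $e.Exception.Message
    }
}

# One row per event ID: how often it occurred and when it was last seen.
$summary = $events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count,
        @{ Name = 'EventId';     Expression = { $_.Name } },
        @{ Name = 'Description'; Expression = { $watch[[int]$_.Name] } },
        @{ Name = 'Latest';      Expression = { ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated } }

if ($summary) {
    # Report path is a placeholder for this example.
    $report = Join-Path $env:TEMP ('SecurityDigest-{0:yyyyMMdd}.csv' -f (Get-Date))
    $summary | Export-Csv -Path $report -NoTypeInformation
    $summary | Format-Table -AutoSize
} else {
    'No watched events in the last 24 hours.'
}

# A cleared audit log removes the evidence every other row depends on; call it out.
if ($events | Where-Object { $_.Id -eq 1102 }) {
    Write-Warning 'Security audit log was cleared during the review window.'
}
```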
Management-Level Reporting for Security Assessments
Management should be informed of any unauthorized access or attempts to compromise
security. The technical details that an administrator appreciates are usually too detailed for
management. Therefore, management-level reporting on security issues should contain
only vital statistics and any risks that might be present. Business policy and budget-related
decisions can then be made to strengthen the environment’s security.
Most, if not all, aspects of a Windows Server 2008 R2 network environment can be documented.
However, the type of documentation that can benefit the environment depends
on each organization. Overall, documenting the environment is an important aspect of
the network and can assist all aspects of administration, maintenance, support,
troubleshooting, testing, and design.
The following are best practices from this chapter:
. Create documents that target a specific audience and meet a particular goal.
. Have documentation reviewed and approved by other stakeholders in the organization
to make sure that it meets their needs as well, and to simply get input from
another source. For technical procedures, the document also must be tested and
walked through.
CHAPTER 22
Documenting a Windows Server 2008 R2 Environment
. Consolidate and centralize documentation for the organization.
. Document the company’s policies and procedures for securing and maintaining the
Windows environment.
. Create well-thought-out and professional planning and design documentation to
avoid costly mistakes in the implementation or migration process, such as buying
too many server licenses or purchasing too many servers.
. Baseline and document the state of a Windows Server 2008 R2 server so that any
changes in its performance can be identified at a later date.
. Use tools such as Microsoft Project to facilitate the creation of project plans, enable
the assignment of one or more resources per task, and enable the assignment of
durations and links to key predecessors.
. Create disaster recovery documentation that includes step-by-step procedures for
rebuilding each server and network device to minimize downtime and administration.
. Document daily, weekly, monthly, and quarterly maintenance tasks to ensure the
health of the systems.
. Use documentation to facilitate training.
. Document business and technical policies for the organization.
. Establish a plan for reviewing and updating documents and make it a part of routine
maintenance.
CHAPTER 23
Integrating System Center Operations Manager 2007 R2 with
Windows Server 2008 R2
IN THIS CHAPTER
. Windows Server 2008 R2 Monitoring
. What’s New in OpsMgr R2
. Explaining How OpsMgr Works
. Outlining OpsMgr Architecture
. Understanding How to Use OpsMgr
. Understanding OpsMgr Component Requirements
. Understanding Advanced OpsMgr Concepts
. Securing OpsMgr
. Installing OpsMgr 2007 R2
. Configuring Operations Manager 2007 R2
. Monitoring DMZ Servers with Certificates
. Using Operations Manager 2007 R2
System Center Operations Manager (OpsMgr) 2007 R2 provides the best-of-breed approach to
monitoring and managing Windows Server 2008 R2 within the environment. OpsMgr helps to
identify specific environmental conditions before they evolve into problems through the
use of monitoring and alerting components.
OpsMgr provides a timely view of important Windows Server 2008 R2 conditions and
intelligently links problems to knowledge provided within the monitoring rules. Critical
events and known issues are identified and matched to technical reference articles in the
Microsoft Knowledge Base for troubleshooting and quick problem resolution.
The monitoring is accomplished using standard operating system components such as Windows
Management Instrumentation (WMI), Windows event logs, and Windows performance counters,
along with Windows Server 2008 R2 specific API calls and scripts. OpsMgr-specific
components are also designed to perform synthetic transactions and track the health and
availability of network services. In addition, OpsMgr provides a reporting feature that
allows administrators to track problems and trends occurring on the network. Reports can
be generated automatically, providing network administrators, managers, and decision
makers with a current and long-term historical view of environmental trends. These reports
can be delivered via email or stored on file shares for archive or to power web pages.
The following sections focus on defining OpsMgr as a monitoring system for Windows Server
2008 R2. This chapter provides specific analysis of the way OpsMgr operates and presents
OpsMgr design best practices, specific to deployment for Windows Server 2008 R2 monitoring.
Windows Server 2008 R2 Monitoring
Operations Manager 2007 R2 monitoring is organized into management packs (MPs)
for ease of installation and versioning. Operations Manager 2007 R2 includes some of
the best management packs for monitoring and maintaining Windows Server 2008 R2.
These include the following:
. Windows Server Operating System MPs
. Active Directory Server MPs
. Windows Cluster Management MPs
. Microsoft Windows DNS Server MPs
. Microsoft Windows DHCP Server MPs
. Microsoft Windows Group Policy MPs
. Microsoft Windows Hyper-V MPs
. Windows Server Internet Information Services MPs
. Windows Server Network Load Balancing MPs
. Windows Server Print Server MPs
. Windows Terminal Services MPs
Each of the preceding categories includes several different management packs to support
monitoring, discovery, and libraries. These management packs were developed by the
product groups and include deep knowledge about the product.
The features of the management packs for the major systems are as follows:
. Windows Operating System Management Pack—Monitors and alerts on all the
major elements that Windows Server 2008 R2 runs on, including processor, memory,
network, disk, and event logs. It gathers performance metrics and alerts on thresholds,
as well as critical events.
. Active Directory Management Pack—Monitors and alerts on Active Directory key
metrics, such as replication latency, domain controller response times, and critical
events. The management pack generates synthetic transactions to test the response
time of the PDC, LDAP, and other domain services.
. DNS Management Pack—Monitors and alerts on DNS servers for resolution failures
and latency as well as critical events.
. IIS Management Pack—Monitors and alerts on IIS services, application pools,
performance, and critical events.
On all these elements, administrators can generate Availability reports to ensure that the
servers and systems are meeting the service-level agreements (SLAs) set by the organization.
The management pack includes a comprehensive set of reports that are specific to
Windows Server 2008 R2. These include reports on performance, availability, events, and
even configuration for the various Windows Server 2008 R2 roles. These reports can be
generated ad hoc, scheduled for email delivery on a regular basis, or even generated into
web pages for portal viewing. Figure 23.1 shows a Performance report for a server. The
report shows that processor utilization is low and that memory utilization is steady, with
regular skips of activity in the pages per sec, which correspond to available memory dips.
FIGURE 23.1 Sample Performance report.
This kind of summary Performance report is invaluable to reporting on the Windows
Server 2008 R2 infrastructure and really ties together the low-level technical monitoring
into a high-level view that support personnel can use.
System Center Operations Manager 2007 R2 was released in the spring of 2009 and
includes many new improvements on the previous version, Operations Manager 2007
Service Pack 1. Some of these improvements include the following:
. Cross-platform support—This is support for non-Microsoft platforms, such as
UNIX and Linux. This allows administrators to have a single-pane view of their
entire IT environment in OpsMgr.
. Integration with System Center Virtual Machine Manager 2008—This integrates
with the VMM 2008 and allows synergies such as Performance Resource and
Optimization (PRO) Tips, which provides virtual machine recommendations based
on observed performance and the ability to implement the recommendation at the
click of a button.
. Notifications—The notification system has been revamped and now sports an
Outlook rule style interface. Notifications can be generated for specific alerts and can
be sent out as high-priority emails.
. Overrides view—Rather than hunt for overrides within all the management packs,
OpsMgr R2 has an authoring view that shows all the overrides defined in the system.
. Improved Management Pack maintenance—OpsMgr 2007 R2 allows Microsoft
management packs to be browsed, downloaded, and imported directly from the
console. It even includes versioning and dependency checks, as well as the ability to
search for management pack updates.
. Service-level monitoring—Applications can be defined from various monitored
objects and the service level of the application can be monitored and reported on
against defined target SLAs.