Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
able via ping but the Health Service is stopped, there is a recovery to restart the Health
Service. This allows the agent to recover automatically from stopped agent conditions.
The Restart Health Service Recovery is disabled by default. To enable the functionality, an
override can be created for the Health Service Watcher objects. To enable the recovery,
execute the following steps:
1. Open the Operations Manager 2007 R2 console.
2. Select the Authoring space.
3. Expand the Management Pack Objects node.
4. Select the Monitors node.
5. Select View, Scope.
6. Type health service watcher in the Look For field and click the View All Targets
option button.
7. Select the Health Service Watcher target. Don’t pick the ones with additional
information in parentheses.
8. Click OK.
9. Type Heartbeat Failure in the Look For field and click Find Now.
10. Right-click the Health Service Heartbeat Failure aggregate rollup node and select
Overrides, Override Recovery, Restart Health Service, and For All Objects of Class:
Health Service Watcher.
11. Check the Override box next to Enabled and set the value to True.
12. In the Select Destination Management Pack pull-down menu, select the appropriate
override management pack. If none exists, create a new management pack named
“Operations Manager MP Overrides” by clicking New.
NOTE
Never use the Default Management Pack for overrides. Always create an override
management pack that corresponds to each imported management pack.
13. Click OK to save the override.
828
CHAPTER 23
Integrating System Center Operations Manager 2007 R2 with
Windows Server 2008 R2
Now if the Health Service is stopped on an agent, the Root Management Server will
automatically attempt to restart it.
Notifications and Subscriptions
When alerts are generated in the console, there is a wealth of information available about
the nature of the problem and how to troubleshoot and resolve it. However, most
administrators will not be watching the console at all times. Operations Manager has a
sophisticated notification mechanism that allows alerts to be forwarded to email, SMS, IM, or
even a command-line interface. The most common method of alert notification is email.
However, Operations Manager generates a lot of alerts. If each one of these alerts were
forwarded, this would overwhelm the average administrator’s Inbox and prove totally
useless. Each alert has two parameters that help categorize it and guide the notification
process: severity and priority.
Alert Severity is the first and main parameter. There are three severity levels:
. Critical (2)—These alerts indicate that there is a problem that needs to be fixed
immediately and is directly actionable (that is, there is something that can be done).
. Warning (1)—These alerts indicate that there is a problem, but that it might not be
immediately impacting the environment or might not be directly actionable.
. Information (0)—These alerts indicate that there is something that is good to
know, but might not be a problem nor is actionable.
By the nature of things, there are a lot more warning alerts generated than critical alerts.
In general, notifications should only be sent out for critical alerts. That is, there should
never be an email sent for a warning or informational alert.
Alert Priority is the second parameter that qualifies the alert status. The priority allows
management pack authors to make some alerts more important than others. There are
three levels of priority as well:
. High
. Medium
. Low
In general, a high-priority, critical severity alert is very important. This includes events like
an agent down or a security breach. A medium-priority, critical severity alert is important.
Both are generally actionable.
The best practice is to create two SMTP channels to deliver the alert notification emails,
which are as follows:
. SMTP (High Priority)—High-priority email to an SMTP gateway
. SMTP (Regular Priority)—Regular email to an SMTP gateway
Configuring Operations Manager 2007 R2
829
Then, create two notification subscriptions that use the Severity and the Priority to select
the emails to be sent:
. Notification for All Critical Severity High-Priority Alerts
. Notification for All Critical Severity Medium-Priority Alerts
This provides a configuration that will deliver the very important alerts (high-priority
critical severity alerts) via high-priority email and important alerts (medium-priority critical
severity alerts) via regular email. All other alerts will be available in the console and no
emails will be sent to notify of them.
The next sections will set up the notification infrastructure described previously.
The first step is to set up a channel, that is, how the emails will be sent. The steps are as
follows:
1. Launch the Operations Manager 2007 R2 console.
2. Select the Administration space.
3. Select the Channels node.
4. Right-click the Channels node and select New Channel, E-Mail (SMTP).
5. Enter SMTP Channel (High Priority) for the channel name and click Next.
6. Click the Add button, enter the FQDN of the SMTP server, and click OK.
7. Enter a return SMTP address and click Next.
8. Change the Importance to High and click Finish. Click Close to close the wizard.
9. Right-click the Channels node and select New Channel, E-Mail (SMTP).
10. Enter SMTP Channel (Normal Priority) for the channel name and click Next.
11. Click the Add button, enter the FQDN of the SMTP server, and click OK.
12. Enter a return SMTP address and click Next.
13. Leave the Importance at Normal and click Finish. Click Close to close the wizard.
The second step is to set up the subscriber, that is, to whom the emails will be sent. The
steps are as follows:
1. Launch the Operations Manager 2007 R2 console.
2. Select the Administration space.
3. Select the Subscribers node.
4. Right-click the Subscribers node and select New Subscriber.
5. Click the “...” button and select a user or distribution group. Click OK.
6. Click Next.
7. Click Next to always send notifications.
8. Click the Add button.
9. Type Email for the address name and click Next.
10. Select the Channel Type as E-Mail (SMTP) and enter the delivery email address.
11. Click Finish.
12. Click Finish again to save the subscriber. Click Close to exit the wizard.
NOTE
It is a best practice to use distribution lists rather than user email addresses for
subscribers.
The last step is to set up the subscriptions, that is, what to notify on. The steps are as follows:
1. Launch the Operations Manager 2007 R2 console.
2. Select the Administration space.
3. Select the Subscriptions node.
4. Right-click the Subscriptions node and select New Subscription.
5. Enter Notification for All Critical Severity High Priority Alerts for the
subscription name and click Next.
6. Check the Of a Specific Severity and the Of a Specific Priority check boxes.
7. In the Criteria Description pane, click the “Specific Severity” link, check the Critical
check box, and click OK.
8. In the Criteria Description pane, click the “Specific Priority” link, check the High
check box, and click OK.
9. Click Next.
10. Click the Add button, click Search, select the subscriber, click the Add button, and
click OK.
11. Click Next.
12. Click the Add button, click Search, select the SMTP Channel (High Priority) channel,
click the Add button, and click OK.
13. Click Next and then click Finish.
14. Right-click the Subscriptions node and select New Subscription.
15. Enter Notification for All Critical Severity Medium Priority Alerts for the
subscription name and click Next.
16. Check the Of a Specific Severity and the Of a Specific Priority check boxes.
17. In the Criteria Description pane, click the “Specific Severity” link, check the Critical
check box, and click OK.
18. In the Criteria Description pane, click the “Specific Priority” link, check the Medium
check box, and click OK.
19. Click Next.
20. Click the Add button, click Search, select the subscriber, click the Add button, and
click OK.
21. Click Next.
22. Click the Add button, click Search, select the SMTP Channel (Normal Priority)
channel, click the Add button, and click OK.
23. Click Next and then click Finish.
Now, the subscribers will get email notifications for alerts based on the severity and
priority. These severities and priorities are based on the judgments of the authors of the
management packs, which might or might not be optimal for any given organization.
Later in the chapter, the priority and severity of alerts will be used to tune the
management packs to reduce alert noise.
Monitoring DMZ Servers with Certificates
Servers in an organization’s demilitarized zone (DMZ) are usually not domain members
and, thus, cannot do automatic mutual authentication with the OpsMgr server. However,
these servers are the most exposed in the organization and, thus, critical to be monitored.
Thankfully, there is a well-defined process for using certificates to handle the mutual
authentication.
NOTE
This topic also applies to machines that are workgroup servers or servers that are
members of domains where there is no trust to the OpsMgr domain.
Monitoring servers in the DMZ requires an install of certificate-based mutual
authentication. This process has a lot of steps, but is straightforward. To install and configure
certificates to allow the DMZ servers to use mutual authentication, the following five major
tasks need to be completed:
1. Create a certificate template to issue the correct format of X.509 certificates for
Operations Manager to use for mutual authentication.
2. Request the root CA certificate to trust the CA and the certificates it issues. This is
done for each DMZ server and possibly for the management servers if not using an
enterprise CA.
3. Request a certificate from the root CA to use for mutual authentication. This is done
for each DMZ server and for each management server.
4. Install the Operations Manager agent manually. This is done for each DMZ server.
5. Configure the agent to use the certificate. This is done for each DMZ server and for
each management server.
These various X.509 certificates are issued from a certificate authority, which could be a
Windows Server 2008 R2 CA.
Creating a Certificate Template
This step creates a certificate template named Operations Manager that can be issued from
the Windows Server 2008 R2 certification authority web enrollment page. The certificate
template will support Server Authentication (OID 1.3.6.1.5.5.7.3.1) and Client
Authentication (OID 1.3.6.1.5.5.7.3.2) as well as allow the name to be manually entered
rather than autogenerated from Active Directory because the DMZ server will not be an
Active Directory domain member.
The steps to create the certificate template are as follows:
1. Log on to the CA, which is DC1.companyabc.com in this example.
2. Launch Server Manager.
3. Expand Roles, Active Directory Certificate Services, and select Certificate Templates
(fqdn).
4. Right-click the Computer template and select Duplicate Template.
5. Leave the version at Windows 2003 Server, Enterprise Edition and click OK.
6. On the General tab in the Template Display Name field, enter Operations Manager.
7. Select the Request Handling tab and mark the Allow Private Key to Be Exported option.
8. Select the Subject Name tab and select Supply in the Request option. Click OK at
the warning.
9. Select the Security tab, select Authenticated Users, and check the Enroll right.
10. Click OK to save the template.
11. Select the Enterprise PKI to expose the CA.
12. Right-click the CA and select Manage CA.
13. In the certsrv console, expand the CA, right-click Certificate Templates, then select
New, Certificate Template to Issue.
14. Select the Operations Manager certificate template and click OK.
The new Operations Manager template will now be available in the Windows Server 2008
R2 web enrollment page.
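Once a certificate issued from this template has been installed on a server, the properties
the template is meant to provide can be checked from PowerShell. The script below is an added
example, not code from the book; it assumes the certificate is in the local computer's
Personal store, and the function name Test-OpsMgrCertificate and the server name
dmz1.companyabc.com are hypothetical.

```powershell
# Added example, not from the book: check installed certificates against the template's intent.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication (OID from the text)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication (OID from the text)

function Test-OpsMgrCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Assumption: the name supplied in the request is the server's FQDN.
        [Parameter(Mandatory = $true)][string]$ExpectedName
    )
    $problems = @()

    # Gather EKU OIDs; a certificate with no EKU extension yields an empty list.
    $oids = @($Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    if ($oids -notcontains $ServerAuthOid) { $problems += 'missing Server Authentication EKU' }
    if ($oids -notcontains $ClientAuthOid) { $problems += 'missing Client Authentication EKU' }

    # The subject is typed by hand with this template, so compare it explicitly.
    $cn = $Certificate.GetNameInfo('SimpleName', $false)
    if ($cn -ne $ExpectedName) { $problems += "subject name '$cn' is not '$ExpectedName'" }
    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key in the store' }
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += 'outside its validity period'
    }

    # Build the chain in machine context. A failure here includes the case where the
    # root CA certificate has not been installed. Revocation is not checked.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain not trusted ($status)"
    }
    New-Object PSObject -Property @{
        Thumbprint = $Certificate.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

$name = 'dmz1.companyabc.com'   # hypothetical DMZ server FQDN
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-OpsMgrCertificate -Certificate $_ -ExpectedName $name } | Format-List
```

Run it on each DMZ server and management server; a certificate is a candidate for mutual
authentication only when Usable is True.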
Requesting the Root CA Server Certificate
This allows the DMZ server to trust the Windows Server 2008 R2 CA. This does not need
to be done on the OpsMgr management servers, as the Windows Server 2008 R2 CA is an
enterprise CA and all domain members automatically trust it. If the CA is not an enter-