Managing and Maintaining a Microsoft-based Server Infrastructure

  • 7/31/2014

Objective 1.2: Design a monitoring strategy

As it pertains to the exam, Operations Manager is the primary tool used for enterprise monitoring. Operations Manager provides security logging (through Audit Collection Services) and performance monitoring and meets the criteria for centralized monitoring and reporting, which are all part of the objectives for this section.

Enabling Audit Collection Services (ACS)

Part of Operations Manager, Audit Collection Services (ACS) collects audit policy records for analysis and reporting. When used as part of an overall monitoring design strategy, ACS is responsible for collecting security-related events. This effectively means that you can gather security audit logs from multiple sources, including Linux and UNIX-based computers, and access them from a single centralized console for reporting and further action, as necessary.

ACS consists of the following:

  • ACS forwarders The ACS forwarder is included, but not enabled, as part of the Operations Manager agent installation. Once enabled, security events are sent to the ACS collector and the local security event log.
  • ACS collector The ACS collector is responsible for processing events from ACS forwarders so that the event can be entered into the database.
  • ACS database The ACS database relies on SQL Server as its backend database and is responsible for holding the events sent to it from the ACS collector.

Each of these components can exist on the same server, though you’ll install ACS forwarders on each computer to be monitored. When considering performance and as the deployment grows, the collector and ACS database servers can be split onto separate servers. For many enterprise deployments, SQL Server will exist on a separate server as part of the initial rollout of Operations Manager.

ACS forwarders are not enabled as part of the normal health-monitoring agent in Operations Manager. Instead, ACS forwarders are enabled through the Monitoring, Operations Manager, Agent Health State section of the Operations Manager console. Within the details pane of this area, selecting the computers (agents) and then selecting Enable Audit Collection within the Health Service Tasks section of the Actions pane enables ACS to begin collecting from those computers.

When designing ACS-based solutions, the number of events sent by forwarders can overwhelm the ACS collector. Additionally, the ACS collector queues events when the ACS database server is offline, such as for maintenance. The collector queue has settings that can be adjusted for performance. These settings are in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdtServer\Parameters. The settings are described in Table 1-9.

TABLE 1-9 ACS collector queue settings

  • MaximumQueueLength The maximum number of events that can be held in the ACS collector queue if the database is offline.
  • BackOffThreshold The maximum number of queued events before the ACS collector denies new connections. The value is a percentage of the MaximumQueueLength.
  • DisconnectThreshold The maximum number of queued events before the ACS collector begins disconnecting ACS forwarders. Like BackOffThreshold, this value is a percentage of the MaximumQueueLength.
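As an added example (not from the book), the following PowerShell reads the queue settings from the registry path named above and estimates how long the collector can absorb a SQL Server maintenance window at a given forwarder event rate. The fallback defaults in the script and the DisconnectThreshold value name are assumptions to check against your own collector, not values taken from this text.

```powershell
# Added example: estimate ACS collector queue headroom during a database outage.
# Run on the ACS collector. The fallback defaults (262144 / 75 / 90) are assumptions
# used only when a value has not been set explicitly in the registry.
function Get-AcsQueueHeadroom {
    param(
        [Parameter(Mandatory)][double]$EventsPerSecond,   # observed rate across all forwarders (AdtAdmin /stats)
        [int]$PlannedOutageMinutes = 30                    # length of the SQL Server maintenance window
    )
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\AdtServer\Parameters'
    $p = Get-ItemProperty -Path $path -ErrorAction Stop

    # Absent values read as $null; substitute the assumed defaults
    $maxQueue   = if ($null -ne $p.MaximumQueueLength)  { [int]$p.MaximumQueueLength }  else { 262144 }
    $backOffPct = if ($null -ne $p.BackOffThreshold)    { [int]$p.BackOffThreshold }    else { 75 }
    $disconnPct = if ($null -ne $p.DisconnectThreshold) { [int]$p.DisconnectThreshold } else { 90 }

    # Both thresholds are percentages of MaximumQueueLength; convert to event counts
    $backOffEvents = [math]::Floor($maxQueue * $backOffPct / 100)
    $disconnEvents = [math]::Floor($maxQueue * $disconnPct / 100)

    # Events expected to queue while the database is unavailable
    $expectedDuringOutage = $PlannedOutageMinutes * 60 * $EventsPerSecond

    [pscustomobject]@{
        MaximumQueueLength         = $maxQueue
        BackOffAtEvents            = $backOffEvents
        DisconnectAtEvents         = $disconnEvents
        MinutesToBackOff           = [math]::Round($backOffEvents / $EventsPerSecond / 60, 1)
        MinutesToDisconnect        = [math]::Round($disconnEvents / $EventsPerSecond / 60, 1)
        MinutesToFull              = [math]::Round($maxQueue / $EventsPerSecond / 60, 1)
        BackOffDuringOutage        = $expectedDuringOutage -ge $backOffEvents
        QueueOverflowsDuringOutage = $expectedDuringOutage -ge $maxQueue
    }
}

# Constructed scenario: 200 security events/sec, 30-minute maintenance window
Get-AcsQueueHeadroom -EventsPerSecond 200 -PlannedOutageMinutes 30 | Format-List
```

If BackOffDuringOutage is true for a realistic rate, either raise MaximumQueueLength, shorten the maintenance window, or reduce the event volume with a WQL filter as described later in this objective.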


ACS collects every Windows Security Event for each forwarder involved in the deployment. This can be a large amount of data and, in many instances, isn’t necessary. One approach is to create a filter to prevent unnecessary events from being logged to the ACS database. Combining a filter with a policy for archiving ACS events ensures that compliance is met while at the same time not overwhelming the ACS implementation (or the administrators responsible for it).

Management of ACS is accomplished using the AdtAdmin.exe command-line tool found in %WINDIR%\System32\Security\AdtServer. Using AdtAdmin, you can create groups, show information about forwarders, and filter audit event data.

You might filter event data if the ACS collector queue is becoming full. ACS event filters are defined using Windows Management Instrumentation Query Language (WQL), which is a subset of standard SQL.

Table 1-10 describes some of the parameters available for AdtAdmin.

TABLE 1-10 AdtAdmin parameters

  • /addgroup Creates a group of ACS forwarders.
  • /delgroup Deletes a group of ACS forwarders.
  • /disconnect Disconnects an ACS forwarder or group.
  • /getdbauth Shows information regarding the connection between the collector and database.
  • /getquery Shows the current WQL queries being used by the ACS collector.
  • /listforwarders Shows information about forwarders.
  • /listgroups Shows the groups available on the collector.
  • /setdbauth Sets the authentication method (SQL or Windows authentication) between the collector and the database.
  • /setquery Configures a WQL query for filtering audit events.
  • /stats Shows statistics about the forwarders.
  • /updforwarder Makes changes to a forwarder, including its name or the group to which the forwarder belongs.
  • /updgroup Renames a group.

As described in Table 1-10, the current value of the WQL query can be obtained using the command:

AdtAdmin /getquery

By default, the WQL query for events is:

select * from AdtsEvent
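One way to narrow that default query with AdtAdmin, as an added example rather than the book's own procedure: the /query: switch, the EventId field of the AdtsEvent class, and the three event IDs chosen as noisy are assumptions to verify against your own collector and your archiving policy.

```powershell
# Added example: replace the default "select * from AdtsEvent" filter with one
# that excludes a reviewed set of high-volume event IDs before they reach the
# ACS database. The /query: switch and the EventId field are assumptions.
$adtAdmin = Join-Path $env:WINDIR 'System32\Security\AdtServer\AdtAdmin.exe'

# Constructed list: object-access handle events (4656 handle requested,
# 4658 handle closed, 4663 object accessed) that flood the collector queue
# when object auditing is enabled broadly. Never exclude an event that your
# compliance or archiving policy requires to be retained.
$noisyEventIds = 4656, 4658, 4663

function New-AcsEventFilter {
    param([int[]]$ExcludeEventIds)
    # With nothing to exclude, fall back to the default query from the text
    if (-not $ExcludeEventIds) { return 'SELECT * FROM AdtsEvent' }
    $clauses = $ExcludeEventIds | ForEach-Object { "EventId = $_" }
    "SELECT * FROM AdtsEvent WHERE NOT ($($clauses -join ' OR '))"
}

$query = New-AcsEventFilter -ExcludeEventIds $noisyEventIds

# Record the current filter first so the change can be rolled back
& $adtAdmin /getquery | Out-File -FilePath "$env:TEMP\acs-query-before.txt"

# Apply the new filter, then read it back to confirm the collector accepted it
& $adtAdmin /setquery "/query:$query"
& $adtAdmin /getquery
```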

The performance of ACS can be monitored through the Operations Manager console. Several counters are included by default and can be used to help diagnose and monitor performance of ACS itself.

Understanding Global Service Monitor

Global Service Monitor is provided as a management pack for Operations Manager combined with an online, cloud-based service. Global Service Monitor provides an external view of an organization's websites. Global Service Monitor has two primary components: an online component managed by Microsoft and an Operations Manager component, which is handled as a management pack.

It's important to understand how Global Service Monitor fits within an enterprise scenario. Global Service Monitor is used for monitoring externally facing websites, such as those hosted through Microsoft Azure; as such, it isn't intended to be a replacement for Operations Manager but rather an enhancement to an existing Operations Manager installation. Global Service Monitor simplifies the process of setting up multiple, globally dispersed monitoring locations for web applications.

The next section describes importing management packs as well as additional monitoring scenarios discussed in the objective domain for the 70-414 exam. Once a management pack is imported and a subscription started, you can configure monitoring through Operations Manager. Tests run with Global Service Monitor can be executed from multiple locations around the world so that you can have a complete view into your web application.

The simplest of tests is the Web Application Availability Monitoring test, which performs a basic HTTP request from an external location. If you need a more complex test, such as when you need to view multistep transactions or provide authentication details, then the Visual Studio Web Test Monitoring scenario is the correct choice. Finally, Web Application Transaction Monitoring provides monitoring for internal web applications that aren’t available from external locations.

When configuring a test, you can set several parameters, such as the length of time that a request can take, the interval between requests, whether to look for specific text on the resulting page, and many additional settings, as shown in Figure 1-4.


FIGURE 1-4 Configuring parameters related to a web availability test in Global Service Monitor

These settings are useful when you need to ensure specific behavior of a webpage or ensure that the page is served in less than a certain number of seconds. You can even check portions of the request, such as the time it takes to receive the first byte, the time it takes for DNS resolution, and so on.

When integrating Global Service Monitor into a monitoring design, consider the areas from which your customers will most likely access your website. Choose external monitoring locations close to your customer base.

Implementing and optimizing Operations Manager management packs

Looking beyond performance monitoring of ACS, Operations Manager can provide performance monitoring, application monitoring, and reporting for Windows computers and the network as a whole. To do so, a System Center management pack can be installed. The management pack contains additional information about monitoring points for Windows Server.

Management packs provide information about how to monitor servers, applications, and services on a network. Management packs can also provide reports, tasks, and other components as defined by the management pack. For example, a management pack for a Windows Server might contain information on how to monitor disk performance. Management packs can be created by third parties to provide an integrated monitoring solution within Operations Manager.

The management pack lifecycle includes the following stages:

  • Install the management pack in a nonproduction environment to ensure that the management pack is compatible and provides the desired functionality.
  • Customize the management pack. Create overrides, add knowledge, and make other changes to the management pack for your environment.
  • Deploy the management pack. Install the management pack and any changes in the production environment.
  • Maintain the management pack. As your environment changes, you may need to make changes to the management pack. For example, you may require additional monitoring, or the application being monitored may change.

Implementing a Management Pack

Management packs are added through the Administration area of the Operations Manager console by clicking Import Management Packs. The Import Management Packs Wizard will begin and enable you to choose the location from which the management pack should be installed. You can choose an existing catalog or add from a file. Alternatively, the Import-SCOMManagementPack cmdlet is used to import a management pack using Windows PowerShell.

Monitoring Windows servers requires the Windows Server Operating System Library, the Windows Server 2012 Operating System (Discovery), and the Windows Server 2012 Operating System (Monitoring) management packs. The Import Management Packs tool, shown in Figure 1-5, can resolve dependencies. For example, selecting the Windows Server 2012 Operating System (Monitoring) management pack requires that the additional management packs mentioned earlier be installed as well. The Import Management Packs tool can install those prerequisites.


FIGURE 1-5 Importing a management pack with dependencies

Management Pack Optimization

An important step in deploying management packs is optimizing them for your environment. When first installed, management packs perform discovery to find applicable objects for monitoring. Those objects are then monitored according to the rules set forth in the management pack. The default management pack rules may not be appropriate for your environment and should therefore be changed as necessary.

The overall process for optimizing a management pack is to examine the highest severity alerts first and then proceed to the lowest severity. Alerts should be examined to ensure that they are both valid and actionable. In other words, if you don’t need to react when an event occurs, then it’s probably not worth alerting. That’s not to say that the event isn’t noteworthy, so it may need to be logged but not alerted. Related to alerting is ensuring that only one alert is generated for a given event.

Management packs are customized through overrides. Overrides change the configuration of a monitor or diagnostic. When configuring an override, you choose whether the override will apply to all objects of the current class (such as all Windows Server 2012 computers), to a group, to a specific object of the current class, or to all objects of another class. This gives you the flexibility to gather objects for which you don’t need alerts, such as nonproduction Windows servers.

Classes, sometimes called targets, are used to help define the items that can be discovered and managed. Groups are sets of objects that help define the scope of an override.

Another optimization for management packs is achieved through knowledge. Knowledge is used to provide notes and other information about a monitor or rule. Adding knowledge is accomplished in the Authoring workspace of the Operations Manager console within the properties settings for a given monitor or rule. However, as of this writing, adding or editing knowledge requires the Operations Manager console on a 32-bit operating system with the 32-bit version of Microsoft Word 2010 and other prerequisites described in the Operations Manager documentation. Adding or editing knowledge requires the Author or Administrator role.

Planning for Active Directory monitoring

The AD DS management pack for System Center enables monitoring of several aspects of an AD DS environment. Several key monitoring scenarios for Active Directory monitoring are described in Table 1-11.

TABLE 1-11 Active Directory monitoring scenarios

  • Multi-forest monitoring Gather health and performance data from remote forests through two workflows, Microsoft.AD.Topology.Discovery and Microsoft.AD.Remote.Topology.Discovery. Note that AgentProxySetting must be enabled on all domain controllers for this scenario.
  • Replication monitoring Gather the health of data replication between domain controllers. You can monitor both the health and the performance of replication.
  • Essential services Gather health information on the following services, which are vital to the operation of Active Directory: NT File Replication Service (NTFRS), Distributed File System Replication (DFSR), Windows Time Service (W32Time), Intersite Messaging (ISM), Key Distribution Center (KDC), NT Directory Services (NTDS), Net Logon (NetLogon), and Active Directory Web Service (ADWS).
  • Trust monitoring Gather trust information using the TrustMon WMI provider.
  • Directory service availability Gather various metrics on the availability of Active Directory, including GC Response (the time it takes to load the global catalog), GC Search Time (the time it takes to return a search result from a global catalog), Lost & Found Count (the number of Lost and Found objects), DNS Verification (verification of DNS records), and AD General Response (the time it takes to do a serverless bind).
  • Active Directory database monitoring Verify the health of the Active Directory database, including its size, its consistency, and that there is sufficient space available for the database to grow.
  • Time skew monitoring Gather information on the time skew, or difference in time, between computers taking part in authentication. The authoritative time source is chosen as follows: the primary domain controller (PDC) for the root domain is authoritative in all instances; if a computer is a PDC for a nonroot domain, the PDC for the root domain is authoritative; if a computer is not a PDC, its own local PDC is authoritative.
  • Operations Master monitoring Gather information on the availability of the following Operations Master roles: Schema, Domain Naming, Infrastructure, Relative ID (RID), and PDC Emulator.

Objective summary

  • Management packs are configured using overrides, which include customizations for your infrastructure.
  • ACS is composed of one or more forwarders, an ACS collector, and an ACS database.
  • The AdtAdmin.exe program can be used to configure ACS.
  • The Active Directory management pack enables advanced performance monitoring and alerting for an Active Directory domain.
  • Global Service Monitor provides an external view of web application performance from multiple geographically dispersed locations.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

  1. Which of the following commands would be used to change the audit event filter for ACS?

    1. AdtAdmin /setquery
    2. AdtAdmin /addFilter
    3. AcsAdmin /addFilter
    4. AcsFilter /add
  2. Which of the following roles is required to add or edit company knowledge for a management pack?

    1. Operator
    2. Knowledge Administrator
    3. Author
    4. Management Pack Administrator
  3. Which of the following is not an essential service for Active Directory monitoring?

    1. NTDS
    2. NetLogon
    3. DFSR
    4. ADMon
  4. What is the correct registry path for collector queue settings?

    1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ADT \Parameters
    2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdtServer\Parameters
    3. HKEY_LOCAL_MACHINE\User\CurrentWindowsServices\AdtServicer\Parameters
    4. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdtSvc\Parameters