Operations Manager 2007 R2 configuration

This chapter excerpt on Operations Manager 2007 R2 offers information on Active Directory client monitoring configuration and monitoring DMZ Servers with certificates.

Solutions provider takeaway: A solutions provider needs to know how to configure Operations Manager 2007 R2 after installation, because performance is crucial to creating business opportunities. Get information on Operations Manager 2007 R2 and Active Directory client monitoring configuration as well as monitoring DMZ Servers with certificates.

About the book:
This chapter excerpt on Integrating System Center Operations Manager 2007 R2 with Windows Server 2008 R2 is taken from the book Windows Server 2008 R2 Unleashed. Solutions providers can use this book to learn about Windows Server 2008 R2 migration, administration, deployment and troubleshooting. This book also provides information on management and security tools and features, such as Hyper-V's Live Migration.

Configuring Operations Manager 2007 R2

After installing the Operations Manager 2007 R2 infrastructure, several configuration steps should be taken to have the system monitor properly, generate Active Directory synthetic transactions, and send out email notifications of alerts.

Agent Proxy Configuration

Operations Manager 2007 R2 has a variety of security measures built in to the product to prevent security breaches. One measure in particular is the prevention of impersonation of one agent by another. That is, an agent SERVER1 cannot insert operations data into the database about a domain controller DC1. This could constitute a security violation, where SERVER1 could maliciously generate fraudulent emergencies by making it appear that DC1 was having operational issues.

Although this is normally a good feature, this can be a problem if, in fact, SERVER1 is monitoring DC1 from a client perspective. The Operations Manager infrastructure would reject any information presented about DC1 by SERVER1. When this occurs, the system generates an alert to indicate that an attempt to proxy operations data has occurred. Figure 23.9 shows an example of the alert. In the normal course of events, this alert is not an indication of an attack but rather a configuration problem.

To get around this problem, Agent Proxy can be selectively enabled for agents that need to be able to present operational data about other agents. To enable Agent Proxy for a computer, run the following steps:

  1. Open the Operations Manager 2007 R2 console.
  2. Select the Administration section.
  3. Select the Agent Managed node.

    FIGURE 23.9 Agent Proxy alert.

  4. Right-click the agent in the right pane and select Properties.
  5. Click the Security tab.
  6. Check the Allow This Agent to Act as a Proxy and Discover Managed Objects on Other Computers check box.
  7. Click OK to save.

Repeat this for all agents that need to act as proxy agents.

Note:
Because the alerts generated by this condition are rule-based and not monitor-based, the alert needs to be manually resolved by right-clicking on it and selecting Close Alert.

Active Directory Client Monitoring Configuration

Although monitoring performance of Active Directory services is done by the domain controllers using a variety of measures, sometimes what really matters is how clients perceive the performance of the domain services. To measure that, the Windows Server 2008 Active Directory management pack can generate synthetic transactions from selected client systems. These transactions include ADSI bind and search times, LDAP ping and bind times, global catalog search times, and PDC ping and bind times. The clients execute tests and log the results, as well as alert on slow performance.

The Active Directory Server Client object discovery is disabled by default. The object discovery has to be overridden to discover objects that will then run the rules. To selectively override the Active Directory Server Client object discovery, run the following steps:

  1. Open the Operations Manager 2007 R2 console.
  2. Select the Authoring section.
  3. Expand the Management Pack Objects node.
  4. Select the Object Discoveries node.
  5. Select View, Scope.
  6. In the Look For field, type Client Perspective. This narrows down the selections.
  7. Check the Active Directory Client Perspective target and click OK.
  8. Right-click the AD Client Monitoring Discovery and select Overrides, Override the Object Discovery, and For a Specific Object of Class: Windows Computer.
  9. A list of Windows Computer objects will be displayed. Select the computer that will act as an Active Directory client and click OK.
    Note:
    The selected Windows Computer should not be a domain controller.

  10. Check the Override box next to Enabled and set the value to True.
  11. In the Select Destination Management Pack pull-down menu, select the appropriate override management pack. If none exists, create one for the Active Directory management pack by clicking New.

    Note:
    Never use the Default Management Pack for overrides. Always create an override management pack that corresponds to each imported management pack.

  12. Click OK to save the override.
  13. Repeat for each Windows computer that will be an Active Directory Server Client agent.

After a period of time, the selected agents will begin to generate Active Directory client perspective data and alerts. As a best practice, key Exchange servers are often selected as Active Directory Server Client agents. It is also a best practice to select at least one agent in each location to be an Active Directory Server Client agent as well.

Active Directory Replication Monitoring Configuration

The Active Directory management pack can monitor the replication latency between domain controllers in Active Directory. It uses source and target domain controllers, where the source domain controllers create objects in the OpsMgrLatencyMonitors container. These objects are read by the targets, which log performance data in the OpsMgr databases. There will be a replication counter for each domain partition, for the DomainDNSZones partition, and for the ForestDNSZones partition between each source and target pair. There will also be a counter for minimum replication latency and average replication latency.

The Active Directory management pack has the sources and targets disabled by default due to the number of counters that can potentially be created. Overrides need to be created for each source and each target domain controller to get the replication monitoring to function.

It is a best practice to reduce the number of sources and targets to a minimum, due to the number of counters that get created. An example of a source-target model might be to make all branch offices sources and a single central office DC as the target. Another example might be to pick a single DC in each site to be in both the source and target groups, assuming there are a limited number of sites.

The steps to set the source overrides are as follows:

  1. Launch the Operations Manager 2007 R2 console.
  2. Select the Authoring section.
  3. Expand the Management Pack Objects node.
  4. Ensure that the console is not scoped for any objects.
  5. Select the Rules node.
  6. In the Look For field, enter sources and click Find Now.
  7. Select the rule "AD Replication Monitoring Performance Collection (Sources)" in the "Type: Active Directory Domain Controller Server 2008 Computer Role".
  8. Right-click the rule and select Overrides, Override the Rule, and For a Specific Object of Class: Active Directory Domain Controller Server 2008 Computer Role.
  9. The Select Object window opens and shows matching objects. Select the domain controller that will be the source and click OK.
  10. Check the Override box next to Enabled and set the value to True.
  11. In the Select Destination Management Pack pull-down menu, select the appropriate override management pack. If none exists, create a new management pack named "Active Directory MP Overrides" by clicking New.
    Note:
    Never use the Default Management Pack for overrides. Always create an override management pack that corresponds to each imported management pack.

  12. Click OK to save the override.
  13. Repeat for each domain controller that will be a source.

The steps to set the target overrides are as follows:

  1. Launch the Operations Manager 2007 R2 console.
  2. Select the Authoring section.
  3. Expand the Management Pack Objects node.
  4. Ensure that the console is not scoped for any objects.
  5. Select the Rules node.
  6. In the Look For field, enter targets and click Find Now.
  7. Select the rule "AD Replication Monitoring Performance Collection (Targets)" in the "Type: Active Directory Domain Controller Server 2008 Computer Role".
  8. Right-click the rule and select Overrides, Override the Rule, and For a Specific Object of Class: Active Directory Domain Controller Server 2008 Computer Role.
  9. The Select Object window opens and shows matching objects. Select the domain controller that will be the source and click OK.
  10. Check the Override box next to Enabled and set the value to True.
  11. In the Select Destination Management Pack pull-down menu, select the appropriate override management pack. Use the same one from the previous steps when selecting the sources.
  12. Click OK to save the override.
  13. Repeat for each domain controller that will be a target.

After a period of time, monitoring will begin. Counters will be measuring the replication latency between the partitions. In addition, replication latency alerts will be triggered if latency falls below the predefined thresholds.

This sets the sources and targets for Windows Server 2008 domain controllers. For other versions such as Windows Server 2003 and Windows 2000 Server domain controllers, the overrides need to be created for those domain controllers separately. Also, the replication latency mechanism does not support cross-version replication latency measurement.

Note:
It might be tempting to make all domain controllers both sources and targets. Each domain controller would then be connected to every other domain controller. This is also known as a full mesh. However, the problem is that the number of connections grows with the square of the number of domain controllers. The general function for the number of connections in a full mesh is:

f(x)= (x^2-x)/2

where x is the number of domain controllers and f(x) is the number of connections.

This means that 2 DCs will have 1 connection, 3 DCs will have 3 connections, 4 DCs will have 6 connections, and so on. By the time you get to 20 domain controllers, you have 190 connections. The connections are bidirectional and there are at least 5 counters that are collected per source-target pair, so for 20 DCs in a full mesh, there would be 1,900 performance counters (190 connections x 2 bidirectional x 5 counters) gathering data. Full mesh is bad!

Agent Restart Recovery

Agents will heartbeat every 60 seconds by default, contacting their management server to check for new rules and upload data. On the Root Management Server, there is a Health Service Watcher corresponding to each managed agent. If the Health Service Watcher for an agent detects three missed heartbeats in a row (that is, 3 minutes without a heartbeat), the Health Service Watcher executes a pair of diagnostics:

  • First, the Health Service Watcher attempts to ping the agent.
  • Second, the Health Service Watcher checks to see if the Health Service is running on the agent.

An alert is then generated for each of the diagnostics that failed. If the agent is reachable via ping but the Health Service is stopped, there is a recovery to restart the Health Service. This allows the agent to recover automatically from stopped agent conditions.

The Restart Health Service Recovery is disabled by default. To enable the functionality, an override can be created for the Health Service Watcher objects. To enable the recovery, execute the following steps:

  1. Open the Operations Manager 2007 R2 console.
  2. Select the Authoring space.
  3. Expand the Management Pack Objects node.
  4. Select the Monitors node.
  5. Select View, Scope.
  6. Type health service watcher in the Look For field and click the View All Targets option button.
  7. Select the Health Service Watcher target. Don't pick the ones with additional information in parentheses.
  8. Click OK.
  9. Type Heartbeat Failure in the Look For field and click Find Now.
  10. Right-click the Health Service Heartbeat Failure aggregate rollup node and select Overrides, Override Recovery, Restart Health Service, and For All Objects of Class: Health Service Watcher.
  11. Check the Override box next to Enabled and set the value to True.
  12. In the Select Destination Management Pack pull-down menu, select the appropriate override management pack. If none exists, create a new management pack named "Operations Manager MP Overrides" by clicking New.
    Note:
    Never use the Default Management Pack for overrides. Always create an override management pack that corresponds to each imported management pack.

  13. Click OK to save the override.

Now if the Health Service is stopped on an agent, the Root Management Server will automatically attempt to restart it.

Notifications and Subscriptions

When alerts are generated in the console, there is a wealth of information available about the nature of the problem and how to troubleshoot and resolve it. However, most administrators will not be watching the console at all times. Operations Manager has a sophisticated notification mechanism that allows alerts to be forwarded to email, SMS, IM, or even a command-line interface. The most common method of alert notification is email.

However, Operations Manager generates a lot of alerts. If each one of these alerts were forwarded, this would overwhelm the average administrator's Inbox and prove totally useless. To help categorize the alerts and guide the notification process, each alert has two parameters: severity and priority.

Alert Severity is the first and main parameter. There are three severity levels:

  • Critical (2) -- These alerts indicate that there is a problem that needs to be fixed immediately and is directly actionable (that is, there is something that can be done).
  • Warning (1) -- These alerts indicate that there is a problem, but that it might not be immediately impacting the environment or might not be directly actionable.
  • Information (0) -- These alerts indicate that there is something that is good to know, but it might be neither a problem nor actionable.

By the nature of things, there are a lot more warning alerts generated than critical alerts. In general, notifications should only be sent out for critical alerts. That is, there should never be an email sent for a warning or informational alert.

Alert Priority is the second parameter that qualifies the alert status. The priority allows management pack authors to make some alerts more important than others. There are three levels of priority as well:

  • High
  • Medium
  • Low

In general, a high-priority, critical severity alert is very important. This includes events like an agent down or a security breach. A medium-priority, critical severity alert is important. Both are generally actionable.

The best practice is to create two SMTP channels to deliver the alert notification emails, which are as follows:

  • SMTP (High Priority) -- High-priority email to an SMTP gateway
  • SMTP (Regular Priority) -- Regular email to an SMTP gateway

Then, create two notification subscriptions that use the Severity and the Priority to select the emails to be sent:

  • Notification for All Critical Severity High-Priority Alerts
  • Notification for All Critical Severity Medium-Priority Alerts

This provides a configuration that will deliver the very important alerts (high-priority critical severity alerts) via high-priority email and important alerts (medium-priority critical severity alerts) via regular email. All other alerts will be available in the console and no emails will be sent to notify of them.

The next sections will set up the notification infrastructure described previously.

The first step is to set up a channel, that is, how the emails will be sent. The steps are as follows:

  1. Launch the Operations Manager 2007 R2 console.
  2. Select the Administration space.
  3. Select the Channels node.
  4. Right-click the Channels node and select New Channel, E-Mail (SMTP).
  5. Enter SMTP Channel (High Priority) for the channel name and click Next.
  6. Click the Add button, enter the FQDN of the SMTP server, and click OK.
  7. Enter a return SMTP address and click Next.
  8. Change the Importance to High and click Finish. Click Close to close the wizard.
  9. Right-click the Channels node and select New Channel, E-Mail (SMTP).
  10. Enter SMTP Channel (Normal Priority) for the channel name and click Next.
  11. Click the Add button, enter the FQDN of the SMTP server, and click OK.
  12. Enter a return SMTP address and click Next.
  13. Leave the Importance at Normal and click Finish. Click Close to close the wizard.

The second step is to set up the subscriber, that is, to whom the emails will be sent. The steps are as follows:

  1. Launch the Operations Manager 2007 R2 console.
  2. Select the Administration space.
  3. Select the Subscribers node.
  4. Right-click the Subscribers node and select New Subscriber.
  5. Click the "..." button and select a user or distribution group. Click OK.
  6. Click Next.
  7. Click Next to always send notifications.
  8. Click the Add button.
  9. Type Email for the address name and click Next.
  10. Select the Channel Type as E-Mail (SMTP) and enter the delivery email address.
  11. Click Finish.
  12. Click Finish again to save the subscriber. Click Close to exit the wizard.

Note:
It is a best practice to use distribution lists rather than user email addresses for subscribers.

The last step is to set up the subscriptions, that is, what to notify on. The steps are as follows:

  1. Launch the Operations Manager 2007 R2 console.
  2. Select the Administration space.
  3. Select the Subscriptions node.
  4. Right-click the Subscriptions node and select New Subscription.
  5. Enter Notification for All Critical Severity High Priority Alerts for the subscription name and click Next.
  6. Check the Of a Specific Severity and the Of a Specific Priority check boxes.
  7. In the Criteria Description pane, click the "Specific Severity" link, check the Critical check box, and click OK.
  8. In the Criteria Description pane, click the "Specific Priority" link, check the High check box, and click OK.
  9. Click Next.
  10. Click the Add button, click Search, select the subscriber, click the Add button, and click OK.
  11. Click Next.
  12. Click the Add button, click Search, select the SMTP Channel (High Priority) channel, click the Add button, and click OK.
  13. Click Next and then click Finish.
  14. Right-click the Subscriptions node and select New Subscription.
  15. Enter Notification for All Critical Severity Medium Priority Alerts for the subscription name and click Next.
  16. Check the Of a Specific Severity and the Of a Specific Priority check boxes.
  17. In the Criteria Description pane, click the "Specific Severity" link, check the Critical check box, and click OK.
  18. In the Criteria Description pane, click the "Specific Priority" link, check the Medium check box, and click OK.
  19. Click Next.
  20. Click the Add button, click Search, select the subscriber, click the Add button, and click OK.
  21. Click Next.
  22. Click the Add button, click Search, select the SMTP Channel (Normal Priority) channel, click the Add button, and click OK.
  23. Click Next and then click Finish.

Now, the subscribers will get email notifications for alerts based on the severity and priority. These severities and priorities are based on the judgments of the authors of the management packs, which might or might not be optimal for any given organization. Later in the chapter, the priority and severity of alerts will be used to tune the management packs to reduce alert noise.

Monitoring DMZ Servers with Certificates

Servers in an organization's demilitarized zone (DMZ) are usually not domain members and, thus, cannot do automatic mutual authentication with the OpsMgr server. However, these servers are the most exposed in the organization and, thus, critical to monitor. Thankfully, there is a well-defined process for using certificates to handle the mutual authentication.

Note:
This topic also applies to machines that are workgroup servers or servers that are members of domains where there is no trust to the OpsMgr domain.

Monitoring servers in the DMZ requires setting up certificate-based mutual authentication. This process has a lot of steps, but is straightforward. To install and configure certificates to allow the DMZ servers to use mutual authentication, the following five major tasks need to be completed:

  1. Create a certificate template to issue the correct format of X.509 certificates for Operations Manager to use for mutual authentication.
  2. Request the root CA certificate to trust the CA and the certificates it issues. This is done for each DMZ server and possibly for the management servers if not using an enterprise CA.
  3. Request a certificate from the root CA to use for mutual authentication. This is done for each DMZ server and for each management server.
  4. Install the Operations Manager agent manually. This is done for each DMZ server.
  5. Configure the agent to use the certificate. This is done for each DMZ server and for each management server.

These various X.509 certificates are issued from a certificate authority, which could be a Windows Server 2008 R2 CA.

Creating a Certificate Template

This step creates a certificate template named Operations Manager that can be issued from the Windows Server 2008 R2 certification authority web enrollment page. The certificate template will support Server Authentication (OID 1.3.6.1.5.5.7.3.1) and Client Authentication (OID 1.3.6.1.5.5.7.3.2) as well as allow the name to be manually entered rather than autogenerated from Active Directory because the DMZ server will not be an Active Directory domain member.

The steps to create the certificate template are as follows:

  1. Log on to the CA, which is DC1.companyabc.com in this example.
  2. Launch Server Manager.
  3. Expand Roles, Active Directory Certificate Services, and select Certificate Templates (fqdn).
  4. Right-click the Computer template and select Duplicate Template.
  5. Leave the version at Windows 2003 Server, Enterprise Edition and click OK.
  6. On the General tab in the Template Display Name field, enter Operations Manager.
  7. Select the Request Handling tab and mark the Allow Private Key to Be Exported option.
  8. Select the Subject Name tab and select Supply in the Request option. Click OK at the warning.
  9. Select the Security tab, select Authenticated Users, and check the Enroll right.
  10. Click OK to save the template.
  11. Select the Enterprise PKI to expose the CA.
  12. Right-click the CA and select Manage CA.
  13. In the certsrv console, expand the CA, right-click Certificate Templates, then select New, Certificate Template to Issue.
  14. Select the Operations Manager certificate template and click OK.

The new Operations Manager template will now be available in the Windows Server 2008 R2 web enrollment page.

Requesting the Root CA Server Certificate

This allows the DMZ server to trust the Windows Server 2008 R2 CA. This does not need to be done on the OpsMgr management servers, as the Windows Server 2008 R2 CA is an enterprise CA and all domain members automatically trust it. If the CA is not an enterprise CA, the steps need to be completed for the management servers as well.

To request and install the root CA certificate on the DMZ server, execute the following steps:

  1. Log on to a DMZ server with local administrator rights.
  2. Open a web browser and point it to the certificate server, in this case https://dc1.companyabc.com/certsrv. Enter credentials if prompted.
  3. Click the Download a CA Certificate, Certificate Chain, or CRL link (shown in Figure 23.10).
  4. Click the Download CA Certificate link. Note: If the certificate does not download, add the site to the Local Intranet list of sites in Internet Explorer.
  5. Click Open to open the CA certificate.
  6. Click Install Certificate to install the CA certificate.
    FIGURE 23.10 Downloading a root CA certificate.

  7. At the Certificate Import Wizard screen, click Next.
  8. Select Place All Certificates in the Following Store option button.
  9. Click Browse.
  10. Click the Show Physical Stores check box.
  11. Expand the Trusted Root Certification Authorities folder and select the local computer store.
  12. Click OK.
  13. Click Next, Finish, and OK to install the CA certificate.
  14. Close any open windows.

Repeat for all DMZ servers. Now the DMZ servers will trust certificates issued by the certification authority. The next step is to request the certificates to use for the mutual authentication for all servers.

Requesting a Certificate from the Root CA Server

Each of the management servers and the servers in the DMZ will need to be issued certificates to use for communication.

The steps to request a certificate are as follows:

  1. Log on as an administrator, then open a web browser and point it to the certificate server (in this case, https://dc1.companyabc.com/certsrv).
  2. Click the Request a Certificate link.
  3. Click the Advanced Certificate Request link.
  4. Click the Create and Submit a Request to This CA link.
  5. In the Type of Certificate Template field, select Operations Manager.
  6. In the Name field, enter the FQDN (fully qualified domain name) of the target server.
    Note:
    Go to the actual server to get the name! On the server, go to Computer Properties, Computer Name. Copy the full computer name and paste it into the Name field of the form.

  7. Click Submit.
  8. Click Yes when you get the warning pop-up.
  9. Click Install This Certificate.
  10. Click Yes when you see the warning pop-up. The certificate is now installed in the user certificate store.

    Note:
    The certificate was installed in the user certificate store, but needs to be in the local computer store for Operations Manager. The ability to use web enrollment to directly place the certificate into the local computer store was removed from the Windows Server 2008 web enrollment, so the certificate needs to be moved manually.

  11. Select Start, Run and then enter mmc to launch an MMC console.
  12. Select File and Add/Remove Snap-In.
  13. Select Certificates and click the Add button.
  14. Select My User Account and click Finish.
  15. Select Certificates again and click the Add button.
  16. Select Computer Account and click Next.
  17. Select the local computer, click Finish, and then click OK.
  18. Expand the Certificates -- Current User, Personal, and select the Certificates folder.
  19. In the right pane, right-click the certificate issued earlier and select All Tasks, Export. The certificate can be recognized by the certificate template name Operations Manager.
  20. At the Certificate Export Wizard, click Next.
  21. Select Yes, Export the Private Key. Click Next.
  22. Click Next.
  23. Enter in a password and click Next.
  24. Enter in a directory and filename and click Next.
  25. Click Finish to export the certificate. Click OK at the pop-up.
  26. Expand the Certificates (Local Computer), Personal, and select the Certificates folder.

    Note:
    If this is the first certificate in the local computer store, the Certificates folder will not exist. Simply select the Personal folder instead and the Certificates folder will be created automatically.

  27. Right-click in the right pane and select All Tasks, Import.
  28. At the Certificate Import Wizard, select Next.
  29. Click Browse to locate the certificate file saved earlier. Change the file type to Personal Information Exchange (.pfx) to see the file. Click Next.
  30. Enter in the password used earlier, select the Mark This Key as Exportable, and click Next.
  31. Click Next.
  32. Click Finish and then click OK at the pop-up to complete the import.

The preceding steps need to be completed for each DMZ server and for each management server.

About the authors:

Rand Morimoto has been in the IT industry for more than 25 years and is the president of Convergent Computing, an IT-consulting firm. Morimoto has also co-authored Exchange Server 2010 Unleashed.

Michael Noel is an IT expert and partner at Convergent Computing and co-wrote Microsoft SharePoint 2007 Unleashed.

Chris Amaris cofounded Convergent Computing and serves as the chief technology officer. Amaris has also co-authored Microsoft Exchange Server 2007 Unleashed.

Omar Droubi has been in the computer industry for more than 15 years and has co-authored Windows 2003 Unleashed.

Ross Mistry has spent more than a decade in the computer industry and has also published Microsoft SQL Server 2008 Management and Administration.

Installing the Agent on the DMZ Server

The agent needs to be installed manually on each DMZ server. Normally, agents would be pushed by the Operations Manager console, but servers in the DMZ are typically not members of the domain.

The steps to manually install the agent are as follows:

  1. Log on as an administrator and insert the OpsMgr 2007 R2 installation media.
  2. At the AutoPlay menu, select Run SetupOM.exe.
  3. Select Install Operations Manager 2007 R2 Agent from the menu.
  4. Click Next.
  5. Click Next to accept the default directory.
  6. Click Next to specify management group information.
  7. Type in the management group name and FQDN of the management server. Keep the default management server port as 5723. The example shown in Figure 23.11 has COMPANYABC as the management group name and omr2.companyabc.com as the management server.

    FIGURE 23.11 Manually entered management group information.

  8. Click Next.
  9. Click Next at the Agent Action Account page to leave the local system as the action account.
  10. Click Install to complete the installation.
  11. When the installer is finished, click Finish.

The preceding steps need to be completed for each DMZ server.

The agent is installed, but will not communicate correctly with the management server. This is because the agent has not been configured to use the certificate for mutual authentication. This will be done in the next section.

Configuring the Agent to Use the Certificate

After the agent is installed, the agent still needs to be configured to use the correct certificate. The OpsMgr installation includes a utility called MOMCertImport.exe that configures the agent to use certificates for authentication and specifies which certificate in the local computer store to use. The tool does not do any validation checking of the certificate itself, so care needs to be taken that the correct certificate is selected.

The steps to configure the agent to use a certificate are as follows:

  1. Log on as an administrator on the DMZ server and insert the OpsMgr 2007 R2 installation media.
  2. At the AutoPlay menu, select Run SetupOM.exe.
  3. Select Browse This CD from the menu.
  4. Select the SupportTools directory and then the AMD64 directory.
    Note:
    Windows Server 2008 R2 is a 64-bit operating system, so the AMD64 is the correct folder for the 64-bit binaries. If the procedure is being run for 32-bit servers, select the appropriate directory for the binaries such as i386.

  5. In the directory, double-click MOMCertImport.exe.
  6. In the pop-up window, select the certificate issued previously and click OK. The View Certificate button can be used to view the certificate details if the correct certificate is not obvious.

The Operations Manager service will restart automatically to have the certificate selection take effect. The preceding steps need to be repeated for each DMZ server and for each management server.

The Operations Manager event log can be viewed with the Windows Event Viewer. It is named Operations Manager and is located in the Applications and Services Logs folder in the tool. Any problems with the certificate will be shown in the log immediately following the start of the System Center Management service.
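
Because MOMCertImport.exe does not validate the certificate it is given, the requirements described in this section can be checked beforehand. The following PowerShell script is an added example, not part of the book or of the OpsMgr tooling; it tests every certificate in the local computer Personal store for a subject name equal to the server FQDN, a private key, the Server and Client Authentication EKUs, a valid date range, and a trusted chain. The $ExpectedName default, the function name Test-OpsMgrCertificate, and the choice to skip revocation checking are assumptions of the example.

```powershell
# Added example (not from the book or the OpsMgr media): read-only checks on
# certificates in the local computer Personal store, to run before picking
# one in MOMCertImport.exe. Nothing on the machine is changed.
param(
    # Assumption: defaults to the name DNS returns for this computer. Pass the
    # full computer name from Computer Properties if the two differ.
    [string]$ExpectedName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

function Test-OpsMgrCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedName
    )

    # EKUs the Operations Manager certificate template is set up to include.
    $requiredEku = @{
        '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
        '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    }
    $problems = @()

    # The Name field of the request was the server FQDN, so the subject's
    # simple name must match it (-ne compares case-insensitively).
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $subjectName = $Certificate.GetNameInfo($nameType, $false)
    if ($subjectName -ne $ExpectedName) {
        $problems += "subject name '$subjectName' does not match '$ExpectedName'"
    }

    # A certificate imported without its private key cannot authenticate.
    if (-not $Certificate.HasPrivateKey) {
        $problems += 'no private key in the local computer store'
    }

    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += "not valid today (valid $($Certificate.NotBefore) to $($Certificate.NotAfter))"
    }

    # Collect the OIDs from the Enhanced Key Usage extension, if present.
    $presentEku = @()
    foreach ($extension in $Certificate.Extensions) {
        if ($extension -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $extension.EnhancedKeyUsages) { $presentEku += $oid.Value }
        }
    }
    foreach ($oid in $requiredEku.Keys) {
        if ($presentEku -notcontains $oid) {
            $problems += "missing EKU: $($requiredEku[$oid]) ($oid)"
        }
    }

    # The chain must end in a trusted root, which is what installing the root
    # CA certificate achieves. Assumption: revocation checking is skipped
    # because a DMZ server may not be able to reach the CA's CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Certificate)) {
        foreach ($status in $chain.ChainStatus) {
            $problems += "chain: $($status.Status)"
        }
    }

    New-Object PSObject -Property @{
        Subject    = $subjectName
        Thumbprint = $Certificate.Thumbprint
        NotAfter   = $Certificate.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-OpsMgrCertificate -Certificate $_ -ExpectedName $ExpectedName } |
    Format-List Subject, Thumbprint, NotAfter, Usable, Problems
```

Run it on each DMZ server and each management server after the import; a certificate reported with Usable set to True and an empty Problems field is a candidate to select in MOMCertImport.exe.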



Printed with permission from Sams Publishing. Copyright 2010. Windows Server 2008 R2 Unleashed by Rand Morimoto, Michael Noel, Omar Droubi and Ross Mistry. For more information about this title and other similar books, please visit Sams Publishing.

This was first published in May 2010
