3 Monitor2005

Microsoft
Operations
Manager 2005
Operations Guide
Monitor
Author: Dan Wesley
Program Manager: Tom Keane
Published: December 2004
Applies To: Microsoft Operations Manager 2005
Document Version: Release 1.0
The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting
the rights under copyright, no part of this document may be reproduced, stored in or introduced
into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
 2004 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, Windows Server, Active Directory, ActiveSync, and
Windows Mobile are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Acknowledgments
Primary Reviewers: James R. Morey, Tom Keane, Doug Bradley, James Hedrick, Ian
Jirka
Managing Editor: Sandra Faucett
Did you find this information useful? Please send your suggestions and comments about
the documentation to momdocs@microsoft.com.
Looking for more MOM information? Experience the power of customer communities!
MOM Community
Monitor
C H A P T E R 3
This chapter describes the monitoring functionality of Microsoft® Operations Manager
(MOM) 2005, and provides detailed information about monitoring specific MOM components to
ensure that MOM is operating correctly.
The chapter also provides information about using the Operator console, which is a new feature
in MOM 2005. Although the chapter’s scope is MOM 2005, many of the best practices,
recommendations, and tips can be used to monitor various applications in an IT environment,
such as domain controllers, Microsoft® SQL Server™, and Exchange Server.
In This Chapter
• Introduction
• Before You Begin
• Monitoring Overview
• The MOM Management Pack
• Configure the Monitoring Environment
• Work with Alerts
• Monitoring MOM
• Using Tracing and Log Files
• Additional Resources
Introduction
The following best practices are recommended to help you support MOM:
MOM Community
6 Chapter 3 Monitor
• Use the knowledge base. Encourage employees to enter their knowledge about resolving a
problem into the knowledge base, so that this knowledge is available for everyone, and is not
lost if the employee moves on.
• Enforce a policy that all resolved incidents in the ticketed system are transferred back to a
resolved resolution state in MOM by either the subject matter expert or the help desk.
• Document all processing rule changes, including newly added rules, previous and modified
threshold values, and modified or added scripts.
• Limit the number of MOM Administrator and MOM Author roles to a few individuals who
are responsible for rule changes. Other MOM users, such as Exchange or Active Directory®
Administrators, should only be members of the MOM Users group (unless these users need
to edit rules or runtime tasks).
The information in this chapter is based on a MOM deployment, with distributed components,
that is managing 20 computers. Although your organization’s IT group may support fewer or
more computers, this chapter provides guidance that you can use in your environment.
Before You Begin

Before you start setting up your monitoring environment, you should verify that you have
completed all of the tasks identified during deployment, and have implemented the recommended
settings for the various MOM components.
It is recommended that you review:
• The MOM 2005 release notes to identify any changes that could affect operations.
• The Microsoft Operations Manager 2005 Security Guide. This guide contains security best
practices and information about the level of privileges required to work with MOM
components.
For monitoring your MOM deployment, ensure that:
• You have deployed and configured MOM using the best practices and recommendations
documented in the Microsoft Operations Manager 2005 Deployment Guide. This guide also
provides information about:
• Supported deployment scenarios.
• Deploying agents automatically or manually.
• Installing Management Packs and reports.
• You have agents installed on distributed MOM components, such as the operational and
reporting database servers.
MOM Community
Work with Alerts 7
• You have installed all of the Management Packs that you want to use for monitoring MOM
servers.
It is recommended that you download the Microsoft Operations Manager 2005 Resource Kit,
which contains tools and best practices that you can use for monitoring, troubleshooting, and
optimizing your MOM environment. Chapter 8 of this guide, “Tools”, provides information
about the resource kit tools as well as the tools that ship on the product CD.
Monitoring Overview
Because operations management requires actionable data, monitoring is a critical component of
MOM 2005.
The role of MOM
In a monitoring role, MOM:
• Gathers computer attribute information and applies specific rules to monitor these
computers, based on their attributes.
• Obtains data from event logs and other providers, as defined by specific rules.
• Collects performance data based on performance counters.
• Generates alerts based on criteria specified in rules. Criteria are based on occurrence of
specific events or thresholds, which are based on the number of events or performance
counters (this includes combinations of performance counters).
The role of the IT Staff

Operations staff can use monitoring data to:
• Determine the state of a managed computer.
• Manage alerts.
• Run tasks on managed computers to diagnose or correct problem states.
• Generate reports to capture performance trends that can be used for capacity planning or
performance tuning.
How monitoring is used

Monitoring data is used to quantify, evaluate, and sustain a level of IT service. The level of
service is based on:
• Availability: communication and access monitoring.
MOM Community
8 Chapter 3 Monitor
• Performance: performance counters within acceptable parameters.

• Capacity: ensuring disk capacity is adequate, for example, and capacity analysis/planning.
• Identifying errors or conditions that affect the previous three aspects of service levels.
The role of Management Packs

Management Packs apply the discipline of monitoring to a specific technology. Each
Management Pack includes the rules and rule criteria, tasks, views, and reports that are tailored
to monitor the services provided by the technology.
This chapter specifically addresses using the MOM 2005 Management Pack to monitor your
MOM installation.
The MOM Management Pack

All of the Management Packs depend on the health and availability of the Microsoft® Operations
Manager (MOM) server components and agents, as well as the successful forwarding and
retention of monitoring data.
The MOM Management Pack monitors problems with agent deployment and configuration,
communications failures, security issues, and the MOM Connector framework. Automated tasks
provide easy access to common network administration and diagnostic tools. Reports call
attention to performance bottlenecks and provide data for capacity planning.
Table 3.1 summarizes the monitoring scenarios for the MOM Management Pack. The MOM
Management Pack has undergone extensive modeling and testing to ensure that minimal
configuration is required for most deployments.
Best Practices
It is recommended that you review the following best practices for Management Packs.
Changing Management Packs
It is recommended that you do not change any MOM Management Pack settings until you have
performed a thorough analysis to determine whether changes are required. If changes are
required, ensure that these changes are adequately tested.
• If you change company knowledge or enable a disabled setting, you can edit the original
rule. This is possible because these settings are preserved when you import the Management
Pack by using the update option.
• If you change an enabled rule, follow these guidelines:
• Make a copy of the rule that you want to change.
MOM Community
Work with Alerts 9
• Disable the original rule.

• Make changes to the copy of the rule, and commit these configuration changes.
• Conduct tests on the copy of the rule.
Important
• Before you change any of the MOM Management Pack
settings, refer to The Microsoft Operations Manager 2005
Management Pack Guide, which is available from the MOM
product Web site.
• Additional guidance for Management Pack authoring is
provided in the Microsoft® Operations Manager (MOM)
2005 Management Pack Development Guide.
• Guides for other Management Packs, such as Active
Directory and Exchange Server 2003 are also available at
the MOM Web site, and you should review these
documents before implementing any changes.
Additional Management Packs

It is recommended that you install additional Management Packs for your MOM deployment.
The following Management Packs will extend the depth and breadth of monitoring for all of the
MOM components.
Note
Management Pack version numbers are provided to help you
locate the most recent version of the Management Packs. The
Management Packs listed are available from the Download
Center of the MOM Web site.
• Windows Base Operating System - Monitors the performance and availability of Microsoft
Windows Base Operating System 4.0 and later versions (MP version: 05.0.2803.0000).
• SQL Server 2000 - Detects and sends alerts about critical events. Helps indicate, correct, and
prevent service outages or configuration problems (MP version: 05.0.2803.0000).
• Internet Information Services (IIS) - Monitors IIS events in the Windows NT and IIS event
logs. For IIS 5.0 and IIS 6.0, it includes a script that polls and tracks the responsiveness of
your IIS server (MP version: 05.0.2803.0000).
• Microsoft Baseline Security Analyzer (MBSA) - Performs security vulnerability assessments
and security update scans of computers running Microsoft Windows 2000 or later (MP
version: 05.0.2803.0000).
MOM Community
10 Chapter 3 Monitor
• Microsoft Windows Server Clusters - Highlights events that may indicate possible service
outages or configuration problems, so that you can take action. The highlighted events
provide information about many parts of a server cluster (MP version: 05.0.2803.0000)
Installing and Tuning Management Packs
It is recommended that you install the Management Packs in batches, and then fine-tune and
optimize each one. This approach is considerably easier than enabling and disabling large
numbers of rules. Most Management Packs should not require you to make large-scale changes,
in order to optimize for your environment. Generally, changing less than 5 rules in an MP is the
most that is required. You can, typically, identify these rules by using the most common event
and alert reports.
If you want to disable multiple rules, either disable processing rule groups associated with
computer groups, or just computer groups, rather than disabling all processing rule groups or all
rules.
Importing and Exporting Reports
Note the following information related to importing and exporting reports:
• The report import/export component of the Import/Export Management Packs Wizard
does not support either the import or export of linked reports.
• When exporting reports using the import/export utility, password information is not exported
if the underlying data source uses Structured Query Language (SQL) authentication for
security reasons. When these reports are imported on a different computer, the reports will
be broken because they will not contain the password. In this scenario, the work-around is to
edit the data source and enter the required password.
Importing Management Packs with Custom Tasks
When you use MOM to import a Management Pack that contains a custom task, the custom task
is not visible in the Administrator console navigation pane after the import is completed.
Although the custom task is successfully imported and created, you may have to refresh the
Tasks folder, in the MOM 2005 Administrator console, for the custom task to be displayed
correctly. To do this, use the following procedure.
Refresh the Tasks list in the Administrator console
1. In the Navigation pane, expand the Management Packs node to show the Tasks folder.
2. Right-click Tasks, and then click Refresh.
Management Pack Monitoring Scenarios
The following tables provide summary information about the monitoring scenarios for each of
the recommended Management Packs including the Management Pack for MOM 2005. This
information is extracted from each of the guides that are available for each Management Pack.
MOM Community
Work with Alerts 11
Table 3.1 MOM 2005 Management Pack

Scenario Description
Agent deployment and • Installation success and failure
upgrade • Upgrade success and failure
• Uninstall success and failure
Agent monitoring • Heart beats
• Script failures
• Service discovery problems
• Managed code responses
• Task failures
• Provider problems
• Override issues
• Queues
Agentless monitoring • Agentless monitoring failures
• Permissions issues
Management Server • Response failures
monitoring • Computer discovery issues
• Service discovery issues
• Database communication issues
• Queues
• User Datagram Protocol (UDP) and
Transmission Control Protocol (TCP)
communication issues
Database monitoring • Database space issues
• Configuration issues
• Authentication issues
• Grooming issues
Reporting monitoring • Microsoft SQL Server™ Reporting Server
service issues
• Data warehouse grooming issues
MOM Connector framework • Forwarding and inserting issues
monitoring • Data configuration issues
Security • Legacy Client connections refused
MOM Community
• Large number of legacy connections refused

• Agents failing authentication
• Port floods and unauthorized access
attempts
• Connection negotiations failures
• Manual agent connections refused
Performance monitoring Agent:
• Processor time
• Private bytes
• Alert processing and incoming time
• Network bytes sent and received
Database:
• Insertion time for alert
• Performance
• Service discovery and event data
Management Server:
• Channel errors
• Fragmented packets
• Total connections (agents)
• Total legacy connections (MOM 2000 Service
Pack 1 (SP1) agents)
• Network bytes sent and received
MOM Community
Work with Alerts 13
Note
Previous versions of the Microsoft Management Packs, for
MOM 2000 and MOM 2000 SP1, will work with MOM 2005.
However, older Management Packs do not support new
features such as state awareness and run-time tasks.
Table 3.2 Windows Base Operating System Management Pack

Description Windo Windo Windo
ws NT ws ws
Scenario
4.0 2000 Sever
Server 2003
Service and • Core Windows service Core ● ●
application up/down status Windo
management • Unexpected service ws
terminations service
up/dow
• Service configuration
n
issues
status
• Service account and only
authentication issues
Reliability • Detection of reoccurring ● ●
application terminations
• Gathers data on system
shutdowns for shutdown
reporting
• Reports system failures
(for stop error reporting)
Storage • Share availability issues Local ● ●
• Share configuration issues storag
e free
• Local storage resource
space
availability
only
• Local storage free space
• File system integrity and
corruption issues
Networking • IP address conflicts ● ●
• Disconnected network
adapters
MOM Community
• Duplicate network names

Performance • For most commonly used ● ●
measuring performance data
Performance • Physical Disk — Avg. Disk ● ● ●
threshold sec.
monitoring • Physical Disk — Avg. Disk
sec./Read
• Memory — Pages/sec.
• Processor — % Processor
• Processor — % DPC
• Processor — % Interrupt
Time
• Memory — % Committed
bytes in use
• Memory — Available
megabytes
State monitoring • Base OS services ● ● ●
and service • Storage
discovery
• Messenger service
• Computer browser
• Logical Disk Manager
service
• Dynamic Host
Configuration Protocol
(DHCP) client
• Domain Name Service
(DNS) client
• Remote Procedure Call
(RPC) health
• Server service
• Transmission Control
Protocol/Internet Protocol
(TCP/IP) NetBIOS Helper
service
• Hardware discovery
• Event log
• Workstation service
MOM Community
Work with Alerts 15
Table 3.3 SQL Server Management Pack

Scenario Description
Enterprise configuration • Multiple instance-aware
support • 100% cluster-aware ( Active/Passive and
Active/Active)
• Monitors SQL Server 64- bit edition
Service and database • Availability of SQL Server
availability and health • SQL Agent services
• Full Text Search service
• Alerts on databases in suspect and
emergency states
Database connectivity • Local connectivity
• Database connectivity issues
• Port bind errors
• Configuration errors
• Protocol problems
• Corrupt system databases
Remote connectivity • Connects to SQL Server remotely to
simulate the client experience
• Tests database response time with custom
Transaction Structured Query Language
( TSQL) query
• Evaluates intermediate network
connectivity
• User-defined criteria:
• Query to execute
• Database to query
• Response time
• Client computers
Database space • Intelligent free space monitoring monitors
the remaining space in all databases and
transaction logs
• Files and file groups aware
• Enterprise adjustable warning and error
MOM Community
thresholds
• Separate threshold for:
• Logs and databases
• System databases
• TempDb
• User databases
Service pack compliance • Check computers running SQL Server for
compliance with a minimum (user-defined)
service pack or hotfix level
• Generate success and failure alerts for
auditing
• Service pack and compliance reports
display version, build, and service pack
levels
Configuration monitoring Alert on configuration inconsistencies in your
enterprise for each database, including:
• Auto Close
• Auto Create Stats
• Auto Shrink
• Auto Update Stats
• Cross Database Chaining
• Torn Page Detection
Blocked processes • Monitors blocking system process IDs
(SPIDs) based on a blocking duration
threshold time. Alert details include:
• Blocked SPID
• Blocked by SPID
• Program Name
• Block duration
• Login Name
• Database Name
• Resource
• Topped blocked report allows further
details on data, including top blocking
users, application, and average
blocking time
MOM Community
Work with Alerts 17
Replication monitoring • Monitors the health of SQL Server

replication and alerts on replication
failures.
Long running agent jobs • Job run time measured in real time, and
compared against a predetermined
threshold.
Security monitoring • Monitors SQL Server security and audit
events:
• Denied administrative functions
• Single-user mode startup
• License compliance
• Shutdowns
• Configuration problems
• Collection of audit data
• Successful and failed Logins
• Trusted and untrusted connections
Backups and jobs • Failed SQL Agent Jobs
• Job corruption
• Failed notifications
• SQL e-mail problems
• Failed backups
• Full backups
• Incremental/differential backups
• Restore errors
Server performance • Poor disk responses
• Excessive SQL process CPU use
• Deadlocks
• Excessive user connections
• Schema-specific performance problems
Table 3.4 IIS Management Pack

Scenario Description IIS 5.0 IIS 6.0
Service availability • Monitors the availability and ● ●
health of the following services:
• World Wide Web Publishing
MOM Community
Service
• File Transfer Protocol (FTP)
• Network News Transport Protocol
(NNTP)
• Simple Mail Transfer Protocol
(SMTP)
• HTTP Filter
• IIS Admin
Application • Alerts and reports on client ● ●
availability and detected errors, including Server
integrity Too Busy
• Detects configuration problems
with Web sites and applications
Security • Performs basic detection of ● ●
unauthorized access attempts
• Detects brute force attacks and
denial of service attacks
• Automatically blocks attackers by
IP address
Site Integrity • Detects missing links from Web ● ●
logs
• Detects invalid URLs
• Detects de-activated Web sites
World Wide Web • Worker process failures ● ●
Publishing Service • Service configuration problems
specific with Web site stopped states
• Configuration issues
• Web site binding issues
• Misconfigured bindings
• Logging issues
Related services • Unexpected failures ●
• Configuration related failures
• Inability to create application
pools
• Identity issues
• Service startup and shutdown
MOM Community
Work with Alerts 19
timeouts
• Worker process recycle requests
and events
Table 3.5 MBSA Management Pack

Description Windo Windo
ws 200 ws
Scenario
0 Server
Server 2003
Set up of Microsoft • Places the MBSA binaries on ● ●
Baseline Security all agent computers
Analyzer (MBSA) • Automatically downloads
updated copies of the
Mssecure.cab file
Security Reporting • Reports missing security ● ●
patches
• Reports missing service packs
• Detects other security
vulnerabilities known to
Microsoft
MBSA Issues • MBSA setup issues on agent ● ●
computers
• Permissions issues on agents
that prevent MBSA from
scanning
• MBSA scanning issues on
agent computers
• Issues with reading the MBSA
output file on agents
Internet Explorer (IE) • IE zones not configured for ● ●
vulnerabilities security
• IE enhanced security
configuration not enabled for
administrators
• IE enhanced security
configuration not enabled for
non-administrators
Internet Information • MSADC and Scripts virtual ● ●
MOM Community
Services vulnerabilities directories are installed

• IIS parent paths are enabled
• IISADMPWD virtual directory
is installed
• IIS sample applications found
• IIS Lockdown Tool not run on
specific servers
• IIS logging is disabled
• IIS is installed on a domain
controller
Windows operating • Local account password is ● ●
system vulnerabilities blank or weak
• Windows Firewall is disabled
• Too many users in the local
administrators group
• Auto logon is enabled
• “Password never expires” is
set on local account
• Current RestrictAnonymous
registry setting presents a
high security risk
• Automatic updates are not
enabled
• Local guest account is
enabled
• Logon and logoff event
auditing is disabled
• File system is not NTFS
Microsoft SQL Server ™ • Everyone group has more ● ●
vulnerabilities than Read permissions to
SQL Server registry keys
• SQL Server or MSDE password
is exposed in clear text log
• SQL Server or MSDE local
password is weak
• BUILTIN\Administrators is a
member of SQL Server
SysAdmin role
MOM Community
Work with Alerts 21
• SQL Server or MSDE service

accounts are running as
LocalSystem
• Mixed-mode authentication
• SQL Server or MSDE directory
access is not secure
• Guest account has access to
one or more databases
• SQL Server or MSDE is
installed on a domain
controller
• Non-SysAdmin user has
CmdExec privileges
• Too many users are in the
SQL Server SysAdmin role
MOM Community
Table 3.6 Windows Server Clusters Management Pack

Description Windo Windo
ws200 ws
Scenario
0 Server
Server 2003
Service monitoring • Cluster service stopping or ● ●
stopped
• Cluster service failed to start
Resource groups and • Availability of resource groups ● ●
resource health • Resource group failover
• Availability of disk, name,
network and IP Address
resources
Quorum resource • Quorum dependency errors ● ●
monitoring • Quorum unavailable
• Corrupt quorums
• Read-only quorums
• Quorum space alerts
Cluster node • Node failures to join cluster ● ●
monitoring • Initialization failures
• Cluster node evictions and
eviction errors
Cluster network issues • Network configuration errors ● ●
• Network communication
failures
• DNS issues
• Kerberos authentication
problems
• Active Directory®
communication errors
• IP address issues
General resource issues • Account or password issues ● ●
• Disk corruption errors
• Failure to bring resources
online
MOM Community
Work with Alerts 23
• Failed resources
• Disk mount errors
Rule Overrides
Rule overrides is a valuable tool, provided by MOM, to enable you to override a rule for a
computer or computer group. Overrides can be used and shared by rules, scripts, and the MOM
APIs.
For example, in a scenario where there is a server with performance capabilities that are lower
than other servers in the group, it can trigger a performance alert before the other servers in the
same group. Rather than lower the performance threshold in the rule for all of the servers, you
can create an override that identifies the server and the rule.
You must be a member of, at a minimum, the MOM Authors group to create an override in the
Administrator console.
Use the following procedure to create an override for an event rule. You can use the same
procedure to create an override for alert rules and performance rules.
Create an override for an event rule
1. In the Navigation pane, locate the rule group for the rule.
2. In the Details pane, right-click the rule name and click Properties.
3. On the General tab, select the check-box for Enable rule-disable overrides for this rule.
Note
If the rule is disabled, the prompt for the check-box is Enable
rule-enable overrides for this rule.
4. Click the Set Criteria button to open the Set Override Criteria property page, and then
click Add.
5. Click the right-arrow button beside the Target: input area, and then pick Computer Group
or Computer to specify the target.
6. In the Add Computer property page, select a computer to add, and then click OK. Repeat
steps 5 and 6 if you want to add more computers.
7. By default, the Value: is Disable (0) if the rule is already enabled. Click OK.
8. Click OK to close the Set Override Criteria property page, and then click OK to close the
property page for the rule.
MOM Community
Configure the Monitoring

Environment
The extent to which you configure your monitoring environment depends on several factors, such
as business requirements, the complexity and size of your organization’s MOM deployment and
the level of MOM expertise in your IT support group.
Things to consider when configuring your monitoring environment:
• What user accounts do you need to implement for monitoring your computers?
• What individuals or groups of individuals in IT support do you need to notify?
• What computer groups and associated rules do you need for monitoring specific computers
or groups of computers?
• What information does your support staff need in order to do their job successfully?
• Are there any requirements or opportunities for using built-in or custom tasks to support
problem resolution?
• Do existing rules need to be customized to provide the best fit for the hardware and software
that you want to monitor?
Figure 3.1 illustrates the sequence of tasks that are used to configure a MOM monitoring
environment.
You can implement the configuration that is described, as appropriate for your MOM
deployment.
Figure 3.1 Configure the monitoring environment
MOM Community
Work with Alerts 25
The following tasks are labeled according to the process shown in Figure 3.1, and each task
heading identifies the minimum MOM local group membership that is required to undertake the
task.
MOM Community
Task 1 - Add users to MOM local groups (MOM Administrator)

IT support staff have to be added to one of the MOM local groups described in Chapter 2,
“MOM 2005 Feature Overview”. For more information about MOM security, see The Microsoft
Operations Manager 2005 Security Guide, which is available at the MOM product Web site.
Note
All members of the Local Administrators group are
automatically added to the MOM Administrators group.
Use the following procedure to add users or domain groups to the MOM Users group.
Add a user to the MOM Users group
1. Log on to the MOM Management Server with an account that has sufficient privileges to add
users to a local group.
2. On the Start menu, point to Programs, point to Administrative Tools, and then click
Computer Management.
3. Expand Local Users and Groups, and then click Groups.
4. Right-click MOM Users and pick Add to Group to open the MOM Users Properties page.
Note
In Windows Server 2000, the dialog is named Select Users or
Groups, and the format for adding a user is: domain\user.
5. Click Add to open the Select Users, Computers, or Groups dialog.

6. At the Enter the object names to select prompt, type in name of the user that you want to
add, and then click OK to close the dialog.
7. Click OK to close the MOM Users Properties page.
You can use the preceding procedure to add users to the other MOM groups, based on the tasks
that the users need to perform. For example, any user who needs to edit rules or create a new rule
has to be added to the MOM Authors group.
Task 2 - Add Operators (MOM Author)

You need identify the operators that you want to notify, how they should be contacted, and when
they should be contacted. To do this, run the Create Operator dialog from the Administrator
console.
Use the following procedure to create an Operator.
MOM Community
Work with Alerts 27
To create an Operator
1. In the Navigation pane, expand Management Packs.
2. In the Navigation pane, right-click Operators.
3. Pick Create Operator to open the dialog for creating an operator.
4. Follow the instructions in the dialog.
Note
Any changes that you make to a Management Pack are not
immediately deployed to managed computers. By default, the
MOM Management Server scans for rule changes every five
minutes. Refer to Chapter 7, “Administrator Console
Reference” for more information about Global Settings. See
Also: “Commit Configuration Changes”.
Commit Configuration Changes (MOM Author)

If you want to commit Management Pack configuration changes immediately after they are
made, use the following procedure in the Administrator console.
Commit configuration changes.
1. In the navigation pane, right-click Management Packs.
2. Pick Commit Configuration Change.
Task 3 - Create Notification Groups (MOM Author)

Notification Groups support sending notifications to a group of operators, rather than individual
operations.
Note
MAPI notifications are not supported in MOM 2005. Use SMTP

or Exchange solutions for sending notifications.
After you have finished creating operators for your MOM environment, you can add them to one
of the existing Notification Groups provided by the MOM Management Pack, or you can create a
new notification group.
You use the Administrator console to create a notification group.
Note
Predefined notification groups are determined by the
Management Packs that you install. The MOM Management
Pack creates the Operations Manager Administrators group
Did you and
find the
thisOperations
informationManager Notification
useful? Please send Testing group. A and comments about
your suggestions
newly created notification group needs to be referenced by a
rule response before notifications are sent to the group.
MOM Community
Create a notification group

1. In the Navigation pane, expand Management Packs, and then expand Notification.
2. Expand Notification Groups to view the groups that are available.
3. Right-click Notification Groups and pick Create Notification Group to open the
Notification Group dialog.
4. Follow the instructions in the dialog to create the group and identify the operators that you
want to be members of the group.
Task 4 - Create new computer group (MOM Author)

By using custom computer groups, it is possible to further organize the monitoring and
management of computers in your organization. For example, you can create a computer group
that consists only of Web servers, and use a computer group as a container for the servers that
you specify.
Use the Administrator console to create a new computer group. After you create the computer
group, it is necessary to associate the computer group with a rule group.
Create a new computer group
2. Right-click Computer Groups and pick Create Computer Group to start the Create
Computer Group Wizard.
3. Follow the wizard steps to create a new computer group.
Task 5 - Associate rule group with computer group (MOM Author)

Use the Administrator console to associate a computer group with a rule group.
Associate rule group with new computer group
2. Expand Rule Groups and locate the rule group that you want to associate with a computer
group.
3. Right-click the rule group that you want to configure, and then pick Associate with
Computer Group to open the properties page for the rule group.
4. On the Computer Groups tab, click Add to view a list of available computer groups.
5. In the Select Item page, click the computer group that you want, and then click OK.
6. Click OK to save your changes and close the properties page.
MOM Community
Work with Alerts 29
Task 6 - Create/modify console scope (MOM Administrator)

Console scopes provide a way to partition operational responsibility within a Management Group
by filtering information for your operations support staff. This partitioning makes it easier for
your support staff to monitor the specific computer groups that they are responsible for.
Use console scopes to associate a set of computer groups with a list of users.
The console scope contains the assigned set of computer groups that the user can access through
either the Operator console or the Web console. These computer groups are used to populate the
list of computers displayed in the Computer Groups list in the console tree. This limits the users
to seeing only those computers that are in the computer groups associated with their console
scope. However, console scopes are not a security mechanism that you can use to limit user
access to computer groups.
When a user opens the Operator console, the console program establishes a connection with the
last MOM Management Server that it was connected to, and accesses the MOM database to
retrieve the console scope that is associated with the user.
MOM provides three console scopes that can be used immediately; the default settings for these
scopes are:
• MOM Administrator Scope - associated with all computer groups.
• MOM Author Scope - associated with all computer groups.
• MOM User Scope - not associated with any computer group.
Best practices
The following best practices are based on customer feedback.
• Map Operator roles and responsibilities to the Computer Group structure; this enables you to
integrate MOM with your existing processes.
• Create console scopes for each section of your IT Operations group that needs to view, and
work with operational data, such as alerts.
You use the Administrator console to create or modify a console scope.
Create a new console scope
1. In the Navigation pane, expand the Administration node.
2. Right-click Console Scopes and pick Create Console Scope to start the Create Console
Scope Wizard. Click Next to begin creating a console scope.
3. Follow the wizard steps to create a console scope.
Modify a console scope
1. In the Navigation pane, expand the Administration node.
MOM Community
2. Click Console Scopes to display the existing console scope in the Details pane.
3. In the Details pane, right-click the name of the scope that you want to modify, and then pick
Properties.
4. Use the General and Users tabs to make the changes that you want, and then click OK to
close the properties dialog box.
Task 7 - Create a new task (MOM Author)

You use the Administrator console to create a new task.
Create a task
1. In the Navigation pane, expand Management Packs.Right-click Tasks, and then pick
Create Task to start the Create Task Wizard.
Note
The task that you create will be saved at the location where
you started the wizard. For example, starting the wizard from
the Microsoft Operations Manager folder (below the Tasks
folder) results in the new task getting stored at that location in
the folder hierarchy.
Tip
When you right-click Tasks you also have the option to create
a folder that you can use for organizing any new tasks that
you create.
2. Follow the wizard steps to create a task.

After you create the task, it will appear in the Operator console Tasks pane, but will only be
active for the View type (Alerts, Events, Computers) that you configured.
Note
If the Operator console was open when the task was created,
you have to refresh the console to see the new task.
Task 8 - Add or modify rule groups and rules (MOM Author)

In addition to modifying any of the existing rules in MOM, you can create new rule groups and
rules. As noted in the “MOM Management Pack” section, consult the Microsoft Operations
Manager 2005 Management Pack Guide before modifying existing rules.
CreateNote
a rule group
Before you can modify existing rules you have to enable
Authoring mode. Authoring mode activates user interface
features in MOM that enable you to create and edit vendor
specific knowledge. Enabling Authoring mode also enables
Looking advanced
for more MOM information?
properties on rules,Experience
groups andthe power
other of customer
items that are communities!
read-only
MOM Community or disabled by default. The Microsoft Operations
Manager 2005 Management Pack Guide provides detailed
information about Authoring mode.
Work with Alerts 31
Create a rule group

1. In the navigation pane, expand Management Packs and click Rule Groups.
2. Expand Rule Groups and navigate to the location where you want to create a rule group.
3. Right-click the folder where you want to create a rule group and pick Create Rule Group to
open the Rule Group properties page.
4. Provide a name and description, and company knowledge, if you want.
5. Click Finish to save the Rule Group. You will be asked if you want to deploy the rules in the
rule group to a group of computers. It is recommended that you do not do this until you have
finished adding rules to the rule group.
Create a rule
1. In the Navigation pane, expand Management Packs and click Rule Groups.
2. Expand Rule Groups and navigate to the rule group where you want to create a rule.
3. Expand the rule group that you have selected and right-click the type of rule that you want to
create (Event Rules, Alert Rules, or Performance Rules).
4. Click Create Event|Alert|Performance Rule to open a rule dialog.
5. Follow the steps in the dialog to create and configure the rule that you want.
Note
If the Operator console was open when the rule was created,
you have to refresh the console to see the new rule.
Task 9 - Customize the Operator Console (MOM User)

Chapter 2, “MOM 2005 Feature Overview”, provided information about the different views, and
the various levels of filtering that an Operator console user can apply. This section builds on this
information to describe how you can customize the console.
Note
The supported number of Operator consoles per management
group is 15.
The default appearance of the Operator console is shown in Figure 3.2. The primary work areas
are labeled.
Figure 3.2 Primary work areas of the Operator console
MOM Community
In Figure 3.2, note that all of the panes are displayed, and a single pane is provided for results.
Also, by default, all of the available toolbars are visible. You can show or hide panes, configure
the display of information in the Results pane, save data in the results pane, and show or hide
toolbars. Use the following procedures to work with panes and toolbars.
Show or hide panes
• On the Menu and toolbar, click View and then select or deselect the check-box of the item
that you want to change. If you hide the Tasks pane, you can use the Tasks button to
show/hide this pane whenever you want.
Use the following procedure to configure the display of information in the Results pane for all of
the views except the Diagram view.
Configure the display of information in the Results pane
1. Right-click within the Results pane,and pick Personalize View to open the Personalize
View dialog box. This dialog displays Available columns: and Displayed columns:, areas
that list the information fields that are available for the view and that are currently displayed
in the view.
MOM Community
Work with Alerts 33
2. To change the order of a field that is displayed, click the field name and click either the
Move Up or Move Down button to move the item.
3. To remove a field that is displayed, click the field name and then click the Remove button.
4. To add a field to the displayed fields, click the field name shown in the Available columns:
list, and then click the Add button.
5. When you have finished customizing the view, click OK to save the results.
When you are working with items in the Results pane, you can copy all of the information that is
displayed for an item and save it as a text file.
To copy and save information displayed in the results pane
1. In the Results pane, click the name of the view item that you want to save.
2. Right-click the item and then click Copy Formatted Data.
3. Create a new file using any text editor and paste the data that you copied into the file.
Note
You can bulk-select items in the Results pane and copy
everything that you selected.
Show or hide toolbars

1. On the Menu and toolbar, click View and then pick Toolbars. Select or deselect the check-
box for the toolbar that you want to show or hide.
Note
Referring to Figure 3.2:
• The State Indicators toolbar consists of buttons A, B, and
C, which are health indicators. (A = Critical, B = Warning,
and C = Successful)
• The View toolbar consists of buttons D, E, and F. (D = Alert
View Properties, E = Personalize View, and F = Edit view
time filter)
2. An option that IT staff may want to use is the multi-pane capability of the Operator console.
This option is illustrated in Figure 3.3.
Figure 3.3 Customized Operator console
MOM Community
Using Figure 3.2 as a reference, follow these steps to create the three-pane view illustrated in
Figure 3.3.
Enable multiple Results panes
1. In the Menu and Command bar, click File and then pick Console Settings to open the
Console Settings dialog box.
2. At the View pane configuration: prompt, use the list box and select three panes.
3. Click OK to save the configuration.
There are now three results panes shown in the console, with the top one pre-selected for the
Alerts view.
Associate a view with a Results pane
1. Click the pane below the Alerts results pane and click the Computers and Groups
navigation button to associate that view with the second pane.
MOM Community
Work with Alerts 35
2. Click the pane below the Alerts results pane and click the Computers and Groups
navigation button to associate that view with the second pane.
3. Click the pane below the Computers results pane and click the State navigation button to
associate the State view with this active pane.
4. Click View on the Menu and Command bar; clear the check-box beside the Navigation
pane and the Tasks pane to hide these views.
5. Click File on the Menu and Command bar and then click Save As to save the current
Operator console configuration. The console is saved as an .omc file using the name that you
provide. Operators can create and save multiple custom consoles that they can either use
individually, or share.
In addition to the views that are provided, an Operator console user can create private or public
views.
All of the predefined views provided with MOM are public, and are created and populated by the
Management Packs that are installed. If a view is created in the Public Views folder, it is visible
to anyone who uses the Operator console. Private views must be created in the My Views folder,
and are only seen by the Operator who created the view. The following procedure for creating a
view can be used for creating a view for either the Public Views or My Views folders.
Create a view
1. Click the My Views navigation button to show the contents of the folder in the Navigation
pane.
2. In the Navigation pane, click All My Views and pick New. You have the option of creating
a new folder or picking the type of view that you want to create. If you plan to have many
views, it is recommended that you use folders to organize the views that you create.
3. Pick the type of view that you want to create to open a Create New - [View Type] dialog.
4. Use the dialog to create the new view.
Note
The MOM online Help provides detailed information about
criteria that are available for defining the different types of
views.
Work with Alerts

The Operator console is the primary interface for working with managed computers. Anyone
using this console can obtain different types of information about the computers that they
MOM Community
manage, resolve alerts, perform diagnostics, and run tasks against selected computers — within
the boundaries of the console scope that they are using.
Web Console Notes

As noted in Chapter 2 of this guide, the Web console provides the following subset of Operator
console views: Alerts, Computers, and Events. It does not provide the capability of running
predefined tasks against a managed computer.
Another important difference between the consoles is view filtering. A Web console user can
filter any of the views, but this information is not retained after the user navigates away from the
view.
You can configure the Web console to be Read-only by using the following procedure.
Configure Web console as Read-only
1. On the server where the console is installed, open the %INSTALLDRIVE%\Program
Files\Microsoft Operations Manager 2005\WebConsole\Web.config file in a text editor.
2. Locate this tag: <appSettings>
3. Remove the comment markers to enable addkey=”Readonly” value=”true”.
4. Save and close the file.
5. Stop and restart the Microsoft Operations Manager 2005 Web console application in the
Internet Information Services snap-in.
Operational data processing cycle

Managed computers are continuously sending data to the Management Server. Event,
performance, alert and discovery data originates on the managed computer. Although the internal
processing of each type of data is different, the data flow is the same.
Figure 3.4 illustrates how an alert is handled and processed by an operator. In this example, a
WMI event indicating high queue length on an Exchange server provides the starting point in the
process.
Figure 3.4 Alert processing cycle
MOM Community
Work with Alerts 37
Referring to Figure 3.4:

• The process described occurs, regardless of how MOM is deployed. For example,
communications between the DAS and the database is the same when the MOM Database
and MOM Management Server are installed on the same computer, or on different
computers.
• Given the steps in process, the display of new information in the Operator console is almost
real time, rather than actual real time. The refresh rate, especially for events, is directly
related to the size of the operational database and the refresh rate that is configured for the
Operator console.
MOM Community
• There are several points where latency can occur and where data transfer can be interrupted;
namely: between the agent and the Management Server, and between the Management
Server and the operational database. See also: Monitor MOM Components.
Important
Latency and potential disruption in the data flow are important
considerations for configuring high-service availability and
performance tuning.
The Alerts View

This section covers the following aspects of working with an alert:
• Obtaining information about an alert.
• Setting the alert resolution state.
• Adding comments to the Alert Details.
• Using maintenance mode.
• Running diagnostic tasks.
Service Level Exceptions
This is a subset of the Alerts view that is used to flag alerts that have exceeded a predefined
service level for the computer that is being monitored. You can change these settings by opening
the properties page for an alert view, and editing the settings. In order to change the default
settings you have to create a custom service level exception.
To create a custom service level exception
1. In the Alert View, click Service Level Exceptions.
2. In the Results pane, right-click the alert displayed as a service level exception to open the
alert property page.
3. Click the Criteria tab to display the View description.
4. The phrase that begins with “and that violated” will contain the phrase “default company” as
an active link. Click the link to open the Service Level Exception property page.
5. Click the radio button beside Custom service level agreement to display a list of service
level options.
6. Each of the service level options in the list contains minute, hour, or day settings displayed
as an active link. To change a setting, click the appropriate link to open the Service Level
Agreement property page.
7. Change the setting and click OK to return to the Service Level Exception property page.
MOM Community
Work with Alerts 39
8. When you finish configuring the custom service level exception, click OK.
View Alert summary

If the Alerts view is not active in the Results pane, click the Alerts navigation button. The
columns in Table 3.7 are displayed by default for each alert.
Table 3.7 Columns displayed for an alert
Column name Description
Severity Indicates the severity of the alert,
such as Service Unavailable or
Success.
Maintenance Mode Indicates whether the alert is in
maintenance mode.
Domain Specifies the domain to which the
computer belongs.
Computer Specifies the computer on which an
agent generated the alert.
Time Last Modified Specifies the date and time that the
alert was last changed.
Resolution State Indicates the status of the resolution
process of the alert, such as New or
Resolved. The resolution state
indicates whether the resolution
process has begun.
Time in State Specifies the amount of time that the
alert has been in the current
resolution state.
Problem State Indicates what problem state the
alert is in.
Repeat Count Specifies the number of identical
duplicate alerts that this instance
represents.
Name Specifies the name of the rule that
generated the alert.
Source Indicates where the alert was
generated, for example, from MOM,
or a specific server.
MOM Community
Ticket Id Specifies the ticket ID assigned to

the alert.
Owner Specifies the person responsible for
tracking and resolving the alert
Note
The enabled columns only display data that is available. For
example, if an Owner is not assigned to the alert, no
information is displayed.
View Alert details

To view the details for an alert, click the alert in the Results pane.
After a specific alert is selected, the tabbed view, illustrated in Figure 3.3,
is dynamically generated for the alert. The following tabs are provided.
See also: Alert View Sample.
Properties
Describes the alert and provides additional details, such as the Alert Id and the rule that generated
the alert. From this tab you can:
• Copy all or some of the information and paste it into a text file.
• Print the information.
• Disable the rule that generated the alert.
To undertake any of the preceding tasks, right-click anywhere in the display area and pick the
action that you want to perform.
Custom Properties
Enables the user to provide additional information about the alert, including:
• The alert owner
• The ticket ID
MOM Community
Work with Alerts 41
Note
This information can be generated programmatically by
integrating a ticketing system with MOM 2005. For guidance
on ticketing solutions, refer to the “Autoticketing Solution”
described in Chapter 8 of this guide.
• Custom Fields (5) for adding information that can be used by other users in the IT support
group.
Events
Provides the following summary information about the event that generated the alert: Type
(Information, Error or Warning), Time, Source Computer, Provider Type, Provider Name, and
Source.
To view more information about the event, right-click anywhere in the display area and pick
View Events.
Product Knowledge
Displays the appropriate Management Pack knowledge for the alert.
To view the knowledge in the browser window, click the View button.
Company Knowledge
Depending on the console scope, enables the user to view, copy, print, or add to the company
knowledge base.
If the user is a member of the MOM Authors or MOM Administrators groups, they can click Edit
to open a text editor and create knowledge for the alert.
Note
When changes are made to the company knowledge, these
changes are not tracked in the alert history.
History
Displays summary information about the history of the alert, such as the management group it
was created in and the notification group.
A user can add comments to the alert history by clicking the Append button to open the Alert
History dialog box.
MOM Community
Alert view sample

The following sample is typical, and represents the type of information that you can obtain in the
Details pane of an Alert.
Properties Tab
Error Alert
Description:
The host process host process for script responses (3036) will be restarted
because it is using 20480 more bytes than its limit of 104857600. To adjust this
limit, edit the Software\Mission Critical
Software\OnePoint\MaxScriptHostPrivateBytes registry key.
Management Group: MG2749 Name: The MOM Host process was consuming too much memory
and will be terminated
Severity: Error
Resolution State: New
Domain: SMX
Computer: WOW406D
Time of First Event: 11/23/2004 5:52:00 PM
Time of Last Event: 11/23/2004 5:52:00 PM
Alert latency: 0 sec
Problem State: Investigate
Repeat Count: 0
Age:
Source: Microsoft Operations Manager
Alert Id: 618b8e08-7e14-4778-87f6-d4ed5eeea89e
Rule (enabled): Microsoft Operations Manager\Operations Manager 2005\Agents on
all MOM roles\The MOM Host process was consuming too much memory and will be
terminated
Product Knowledge Tab
Related Knowledge
MOM OnlineManagement Pack
Summary
The Action Account (MOMHost.exe) process was consuming too much RAM (physical)
memory and was restarted by MOM. The MOMHost.exe process is run under the agent
Action Account and is used to gather information about, and perform actions on,
the managed computer.
This restart might signify a problem with the managed computer, especially if the
host process is restarted often, this might indicate a problem with the managed
computer.
Causes
This could be caused by any of the following:
The amount of memory allotted to the process is too small and needs to be
increased.
MOM Community
Work with Alerts 43
The host process is running too many tasks or is gathering data form too many
providers at one time.
The host process is running scripts that are not freeing resources.
Resolutions
To troubleshoot and fix this problem:
1. Make sure that the managed computer is not low on resources.
2. If the managed computer rarely uses more than 70% of its RAM memory, you can
increase the amount of memory allotted to the MOMHost.exe process.
To increase or decrease the amount of memory allotted to the MOMHost.exe process:
In Regedit.exe (or some similar Registry editor), change the following registry
key:
HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint
MaxDefaultHostPrivateBytes REG_DWORD <bytes>
NOTE - the default setting for this key value is 0x6400000 (100MB).
3. Continue to monitor the process by looking for this alert. If you see this
alert for the host process on a specific computer and you have already increased
the memory allocation, consider enabling tracing for the computer.
To enable or disable tracing for a specific agent:
In Regedit.exe (or some similar Registry editor), change the following registry
key:
HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software
TraceLevel REG_DWORD = 1 - 6
-1 = disabled (default)
0-2 = error level tracing only
3-5 = error and warning level tracing only
6 = error, warning and information level tracing
NOTE - Setting the registry key value to 4 or higher will affect the performance
of the MOM Service on the managed computer.
Set Alert Resolution State

When an alert is first received, its Resolution State is automatically set to New. Support staff can
change this state, as appropriate.
Set alert resolution state
1. In the Results pane, click the alert that you want to set a resolution state for.
Tip
If there are multiple alerts that originate from a single
computer, you can bulk-select the alerts and set a resolution
state for all of them.
2. Right-click and then pick Set Alert Resolution State.
MOM Community
3. Click the state that you want, on the list that is provided, to set the state for the alert.
Note
Some alerts will automatically be resolved when the alert
state changes, or might get removed from the operational
database during database grooming.
Use Maintenance Mode

Maintenance mode provides a means of stopping the insertion of alerts in the operational
database. This mode does not take the computer that is generating alerts offline; maintenance
mode only instructs the Management Server to set all new, incoming alerts from the computer to
Resolved. As a result, the new alerts are not included in health calculations, and responses are
not run on the Management Server.
Put a computer in maintenance mode
1. In the Results pane, click the alert for the computer that you want to put in maintenance
mode.
2. Right-click the alert that you select and pick Put Computer in Maintenance Mode to open
the Maintenance Mode property page.
3. You can provide a reason for putting the computer in maintenance mode, adjust the time the
computer is in maintenance mode (the default is 20 minutes), or you can specify an ending
date and time for maintenance mode.
Note
It is recommended that you do not use a time interval of less
than 5 minutes for maintenance mode. Due to timing cycles,
the Management Server can keep a computer in maintenance
mode for a minimum of 5 minutes.
4. Click OK to close the property page and put the computer in maintenance mode.
Tip
The Microsoft Operations Manager 2005 SDK contains a
sample that shows how to put a computer in maintenance
mode, programmatically.
Run tasks
The tasks that are provided in the Operator console enable an operator, depending on their
console scope, to run preliminary diagnostics to determine the cause of a problem. Table 3.8
summarizes all of the tasks that are provided with MOM 2005.
MOM Community
Work with Alerts 45
The availability of a task to an Operator console user is determined by:

• The console scope that they are using.
• The computer group filter that they are using.
Run a task
• In the Tasks pane, click the task name or right-click the task name and pick Run.
Table 3.8 Available tasks in Operator console
Name Description
Computer Management Opens the Computer Management
snap-in on a specified computer.
Event Viewer Opens the Event Viewer for a
specified computer.
IP Configuration Runs the ipconfig command against
a specified computer.
Ping Runs the ping command against a
specified computer.
Remote Desktop Opens a Remote Desktop session to
a specified computer.
Start MOM 2005 Service Starts the local MOM service
Stop MOM 2005 Service Stops the local MOM service
Test end-to-end monitoring Creates an event on a managed
computer to test the end-to-end
monitoring of the MOM system.
MOM Community
Note
Tasks that are not available to the current scope will either
have the Run option grayed out, or else nothing happens
when you click the task name.
Tasks that require a higher level of privilege will display an
“Access is denied” error message when you run them. In some
cases, you may have to look at the Task Status view to obtain
this information.
Notes on other Views

The Alerts view may be the primary view used by IT support staff, but the other views provide a
means for isolating a problem, as well as meeting the information requirements of different users.
The following table adds to the information already provided in Chapter 2 of this guide.
Table 3.9 Summary of Operator console views
Personalize Link to other Enable/disabl Comments
views e
View
maintenance
mode
State Y Y Y Aggregates
information
about alerts
and
associated
entities to
display the
state (health)
of a computer
group. See:
State Icons,
State Alert,
State Rollup
Events Y Y Y See: Time
Filtering.
Performance Y N N See:
Performance
data view
Computers Y Y Y
and Groups
Diagram N Y - Computer N See: Diagram
MOM Community
Work with Alerts 47
groups View
State Icons
When an agent heartbeat has a Service Unavailable error for a computer, every state icon for the
other roles (for example, Exchange Server and Active Directory) associated the other are suspect,
and are visually depicted as gray line icons that are identical representations of the full color
ones. For example, the gray circle-x is interpreted as follows: the last known state for this role is
critical error, but since the agent is either not heart-beating, or the agent is flagged as service
unavailable, the data for the other role is suspect.
Until the MOM agent is up again, and heart-beating normally, the gray versions of the state icons
will remain. When the agent is OK again, the icons will return to the colored versions. The logic
is that, since the agent performs the communication, if it is down, information that it
communicates is also suspect.
State Alert
MOM 2005 provides an alert named the state alert. This alert has two problem state values:
Active and Inactive. Each of this states handle rule response processing differently.
For example:
When % Processor time crosses a specified threshold, an alert is created with a problem state of
Active, and any specified responses are run. If the counter drops below the threshold, another
alert with a problem state of Inactive is created; however, none of the responses specified for the
rule are run.
State Rollup
The state of a computer group is based on a roll-up policy, which can be configured by MOM
authors using the State Roll-up Policy tab of the Computer Group property sheet.
Authors have three possible roll-up polices that they can define for their computer groups. These
include:
• Most Severe of any Server
This policy indicates that the state of the computer group will be equal to the most severe
state of any one of the members of the computer group.
• Most Severe of the Healthiest X % of Servers
This policy indicates that the state of the computer group will be equal to the most severe
state of some % of the healthiest servers.
Example: A computer group with 10 members has a policy set to 50%. If 5 have Warning
states, and 5 have Service Unavailable states, then the state of the computer group would be
Warning.
MOM Community
• Least Severe of any Server

This policy indicates that the state of the computer group will be equal to the least severe
state of any one of the members of the computer group.
Important
At times, the state view in the Operator console gets out of
synchronization with the database. Some of the reasons for
this are:
• Queues get full (because a block of data from an agent
will get inserted to server queue at same time, and likely
get processed at same time).
• The MOM server goes down, causing the agents to
failover. (One server might have the red alerts for an
agent; another might get the green alerts. Because the
server was rebooted, alerts get inserted out of order).
• The operational database is unavailable.
The best work-around is to resolve the alert.
Time Filtering
Time filtering is a mechanism for determining how many days worth of information you want to
see in the Results pane for the Alerts and Events views. The default setting is seven days, but you
may want to consider changing this because:
• In the case of alerts, the actual number of active alerts may appear to be higher than it
actually is.
• In the case of events, which generate more data than alerts, viewing response time is affected
by the number of days of data that has to be retrieved from the database and displayed in the
console.
To change the time filter
1. On the Menu and toolbar, click the Edit view time filter button to open the View Date and
Time Filter property page. (This button is labeled “F” in Figure 3.3).
2. By default, Alert and Event data is set to be displayed for within the last seven days.
• You can change the number of days by typing in a lower value. You can also use the list
box to select hours, minutes or seconds.
• Another option is to specify a time range. To do so, click the radio button beside Within
the time range, and set the After or Before date and time.
3. When you finish configuring the time filter, click OK.
MOM Community
Work with Alerts 49
Performance data view

Rather than selecting a computer, picking counters, and then drawing a graph, you can use the
Performance Data view to identify specific counters for a computer.
Use the following procedure to create this view. When you are finished, save it in All My Views
or Public Views.
Create performance data view
1. Click the My Views navigation button.
2. In the Navigation pane, right-click My Views, click New and then select Performance
Data View.
3. In the Create View - Performance Data View dialog, identify the type of performance data
view that you want to create.
4. When you select an item (step 3), the corresponding View description: area displays the
description with hyperlinks that you will use later. Click Next to continue.
5. Click the box beside each type of performance data that you want to include (for example,
for specified counter, measured on specified computer.) When you select an item, a
hyperlink is displayed in the corresponding View description (click the underlined value
to edit): input area.
6. Click each hyperlink to open a dialog box and provide the required information. Click Next
to continue.
7. Type a View name and Description for the view, and then click Finish.
Tip
Expand the Performance Views navigation tree to include
Agent Performance. You can use the Performance Data
views that are already constructed as a model for creating
your own views.
Diagram View
The diagram view provides an ideal visual representation, complete with state indicators, of a
MOM computer group. You can use the Group: list in the Menu and toolbar to diagram specific
computer groups that are provided for the console scope that you are using.
If more than one object is shown on the screen, you can arrange the layout by clicking an object
and dragging it to a new location. If you want to reset the diagram layout to the default layout,
click the Relayout diagram button in the Menu and toolbar area of the console.
Exporting the View
MOM Community
You can export the diagram view and save it as a Visio drawing (.vdx) file.
Export the current diagram
1. With Diagram as the active view, click the Export to Microsoft Visio button in the Menu
and toolbar area of the console. This opens the Save diagram as a Visio .VDX file property
page.
2. Navigate to the location where you want to save the file, provide a filename, and then click
Save.
Background Images
Background images are not provided for the diagram view. In order to add a background image,
you must be a member of MOM Administrators, and must provide the image. The recommended
image size is 640 x 480 pixels. Image quality and distortion will vary depending on how much
you zoom in or out.
Note
A management group can only have one image displayed for
it.
Add background image

1. Open the Operator console as a member of the MOM Administrators group.
2. Click the Diagram navigation button.
3. Right-click anywhere on the diagram and click Diagram View Properties to open the
properties page for the view.
4. In Diagram View Properties, click the Diagram Settings tab.
5. Click the Background Images button to open the Diagram Background Images property
page.
6. Click Add to locate and specify the image that you want to add.
7. After you finish adding images, you can use any of the selected images as a background
image for the diagram view.
Monitoring MOM
The section provides guidance for:
• Monitoring the various MOM components and MOM processing activities.
MOM Community
Work with Alerts 51
• Monitoring Windows service availability.

• Monitoring communications and access.
• Safeguarding operational data.
• Monitoring performance.
• Job failures and other error conditions.
The monitoring topics in this chapter are based on the MOM deployment scenario referred to, at
the beginning of this chapter, and illustrated in Figure 3.5.
Figure 3.5 MOM deployment scenario
MOM Community
Referring to the callouts in Figure 3.5:

• At the agent level (Agent 1, Agent n), the monitoring focus is on the remote agent.
• At the Management Server level (MS01, MS02), the monitoring focus is on the DAS, the
local agent, and IIS-- if the Web console is installed on the Management Server.
• For the operational database (DB01), the monitoring focus is on the remote agent and
SQL Server.
MOM Community
Work with Alerts 53
• For MOM Reporting (DB02), the monitoring focus is on the remote agent, the reporting
server, the reporting database, SQL Server, SQL Reporting Services, and IIS.
• In some cases, denoted by an asterisk (*), it is recommended that additional Management
Packs are installed to enable more in depth monitoring of a server.
The MOM deployment in your organization may not be as distributed as the one in Figure 3.5,
but as indicated in the “Operational data processing cycle” section, every MOM deployment has
to collect data from a managed computer, send the data that is collected to a Management Server,
and store data in the operational database.
At a minimum, a MOM deployment will have:
• Agent-managed or agentless managed computers
• A Management Server
• An operational database
In the topics that follow, use the information and guidance that is applicable to your MOM
deployment.
The Agents
The process of managing computers may require the installation and, in some instances, the
removal of agents after the initial deployment. The frequency and extent of this activity depends
on the size, distribution, and dynamics of the IT infrastructure.
Agent deployment
Agents are installed when:
• An existing computer discovery rule is run and new computers are discovered.
• The administrator creates and runs a discovery rule or uses the Install/Uninstall Agents
Wizard.
Agents are uninstalled when:
• An agent-managed computer no longer matches a computer discovery rule.
MOM Community
Note
By default, the Management Server will wait 48 hours before
automatically uninstalling an agent.
• An administrator uses the Uninstall Agents option for an agent-managed computer to

immediately uninstall an agent, or the administrator can use the Install/Uninstall Agents
Wizard to remove agents.
Tip
Use bulk-select on managed computers to uninstall agents,
update agent settings, or run attribute discovery.
Because a healthy MOM system depends on successfully installed agents, it is important to

verify that agents are being successfully discovered, installed, and configured. Monitoring for
successful installation includes verifying that:
• Computer discovery completed successfully.
• The computers identified by computer discovery rules have been discovered and agents are
installed.
• Agents are sending a heartbeat.
Tip
At times, agent configuration data gets corrupted or the agent
simply disappears from a computer. Use the Agent Helper tool
in the MOM 2005 Resource Kit to troubleshoot and correct this
situation.
• Agents belong to the appropriate computer groups.

• Agents have received processing rules, and are sending event, alert, and performance data.
Note
The items identified for verifying successful agent installations
should also be monitored daily, on an ongoing basis, to ensure
that your agents are healthy.
You can use the Administrator console to verify discovery and deployment. First, if you use the
wizard to install agents, use the following procedure.
MOM Community
Work with Alerts 55
Verify computer discovery in the Administrator console - Wizard task

progress
1. Use the Install/Uninstall Agents Wizard to identify computers and install agents.
2. Monitor the progress, and final status, of the deployment in the Microsoft Operations
Manager Task Progress page.
3. When the deployment is finished, click the Details button to view more information about
the deployment.
In scenarios where a large number of agents are deployed, monitoring the wizard task progress
indicator may not be practical. Use the following procedure to perform a visual check on the
results of your deployment.
Verify computer discovery in the Administrator console - Computers

node
1. After deployment is finished, navigate to the Computers node in the Navigation pane.
2. Click the management type that you selected for the deployment (for example, Agent-
managed) and perform a visual check of the computers listed in the details pane.
Note
When agents are uninstalled from a computer, the computer’s
management state is automatically changed to Unmanaged.
You can also use the views in the Operator console to verify computer discovery and agent
deployment.
First, use the Alerts view to see if any Errors or Critical Errors were generated by discovery
and agent deployment. If there were no errors, and you want to get more information about agent
deployment, use the following procedure to obtain a task status view.
Use the Task Status view to verify discovery and installation
1. Click the Events navigation button.
2. In the navigation pane, expand All: Event Views and click Task Status. All task related
events are displayed in the Results pane and detailed information for each task is shown in
the Details pane.
When agents are not being installed or uninstalled you have to monitor agent configuration and
connectivity on an ongoing basis.
MOM Community
Agent communication and connectivity

Table 3.10 lists the agent configuration and connectivity rules.
Note
There are disabled rules in the MOM Management Pack that
collect these events. These rules can be enabled for
troubleshooting purposes. See also: Enabling Agent
Communication Failure Troubleshooting.
Table 3.10 Agent configuration and connectivity events

Rule/cause of failure Event Id
Agent communication failure 26008, 26009, 26011, 26020, 26021,
troubleshooting events 26022, 26023, 26025, 21217, 21236,
21237, 21248, 21249, 21250, 21292,
22087, 26010, 22088, 26024
Agent communication failures 22085
Agent queue and cache events 21219, 22087, 22088, 21371, 21372,
21375, 21216, 21218, 21219, 21268,
21269, 22061, 21373, 21374
Agent received new rules and 21240, 22152, 21218
configuration
Refused MOM 2000 agent 26005
connections
Tip
The Microsoft Operations Manager 2005 Resource Kit contains
a Microsoft Excel spreadsheet named
“MOMEventMessages.xls” that lists all the MOM 2005 Event
Ids and their descriptions.
The alerts described in Table 3.11 may be generated when there is a configuration or connectivity
issue.
Table 3.11 Agent configuration and connectivity events
Alerts Description
MOM Community
Work with Alerts 57
Agent heartbeat failures Indicates a heartbeat failure on an

agent-managed computer.
Agentless heartbeat failures Indicates a heartbeat failure on an
agentless managed computer.
Agentless management problems Indicates a communication problem
on an agentless managed computer.
Agents without WMI running Lists all active alerts indicating the
WMI service is not running on the
MOM Agent.
Enabling Agent Communication Failure Troubleshooting

You can enable an event rule to assist in troubleshooting agent communication failures. To do so,
use the Administrator console, and follow these steps:
Enable Agent communication failure troubleshooting events
1. In the Navigation pane, expand the Management Packs node to include the Agents on All
MOM Roles folder.
2. In the Navigation pane, click Event Rules.
3. In the Details pane, locate Agent communication failure troubleshooting events.
4. Right-click Agent communication failure troubleshooting events, and then click
Properties.
5. On the General tab, click the check-box beside This rule is enabled to enable the rule, and
then click OK to close the properties page for the rule.
6. Right-click Management Packs and then click Commit Configuration Change.
The Management Server

The MOM Administrator console is the central configuration point for management groups.
There are many ways that you can view and modify settings to assist you in monitoring this
server.
The DAS component on the Management Server relies on proper access to the MOM Database to
store monitoring data from the agents. In scenarios where the MOM Database is installed on a
dedicated server, it is important to watch for the following access issues between the
Management Server and the operational database.
You should monitor for availability first, then performance.
MOM Community
• The MOM service on the Management Server

• The incoming MOM server queue is full. This alert is associated with event 21268.
• The outgoing MOM server queue is full. This alert is associated with events 220061,
220062, and 21269.
• The MOM server loses its connection with the operational database.
Note
In a scenario where the Management Server cannot connect
to the operational database, alert delivery is guaranteed.
However, event and performance data may be lost if the DAS
cannot bulk-insert event and performance data until the
database connection is re-established.
• Other valuable events that you can monitor are listed in Table 3.12.
Table 3.12 Management server events
Rule/cause of failure Event Id
Failed to insert events into the 25101
database.
Unrecoverable database error; the 25102
system will continue processing
events and alerts.
The MOM Server was unable to 25103, 25106, 25107
retrieve data or prepare data for
insertion in the database.
The MOM Server failed to locate any 25105
DAS servers
The MOM Database

MOM can monitor your database servers, and many monitoring tools are available.
Best Practices
In addition to monitoring for access issues, availability, and performance, it is important to
identify job failures and other error conditions. The following guidelines are recommended:
• Install the SQL Server Management Pack.
MOM Community
Work with Alerts 59
• Know your most common events and their pattern, because deviations from this pattern can
provide a key indicator of a potential issue. Use MOM Reporting to obtain this information
on a daily basis. If MOM Reporting is not available, your database support team can query
the database to obtain this information.
Important
As a best practice, do not run reporting queries directly
against the operational database if MOM Reporting is
available. This has a negative impact on MOM Database
performance; which in turn will affect performance on the
Administrator and Operator consoles.
• Know your top event-generating servers, because an anomaly on this list can help isolate
problem servers. If MOM Reporting is not available, your database support team can query
the database to obtain this information
• Ensure that job owners have sufficient rights to run their jobs.
• Set a low threshold for database free space for early notification so you can make
adjustments before you reach the 40 percent mark. This is required to ensure that re-index
jobs finish successfully. Groom your database aggressively.
• Use the SQL Server Maintenance Plan Wizard in SQL Server Enterprise Manager to
reorganize data and index of the OnePoint database, and to check for database integrity. For
more information about these tasks, see Chapter 4, “Maintain”, in this operations guide.
MOM Reporting (MOM Reporting

Server and the Reporting Database)
You can easily monitor the performance of your reporting server by installing a MOM agent on
the server, and then monitoring basic performance metrics, including disk I/O, CPU, and memory
use during peak usage, which requires the installation of the Windows Base Operating System
Management Pack.
Implement the best practices identified for the MOM Database and ensure that the SQL Server
Management Pack is installed.
MOM Community
Note
The Reporting Server DTS job only transfers operational
database records that have been modified more then five
minutes before the DTS job starts.
This means that if an alert is constantly being modified (for
example, in a scenario where the agent keeps sending alerts
and the consolidation number is increasing). If the alert is
updated less than five minutes before the DTS job runs, this
information will not appear in MOM reports.
Monitor SQL Server Reporting Services Activity

In addition to monitoring SQL Server, it is important to monitor reporting activity. You can do
this by extracting data from the execution log for the reporting server and viewing the custom
reports that are provided.
There are two sets of tasks required to enable reports for SQL Server Reporting Services activity:
• Create a SQL Server data base to hold execution log data.
• Publish the custom reports that are provided to the MOM Reporting Server.
After these tasks are finished, the following reports will be available on the reporting server:
• Longest running reports
• Report parameters
• Reports by Month
• Reports by User
• Reports Executed by Day
• Report Size
• Report Success Rate
• Today’s Reports
Create and populate a database for execution log data

To get execution log data, you must run a DTS package that Reporting Services provides, to
extract the data from the execution log and put it into a table structure that you can query. The
internal table in the report server database does not present the data in a format that is accessible
to users. The DTS package resolves this problem by collecting all of the data you need and
putting it into a table structure.
Create the database (RSExecutionLog
MOM Community
Work with Alerts 61
1. On the SQL Reporting Services CD, navigate to this folder:

SQL Server 2000 Reporting Services\Standard|Developer|Enterprise\extras\Execution Log
Sample Reports.
2. On the reporting server, create a folder to contain the package and other files. Use the default
path and create a folder named Reporting Services and a subfolder named ExecutionLog in
the \80\Tools folder. The folder name and path must be exactly as shown: C:\%Program
Files%\Microsoft SQL Server\80\Tools\Reporting Services\ExecutionLog.
Note
If you are using a non-English version of reporting services, or
if you want to use a non-default location, you can specify a
different folder path. If you specify a different path, you must
perform step 2 in the next section, "Extracting Execution Log
Data".
3. Copy the following files from the extras folder on the product CD to the ExecutionLog
folder:
• cleanup.sql
• createtables.sql
• rsexecutionlog_update.dts
• rsexecutionlog_update.ini
4. In Enterprise Manager, create a new database that the DTS package can use as the
destination data source. Use the default name, RSExecutionLog.
5. In Query Analyzer, run createtables.sql to add tables to the database. Be sure to select the
database you created in step 2 before you run the script.
6. Use a text editor to edit rsexecutionlog_update.ini to specify the report server database
(target) and the execution log database (destination).
Populate the RSExecutionLog database
1. In Enterprise Manager, right-click Data Transformation Packages, click Open Package,
navigate to the folder that contains the files, and RSExecutionLog_Update, and then click
OK.
2. (Optional) If you specified a non-default folder in step 1 of the previous section, "Setting
Up", edit the DTS package global variable sConfigINI.
• On the Package menu, click Properties.
• Click Global Variables.
MOM Community
• In sConfigINI, type the full path and file name of the .ini file (for example,
"c:\logfolder\rsexecutionlog_update.ini"), and then click OK.
3. On the Package menu, click Execute to run the DTS package.
Install the custom reports on MOM Reporting

After the database environment is configured you must install the reports that are provided on the
MOM Reporting server. This requires a computer that:
• Has Microsoft Visual Studio, with Report Designer installed.
• Has Write access to the reporting computer.
Publish reports to the reporting server
1. On the SQL Server Reporting Services CD, navigate to \Execution Log Sample Reports.
2. Double-click executionlog.rptproj to open the reporting project in Visual Studio.
3. Use Visual Studio to ensure that the shared datasource, RSExecutionLog.rds references the
SQL reporting server database.
4. After you verify that the database reference is correct, use Visual Studio to deploy the
execution log reports to the reporting server.
Refreshing Execution Log Data

You can run the DTS package, periodically, to get updated information from the execution log.
New log entries are appended to the existing entries. The DTS package does not remove old
entries or historical data. Examples of historical data might include users who no longer run
reports on a report server, computer names that are no longer in service, or reports that no longer
exist.
If you do not want to retain historical data, you can run cleanup.sql to clear out the execution log
database.
The DTS package follows these steps to ensure that entries are not duplicated:
• Determine the end date of the last entry added to the execution log database.
• Open the execution log tables in the report server database, and then find all entries added
after the end date.
• Get the new entries, and get related data from other report server database tables.
• Copy all the data to the execution log database.
MOM Community
Work with Alerts 63
Monitoring Windows Service

Availability
By default, MOM monitors the availability of Windows services. This option is configured in
Agent Properties on the Service Monitoring tab.
Note
Most of the Management Packs for MOM 2005 have rules that
alert on the availability of key application services.
By default, agents check service availability every 20 seconds, and send a report on service
availability every 120 seconds. You can configure how often the agent checks and reports
changes in the status of Windows services. MOM uses the availability data to produce Service
Availability reports. For more information about the impact of changing these settings, refer to
Chapter 7, “Administrator Console Reference”.
Monitoring Communications and

Access
MOM depends on reliable, well-performing communication links between each of the MOM
components to ensure access from one component to another.
For example, the DAS needs to be able to access the operational database in order to insert data
or retrieve data. An access failure could be caused by network communications, or by an
authentication failure.
Note
Authentication issues, typically caused by account and
password changes, are covered in Chapter 4 of this guide.
It is important to look for communications issues on an ongoing basis — throughout the day,
each day. Network communications can be the root cause for many other issues, such as agent
installation, and computer discovery.
MOM Community
Tip
There are several cases in which you might decide not to
collect warnings, performance data, and miscellaneous non-
critical events. These include:
• Deployments across satellite links.
• Large branch office deployments.
• Deployments with very slow WAN links.
• Deployments where alerts are forwarded to a global
network operations center.
• Warnings and informational messages are not needed.
You can create custom computer groups and rule overrides to
reduce operational data volumes.
You can filter events that you do not want to be notified about.
First, you must create a folder to hold the new filter rules, and
then you must add the filter rules.
In addition, you might decide to disable certain performance
data to decrease traffic. After making changes, you need to
commit changes to the system. Exercise extreme caution in
disabling performance counters. For example, several Active
Directory reports do not work if performance monitoring is
disabled.
You can verify access by monitoring the agent heartbeat at regular intervals. Because servers that
host the MOM Database, MOM Management Server have the MOM service installed, these
servers can also be monitored by checking for a regular heartbeat. However, there are additional
access issues that apply to communications between the MOM Database, SQL Server, and MOM
Reporting components.
Heartbeats between managed computers and the Management

Server
Agent-managed and agentless managed computers rely on heartbeat messages between a
managed computer and the Management Server.
Agent -managed computers
By default, agents send a heartbeat to their Management Server every 10 seconds.
The default, heartbeat settings for the Management Server are as follows:
• Scan for agent heartbeats every 30 seconds, the heartbeat check interval.
• If no heartbeat is received from an agent:
MOM Community
Work with Alerts 65
• Attempt to ping the agent 4 times (ping timeout is 500 ms).

• Perform the scan 3 times before generating a Service Unavailable alert.
Agentless managed computers
In the agentless managed scenario, the managed computers cannot send heartbeats to the
Management Server. Instead, the Management Servers ping all of the agentless managed
computers at a regular interval.
Heartbeat Issues
It is possible that one or more heartbeat intervals might be missed because of transient
communication issues. When monitoring for access issues, look for agent computers that have
missed several consecutive heartbeats. The number of consecutive heartbeats that might indicate
that there is an access issue that requires your attention will depend on the variables that affect
your environment, including the following:
• The geographic location of the agent.
• The speed and reliability of network connections.
Variable or slow network speed

Depending on the networks that you are using for communications between Management Servers
and agents, there may be global settings that you need to adjust, in order to ensure that false
communications alerts are not generated. For example:
• Agent configuration requests and agent heartbeat intervals.
• Ping intervals and ping timeouts.
Refer to Chapter 7, “Administrator Console Reference”, for more information about adjusting the
following settings:
• Packet size
• Bandwidth throttling
• Buffering
• Configuration Requests
• Heartbeat intervals
MOM Community
Caution
Do not shorten the heartbeat interval as a method of
monitoring for access or availability issues, because the
increased traffic and data that is generated can adversely
affect the performance of your MOM system.
Calculating Network Line Usage Time

You can calculate network line usage time by using the following values in the formula that is
provided.
Values:
Current BandwidthBytes = Current Bandwidth / 8
Formula:
LineUsage Time = Total Bytes / Current Bandwidth Bytes
Event and alert latency
Event and alert latency is the interval between when an event or alert is generated on an agent
computer, and when the event or alert is logged in the MOM database and appears in the
Operator console. If latency remains within two minutes for 90 percent of events and alerts, this
is within healthy limits. Event and alert latency that exceeds these limits can be caused by the
following:
• Communication between components is slow or unreliable.
Note
Sometimes event latency for the Web server or the FTP server
can be as high as 10 minutes before an event or alert is seen
in the Operator console. This is caused by the way that the
Web and FTP servers cache their log entries. For performance
reasons, these servers do not immediately write out their log
entries, but retain them until a specified number of entries are
accumulated. The only work-around is to stop and restart
these services.
• The MOM database is too large to record events and alerts efficiently.
• The clock on an agent computer or a Management Server is set to a different time than the
clock on the operational database server.
There are thee ways that you can monitor for latency:
MOM Community
Work with Alerts 67
• Analyze individual events or alerts. Compare the time that the event or alert was raised on
the agent computer with the time that it was received in the Operator console.
• Use MOM reporting to generate the Alert Logging Latency report and the Event Logging
Latency report. These reports list average, maximum, and minimum time intervals for event
and alert latencies on an individual computer basis.
• In the Operator console, run the Test End-to-End Monitoring Task against selected agents.
This task generates the output shown in Figure 3.6. Referring to this figure, note that the
Details pane displays the Alert latency (-6 seconds) for this particular test.
Figure 3.6 Results from End-to-End Monitoring Task
MOM Community
Safeguarding Operational Data

Preserving the data that is collected is one of the first things that you need address in a MOM
environment. Assuming that all of the agents are functioning correctly, you need to configure
MOM to handle two potential failure scenarios.
The first scenario is when there is a Management Server failure and the agents cannot send data
to the Management Server.
MOM Community
Work with Alerts 69
Note
The risk of this scenario is mitigated by using two
Management Servers configured for failover, as illustrated in
Figure 3.5. It is recommended that you use this configuration,
if possible.
The second scenario is a situation where the Management Server cannot insert data in the
operation database.
In both scenarios, MOM provides storage buffers, but the buffers on the agents and Management
Server must be correctly configured to handle outages. For more information about configuring
storage buffer sizes, see Chapter 7, “Administrator Console Reference”.
Important
It is recommended that you do not increase the storage buffer
size for Management Servers or agents to above 100 MB.
Storage Buffer Example

In this scenario, there is a single Management Server and 20 agent-managed computers. The
estimated data volume from the agents is 1,150,125 bytes/day from each agent (23,002,500
bytes/day from all agents).
Using the default setting of 30 MB on the Management Server means that the server’s temporary
storage buffer can hold the data from all of the agents for at least one day. After the server’s
buffer is filled, the Management Server will stop accepting data from the agents, and each agent
will start storing data locally. Based on the agent’s default storage setting of 3 MB, each agent
will be able to temporarily hold data locally for 27 days. The following tables summarize the
temporary storage requirements for the Management Server and an agent.
Table 3.13 Management Server temporary storage requirements
Days of storage Data volume
1 23 MB
2 46 MB
4 92 MB
6 138 MB
Table 3.14 Agent temporary storage requirements
MOM Community
Days of storage Data volume

1 1.1 MB
2 2.2 MB
4 4.4 MB
6 6.6 MB
8 8.8 MB
10 11 MB
12 13.2 MB
20 22 MB
25 27.5 MB
30 33 MB
Calculating Temporary Storage Requirements

You can use two formulas for calculating storage buffer sizes for your Management Servers and
agents.
Calculating temporary storage requirements for a Management Server
To calculate temporary storage for incoming data, use the following values in the formula that is
provided.
Values:
• AlertsBytes/Hour = Alerts/Hour * 6000
• EventsBytes/Hour = Events/Hour * 2700
• SNDBytes = SND/Hour * 195
Formula:
Buffer size = ((∑ AlertsBytes/Hour, EventsBytes/Hour, SNDBytes/Hour) * number of managed
computers)
Calculating temporary storage requirements for an agent
To calculate temporary storage for data collected by the agent, use the following values in the
formula that is provided.
Values:
• AlertsBytes/Hour = Alerts/Day * 6000
MOM Community
Work with Alerts 71
• EventsBytes/Hour = Events/Day * 2700

• SNDBytes = SND/Day * 195
Formula:
Buffer size = ((∑ AlertsBytes/Hour, EventsBytes/Hour, SNDBytes/Hour) * number of managed
computers)
Monitoring Performance
This section provides an overview of performance monitoring. Chapter 6, “Optimize”, provides
detailed information and best practices for optimizing and troubleshooting performance issues in
a MOM environment.
Performance Rules
Performance rules are the foundation of monitoring in MOM. It is important to monitor the effect
that performance rules have on your environment. Tune the rules so that the data that is generated
is meaningful, and to ensure that MOM continues to run efficiently. Performance rules that
generate too much data can slow the performance of your network, the Management Server, and
the operational database.
Note
If the operational database grows too quickly, then the
grooming and indexing jobs might not be able to finish when
anticipated. This can result in an unusable database.
When you are monitoring processing rules, the following guidelines are recommended:
• Use MOM reports to review common events and alerts and to review the most common
alerts. Use the information that you capture from these reports to tune processing rules for
your environment.
• Customize the monitoring view of the MOM Operator console to include the Repeat Counts
column. Use this column to watch for alerts with a high repeat count that might be
suppressed by rules.
• Watch for alerts that might indicate a poorly formulated rule. For example, if a processing
rule is generating a disproportionate number of alerts, it probably needs to be tuned.
Monitoring the top alerts can help you identify rules that need to be tuned.
• Watch for indicators that too many events are being generated from one processing rule.
MOM Community
In addition to monitoring the impact of performance rules, it is important to control the

deployment of new Management Packs and rules to keep MOM performance within optimal
limits.
Agent Performance
MOM colllects the following performance counters for agents.
Table 3.15 Agent counters collected per management group
Counter Description
Comm Alert Proc Avg Time Specifies the average time (in milli-
seconds) that an alert spends in the
communicator connector on a MOM
agent.
Comm Alert Proc Inc Rate Specifies the number of alerts that
have arrived at the communicator
connector on a MOM agent between
time T1 and time T2.
Comm Alert Proc Simple Count Specifies the total number of alerts
in the communication connector on a
MOM agent at a particular time.
Comm Alert space percent used Specifies the percent of the alert
communication connector queue in
use. This setting is configurable by
the user. The alert communication
connector queue comprises 1/3 of
the overall agent queue file.
Comm Data Proc Avg Time Specifies the average time (in milli-
seconds) data spends in the
communicator connector on a MOM
agent. Data refers to performance,
events or discovery events.
Comm Data Proc Inc Rate Specifies the incoming rate of data
coming into the communicator
connector on a MOM agent between
Time T1 and Time T2.
Comm Data Proc Simple Count Specifies the total number of alerts
in the communication connector on a
Comm Data Proc percent used Specifies the percent of the data
MOM Community
Work with Alerts 73
communication connector queue

use. This setting is configurable by
the user. The data communication
connector queue comprises 1/3 of
the overall agent queue.
Queue Process Avg Time Specifies the average time (in milli-
seconds) items (data and alerts)
spend in the workflow queue on a
MOM agent.
Queue Process Inc Rate Specifies the incoming rate of items
(data and alerts) into the workflow
queue on a MOM agent between
Time T1 and Time T2.
Queue Process Simple Count Specifies the total number of items
(data and alerts) in the workflow
queue on a MOM agent at a
particular time.
Queue space percent used Specifies the percent of the workflow
queue in use (by data and alerts).
This setting is configurable by the
user. The workflow queue comprises
1/3 of the overall agent queue size.
Resp Exec Avg Time Specifies the average time (in milli-
seconds) a response spends on a
MOM agent. Responses are
launched through rules, and include
scripts and command-line responses.
Resp Exec Inc Rate Specifies the incoming rate of
responses on a MOM agent between
Time T1 and Time T2. Responses are
launched through rules, and include
Resp Exec Simple Count Specifies the total number of
responses being processed on a
Responses are launched through
rules, and include scripts and
command-line responses.
Task Exec Avg Time Specifies the average time (in milli-
MOM Community
seconds) a task requires on a MOM

agent. Tasks are launched by users
in the Operator console.
Task Exec Inc Rate Specifies the incoming rate of tasks
on a MOM agent between Time T1
and Time T2. Tasks are launched by
users in the Operator console.
Task Exec Simple Count Specifies the total number of tasks
being processed on a MOM agent at
a particular time. Tasks are launched
by users using the Operator Console.
Workflow avg time Specifies the average amount of
time (in milli-seconds) items (data
and alerts) spend in the workflow on
a MOM agent.
Workflow inc rate Specifies the incoming rate of items
on a MOM agent between Time T1
and Time T2.
Workflow simple counter Specifies the total number of items
(data and alerts) in the workflow on
a MOM agent at a particular time.
Note
The performance counters in the MOM Management Pack are
designed to give users a quick snapshot of performance on
the various MOM components. For detailed performance
gathering and analysis, it is expected that you would install
additional Management Packs, such as the Windows Base
Operating System and SQL Server. In some instances, it may
be necessary to create and use custom counters for tuning
and optimization.
MOM Management Server and MOM Database server

performance
The performance of the MOM Management Server and the MOM Database server are critical to
monitoring your environment. A good monitoring strategy for the Management and database
servers includes monitoring for thresholds and creating custom views to monitor other
performance counters.
MOM Community
Work with Alerts 75
MOM Management Server performance

The performance of the Management Server is affected by:
• The number of agents that the Management Server is responsible for.
• The volume of data that is collected from the agents.
MOM provides the following performance counters for Management Servers.
Table 3.16 Management Server counters per management group
Counter Description
DB Alert Insert Avg Time Specifies the average time (in milli-
seconds) that alerts take to be
inserted into the MOM Database.
DB Alert Insert Inc Rate Specifies the incoming rate of alerts
that are to be inserted into the MOM
Database between Time T1 and Time
T2.
DB Alert Insert simple count Specifies the total number of alerts
that are being inserted into the MOM
Database at a particular time.
DB disc insert avg time Specifies the average time (in milli-
seconds) that discovery data takes
to be inserted into the MOM
Database.
DB disc insert inc rate Specifies the incoming rate of
discovery data items that are to be
inserted into the MOM Database
between Time T1 and Time T2.
DB disc insert simple count Specifies the total number of
discovery data items that are being
inserted into the MOM Database at a
particular time.
DB event Insert Avg Time Specifies the average time (in milli-
seconds) that events take to be
inserted into the MOM Database.
DB event Insert Inc Rate Specifies the incoming rate of events
that are to be inserted into the MOM
Database between Time T1 and Time
T2.
MOM Community
DB event Insert simple count Specifies the total number of events

that are being inserted into the MOM
Database at a particular time.
DB perf insert avg time Specifies the average time (in milli-
seconds) that performance items
take to be inserted into the MOM
Database.
DB perf insert inc rate Specifies the incoming rate of
performance items that are to be
inserted into the MOM Database
DB perf insert simple count Specifies the total number of
performance items that are being
inserted into the MOM Database at a
particular time.
Queue Process Avg Time Specifies the average time (in milli-
spend in the workflow queue on a
MOM Management Server.
Queue Process Inc Rate Specifies the incoming rate of items
queue on a MOM Management
Server between Time T1 and Time
T2.
Queue Process Simple Count Specifies the total number of items
(data and alerts) in the workflow
queue on a MOM Management
Server at a particular instance in
time.
Queue Space Percent used Specifies the percent of the workflow
queue in use (by data and alerts).
This setting is configurable by the
user, and comprises 100% of the
overall server queue.
Resp Exec Avg Time Specifies the average time (in milli-
seconds) a response requires on a
MOM Management Server.
Responses are launched through
rules and include scripts and
MOM Community
Work with Alerts 77
Resp Exec Inc Rate Specifies the incoming rate of
responses on a MOM Management
Server between Time T1 and Time
T2. Responses are launched through
rules and include scripts and
Resp Exec Simple Count Specifies the total number of
responses being processed on a
MOM Management Server at a
particular time. Responses are
launched through rules and include
Task Exec Avg Time Specifies the average time (in milli-
seconds) a task requires on a MOM
server. Tasks are launched by users
using the Operator console.
Task Exec Inc Rate Specifies the incoming rate of tasks
on a MOM Management Server
Tasks are launched by users in the
Operator console.
Task Exec Simple Count Specifies the total number of tasks
being processed on a MOM
Management Server at a particular
time. Tasks are launched by users in
the Operator console.
Workflow avg time Specifies the average time (in milli-
spend in the workflow on a MOM
Management Server.
Workflow inc rate Specifies the incoming rate of items
on a MOM Management Server
Workflow simple counter Specifies the total number of items
(data and alerts) in the workflow on
a MOM Management Server at a
particular time.
MOM Community
It is important to monitor CPU and memory utilization on the Management Server to ensure
efficient MOM operations, and also to determine when the agent load needs to be redistributed
among other Management Servers. The MOM Management Pack provides numerous
performance counters for tracking Management Server performance, such as Raw Bytes
Received/Transmitted, and Total Connections. You should also use other performance counters
that the MOM Management Pack provides, such as Server Queue Spaced Used and Server Total
Connections, It is recommended that you leverage the performance counters provided by the
Windows Base Operating System Management Pack, which was summarized earlier in this
chapter.
It is recommended that you do not exceed the maximum supported levels for the number of
agents per Management Server or management group, as noted in the following table.
Table 3.17 Support limits for MOM components
Item Limit
Agent-managed 4000
computers/Management Group
Managed computers/Management 2000
Server
Management Servers/Management 10
Group
Agentless Managed 60
Computers/Management Group 1
Agentless Managed 10
Computers/Management Server
MOM Database 30 GB
MOM Reporting Database 1 Terabyte
1 In mixed-mode environments, where you have agent -managed and agentless
managed computers, support limits are variable.
MOM Database performance
The performance of the MOM database server is affected by:
• The size of the database.
• The efficiency of the grooming and indexing jobs.
• The amount of free disk space that is available.
• The volume and rate of the data that is being added to the database.
• The rate of communication between the database server and other MOM components.
MOM Community
Work with Alerts 79
• Other databases installed on the same server.

In addition to watching the size of the database, you need to monitor the efficiency of the
grooming and indexing jobs. If the time that is required for these jobs to complete increases, then
the performance and integrity of the database will eventually be compromised. Evaluate the need
for more aggressive grooming. It is also important to monitor the amount of free space in the
database. If the amount of free space falls below 40 percent, the database can become unstable
and will eventually be unusable.
It is important to watch the data traffic to and from the database server. Ensure that the rate and
volume of data that is communicated does not present a performance problem. It might be
necessary to optimize processing rules to keep the database server performance within healthy
limits.
MOM provides the following performance counters for graphing operational database
performance:
• Database Alert Insertion Incoming Rate
• Database Average Alert Insertion Time
• Database Average Discovery Data Insertion Time
• Database Average Event Insertion Time
• Database Average Performance Data Insertion Time
• Database Discovery Data Insertion Incoming Rate
• Database Event Insertion Incoming Rate
• Database Performance Data Insertion Incoming Rate
• Operational Database Free Space
Establishing and monitoring thresholds
The key to monitoring these components is to establish appropriate thresholds for the variables
on these servers that affect their performance, and then to monitor for these thresholds. Identify
thresholds for:
• Processor use.
• Memory use.
• Page fault rate.
• Network adapter use.
On the MOM database server, monitor thresholds for:
• Disk I/O queue length.
MOM Community
• SQL Server performance metrics.

• Database size and free space.
• Time required for grooming and indexing the database.
On the MOM Management server, monitor thresholds for:
• Server queue space percent used
• Server total connections
After you have established normal thresholds for these elements, configure processing rules to
alert you when these thresholds are exceeded.
Job Failures and Other Error

Conditions
It is important to identify job failures and other error conditions. It is recommended that you
monitor:
• Database grooming.
• Database indexing on the operational database and the reporting database.
• The DTS job used to copy data from the operational database to the reporting database.
Important
If you are running the Reporting DTS job, and you have
timeouts with this Event text:
"System.Data.SqlClient.SqlException: Timeout expired. The
timeout period elapsed prior to completion of the operation or
the server is not responding."
You need to get and install this hotfix:
http://support.microsoft.com/default.aspx?scid=kb;en-
us;821415
Using Tracing and Log Files

For debugging purposes, you can enable tracing and generate log files. The following trace levels
can be set in the registry:
• 0 - Error
MOM Community
Work with Alerts 81
• 3 - Warning
• 6 - Info
• 9 - Debug
Caution
Trace levels 6 and 9 will impact performance. Make sure that
you disable these trace levels after you’ve generated the log
files.
Enable trace levels

1. Click Start, and then click Run.
2. Type regedit.
3. In the registry, navigate to HKEY_LOCAL_MACHINE\Software\Mission Critical
Software.
4. In the Details pane right-click TraceLevel and pick Modify.
5. Enter the trace level that you want to use, save your changes, and then close the registry
editor.
Log file locations

Trace files and log files are found in several locations:
• On the agent and server computer, in the "%temp%\Microsoft Operations Manager" folder,
you may find such trace files as MsiExec.mc8, mmc.mc8, MOMService*.mc8 and
MOMHost*.mc8 files.
• On server computers, in "%ProgramFiles%\Microsoft Operations Manager
2004\AgentLogs" and “%temp%\Microsoft Operations Manager” as mentioned above and in
“%Windir%\Temp\Microsoft Operations Manager”.
• Some *.mc8 trace logs, like MOMAgentPerformanceHost*.mc8,
MOMAgentScriptHost*.mc8, MOMHost*.mc8 and MOMService*.mc8 files, are in the
“%Windir%\Temp\Microsoft Operations Manager” directory.
• MomService*.log is in the “%Windir%\Temp\Microsoft Operations Manager”.
• Administrator console log files are located in %temp%\Microsoft Operations Manager”.
MOM Community
Tip
It is recommended that you use the MOM Trace Log Viewer
provided in the MOM 2005 Resource Kit to view the contents
of trace log files.
Additional Resources
For the latest information about MOM, see the MOM Web site at
http://go.microsoft.com/fwlink/?linkid=6727.
To access the MOM core product documentation on the Web, see to the Technical Resources
section of the MOM Web site at http://go.microsoft.com/fwlink/?LinkId=8943.
MOM Community

3 Monitor2005

Caricato da

Informazioni sul documento

Descrizione originale:

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

3 Monitor2005

Caricato da

Copyright:

Formati disponibili

Microsoft

Before You Begin

The role of the IT Staff

How monitoring is used

• Performance: performance counters within acceptable parameters.

The role of Management Packs

The MOM Management Pack

• Disable the original rule.

Additional Management Packs

Table 3.1 MOM 2005 Management Pack

• Large number of legacy connections refused

Table 3.2 Windows Base Operating System Management Pack

• Duplicate network names

Table 3.3 SQL Server Management Pack

Replication monitoring • Monitors the health of SQL Server

Table 3.4 IIS Management Pack

Table 3.5 MBSA Management Pack

Services vulnerabilities directories are installed

• SQL Server or MSDE service

Table 3.6 Windows Server Clusters Management Pack

Configure the Monitoring

Task 1 - Add users to MOM local groups (MOM Administrator)

5. Click Add to open the Select Users, Computers, or Groups dialog.

Task 2 - Add Operators (MOM Author)

Commit Configuration Changes (MOM Author)

Task 3 - Create Notification Groups (MOM Author)

MAPI notifications are not supported in MOM 2005. Use SMTP

Create a notification group

Task 4 - Create new computer group (MOM Author)

Task 5 - Associate rule group with computer group (MOM Author)

Task 6 - Create/modify console scope (MOM Administrator)

Task 7 - Create a new task (MOM Author)

2. Follow the wizard steps to create a task.

Task 8 - Add or modify rule groups and rules (MOM Author)

Create a rule group

Task 9 - Customize the Operator Console (MOM User)

Show or hide toolbars

Work with Alerts

Web Console Notes

Operational data processing cycle

Referring to Figure 3.4:

The Alerts View

View Alert summary

Ticket Id Specifies the ticket ID assigned to

View Alert details

Alert view sample

Set Alert Resolution State

2. Right-click and then pick Set Alert Resolution State.

Use Maintenance Mode

The availability of a task to an Operator console user is determined by:

Notes on other Views

• Least Severe of any Server

Performance data view

Add background image

• Monitoring Windows service availability.

Referring to the callouts in Figure 3.5:

• An administrator uses the Uninstall Agents option for an agent-managed computer to

Because a healthy MOM system depends on successfully installed agents, it is important to

• Agents belong to the appropriate computer groups.

Verify computer discovery in the Administrator console - Wizard task

Verify computer discovery in the Administrator console - Computers

Agent communication and connectivity