Kevin Holman's System Center Blog

Posts in this blog are provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified in the Terms of UseAre you interested in having a dedicated engineer that will be your Mic

Creating custom dynamic computer groups based on registry keys on agents

Creating custom dynamic computer groups based on registry keys on agents

  • Comments 12
  • Likes

I have had a few requests now for this, so I thought I would take the time to write up the process.

 

image

 

Lets say I have three support levels of servers:

 

Level 1 – servers critical to business operations (ex: customer facing web applications, SQL back-ends)

Level 2 – important servers (ex: messaging, internal apps)

Level 3 – non-essential servers (ex: non-critical or highly redundant internal apps)

 

Lets say we want to create overrides for certain rules…  where we will page on anything in Level 1 group, email notify on Level 2 group, and simply alert for Level 3.  Possibly we want to create views, and only see alerts for Level 1 servers.  Perhaps we wish to scope users so they only see Level 1 and Level 2 servers in the console?

Well – the first step is to place these servers into groups.

Sure – we can do this manually, with explicit assignments to the group.  But that is resource intensive over time, and we might miss one down the road.  I’d prefer to dynamically create the groups of Windows Computers based on a name…. but this can be difficult sometimes – where we don't have a solid naming scheme, or other criteria to group by.

 

I will demonstrate another way to accomplish this… by coming up with a business process to use a registry key on your managed servers, and collect this registry attribute with SCOM.  Then – use this Registry attribute for dynamic group memberships.

 

Ultimately – there are three simple steps to this process:

1.  Create registry keys on agents.

2.  Extended a class with an attribute, to discover the registry keys and values.

3.  Create dynamic groups based on the attribute values from the registry.

It is just that simple.

 

 

To get started – lets talk about our custom registry key.  For this example, I am going to create a new Key at HKLM\Software\ and call it “CompanyName”

Next – in that key – I will create a new DWORD Value, named “SupportLevel”

Lastly – I will assign a numeric value to “SupportLevel” on each server, either 1, 2, or 3.

image

 

In my environment…. my Hyper-V servers are critical.  They host all of my VM’s, including many business critical applications.  Therefore – they will get Level 1.

My Exchange 2007 servers handle all my mail traffic and notifications, so I will set their registry value to Level 2.

My Exchange 2003 servers have been retired – for MP testing only… so we will set those to Level 3.

 

Here is a table that shows what I am planning:

ServerName SupportLevel
VS1 1
VS2 1
VS3 1
EX1CLN1 2
EX1CLN2 2
EXCAS 2
EX2CLN1 3
EX2CLN2 3
OWA 3

 

So – I get all my registry values set on all computers.  This is a big job at first, but it is a one time deal, and you can even script it if you are handy.

 

Next… we need to discover these registry entries in SCOM, as attributes of a class.  Then were can use that attribute to group objects.  Since I want Windows Computer objects in my groups (Windows Computer is a good object for most overrides, scoping, notifications…etc..) we would like to have these attributes added to the Windows Computer class.

However – there is a problem.  The Windows Computer object is in a sealed MP.  We cannot just add information to that class as we would like.  Therefore – OpsMgr allows us to “Extend” an existing class… and add our custom attributes to it.  This “Extended” class is basically a copy of the existing class… it will have all the built in attributes of Windows Computer, and will also have our custom attribute properties.  It’s is easier to see it than to talk about it.

 

First – in the Ops console – authoring pane – go to Attributes.  Create a new attribute.  I am going to call this one “SupportLevel”

 

image

 

Next – choose “Registry” for the discovery type.

Next – We need to pick the Target class.  We want Windows Computer.  Note – this will create a new class, named “Windows Computer_Extended” by default.  We can use this name, or you can rename this whatever you want.  It is your class.  I will leave it at the default.

 

image

 

Most important!  Management Pack location.

 

This is CRITICAL.  Spend some time making sure you are creating these attributes in the correct location.  If you leave this MP unsealed XML…. then any groups you create that use these attributes, will have to be placed in this same MP.  Then – if you use these groups for Overrides – those overrides will be force to go in this same MP.  There is a “cardinal rule” in SCOM… objects in one unsealed MP cannot reference another unsealed MP.  So – we cannot have a group in one unsealed MP, and then use that group for an override in another unsealed override MP. 

So – we have two choices. 

1.  Keep an unsealed MP… and live with the fact that attribute, group, and override will all have to be placed here. 

2.  Create the attribute and the dynamic group in the MP, then seal it.  Then – you can use this group in ANY of your override MP’s… for Exchange, SQL, etc…

I strongly recommend option #2 for this exercise… but you can make this decision for yourself.

 

image

 

Ok…. I will choose Option #2 (seal the MP), so I will create a new MP just for this extended class, and groups.

 

On the next screen – we can put in our registry information:

In this example – I am looking for a registry Value (1, 2, or 3), and my attribute type is “Int” for integer.

For the frequency, set this to a reasonable frequency to discover you machines as they come on to you network.  Typically, once per day is sufficient (86400 seconds)  Remember – this will run against ALL your Windows Computers… so never set this more frequent than once per hour… that creates unnecessary overhead.

image

 

Ok – lets examine our work!

Go to Monitoring, Discovered Inventory, and change target type to our new class “Windows Computer_Extended”

If you do this quickly – you may find it is empty.  This is what is happening behind the scenes:  All Windows Computers are now downloading our newly created MP.  They are going to run the registry attribute discovery, and submit their discovery data to the management server.  The Management Server will insert this discovery data in the database.  Over time, you will start to see all your Windows Computers pop into this class membership.  You will notice a new attribute now, in addition to all the existing Windows Computer attributes.  This attribute is “SupportLevel” and will be 1, 2, 3, or empty… depending on what each agent find in the registry.

Now – I set my registry discovery to once per day…. so I will need to wait 24 hours before I can expect all my healthy agents to show up in this list.  To speed things up – I am going to bounce the HealthService on these example agents.  (Agents run all discoveries when a HealthService restarts, and then on their frequency schedule)

Here is an example a few minutes after bouncing the HealthService on some agents:

 

image

 

Next on the list – create the groups.  I will create these in the same MP that the attributes exist in.

 

I will call my first group “CompanyName – Support Level 1 Servers Group”.  I like to append the word “Group” to all groups I create as a best practice.  This helps us determine this group class is actually a group when we see it in the list of classes in the UI.  I sure wish all MP authors would take this to heart, since every group is actually a singleton class.

 

image

 

On the dynamic members screen – I will fins my “Windows Computer_Extended” class – and click Add.  What we now see – is that we have a new attribute to use, “Support Level”

 

image

 

I will set this group to “SupportLevel Equals 1” and click OK.

 

image

 

Now – I can right-click my new group – and choose “View Group Members”

 

image

 

image

 

Yee-haw!  It works!  Now – I simply repeat this above step – creating groups for SupportLevel 2, and 3.

 

image image

 

 

Now – that is done.  This is the area, that I recommend we stop… take a breather…. then seal the MP.  If you seal the MP – we will be able to use the groups for overrides in any other override MP.  If you choose not to seal the MP now… any overrides you use the groups for – will be forced into this same MP.  Please keep that in mind.

Since I am harping on sealing the MP…. I am going to do a quick example of just that.  Jonathan Almquist has an excellent tutorial on sealing MP’s HERE and we will use his example.

**Note – when running the sn.exe commands to create our key…. we only need to do this one… not every time we want to seal an MP.

***Critical note – you need to keep a backup of this key… because it will be required for making updates to this MP in the future, re-sealing, and keeping the ability to upgrade the existing MP in production.

So, I create the folders, create the key using sn.exe, copy over the referenced MP’s from the RMS,  and now I am ready to seal.

MPSeal.exe c:\mpseal\input\CompanyName.SupportLevel.MP.xml /I "c:\mpseal\mp" /Keyfile "c:\mpseal\key\PairKey.snk" /Company "CompanyName" /Outdir "c:\mpseal\output"

 

Works great.

 

image

 

Now – I can delete my unsealed MP from the management group, and import my sealed MP.

 

Phew.  All the heavy lifting is done.  Now… I have my groups… I can start setting up overrides using these groups, or scoping notifications. 

On my Support Level 1 group – I will use this to set up my pager Notification subscriptions to only page based on specific classes, and this group.

On my Support Level 2 group – I will use this to override important alerts to High Priority… because I am using High Priority as a filter for email notifications, per my previous blog post here:  http://blogs.technet.com/kevinholman/archive/2008/06/26/using-opsmgr-notifications-in-the-real-world-part-1.aspx

On my Support Level 3 group – I will use this group for tweaking/disabling rules and monitors for the group… turning off discoveries so they don't discover lab servers, scoping views, etc.

 

Maybe in my next post…. I will build on this MP… and show a really simple way to add the Health Service Watcher objects to these dynamic groups… for each Windows Computer object that is in the group – so we can use these groups for Heartbeat failure notifications.

Comments
  • Kevin,

    This is great but it stills requires the manual creation of groups for very possible registry key.

    What we are exploring right now is how to create a dynamic group and scoped role based on different string values of defined registry keys.

    Say a registry key contains the name of the business group who owns the server. Lets say say the value is SupportTeamX. This registry key will be read by OpsMgr, create a computer group called SupportTeamX and create a scoped role called SupportTeamX that is scoped to just that computer group.

    Active Directory group membership of the role can be managed separately.

    Would you have any examples of something like this? Based on the work so far I think the dynamic group and role creation is going to require managed code to handle.

  • Nice post Kevin, the art helps :)

  • Again a masterpiece. Thanks for sharing this information.

  • Kevin, how should we convert a formula to scom that uses boolean conditions (Check if exists). It doesn't seem to have an option in SCOM for that. Should we use "Equals True", like below for example?

    ( Object is Windows Server Operating System_Extended AND ( MOSS 32bit Equals True )

    José Fehse

    MCSE

  • You nailed it - that is exactly correct - as I am sure you found out by testing.  Boolean or "check if exists" will always be "attributename" equals "true"

  • Firstly thanks for a great easy to follow example but I still have a few issues to make this work with clusters.

    Is there anyway for the support value of the underlying cluster node to be set for the virtual nodes it hosts?

    They are discovered by the extended class but the supportlevel is always blank. Which of course means if you use these groups to limit for example to level 1 SQL DB Engines then any SQL instances on a cluster are missing.

  • Thanks Kevin we have been using this method successfully for about a year.  It was recommended by our MS Consultant.  I found your article because we are experiencing the issue that you described near the end of the post, we need a way to tie this registry key to the Health Service Watcher class so that we can control the Heartbeat alerts.  

    So far I have been able to extend the Health Service Watcher class, but the value of the registry key for the class is set to the value on the MANAGEMENT SERVER that manages the server, not the value on the server itself.

    Not sure how to work around this issue, the only idea I have so far is that when looking at the Health Service Watcher class and the Windows Server class, the only attributes in common are Display Name which is inherited from Entity.  Somehow you would have to extend the Health Service Watcher class with the attribute from Windows Server_Extended where

    (pseudo-code)

    Health_Service_Watcher.Display_Name=Windows_Server_Extended.Display_Name

    Hoping I explained this well, I would be interested in any feedback you could give.  TIA

  • You cannot extend the HSW class.  It is special and you really cant treat it like any other class.

    You cannot add the HSW instance to a group in the UI:

    You must edit the XML for your group.

    Here is an example:

    http://www.scom2k7.com/dynamic-computer-groups-that-send-heartbeat-alerts/

  • Hi,

    I am trying to do something similar, adding attribute "Forwarders" to DNS servers to be able to create a group containing DNS servers with specific addresses as forwarders.

    I then point to the value "HKLM\System\CurrentControlSet\Services\DNS\Parameters\Forwarders" where there will typically be one or more ip addresses. (in this case I am using "string" as type.

    The discovery works, but I only get the first ip address populated (in most cases there are two).

    Is there any way to set string to multi-string to support this?

    thanks in advance!!!

  • This article is very helpfull, many thanks

    We have at the moment a workshop and discussed the same problem, handling machines groups based dynamic on different classifications defined from us itself

  • Hi Kevin, thanks for this post - we've been using this method successfully to create groups, using the string method, we're finding a handful of our servers are just not populating into any groups, the reg keys are right, they are reporting in SCOM and the remote registry service is running, but the query doesnt catch them for some reason - apart from resorting to making the problem servers explicit members, have you got any ideas as to what it may be?

    Thanks again, for this article - saved us a lot of work!

  • i need some help for doing something similar for Database class, i want to have two dynamic groups, PROD Databases and DEV\TEST Databases. i can put a registry key for each database that will hold that value. i need an idea on how to do the discovery for this attribute.

    any idea if there are other ways then registry\wmi Discovery, i thought on using one XML file on each SQL server that will hold list of all databases on that server, but it seem that i cannot use POWERSHELL script for the discovery.

    any idea ?

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
Search Blogs