Lately I have been developing an internal training course to help educate our internal technical field on our soon-to-be-released Operations Manager 2007 (MOMv3 for those who are old-school). It has many great new features, such as the ability to do 'true' service health monitoring (including easier-to-configure 'end-user perspective' monitoring), the ability to monitor OS/Office crashes on desktops, security audit collection (of course you can do this today, but good luck with the size of your OnePoint DB if you turn these rules on in MOM 2005!), and many others. There are, however, two lesser-publicized features that I believe many EDU customers will really like...
The first is the ability to set up OpsMgr 2007 so that new agents within an AD domain can 'discover' their proper configuration automatically, such as which Management Group to be a part of, which management servers are the primary and the secondaries for fallback, etc. Once this is set up, all that is required on the agent is to have the service installed and started - OpsMgr 2007 takes care of the rest automagically. In delegated shops that share the same forests but centralize their monitoring, or vice versa, or something in between (something in between defines most of the customers I deal with!), this simplifies things greatly: when servers come and go from the environment, all that needs to be done is to have the server join AD and the OpsMgr agent started. This auto-configuration will become especially important as OpsMgr 2007 is now better suited to fully monitor desktops.
The second is the introduction of a new role called the Gateway Server. A Gateway Server acts as a proxy for those agents that reside on the other side of a firewall (DMZ network, etc.) and/or are not part of the same trusted AD forest as the MOM implementation. In MOM 2005 today, you can allow untrusted systems on the other side of a FW into your MOM system, but only at the expense of turning off mutual authentication completely for everything, AND you need to set up FW rules for each and every server on the other side of the FW to allow the encrypted communication channel between the Management Server and the servers in the protected network. With the Gateway Server, you can apply certificates that allow you to communicate securely with these untrusted targets, and you can position the Gateway Server on the same network as the protected servers, thereby relieving the need for all those FW rules - you just need one rule to allow communication between the MS and the GS and that is it!
SCOM 2007 beta 2 is the worst MS beta I have seen.
ACS is interesting... archiving feature. ACS doesn't provide Alerts, Events or Notifications. It doesn't give us the ability to monitor Security Logs.