We have created a new UI tool to make obtaining mass certificates easy.
Here at OpsMgr, we understand the pain that you have to go through to configure certificate authentication to deploy non-domain joined agents. There are many things we've provided for you to make obtaining certificates easier. However, we know we're far from getting to that seamless solution, and are continually providing new tools to help facilitate this process.
Here's a quick lowdown: To mutually authenticate the non-domain joined agent, the non-domain joined agent and the server each require a personal computer certificate and a root CA certificate. This can be accomplished through two basic steps:
1. Request and acquire the certs from a Certification Authority (CA).
Your company may already have an Enterprise CA set up if using PKI, but if not, you can install a CA (just add it as a role, like you do any other role in Win2K3 and up) and request certificates from there.
2. Install the certificates onto the local machine certificate store of the agent and server computer. Run MOMCertImport.exe tool.
This step is required to, in a sense, "register" your certificates to your computer. The MOMCertImport tool will alert OpsMgr of which certificates you would like to use.
To make it easy, we have developed a tool (attached below as CertGenBinaries.zip) to help simplify the process.
CertGenWizard.exe is a wizard tool which will take your CA information as input (it isn't required if you are running the wizard on the box with the CA), take in the computer names (they have to be FQDNs), and send out a request for the certificates you need. Now, you no longer have to fill out the Certificate Request form, enter parameters, or connect to the web enrollment service. Once the certificates are approved, there is a Retrieve button in the CertGenWizard which will allow you to retrieve the certificates that you have requested. On top of the personal certificates, the wizard will retrieve the root CA certificate.
The biggest benefit to this tool is the added ability to request multiple certificates at once. If you have 100 non-domain joined agents that you need to set up cert auth for, you can simply request all 100 machine certificates at once, retrieve them all, and manually bring them over to your other machines.
Once you have brought them to your other machines, CertInstaller.exe is a second tool that will install the certificates into the local machine store of your computer and run MOMCertImport.exe for you. Note: Install OpsMgr Agent FIRST and then run the tool!
Below are the steps to using the tool:
Pre-requisites:
- .NET Framework 3.0
- A Certification Authority (Win2K3/Win2K8 Enterprise/Stand-alone CA)
- If it is an Enterprise CA, an OpsMgr certificate template must be created
- Make sure createReqFile.bat is in the same directory as CertGenWizard.exe
- MOMCertImport.exe must be in the same directory as CertInstaller.exe
Using CertGenWizard.exe:
Installing the wizard:
Requesting certificates:
Notes:
A processing page will pop up showing the status of each certificate request.
The root CA certificate will also be downloaded at this level and saved as RootCertificate.cer.
Retrieving certificates:
Status:
The final page will alert you of your status. It will alert you to say which certificates have been denied, which have been approved, and which still are pending.
Using the Certificate Installer:
Note: Install the OpsMgr agents BEFORE running the Installer.
What you need on the agent machine:
This posting is provided "AS IS" with no warranties, and confers no rights. Use of the included utilities is subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
-Adam Kiu
System Center Operations Manager
The OpsManJam site has added a MPViewer dump folder in the library. While we are just starting out, what you will find here are MPViewer (thanks Boris) extractions of all the Microsoft published management packs as HTML pages. You can use this as a reference for what is in management packs. We will be updating this regularly as new versions of Microsoft mp's and new Microsoft mp's are released. Check it out here.
Chris
We may run into a situation where we want to execute a console task within OpsMgr based on some condition, like if a file exists, run it otherwise execute another file. Without the If-condition which is not supported by the <Task>, how can we achieve that? Well there is a workaround. Command line has an IF command through which you can do that.
IF [NOT] ERRORLEVEL number command
IF [NOT] string1==string2 command
IF [NOT] EXIST filename command
It also supports ELSE. However, for it to work, it has to occur on the same line as the command.
IF [NOT] EXIST filename (command) ELSE (command)
Adding the IF statement after the CMD.EXE (or %COMSPEC%) will give you much flexibility executing applications based on some criteria, as opposed to directly running the application.
For Example
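An added example of the approach (not code from the original post): a console task that launches the command interpreter and lets IF EXIST pick which program to run, with the whole IF/ELSE kept on one line. The task ID, target class alias and the paths under C:\Tools are constructed; System!System.CommandExecuter and its child elements are the standard OpsMgr 2007 command-execution write action.

```xml
<!-- Added example; task ID, "Windows!" alias and C:\Tools paths are constructed. -->
<Task ID="Contoso.Example.RunMaintenanceIfPresent"
      Accessibility="Internal" Enabled="true"
      Target="Windows!Microsoft.Windows.Computer"
      Timeout="300" Remotable="true">
  <Category>Maintenance</Category>
  <WriteAction ID="WA" TypeID="System!System.CommandExecuter">
    <!-- Run the command interpreter rather than the application itself so that
         the IF / ELSE decision happens on the agent before anything is started. -->
    <ApplicationName>%COMSPEC%</ApplicationName>
    <WorkingDirectory>%SystemRoot%\System32</WorkingDirectory>
    <!-- IF and ELSE must stay on one line. Use absolute, quoted paths so the
         task runs exactly the files you intend and nothing found via PATH. -->
    <CommandLine>/c IF EXIST "C:\Tools\maint.cmd" ("C:\Tools\maint.cmd") ELSE ("C:\Tools\fallback.cmd")</CommandLine>
    <TimeoutSeconds>300</TimeoutSeconds>
    <!-- Return the command output to the console so the operator sees which branch ran. -->
    <RequireOutput>true</RequireOutput>
  </WriteAction>
</Task>
```

Because every agent in the target class can run this task, the referenced files and their directory should be writable only by administrators.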
A few of us have been working with the Solutions Accelerator team and Pete Zerger to come up with an Infrastructure Planning Guide for OpsMgr 2007 which got published a couple of weeks ago. This document will lead readers through a sequence of core decision points to design an infrastructure for OpsMgr 2007. It also provides a means to validate design decisions with the business to ensure that the solution meets the requirements of both business and infrastructure stakeholders. This guide will help our customers with…
- Infrastructure design process
- Optimizing OpsMgr 2007 components to meet customer needs
- Designing the databases taking into account requirement of performance, capacity and fault tolerance
- Designing Notification Systems
- And much, much more…
Please share this document with your customers and partners as I am sure they will find this very useful. You can download the guide by scrolling to the bottom of the webpage and clicking the download link for Operations Manager 2007.zip. LINK
Satya Vel | Program Manager | System Center |
Hi all -
Today's tip comes from Robb Dilallo, via Tim Kremer. Robb found that it was frustrating to try to edit an exported custom management pack because he couldn't access the sealed, dependent management pack. He shared the following steps to create a "management pack development environment":
This removes the difficulty of accessing the dependent sealed management pack. Thanks, Robb!
Hi all - An additional resource for Operations Manager 2007 MP Authors and IT Pro's is now live at OpsManJam. This site, sponsored by Microsoft, focuses on MP Authoring best practices and tutorials. There is deployment and administration content for the IT Pro, too. You can download content such as management packs, featured articles and command shell scripts for your use from a simple document library.
The site also includes a "Best of Operations Manager" search tool.
For this tool, we have preselected Operations Manager specific content from MSDN, Technet, various blogs and other great resources and crawled them for you. Your keyword search is then scoped to those content sources only, which you can tab through in the results pane.
The contributors to this site are from Microsoft Consulting, Customer Support Services, MSIT and the Product team. Content and features are regularly being added so check back frequently.
Recently we have been receiving some questions on the meaning of the 'grayed-out, Healthy' agent status icon (see picture below).
You will see this in the Monitoring space in the Computers view and the Discovered Inventory view and the Operations Manager ==> Agent ==> Agent Health State view. In short, the grayed-out icon means that the health service watcher on the RMS that is watching the health service on the monitored machine is not receiving heartbeats from the agent anymore. It had been receiving them previously (and it was reported as healthy), but now it is not. This also means that the management servers are no longer receiving any information from the agent at all.
To find out why this is happening, you need to check the Active Alerts for 'Health Service Heartbeat Failure', which generally indicates that the health service on the agent monitored computer is down but the monitored computer is still running and available on the network. If the agent monitored computer is down, you will see a 'Failed to Connect to Computer' alert for the monitored computer subsequent to the 'Health Service Heartbeat Failure' alert. The 'Failed to Connect to Computer' alert generally indicates either some sort of network connectivity issues or that the agent monitored computer is offline.
The Operations Manager 2007 Management Pack tracks memory usage of the MonitoringHost.exe process via the private bytes counter. By default, the agent will be automatically restarted if memory usage for MonitoringHost.exe is above 100MB. On large Exchange 2007 systems, this threshold may be too low. The recommended threshold is 600MB.
This is why:
On Exchange 2007 servers the .NET runtime (CLR) gets loaded into MonitoringHost.exe. The way Windows performance counters work is that, to read a performance counter from an application, a DLL provided by that application is loaded into the reading process. Since some of the Exchange services (for example Hub Transport) are written in managed code, the CLR performance counter client is loaded into the MonitoringHost.exe process for reading those counters. The .NET runtime performance counter client implementation loads the CLR to handle reading the counters from the managed service.
The CLR handles memory management via a garbage collection system rather than traditional native code where you explicitly allocate and de-allocate memory. In a garbage collection system the application doesn't explicitly release memory. Periodically the garbage collector will run to see what objects are no longer being used and then free up the memory for those objects. The CLR garbage collector is designed to monitor system load so that if there is no memory pressure then it doesn't need to run as often. When the garbage collector runs it will internally release objects and make space for new objects. However, it may not trim the amount of memory it has requested from the operating system if it detects there is no memory pressure on the system. If the system starts seeing memory pressure then the CLR may start decreasing the amount of memory it has asked for.
On large systems like Exchange 2007 servers, Operations Manager's default private bytes threshold of 100MB may end up being too small. Since there is limited memory pressure on these systems, the CLR may commit more than 100MB of memory and not de-allocate it until there is more memory pressure on the system.
Symptoms
The Health Service restarts (triggered by MonitoringHost.exe memory usage) even after installing the following hotfixes on x64 systems running Exchange 2007.
950853 A memory leak occurs when you monitor Exchange Server 2007 by using the MOM 2007 agent in System Center Operations Manager 2007
http://support.microsoft.com/default.aspx?scid=kb;EN-US;950853
951979 Problems occur on a management server that is running System Center Operations Manager 2007 Service Pack 1 when certain management packs are installed
http://support.microsoft.com/default.aspx?scid=kb;EN-US;951979
You'll see the following event being logged in the Operations Manager Event log.
Event Type: Warning
Event Source: Health Service Script
Event Category: None
Event ID: 6026
Date: 6/26/2008
Time: 8:59:55 PM
User: N/A
Computer: SGBD012512
Description:
LaunchRestartHealthService.js : Launching Restart Health Service. Monitoring Host exceeded Process\Private Bytes threshhold.
To update the agent restart threshold, perform the following steps:
1. In the Authoring section of the console, find the Monitoring Host Private Bytes Threshold rule for the Agent class.
2. Select to override the value for a group. To override for all Exchange 2007 servers, select the All Computers in Management Pack: Microsoft.Exchange.2007 Computer Group. It is also possible to override this for single instances of agents or your own groups.
3. Set the Threshold to 629145600 (600MB). Note that you should not store the override in the Default Management Pack.
4. Perform the same steps for the Health Service Private Bytes Threshold monitor (again for the Agent class; this will prevent the agent health state from changing to critical).
(Thanks to Marc Reyhner and Brian Zoucha for most of the content of this article)