After installing the Operations Manager 2007 R2
infrastructure, several configuration steps should be taken to have the
system monitor properly, generate Active Directory synthetic
transactions, and send out email notifications of alerts.
Agent Proxy Configuration
Operations Manager 2007 R2
has a variety of security measures built into the product to prevent
security breaches. One measure in particular is the prevention of
impersonation of one agent by another. That is, an agent SERVER1 cannot
insert operations data into the database about a domain controller DC1.
Allowing this could constitute a security violation, where SERVER1 could
maliciously generate fraudulent emergencies by making it appear that DC1
was having operational issues.
Although this is normally a
good feature, this can be a problem if, in fact, SERVER1 is monitoring
DC1 from a client perspective. The Operations Manager infrastructure
would reject any information presented about DC1 by SERVER1. When this
occurs, the system generates an alert to indicate that an attempt to
proxy operations data has occurred. Figure 1 shows an example of the alert. In the normal course of
events, this alert is not an indication of an attack but rather a
configuration problem.
To get around this problem,
Agent Proxy can be selectively enabled for agents that need to be able
to present operational data about other agents. To enable Agent Proxy
for a computer, run the following steps:
1. Open the Operations Manager 2007 R2 console.
2. Select the Administration section.
3. Select the Agent Managed node.
4. Right-click the agent in the right pane and select Properties.
5. Click the Security tab.
6. Check the Allow This Agent to Act as a Proxy and Discover Managed Objects on Other Computers check box.
7. Click OK to save.
Repeat this for all agents that
need to act as proxy agents.
Note
Because the alerts
generated by this condition are rule-based and not monitor-based, the
alert needs to be manually resolved by right-clicking on it and
selecting Close Alert.
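The Agent Proxy setting from the steps above can also be applied from the Operations Manager Command Shell. The following is an added example, not part of the original text: it enables Agent Proxy only for an allow-list of agents and then lists any other agent that already has it enabled, so unexpected proxies can be reviewed. The computer names and the helper Test-ProxyEnabled are assumptions for illustration.

```powershell
# Added example. Run inside the Operations Manager 2007 R2 Command Shell,
# which opens already connected to the management group.

# Constructed sample names: agents that legitimately report on other computers.
$allowedProxies = @('server1.example.local', 'exch01.example.local')

# Hypothetical helper: returns $true when the agent may act as a proxy.
# ProxyingEnabled is a wrapper object, so it is compared through its string form.
function Test-ProxyEnabled($agent) {
    return ("$($agent.ProxyingEnabled)" -match 'True')
}

# 1. Enable Agent Proxy only for the agents on the allow-list.
foreach ($agent in Get-Agent) {
    $name = $agent.PrincipalName.ToLower()
    if (($allowedProxies -contains $name) -and -not (Test-ProxyEnabled $agent)) {
        $agent.ProxyingEnabled = $true
        $agent.ApplyChanges()
        Write-Host "Enabled Agent Proxy: $name"
    }
}

# 2. Audit: list agents that can proxy but are not on the allow-list.
#    Nothing is changed here; the output is for manual review.
Get-Agent |
    Where-Object {
        (Test-ProxyEnabled $_) -and
        ($allowedProxies -notcontains $_.PrincipalName.ToLower())
    } |
    Select-Object PrincipalName, ProxyingEnabled
```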
Active Directory Client Monitoring Configuration
Although monitoring
performance of Active Directory services is done by the domain
controllers using a variety of measures, sometimes what really matters
is how clients perceive the performance of the domain services. To
measure that, the Windows Server 2008 Active Directory management pack
can generate synthetic transactions from selected client systems. These
transactions include ADSI bind and search times, LDAP ping and bind
times, global catalog search times, and PDC ping and bind times. The
clients execute tests and log the results, as well as alert on slow
performance.
The
Active Directory Server Client object discovery is disabled by default.
The object discovery has to be overridden to discover objects that will
then run the rules. To selectively override the Active Directory Server
Client object discovery, run the following steps:
1. Open the Operations Manager 2007 R2 console.
2. Select the Authoring section.
3. Expand the Management Pack Object node.
4. Select the Object Discoveries node.
5. Select View, Scope.
6. In the Look For field, type Client Perspective. This narrows down the selections.
7. Check the Active Directory Client Perspective target and click OK.
8. Right-click the AD Client Monitoring Discovery and select Overrides, Override the Object Discovery, and For a Specific Object of Class: Windows Computer.
9. A list of Windows Computer objects will be displayed. Select the computer that will act as an Active Directory client and click OK.
   Note
   The selected Windows Computer should not be a domain controller.
10. Check the Override box next to Enabled and set the value to True.
11. In the Select Destination Management Pack pull-down menu, select the appropriate override management pack. If none exists, create one for the Active Directory management pack by clicking New.
   Note
   Never use the Default Management Pack for overrides. Always create an override management pack that corresponds to each imported management pack.
12. Click OK to save the override.
13. Repeat for each Windows computer that will be an Active Directory Server Client agent.
After a period of time, the
selected agents will begin to generate Active Directory client
perspective data and alerts. As a best practice, key Exchange servers
are often selected as Active Directory Server Client agents. It is also a
best practice to select at least one agent in each location to be an
Active Directory Server Client agent.