Friday, March 5, 2010

CEIP, ODR and the lot. What are they and why should I use them? Part IV: AEM explained, how to configure it

--------------------------------------------------------------------------------- 
Postings in the same series:
Part   I: ODR explained
Part  II: CEIP explained 
Part III: AEM explained, its origin
---------------------------------------------------------------------------------

This is the last posting in this series. It will be about how to configure AEM. Also some ‘Need-To-Knows’ will be shared since without it, AEM might end up in a bad working way. Besides that, it is good to know what AEM can do and can NOT do. So lets start.

Need-To-Knows

  1. AEM works only for clients residing in the same fully trusted environment where the related SCOM Management Group resides. So it will NOT work for clients residing behind a SCOM Gateway for instance. There needs to be a full trust in place.

  2. AEM needs planning AND sizing. So it is not just ‘Set-and-Forget’ but it needs RTFM and the lot. Where to get that information? The OpsMgr R2 Sizing Helper will help you out for sizing questions. Taken directly from that tool:
    image 
    Also the help file of SCOM (R2) will tell you more about it, the online guides of Microsoft and last but not least, SCOM Unleashed.

  3. AEM also creates Alerts within SCOM (R2). You get Alerts like: ‘Application X stopped on Computer Y while User Z was using it’ and the like. You must ask yourself the question whether your organization wants this since every Alert needs at least some attention. So additional time is needed for the operators which has to be taken into account as well.

  4. Even though AEM gives an opportunity to get a deeper insight of the crashes and application errors, it is not a total solution. Meaning that when for a given application error a solution is known and shown, it still has to be applied in some kind of way. AEM won’t take care of that part.

  5. Make sure you got the AD (Active Directory) engineers involved since deploying AEM means that a GPO has to be created in order to configure the Clients. So get the AD guys/girls in to the loop as well. Even better, do this in an earlier stage and not at the moment when the GPO needs to be created. Somehow AD people do not like that….. :)

  6. There is much more to AEM then this blog posting will reveal. So when you start using AEM and you don’t have the book SCOM Unleashed already NOW it is the time to buy it. This book takes a real deep dive into many aspects of SCOM and AEM is covered in all detail.

How to configure AEM? (*)
(*: This procedure is based on SCOM R2, so when you are running SCOM SP1, there might be some differences.)

  1. Design and build a relevant AEM environment, based on the OpsMgr R2 Sizing Tool and the SCOM R2 Design Guide

  2. Start the SCOM (R2) Console with an account that has SCOM Admin permissions. Also when running the Console from a W2K08 based server, run it with elevated permissions.

  3. Go to the Administration pane > Administration > Device Management > Management Servers. Select the MS that will handle AEM and right click this server. Select the option Configure Client Monitoring:
    image

  4. Now the wizard Client Monitoring Configuration Wizard will start. As the Introduction screen tells you, you will not only configure AEM but you also have the change to configure how CEIP data is treated:
    image 
    Do not just click Next like a robot. You are a human being after all with the capabilities to READ and to UNDERSTAND. So when this is the first time you see this Wizard, do take your time, and READ it since much valuable information is shown. It can save you many hours of trouble shooting so it is worthwhile the time taken…

  5. The next screen is about CEIP Forwarding. Do you want it send it directly to Microsoft or not? Or do you want to use a MS as a collection point which sends it to Microsoft? SSL can be chosen as well here. 
    image
    Since this posting is all about AEM, I leave it at the default option, RTFM the screen and click Next.

  6. Before doing anything in this screen (Error Collection) I have created on the MS which is going to be used for AEM a folder with the name ErrorData on the D drive:
    image
    Besides that, I have NOT changed anything. Only created the folder. Now it is time to RTFM the screen and to enter the needed information. Now I have screen like this:
    image
    One does not have to enter a File Share Path. A local drive path will do as well since the Wizard will create a File Share later on. Also security will be set as well. SSL can be chosen here as well. For the convenience of this posting I have deselected it. Default the Organization Name is set to Microsoft. This can be changed as needed. This name will be shown on the local computer by the error reporting client. Click Next.

  7. The screen Error Forwarding shows what options are available for Error Forwarding. By default nothing is selected. When you choose to leave like that you are missing out on a huge advantage since whenever a solution is available it will not be shown. Not because Microsoft wants to punish you for not forwarding the Error Reports, but simply because Microsoft does NOT KNOW what is going on in your environment…
    image
    When you choose to forward all collected errors, you will receive the link to the solution. And you have the possibility to choose what kind of reports are forwarded to Microsoft: Basic or Detailed. So to a certain level you can control what goes out. Click Next.

  8. Now the File Share will be created. Here it is important, when running the Console from a W2K08 based server, to use elevated permissions when starting the Console, as stated in step 2. Otherwise the changes are likely that an error message will pop up while the share is being created.
    image
    Even though one might RFTM this screen, something important will happen in the back ground as well: two AD accounts will be created. So be sure that the user being used does have that permission as well. Click Next.

  9. Now the task status of the File Share creation process (and the creation of the two AD Global Groups and setting permissions on the File Share) is being shown. After a short while this message appears:
    image
    Lets take a look at what has been done by the Wizard. In AD two additional Global Groups have been added:
    image 
    The earlier mentioned folder has been shared:
    image
    Security has been set, Share Permissions:
    image
    and NTFS Permissions:
    image

  10. Click Next. Now the needed template for the GPO will be created. One can choose where this template must be saved. Best practice is to use a separate folder for this.
    image
    Click Finish.

Whoa! That’s a lot of work! But now we’re done? AEM is running now? No. Not just jet. The GPO Template must be added to a GPO AND set as well. So lets start.

Adding the template to a new GPO (*)
(*: This procedure is based on W2K08 R2, so when you are running older versions of Windows, there might be some differences.)

  1. Go to Start > type GPMC.msc <enter>. In this example there is Organizational Unit named Client Systems. All client systems reside just here (How convenient :) ).

  2. Right-click this OU and choose Create a GPO in this Domain and Link it here. Give it a logical name. This is the name I gave it: ‘C_SCOM_AEM_Policy’. The first character tells me it is a GPO targeted at the Computer Configuration node. And the rest is clear I guess… Click OK.

  3. Right-click this new GPO and select Edit. Expand Computer Configuration > right-click Administrative Templates and select Add/Remove Templates…
    image
    Click Add, browse to the location where the GPO Template has been saved, select it and click Open.
    image
    Now you are back in the Add/Remove Templates screen. The template has been selected. Click Close.

  4. A new node has been added (or was there before when other Templates have been previously added), the Classic Administrative Templates (ADM).
    image
  5. Expand that node > Microsoft Applications > System Center Operations Manager (SCOM) and this will be shown:
    image
    In total 11 settings are to be found. By default these are all disabled. Enable each setting as needed. For most settings when enabled the answers given when the Client Monitoring Configuration Wizard was run, will be shown. Like this:
    Not Configured (default setting):
    image

    Enabled:
    image 
    as you can see it matches the earlier mentioned Wizard (Step 6, How to Configure AEM?):
    image

  6. In my days being a Systems Engineer I always created GPO’s per subject. So not one GPO containing settings for multiple subjects. Also when I created a GPO it was targeted at the Computer Configuration or User Configuration. Never both. This way it was much easier to differentiate between the GPOs. Made life much easier.

    Another good practice was to disable the part not being used. So for a GPO targeted solely at the Computer Configuration, I disabled by default the User Configuration Settings. This way the GPO gets processed way much faster. Don’t get me wrong here. I am a SCOM specialist and not a AD/GPO specialist. I am sure there are other good practices as well which I do not know about. So feel free to comment.

    Go to the top level in the GPO Editor and right click the GPO. Select Properties and select Disable User Configuration settings. When you click OK a warning is shown. Read it, understand it and click Yes and then OK.
    image

  7. Now you must tell the WER (Windows Error Reporting) client not to send the Error Reports to Microsoft directly. For this the same GPO is being used. Go to Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings.
    image

    The setting you need is: Turn off Windows Error Reporting.
    image
    This setting is set to Not Configured by default. You need to set it to Disabled (thanks to Jon Sykes pointing this out to me).

  8. Close the GPO Editor. Now you are back in GPMC.msc. Select the correct OU and the linked GPO. Go to the Settings tab of this GPO and check it out:
    image

  9. A final check: In the SCOM Console go to the Monitoring pane > Monitoring > Agentless Exception Monitoring > Crash Listener View. When all is well something like this is being shown:
    image

And now (finally?) AEM is running. Yeeha!

Used resources
Besides my own personal experience I have used the good and detailed guides which Microsoft provides and last, but not least, SCOM Unleashed the BEST book on SCOM. as I have been told, the R2 edition of this book will available on the 25th of March 2010…

2 comments:

apollo said...

Thank you for this article. One piece that I believe is incorrect in the configuration settings - "Turn Off Error Reporting" should be set to either "not configured" or "disabled" and not "enabled".

Marnix Wolf said...

Hi Jon.

Thanks for your comments. I have checked it and indeed, you're correct. Thanks so much for mentioning it. I will adjust my blog posting accordingly.

Cheers,
Marnix