Wednesday, March 29, 2017

MP Authoring – Quick & Dirty – 01 – Overview

Advice to the reader
This posting is part of a series of articles. In order to get a full grasp of it, I strongly advise you to start at the beginning of it. 

Other postings in the same series:
00 – Introduction
02 – Authoring the Template MP XML Code
03 - Example Using The Template MP XML Code
04 - Testing The Example MP
05 – Q&A

Overview of how SCOM works
In order to understand what I am trying to achieve with this new series, some basic understanding of SCOM is required. I’ll do my best to give a KISS explanation. After that I’ll talk about the Quick & Dirty MP approach.

Targeting & Classes
First of all, TARGETING in SCOM is key. Without targeting, SCOM workloads (Discoveries, Rules, Monitors, Tasks and so on) would run everywhere, causing a lot of mayhem.

As such, Classes are made, and their related Objects are ‘picked up’ by Discoveries. Those Objects are nothing but instances of their related Class, inheriting the same attributes as their related Class. The Class and its attributes are defined in the so-called Service Model.

Service Model
This Service Model also contains the relationship between the different Classes. For example, without a Windows Computer you can’t have a Windows Logical Disk. And per Windows Computer you can have multiple Windows Logical Disks. When the Windows Computer object is removed, so are the related Windows Logical Disks. So this relationship is also described in the Service Model.

Health Model
Over that Service Model, another layer is added, the so called Health Model, containing all the Rules, Monitors and Tasks (if any), directly related to the specific Class.

Health- & Service Model = True power!
When combined, SCOM not only has awareness of (for example) a Windows Server 2012 Logical Disk (thanks to the Service Model), but also has a deep understanding about how to decide whether the related Objects are healthy or not (thanks to the Health Model).

Because of this, SCOM workloads are executed only where required. For instance, SCOM won’t try to monitor non-present SQL databases or non-existent Exchange based workloads, simply because the related Objects aren’t present and, as such, the related SCOM (monitoring) workloads won’t be executed.

No Class = No proper monitoring
The reason I tell you all this is that WITHOUT a proper Class, monitoring will NEVER be good; it will be a workaround at best. So Classes are a hard requirement in SCOM in order to get some proper monitoring done.

But in the SCOM Console there is no way to create Classes and their related Discoveries. Sure, you can create an Attribute but that’s an absolute no go area since you create a copy of an existing attribute (labeled extended attribute) which is a total pollution of your SCOM environment. So stay away from it. NEVER EVER USE IT! Time for a better approach…

Classes & Discoveries
Defining a Class is one thing. However, a Discovery is required as well in order to have SCOM picking up the Objects related to the same Class. And there are quite a few ways to discover new Objects. Think about WMI and scripts for instance.

However, a script based Discovery can be quite a challenge to get right and also to KEEP right. Along the way the Objects might start running updated software, which breaks the discovery scripts, so they require an update as well.

Besides that challenge, it’s known that WMI and script based discoveries can also have quite a footprint on the available resources on that box.

Gladly there is another type of Discovery which is lightweight: the Registry based Discovery. Nonetheless, when the Objects are running updated software, this Discovery might require an update as well, since the registry keys – on which the Discovery depends – are modified as well.

Wouldn’t it be TOTALLY awesome to have a Discovery which is ‘Set & Forget’? Which ALWAYS runs and works on ANY Windows based box?  Now you’re about to enter the ‘dirty’ part of this series of postings…

Reverse Discovery
No matter what type of Windows box there is (or was for that matter), ALL of them share common registry keys like this one: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion.

Why not define a Class with a registry based Discovery looking only for the presence of that key? And when found, an Object of that Class is added.

Sure, since EVERY Windows based system has that registry key, ALL Windows systems running a SCOM Agent, would become an instance of that Class. And that’s not what we want.

Hence the REVERSE Discovery. The Class is defined, the Discovery is made but disabled by Default. The same MP also contains a Group which is empty by default.

How it works
When the MP is imported into SCOM, one or more new Classes will be added to SCOM. Since the Discovery is disabled by default, no instances related to those Classes will be discovered, so no monitoring – as defined in the same MP – will take place.

However, when the earlier mentioned Group is modified so that the Windows servers are added which must be monitored by that MP, and that same Group is used as an Override on the Discovery, enabling it only for that Group, those very same servers will be discovered as instances to the Classes as defined in the MP.

Soon after the instances are discovered, they’ll enter a monitored state, based on the Monitors and Rules defined in the same MP.

Refining it
Sure, you can define registry based Discoveries on registry keys related only to the specific application you’re writing the custom MP for. In such a scenario you don’t disable the Discovery nor do you need the previously mentioned Group.

However, it will take the speed away compared to the other approach using the registry key which is present on any Windows based box. Why? Keep on reading because now you’re about to enter the quick part of it all…

Template MP XML
Suppose we stick to our approach using the common registry key for the Discovery.

All we have to do now is to create a default custom MP in MP Author, defining one Class, the well known Discovery (disabled by default), the Group (later to be used for enabling the Discovery by an Override) and a folder for presentation in the SCOM Console (under Monitoring) with a State and an Alert View.

Save that XML code and you’re in business! Of course, the MP is lacking Monitors and Rules, but they will be added as required per custom application/service to be monitored. So there is no point in adding them already in the template.

Let me explain it a bit more. In the next postings of this series I’ll cover the details, for now I cover the overview of it.

Custom Application = Template MP XML

  1. Since we’re going to build template MP XML, we require a template name as well. Custom Application is a good name here. MP Author is a great tool to build a MP for IT Pro’s. So this is the tool we’re going to use.
  2. Every time a name is required we type Custom Application (mind the space!) or Custom.Application (mind the dot (.)!) or in case of the Discovery CustomApplication (mind the lacking space!).
  3. We create the Class, the related Discovery (disable it when created), Folder, State and Alert View. Also a Group is created.
  4. Then we save the XML code and scrub it – using Notepad++ - since MP Author adds these annoying tags stating MP Author was used to create this MP…
  5. We save the scrubbed code and store it for later usage.
  6. Please mind that the name of the Template XML code is Custom.Application.xml. This name must be modified later on as well.

Custom application monitoring required
Suppose we have the template MP XML code stored for later usage. Now is the time to use it since we are required to monitor two servers connecting to Office 365. This is the way to go about it.

  1. We inventory the services and Event IDs defining the health and availability of a working Office 365 Connection Server;
  2. We make a copy of the Template MP XML and rename it to Office365.Connection.Server.xml;
  3. We open this XML code in Notepad++ and do a couple of search & replace actions:
  4. Search for Custom.Application and replace it with Office365.Connection.Server;
  5. Search for Custom Application and replace it with Office 365 Connection Server;
  6. Search for CustomApplication and replace it with Office365ConnectionServer;
  7. Save the changes and close Notepad++;
  8. Start MP Author and open the XML code previously saved in Step 7;
  9. Add the required Monitors and Rules and save the MP;
  10. Import the MP in SCOM, modify the Group and use it as an Override target for enabling the Discovery. Soon the correct Office 365 Connection Servers will be discovered and monitored by SCOM, with their own Folder and Views in the SCOM Console.
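
Steps 2 to 7 can also be scripted instead of done by hand in Notepad++. The PowerShell below is an added example, not part of the original post or the author's template: the function name Convert-TemplateMp, its parameters and the sample XML are assumptions made for illustration. Besides the three replacements it checks that no template name survived and that the result is still well-formed XML.

```powershell
# Added example. Function name, parameters and sample XML are hypothetical.
function Convert-TemplateMp {
    param(
        [Parameter(Mandatory)] [string] $TemplateXml,  # content of Custom.Application.xml
        [Parameter(Mandatory)] [string] $DottedName,   # e.g. 'Office365.Connection.Server'
        [Parameter(Mandatory)] [string] $DisplayName   # e.g. 'Office 365 Connection Server'
    )

    # The third spelling (used for the Discovery) is the dotted name without dots.
    $compact = $DottedName -replace '\.', ''

    # String.Replace is literal and case-sensitive, so the dot is not a regex wildcard.
    $result = $TemplateXml.Replace('Custom.Application', $DottedName)
    $result = $result.Replace('Custom Application', $DisplayName)
    $result = $result.Replace('CustomApplication', $compact)

    # Any surviving template name (other casing, stray spelling) was missed by the
    # three replacements and would leak into the new MP.
    $leftover = [regex]::Matches($result, 'Custom[ .]?Application', 'IgnoreCase')
    if ($leftover.Count -gt 0) {
        $found = ($leftover | ForEach-Object { $_.Value } | Sort-Object -Unique) -join ', '
        throw "Template name still present: $found"
    }

    # The cast throws when the text is no longer well-formed XML,
    # for example when the display name contains a bare '&'.
    $null = [xml]$result
    return $result
}

# Constructed stand-in for the template. It only mimics the three spellings and is
# not the real MP schema; the real Custom.Application.xml comes from MP Author.
$template = @'
<Template>
  <Id>Custom.Application</Id>
  <DisplayName>Custom Application</DisplayName>
  <Discovery Id="CustomApplication.Discovery" Enabled="false" />
</Template>
'@

$dotted = 'Office365.Connection.Server'
$mp = Convert-TemplateMp -TemplateXml $template -DottedName $dotted `
                         -DisplayName 'Office 365 Connection Server'

# Step 2: the file name follows the dotted name.
Set-Content -Path (Join-Path $env:TEMP "$dotted.xml") -Value $mp -Encoding UTF8
$mp
```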

In the future postings I’ll cover the details of it all. Please know that it won’t become a detailed guide about using MP Author. Instead I’ll highlight the most important parts of it, supporting the why of this series.

See you all next time!

Credits: The usage of the reverse Discovery isn’t invented by myself. A former colleague of mine taught me this trick, so all credits for this approach should go to him. Thank you Peter Smit!

Tuesday, March 28, 2017

MP Authoring – Quick & Dirty – 00 – Introduction

Advice to the reader
This posting is part of a series of articles. In order to get a full grasp of it, I strongly advise you to start at the beginning of it. 

Other postings in the same series:
01 – Overview
02 – Authoring the Template MP XML Code
03 - Example Using The Template MP XML Code
04 - Testing The Example MP
05 – Q&A

How the challenge came to be
Based on the MPs delivered by Microsoft, SCOM is capable of monitoring many different workloads ‘out of the box’. However, in the real world organizations run many non-Microsoft based workloads running on Windows Servers, which require monitoring as well. Also by SCOM. And many times there aren’t third party MPs available for monitoring those workloads.

And now a challenge takes shape. Because HOW is one going to do that WITHOUT:

  1. Big investments in time, resources and budget;
  2. Turning to the ‘crappy’ SCOM Console which isn’t made at all for custom MP authoring;
  3. Taking a deep dive into how SCOM really works;
  4. Taking a deep dive into MP authoring and XML coding;
  5. Buying expensive Visual Studio licenses?

Let me explain item 5 a bit more. Sure, with Visual Studio (VS), the MP Authoring Extensions (AE), and using snippets, one is capable of writing good MPs pretty fast WITHOUT deep understanding of MP Authoring and/or XML coding.

VSAE: The license & the steep learning curve
However, VS doesn’t come free. And yes, AE works well with the community edition of VS. BUT this version isn’t allowed in a commercial setting. So using VSAE community edition is most of the time an absolute no go for organizations, or at least open for discussion. And many organizations simply don’t want to go there. So when your organization doesn’t have VS already in use (and properly licensed), VSAE is most of the time a no go area…

Besides that, VSAE has a steep learning curve. I know from my own experiences it’s not only a challenge to master, but even more a challenge to stay on a certain level. For myself when not having authored a MP with VSAE for some time, it takes a while to get the hang of it again. So MP authoring with VSAE is quite a challenge.

MP Fragments?
So one could solve this issue with Management Pack Fragments. This allows for very quick MP authoring with VSAE without having to go through all the challenges of reinventing the wheel yourself. Instead you use ‘ready-to-bake’ MP Fragments, containing much of the required code for your MP.

Kevin Holman has made an impressive library of MP Fragments and made it publicly available, for free! And it works, super fast and easy. Also he has written a series of postings about how to use these MP fragments in order to create your own MP.

But how about the VS license?
Sure, you still require VS and a proper license. As stated before, the community edition won’t do in a corporate environment. But still, when requiring good custom made MPs, covering your company’s custom services/applications, it’s the best way to go.

As it turned out while writing this posting, Silect has released an updated version of MP Author Professional which is now also capable of using VS fragments. So the very same MP Fragments made by Kevin can be used by MP Author Professional. So this could be an alternative for VS with a more agreeable price tag. When you’re a developer, I would go for VS, but that’s me.

RoI and a FREE & FAST alternative
Return on Investment is something to be taken seriously. Is the above mentioned approach still viable when you want to monitor just a few services, logs and events on a subset of servers? Does one really have to go through the ‘pain’ of buying software? Or is there another approach in cases like these, totally FREE and FAST? YES THERE IS!!!

However, the scope of this approach/workaround is limited. The moment you’re required to monitor a multi layered application/service hierarchy running on multiple servers, I strongly advise you NOT to use the approach I am going to share in a new series of postings. Instead, use VSAE or MP Author Professional with the MP Fragments and be happy.

However, when you only want to monitor some services, logs, events on a subset of servers for a rather single dimensioned application/service, the approach I am going to share will work for you and not just that, but it will be pretty fast, especially when you use the template XML code I am going to share with you.

Fun thing is that in many cases this approach works pretty well for many monitoring requirements and saves you and your company a lot of time, resources AND money! Besides that, it’s easy to master and to apply this knowledge in the future.

So stay tuned since quite a few additional postings will follow!

Required tools
All you’re going to need are these FREE tools:

  1. MP Author (free version, available here);
  2. An XML editor, like Notepad++ for instance.

Wednesday, March 22, 2017

OM16 Agent APM Feature Crashes IIS App Pool Running Under .NET 2.0 Runtime

As blogged before, the OM16 Agent APM Feature crashes IIS Application Pool when running under .NET 2.0 Runtime. Thanks to my Irish buddy Kevin Greene there are a few workarounds, worked out in great detail.

At this moment Microsoft has acknowledged this bug (AKA ‘hidden feature’) which will be addressed for certain with the release of Update Rollup #3 and perhaps even before that, with the release of a hotfix. However, the release of this hotfix is still under investigation and as such uncertain.

Want to know more? Read this article on the System Center Operations Manager Team Blog.

Monday, March 20, 2017

Updated/New MPs For Microsoft’s 2016 Releases (And Others)

In the past weeks Microsoft has released MPs covering their 2016 releases of well known products and services.

Since I don’t prefer to reinvent the wheel, I’ve borrowed the list from Daniele Grandini’s blog. So all credits for this list should go to him, not me.

Other updated MPs are:

Monday, March 13, 2017

Cross Post: Registry Tweaks For SCOM 2016

Last week Kevin Holman wrote a posting about registry tweaks for SCOM 2016. For anyone running a SCOM 2016 environment, that posting is a MUST read.

Cross Post: OM16 Agent Crashing Legacy IIS Application Pools

My Irish buddy and fellow MVP Kevin Greene has posted an article on his blog about SCOM 2016 Agents crashing legacy IIS Application Pools.

Kevin investigated this issue thoroughly before coming to this conclusion. So this is not something to be taken lightly. However, his investigation showed him:

  1. The SCOM 2016 Agent in general being the culprit;
  2. The APM component specifically being the real cause of crashing legacy IIS Application Pools;
  3. Installing the SCOM 2016 Agent with the NOAPM = 1 switch works around this issue.

APM stands for Application Performance Monitoring, enabling organizations to deeply monitor .NET based applications, from server to client and back. Later on Microsoft also enabled APM to monitor J2EE based applications.

The APM component is part of the SCOM Agent and is installed by default when a SCOM Agent is installed. By default the APM service is switched off. But now with the SCOM 2016 Agent, the APM component is buggy and causes legacy IIS Application Pools to crash EVEN WHEN THE APM COMPONENT IS SWITCHED OFF (by default)…

In Kevin’s same posting he also tells you how to remove APM from SCOM 2016 Agents. So his posting is a MUST read.

At this moment Microsoft is aware of this bug and working hard on a fix. For now there is no known time frame when the fix will be ready and released.

Monday, March 6, 2017

!!!Security Issue!!! SHA-1 Algorithm Is Unsecure. OM12 R2 UR#12 / OM16 UR#2 Fixes It

SHA-1 is an outdated cryptographic hash function. Last week Google hammered another nail in its coffin. So SHA-1 is really dead now, no mistake about that.

Thing is that SCOM uses SHA-1 itself for monitoring UX based workloads!

SHA-2 to the rescue?
Gladly, UR#12 for SCOM 2012 R2 and UR#2 for SCOM 2016 fix this issue by replacing SHA-1 with SHA256, a member of the SHA-2 family.

What to do?
Simple! Whenever running SCOM 2012 R2 and/or SCOM 2016 AND monitoring UX based workloads, roll out the respective UR and follow this article on the SCOM Team Blog about how to replace the SHA-1 certificates with the SHA256 certificates.

Do I need to?
Well, it depends. When you like flipping burgers as a next career move, then don’t. When you like your current career, then do it ASAP…