Windows Server 2008 R2 Unleashed (166 page)

Integrating System Center Operations Manager 2007 R2 with Windows Server 2008 R2

1. Launch the Operations Manager 2007 R2 console.

2. Select the Reporting space.

3. Select the Microsoft Generic Report Library node.

4. Right-click the Alert Logging Latency report and select Open.

5. In the From field, select Advanced.

6. Change the Offset to minus and the number of days to 7. Click the green check mark (OK) to save the selections. The From field will show “Today -7 day(s)”.

7. Change both the From and the To times to 12:00 AM.

8. Click the Add Group button.

9. In the Group Name field, enter agent and click the Search button.

10. Select the Agent Managed Computer Group, the Agentless Managed Computer Group, and the Microsoft.SystemCenter.AgentWatchersGroup and click the Add button.

11. Click OK to save the selections.

12. Click Run and confirm that the report looks good.

13. Select File, Schedule.

14. In the Description, enter Alert Logging Latency Report.

15. In the Delivery Method field, select Email.

16. In the To field, enter the SMTP address of the recipient.

17. In the Subject field, replace @ReportName with Alert Logging Latency Report.

18. Click Next.

19. Change the schedule to Weekly and ensure that only Mon is checked.

20. Change the time to be the time that the report should be generated on a daily basis, for example 6:00 a.m. Click Next.

21. Because the report was generated and all the parameters were selected initially, no parameters need to be changed. This method ensures that the email report will match expectations.

22. Click Finish to save the scheduled report.

The Alert Logging Latency report will now generate on a weekly basis and be emailed to the recipients. The report has two pages with lots of statistical analysis of the alert latency. It is one of the more complicated reports in the OpsMgr library of reports.

Finally, the SQL Database Space report is based on the databases. This report does not have any objects selected by default, so the Operations Manager database objects will need to be selected. To schedule the SQL Database Space report, run the following steps:

1. Launch the Operations Manager 2007 R2 console.

2. Select the Reporting space.

3. Select the SQL Server 2008 (Monitoring) node.

4. Right-click the SQL Database Space report and select Open.

5. In the From field, select Advanced.

6. Change the Offset to minus and the number of days to 7. Click the green check mark (OK) to save the selections. The From field will show “Today -7 day(s)”.

7. Change both the From and the To times to 12:00 AM.

8. Click the Add Object button.

NOTE

When the Add Object window appears, note that there is a caution triangle with the text “Filter Options Have Been Applied.” The objects returned will only be those that match the report criteria, in this case SQL database objects. This is new to Operations Manager 2007 R2. Before this, all object classes would be returned and it was difficult to ensure that the correct objects were included in the report. Many times, reports would be returned without any data at all due to the incorrect objects being selected. This is a huge improvement in OpsMgr 2007 R2.

9. In the Object Name field, enter Operations and click the Search button.

10. Select all the OperationsManager databases and click the Add button.

11. Click OK to save the selections.

12. Click Run and confirm that the report looks good.

13. Select File, Schedule.

14. In the Description, enter Operations Manager Database Space Report.

15. In the Delivery Method field, select Email.

16. In the To field, enter the SMTP address of the recipient.

17. In the Subject field, replace @ReportName with Operations Manager Database Space Report.

18. Click Next.

19. Change the schedule to Weekly and ensure that only Mon is checked.

20. Change the time to be the time that the report should be generated on a daily basis, for example 6:00 a.m. Click Next.

21. Because the report was generated and all the parameters were selected initially, no parameters need to be changed. This method ensures that the email report will match expectations.

22. Click Finish to save the scheduled report.

The SQL Database Space report will be delivered every week on Monday at 6:00 a.m.

These three reports help ensure that the Operations Manager 2007 R2 infrastructure is healthy and performing well.
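
To cross-check the figures in the scheduled SQL Database Space report directly against the database, a query like the following can be run in SQL Server Management Studio. This is an added example, not from the book; it assumes the default database name OperationsManager and uses an illustrative 40 percent free-space threshold.

```sql
-- Added example: per-file space usage for the OpsMgr operational database.
-- Assumptions: the database keeps its default name (OperationsManager) and
-- 40 percent free space is the alerting threshold (illustrative value only).
USE OperationsManager;

DECLARE @MinFreePct decimal(5,2) = 40.0;

WITH files AS (
    SELECT
        name,
        type_desc,
        size / 128.0                            AS allocated_mb,  -- size is in 8 KB pages
        FILEPROPERTY(name, 'SpaceUsed') / 128.0 AS used_mb,       -- used pages in this file
        growth,
        is_percent_growth
    FROM sys.database_files
)
SELECT
    name                                         AS logical_file,
    type_desc                                    AS file_type,
    CAST(allocated_mb AS decimal(12,1))          AS allocated_mb,
    CAST(used_mb AS decimal(12,1))               AS used_mb,
    CAST(100.0 * (allocated_mb - used_mb)
         / NULLIF(allocated_mb, 0) AS decimal(5,1)) AS free_pct,
    CASE
        WHEN growth = 0            THEN 'fixed size'
        WHEN is_percent_growth = 1 THEN CAST(growth AS varchar(10)) + ' %'
        ELSE CAST(growth / 128 AS varchar(10)) + ' MB'
    END                                          AS autogrow,
    CASE
        WHEN 100.0 * (allocated_mb - used_mb)
             / NULLIF(allocated_mb, 0) < @MinFreePct
        THEN 'LOW FREE SPACE'
        ELSE 'ok'
    END                                          AS status
FROM files
ORDER BY file_type, logical_file;
```

Repeat the query with a different USE statement for each Operations Manager database that was added to the report.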

Summary

System Center Operations Manager 2007 is key to managing Windows Server 2008 R2. It can also be used in Windows 2003/2008 or mixed environments to provide for automated monitoring of all vital operating system, application, and network functionality. This type of functionality is instrumental in reducing downtime and getting the most out of a Windows Server 2008 R2 investment. In a nutshell, OpsMgr is an effective way to gain proactive, rather than reactive, control over the entire environment.

Best Practices

The following are best practices from this chapter:

• Deploy System Center Operations Manager 2007 R2 for monitoring Windows Server 2008 R2.

• Install the Windows Operating System, Active Directory, DNS, IIS, and Windows Server 2008 R2 management packs into OpsMgr to monitor network systems and applications that Windows Server 2008 R2 depends on.

• Deploy Operations Manager components on Windows 64-bit and SQL 64-bit for optimal performance.

• Create override management packs for each application management pack, such as the Windows Server 2008 R2 management pack. Don’t use the Default Management Pack.

• Take future expansion and relevance of hardware into account when sizing servers for OpsMgr deployment.

• Keep the installation of OpsMgr on a separate server or set of separate dedicated member servers that do not run any other separate applications.

• Use SQL Server Reporting Services to produce custom reports using OpsMgr’s reporting feature.

• Start with a single management group and add on additional management groups only if they are absolutely necessary.

• Use a dedicated service account for OpsMgr.

• Allocate adequate space for the databases depending on the length of time needed to store events and the number of managed systems.

• Monitor the size of the OpsMgr database to ensure that it does not increase beyond the bounds of acceptable size.

• Leverage the reporting database to store and report on data over a long period.

• Modify the grooming interval to aggressively address environmental requirements.

• When tuning, err on the side of fewer alerts. If nothing will be done about an alert, make sure it doesn’t send a notification email.

• When tuning, use the Most Common Alerts report to see which alerts are the most valuable targets for tuning.

• Configure OpsMgr to monitor itself.

CHAPTER 24

Server-to-Client Remote Access and DirectAccess

IN THIS CHAPTER

• VPN in Windows Server 2008 R2

• Authentication Options to an RRAS System

• VPN Protocols

• DirectAccess in Windows Server 2008 R2

• Choosing Between Traditional VPN Technologies and DirectAccess

• Traditional VPN Scenario

• DirectAccess Scenario

• Connection Manager

As the Internet grows year after year, so does the need to work productively away from the office. Companies are always looking for alternative cost-effective methods of connecting their remote and mobile users without sacrificing performance or security. Although Windows Server 2008 offered Routing and Remote Access Service (RRAS) in the form of virtual private network (VPN) or dial-up services, Windows Server 2008 R2 adds DirectAccess as an alternative method of remote connectivity.

As the Internet has evolved and become ubiquitous, the vast majority of users have high-speed Internet connections at home, while on the road at hotels, and even while sipping a latte in a coffee shop. The Internet to which they are connecting is full of hackers, worms, and viruses, from which the connections need to be protected. These users use remote access in the form of tunnels (shown in Figure 24.1) that connect from their workstation in the coffee shop through the dangerous Internet to the corporate resources. This chapter discusses the traditional VPN components of server-to-client remote and mobile access. This chapter also discusses the new DirectAccess, which makes this process even simpler for the remote worker, allowing application-level access without requiring a traditional VPN.

A huge problem is ensuring that the resources that are connecting to the internal network are healthy and will not infect internal resources. When the remote and mobile clients are connected to the internal network, they have direct network connectivity to internal resources, such as the database server, file servers, and directory server. This can present a huge risk if not managed and mitigated properly. Windows Server 2003 offered some features, but they were difficult to use. Windows Server 2008 provided a vastly improved access control mechanism for validating and controlling access to sensitive network resources via the Network Policy Server (NPS). Network Policy Server introduced key features to detect unhealthy systems, control what internal resources they can access, and even remediate the problems on the remote clients. Windows Server 2008 R2 extends NPS functionality with templates for NPS configuration, SQL logging for RADIUS, and support for non-English languages.

FIGURE 24.1 Connecting securely over the Internet. (Diagram: a mobile user reaches the corporate network's web, mail, and database servers through a protected tunnel across the dangerous Internet, past hackers, viruses, and worms.)

DirectAccess, a new feature introduced in Windows Server 2008 R2, seamlessly connects users to the corporate network anywhere they have Internet access. DirectAccess loads as the system boots, extending access into the “office.” Remote systems are treated just as if they are on the local network and can be managed in a similar manner with the added quarantine and remediation functionality of the NPS system.

This chapter focuses on client-to-server connectivity in Windows Server 2008 R2, rather than server-to-server security or site-to-site connectivity. Please refer to Chapter 14, “Transport-Level Security,” for a detailed discussion on the server-to-server and site-to-site connectivity features of Windows Server 2008 R2.

VPN in Windows Server 2008 R2

A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. A VPN allows data to be sent between two computers across the Internet in a manner that emulates a point-to-point private link. With a virtual private network, illustrated in Figure 24.2, a private link is created between the client and the VPN server by encrypting the data for confidentiality; data packets that are intercepted while traveling through the Internet are unreadable without the proper encryption keys.

VPN technology provides corporations with a scalable and low-cost solution for remote access to corporate resources, such as database, file, and directory servers. VPN connections allow remote users to securely connect to their corporate networks across the Internet. Remote users would access resources as if they were physically connected to the corporate local area network (LAN).

FIGURE 24.2 Virtual private networking across the Internet. (Diagram: a telecommuter and a mobile worker connect across the Internet to a VPN server in front of the internal network's database, file, and directory servers.)

NOTE

Later in the chapter, a new technology introduced with Windows Server 2008 R2 called DirectAccess is discussed. Microsoft has positioned DirectAccess as being different from a traditional VPN. This positioning is based mainly on the automated nature of DirectAccess, rather than on technical or architectural differences. DirectAccess is technically a VPN, but we’ll focus on key differences from traditional VPNs later in this chapter.
