Before you ever considered a career in network administration, there was someone who helped keep you organized—your mother. Good old mom helped you keep your room clean, your teeth brushed, your belly full, and your homework away from the dog. Now that you’re all grown up, you’re in charge of the cooking and cleaning, as well as enterprise management projects that make you long for the days of Intro to Calculus. If only there were someone as helpful and efficient as mom to help you with your network chores.

Fortunately, there is—MOM. MOM is Microsoft Operations Manager, a set of Microsoft tools that provide enterprise-wide monitoring and management of users, servers, applications, and workstations. In this Daily Drill Down, I’ll take you home to meet MOM.

Hi, MOM!
As the number of systems and users grows in an organization, management overhead seems to grow exponentially along with it. You have to keep track of users, manage servers, monitor performance, and stay on top of all the other tasks that keep your IT infrastructure running smoothly (or sometimes, just running). It can be overwhelming or impossible to do everything well without a good set of management tools. Operations management tools enable you to collect events and other information to keep tabs on performance and availability of systems and applications across the enterprise.

For example, if one of your SQL servers is having a problem, a good operations management package can alert you to that fact and direct the warning to the appropriate person or group to handle it. But a full-featured operations management tool does a lot more than just warn you when events occur.

Event collection and notification are key components of operations management, but it’s also important for an operations management system to monitor system performance and security, and to provide reporting and analysis of all the data that will rapidly begin to pile up in your management database.

Many organizations have turned to solutions such as CA Unicenter, HP OpenView, and the many applications from NetIQ that provide monitoring, reporting, and other administrative functions for enterprise-wide management. If you have used NetIQ’s Operations Manager, MOM should be very familiar. When developing MOM, Microsoft licensed Operations Manager from NetIQ and tailored it to Microsoft’s operating systems and server applications. Microsoft chose NetIQ based on experience—Microsoft has been using NetIQ Operations Manager to manage its internal network for several years.

MOM provides several features to help you monitor and manage systems across the enterprise. First and perhaps foremost, it tracks a system’s operational state by monitoring the events generated on the system and recording those events to a centralized database. It collects application, security, and system log events from the monitored system’s event logs, and it can also collect events from server applications and services. The logs MOM can read are the Application, System, Security, DNS Server, File Replication, and Directory Service logs.

MOM also can collect data from specific application log events, such as Internet Information Services, Internet Locator Service, SQL Server, and generic text-based logs. It can collect data from UNIX syslog files, turn that data into events for monitoring and processing, and place those events into the database along with the events generated by Windows-based systems and applications.

MOM provides other mechanisms for generating events. You can configure rules to create missing events, which are events that you expect to take place at a specific, scheduled time but do not. You can also have MOM create timed events, which are events that it creates itself at specified times. For example, you might want MOM to generate an event at 1:00 A.M. every day to trigger a particular script or other action related to backup, monitoring, and so on.

In addition to collecting and monitoring events generated by Windows-based servers and the other methods I’ve described, MOM receives SNMP traps from any SNMP-capable device. You might use SNMP to obtain data from servers or workstations, but you can also accept data from routers, managed switches, or other devices that support SNMP. This opens the door for MOM to collect data from essentially any computer regardless of its operating system, as long as the computer supports SNMP and is configured to send traps to MOM.

In addition to collecting data from events and SNMP traps, MOM can collect performance data to help you monitor and manage availability and other performance-related issues. MOM collects data from Windows 2000 (or later) performance counters and through Windows Management Instrumentation (WMI). For example, you might monitor disk space on a SQL server or file server, configuring MOM to generate an alert when the capacity drops below a specified point.

Event and data processing
Gathering all this information from the enterprise would be pointless if you couldn’t do something useful with it. MOM lets you do just that. I’ll go into more depth on MOM’s architecture and components in an upcoming article. For now, I’ll offer an overview of how the components process data and pass it up the food chain for processing.

Agents collect the data at the node level and pass that information to consolidators, which further process the information. At both levels, rules determine the action taken for a given event. The consolidators also act as agents for the computers on which they are installed. At both levels, the event might result in a script or batch file being executed or SNMP trap being generated. A consolidator might also generate a notification by e-mail or pager and/or forward an alert up the chain for further processing.

At the next level are Data Access Servers (DAS), which serve as intermediaries between consolidators and the central server, where the database resides. DAS control the data going to and coming from the database: they control access, perform queries, cache data, and manage pooled database connections. DAS also service communications going to the consolidators, such as updated processing rules that need to be distributed to agents.

The central server hosts the SQL database and consoles that you use to manage MOM. The product includes an MMC console and a Web console that runs under IIS and provides Web-based access to the database. The administrator console provides full configuration and monitoring, while the Web console provides only monitoring—it doesn’t give you the ability to configure MOM or define rules.

Without a means to filter and preprocess the data coming from your managed systems, you and the database would quickly be overwhelmed with information. MOM uses event-processing rules to process incoming data at multiple levels. For example, the agents process events using rules, as do consolidators. Event-processing rules that MOM uses include:

  • Alert-processing rules: Alert-processing rules let you determine how alerts are handled. You might need to take a specific action when an alert occurs for a specific event. Alert-processing rules let you control who receives alerts. You can direct an alert or notification to a particular individual or group for specific events.
  • Collection rules: Collection rules determine what data is collected from a given source. They don’t generate their own alerts or provide any kind of response action.
  • Missing event rules: Missing event rules determine how and when MOM generates alerts or performs actions when a scheduled/expected event is missed.
  • Consolidation rules: Consolidation rules enable an agent to consolidate multiple similar events into a single summary event.
  • Event rules: Event rules are tied to a specific event and determine the action (alert or task response) MOM should take when the event occurs.
  • Filtering rules: Filtering rules enable you to specify which events are stored and which are ignored—some events are trivial and have no impact on performance or management and should therefore be excluded from the database or further actions.
  • Performance-processing rules: To support performance monitoring, MOM provides performance-processing rules. Measuring rules determine how MOM retrieves performance data through WMI. The results are stored in the database for viewing, and you can specify that a measuring rule generate a response action.
  • Threshold rules: Threshold rules let MOM generate an alert when a WMI-collected counter value passes a threshold that you’ve set for the value in the rule. The threshold rule can generate a response action, but the threshold data—unlike the counter data—is not stored in the database.
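
To make the semantics of three of these rule types concrete, here is an added Python sketch (not MOM's rule format or API, and not code from the product) that applies a filtering rule, a consolidation rule, and a missing-event rule to a handful of events. The event tuples, computer names, event IDs, time window, and grace period are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real MOM output: (time, computer, source, event_id)
EVENTS = [
    (datetime(2002, 5, 1, 0, 58), "SQL01", "Print", 10),
    (datetime(2002, 5, 1, 1, 2), "SQL01", "Backup", 8001),
    (datetime(2002, 5, 1, 1, 5), "WEB01", "Security", 529),
    (datetime(2002, 5, 1, 1, 5), "WEB01", "Security", 529),
    (datetime(2002, 5, 1, 1, 6), "WEB01", "Security", 529),
    (datetime(2002, 5, 2, 1, 7), "WEB01", "Security", 529),
]
IGNORED = {("Print", 10)}  # hypothetical filter list of trivial (source, id) pairs


def apply_filter(events):
    """Filtering rule: drop trivial events before they are stored or acted on."""
    return [e for e in events if (e[2], e[3]) not in IGNORED]


def consolidate(events, window=timedelta(minutes=5)):
    """Consolidation rule: fold repeats of one event on one computer that arrive
    within `window` of the first into (first_seen, computer, source, id, count)."""
    summaries, open_idx = [], {}
    for ts, computer, source, eid in sorted(events):
        key = (computer, source, eid)
        i = open_idx.get(key)
        if i is not None and ts - summaries[i][0] <= window:
            summaries[i][4] += 1
        else:
            open_idx[key] = len(summaries)
            summaries.append([ts, computer, source, eid, 1])
    return [tuple(s) for s in summaries]


def missing_events(events, match, first_due, days, grace=timedelta(minutes=15)):
    """Missing-event rule: return each daily due time for which no event
    matching (computer, source, id) arrived within the grace period."""
    missed = []
    for day in range(days):
        due = first_due + timedelta(days=day)
        if not any(e[1:] == match and due <= e[0] <= due + grace for e in events):
            missed.append(due)
    return missed


if __name__ == "__main__":
    stored = apply_filter(EVENTS)
    for summary in consolidate(stored):
        print("summary:", summary)
    backup = ("SQL01", "Backup", 8001)
    for due in missing_events(stored, backup, datetime(2002, 5, 1, 1, 0), days=2):
        print("ALERT: expected backup event missing at", due)
```

In this constructed data the three logon failures on WEB01 collapse into one summary with a count of 3, and the absence of a backup event on the second night is reported even though nothing was logged, which is the case ordinary event rules cannot catch.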

There are lots of ways to control collection, event generation, and other aspects of the collection and response features in MOM, which I’ll cover in another article. At this point, understand that you have considerable control over the types of events that are generated, how those events are processed, and the action taken when a given event occurs, including who gets notified and how alerts are generated and forwarded.

Configuration and reporting
I’ve explored the data collection and processing side of MOM; now let’s look at the management side. As I’ve already mentioned, you have a couple of options to configure how MOM functions and to gain access to the data it collects and processes. The MMC-based administrator console is a set of MMC snap-ins that let you configure collection and reporting as well as perform monitoring.

The Monitor snap-in is the tool you use to keep tabs on what’s going on in your enterprise. The Monitor provides several predefined views that let you view computers, agents, groups, alerts, events, and so on. There are several default views, and you can customize views as needed to control the information you see. You can save views for either public or private use. Views saved for private use can be used only by the person who configured them. However, you can easily publish a private view to a public folder to allow others to use it. These views can be used both in the administrator console and in the Web console.

The Rules snap-in lets you configure and distribute rules. You can view existing computer groups and create new ones through the snap-in based on a variety of criteria. The snap-in also provides several windows for managing and creating event processing rules, alert processing rules, and performance processing rules. You use the Rules snap-in to manage notification groups, which MOM uses to generate notifications. You can also manage scripts for use by rules, view and create computer attributes, and create and manage data sources.

Finally, the Configuration snap-in is the place to go to configure overall MOM properties such as e-mail server, location of the Web console, auditing, and a wide array of other properties and features. You can configure and manage consolidators and agents through the Configuration snap-in.

When it’s time to create reports, you’ll find a wealth of predefined reports for a broad range of services and applications. Some reports are purely textual and others include graphs; you can specify the type of graph that a particular report should use. Out of the box, MOM provides multiple reports for Active Directory, Exchange Server, IIS, MOM, Remote Access Services, SQL Server, Windows NT and Windows 2000, and Terminal Server. You can also create custom reports as needed.

MOM gives you several options for publishing reports to make them available to others. You can view reports with the administrator or Web consoles, or publish the reports to HTML for viewing from any browser. Naturally, you can also print reports when needed.

One particularly powerful feature that can simplify management and reduce the time needed to respond to particular events is the fact that MOM includes some additional data along with the alerts. When you view an alert, it includes not only information about the source of the alert, but also a Knowledge Base tab that provides links to Knowledge Base (KB) articles on Microsoft’s Web site. These articles relate directly to specific events and alerts. You can click a link to go directly to an article to research the possible cause and potential resolution to the problem.

Perhaps even better, you can customize the information associated with specific events and alerts. For example, you might include the name and e-mail address of a person or group who has the most experience with a particular issue so that when the issue comes up, it’s easy to identify the right person to implement the fix. You might also (or instead) enter the information necessary to address the issue in your organization based on past history and experience. This is particularly handy for addressing recurring issues that have solutions that are somewhat different from the solutions suggested by Microsoft’s KB articles. This ability to build a custom solution can be a very effective means to minimize downtime and improve your ability to respond to issues when they arise.

MOM Management Pack Modules
Much of MOM’s functionality is built into the core product. Microsoft has opted to provide support for specific applications through Management Pack Modules. These modules provide the object groups, filters, alerts, other rules, and KB data needed to provide an out-of-the-box solution for specific applications. The core product serves the following systems and services:

  • Active Directory
  • Default Event Collection for Microsoft Windows NT and Windows 2000
  • Distributed Transaction Coordinator (MS DTC)
  • Domain Name System (DNS)
  • Dynamic Host Configuration Protocol (DHCP)
  • Internet Information Services (IIS)
  • Message Queue Services (MSMQ)
  • Microsoft Operations Manager (MOM)
  • Routing and Remote Access Service (RRAS)
  • Systems Management Server (SMS)
  • Windows 2000 Server Terminal Services
  • Windows Internet Naming Service (WINS)
  • Windows 2000, XP, and .NET Operating Systems

The Application Management pack, available separately, includes modules for the following applications:

  • Application Center 2000
  • Commerce Server 2000
  • Exchange 5.5 and 2000
  • Host Integration Server 2000
  • Internet Security and Acceleration Server 2000
  • Proxy Server 2.0
  • Site Server 3.0
  • SNA Server 4.0
  • SQL Server 7.0 and 2000

In effect, these application modules give you the means to quickly and easily add support for specific services and applications without requiring that you do a lot of development from the ground up. Because the modules add all the necessary components, filters, reports, and so on, you can add an application module and begin integrating that application into MOM right away. The filters and reports are all ready to go right out of the box.

What about SMS?
After reading about some of the features included in MOM, you may think that it sounds a lot like Microsoft Systems Management Server (SMS). However, SMS and MOM do not overlap that much. Although the products have some similarities in the way they are structured and deployed, the products’ functions are quite different. The primary function of SMS is to provide the means to manage systems: tracking inventory, installing the OS and applications, and managing systems remotely.

MOM, on the other hand, is geared toward system performance and availability tracking. In general, due to the few areas of overlap, the two products would be best used in concert. SMS would allow you to deploy systems and applications, while MOM would enable you to monitor those systems and react to a broad range of potential problems and events that SMS simply isn’t geared to track.

Your MOM is calling you
If you’re trying to get a handle on system management in your enterprise, consider deploying MOM not only to give you real-time notification when problems occur, but also to give you a heads-up on events that could lead to future problems, such as dwindling disk capacity on your servers. The solution-based information integrated into MOM will help you quickly identify the steps you need to address an event, and the scripting and other response actions provided by MOM will help you address at least some of those issues without intervention. In either case, system and network management will be a lot easier, and you’ll be a much happier camper.