
Archive for June, 2005

MOM Training and Event Resources

June 30, 2005 2 comments
New to MOM?  Familiar with MOM, but want to learn more?  Need to pitch MOM to management?
 
Microsoft has two good sites for people to get familiar with MOM 2005 and learn more about the product.
 
If you are interested in Training and Events, then you want to click HERE.
 
If you are interested in Webcasts for MOM and other Microsoft management tools, then click HERE.
Categories: MOM

SpamPal for Windows: POP3 and IMAP4 free spam filter application

June 28, 2005 Leave a comment

Spam is annoying.  We all get it, and we all hate it.  I really don’t need an email from a stranger asking if I want to enlarge any part of my body.  Nor do I want my wife to come into my office and see a piece of spam mail asking if I am interested in meeting other women.  So how do I prevent this spam from reaching my inbox?  I use SpamPal for Windows.  A friend recommended this free application years ago and I have been using it ever since.

Setting up this application is a little cumbersome, but if you follow the directions carefully you will have it up and running in no time.  It has white lists, so you can prevent the mass mailings you subscribe to from being blocked.  It will mark suspect mail with a tag of your choosing.  It updates its white and black lists often.  I believe it does send statistics from your pc to their web site about how much spam your client blocked.  If you are concerned about this, then you may not want to install the application.

When new updates for the application come out it notifies you.  You can go directly to the site to get the updates, or discard them.  Like I said before, I have had this application for several years now.  I still use it even though I have Outlook 2003.  SpamPal catches all my spam, but it does catch mass mailing subscriptions I have as well.  I could add them to the white list, but I find that they often change, so you will have to constantly add new mailing hosts to the white list.  It gets to be a bit high maintenance, so I just sort through all the good mail that was marked as spam and move it back to my inbox.

Overall, this seems to be the best POP3/IMAP4 spam filter I have ever used.  I highly recommend you check it out if you are sick and tired of spammers!!

MOM 2005: Report documentation issues, MOM issues, and MOM suggestions

June 27, 2005 Leave a comment

Have you found any issues with the MOM documentation?  Have you found any bugs?  Do you have any suggestions?  If you said yes to any of these questions, then let Microsoft know:

To report issues with MOM documentation: momdocs@microsoft.com

To report bugs or make suggestions about MOM:

http://lab.msdn.microsoft.com/productfeedback/default.aspx

Keep an eye on the MOM Team’s Blog as well:

http://blogs.technet.com/momteam/default.aspx

Categories: MOM

Microsoft Operations Manager 2005 Reporting: Installing with a remote instance of IIS and no IIS installed on the SQL Reporting Server

June 25, 2005 Leave a comment

After MMS 2004 Microsoft released MOM 2005 (previously known as MOM 2004).  A short time prior to MMS 2004 I had a beta copy of MOM and had installed it to see what was new.  At that time I did not install reporting, because I wasn’t very concerned about that portion of MOM.  Several months after MMS, I really had to dive into MOM 2005 because we were making plans to move to it from MOM 2000 SP1.  In my virtual labs I could set up every aspect of MOM 2005.  In our test labs, I always had issues with SQL reporting services.  Why?  Because I didn’t understand it.  I was a bit upset that Microsoft did not include some basic documentation on setting up SQL Reporting Services with all their MOM documentation.  Microsoft simply asks you to refer to the SQL Reporting Services documentation, and now I finally know why…It’s not very hard!  It’s sad that this was a major roadblock for me, but sometimes the easiest solution is the hardest one to find.

Often I see people asking about MOM Reporting on the forums and newsgroups.  I asked the same questions, and got assistance, but never the right answer (maybe it was the right answer, but I just didn’t get it!).  So now I would like to share with you my guide to setting up SQL Reporting Services and MOM 2005 Reporting.  Keep in mind that I follow some security guidelines, but this is by far not the most secure deployment.  These steps are tailored for my environment, so they may not work in yours.  I recommend setting this up in a virtual lab first just to show that MOM Reporting is not difficult to install.  After you see that it works, then you can work on securing it.  I highly suggest you read the MOM 2005 Security Guide and the SQL 2000 Management Pack Guide for MOM 2005.  For more information on how to set up SQL monitoring with a low privileged account, see my blog titled “Monitor and Secure SQL Server with MOM 2005”.

====================

Background/Assumptions:

All of my MOM servers use one service account and that account is a local admin on all of them (Management Servers and Database Servers).  This one service account has these roles:

MOM DAS
MOM Server Action Account
MOM DTS
MOM Reporting Server Service Account
MOM Reporting Server SQL Access Account
MOM SQL Server Action Account (Our DBAs strip BUILTIN\ADMINISTRATORS from SQL Security after we install all of the MOM Servers and apply the correct security settings.  If you don’t do this, then this install should really be simple, but you have a potential security threat.)

MOM SQL Reporting Server does not have any IIS components installed.

MOM Management server has IIS components and ASP.Net installed, or there is a dedicated IIS server.

All MOM server roles (besides the MOM Management server with IIS) are separated: Dedicated Management Server, Dedicated SQL Server(s).

====================

When I install MOM 2005 I log on with this account and perform the install.  So all default ACL settings are assigned to this one account (saves me from having to maybe change a few and less troubleshooting if there are any issues).  I do NOT use this account to push and install agents.  I have a separate account for that.  I also run all my agents as local system, unless they require a low privileged action account (requires Windows 2003 to do this).  So now that you know all of this, let’s proceed to the task of installing SQL Reporting Services.

If your MOM SQL Reporting Server is running Enterprise SQL, then use the Enterprise edition of SQL Reporting Services (Same for Standard editions, etc.).  You want to keep these at the same edition level.

I don’t have IIS installed on my SQL Reporting Server for security reasons.  So we put IIS on one of the Management Servers in order to host our reporting interface.  This is where you will begin:

  • Logon to the Management Server that has IIS and ASP.Net installed (Doesn’t have to be your management server.  It can be a stand alone IIS server).
  • Begin the setup for SQL Reporting Services.
  • Verify prereqs are good (minus Visual Studio .Net).
  • Follow all the screens until you are asked about the SQL Reporting Services account.  Change that to the domain account you use for your MOM DAS account and ensure the box is checked for ‘Auto-start the service’ (if you use network services, then I can’t help you.  I was unable to get this to work, but it should be possible).
  • I keep the virtual directories with their default names and unselect ‘Use SSL..’
  • When you see the option to select the Reporting Server SQL Database Instance enter the name of the SQL Server and Instance.  On this same screen select Domain User Account for ‘Credentials Type’ and then put in your DAS account information.
  • Complete the rest of the install.

You should see the page for successful install.  If you see a warning about failed to initialize, then you will have to troubleshoot that.  I was getting that a lot, and it was primarily related to policies on the server that didn’t let IIS or ASP.Net work correctly.

Now that SQL Reporting Services is installed you have to go to your SQL Server and install MOM Reporting.  If your environment does not allow IIS to be installed, like mine, then you will have to do a silent install of MOM Reporting.  Here are the steps to do that:

  • Log on to the SQL box with that same MOM service account (keep in mind this account has all the roles listed in the beginning of this article).
  • Copy the MOMReporting.msi file from the MOM 2005 install CD/Share to this SQL Server.
  • Open a command window and change directories to the location of MOMReporting.msi.
  • Execute the silent install which would look something like this:
    • msiexec /i momreporting.msi DB_SIZE="<Size you want>" SQLSVR_INSTANCE="<Reporting SQL Server>" TASK_USER_ACCOUNT="<DAS Account if you follow my model>" TASK_USER_PASSWORD="<DAS Account PW>" TASK_USER_DOMAIN="<Domain Account is in>" REPORTING_USER_ACCOUNT="<DAS Account if you follow my model>" REPORTING_USER_PASSWORD="<DAS Account PW>" REPORTING_USER_DOMAIN="<Domain Account is in>" MOM_DB_SERVER="<MOM SQL Server hosting OnePoint>" ROSETTA_SERVER="<Server you have SQL Reporting Svcs on>" PREREQ_COMPLETED=1 /q /l*v <Path and name of msiexec log file>
      • Keep in mind, this is what I did for my deployment and it may not follow all best practices for security.  Nonetheless, if you want to ensure that MOM reporting works, then follow this guide and you should have no problems installing MOM Reporting.
      • Also the above silent install is one line, so type it all out in notepad in a single line, then copy and paste it into the command window to execute.  Double check what you typed.  The silent install options for MOM components can be found HERE.
      • When you specify the size of your Reporting Server database you should make it the same size or larger than your current OnePoint database.
  • Wait patiently and monitor the event log.  Eventually you should see an informational event in the application log with the source of MsiInstaller indicating it was successful (event id is 11707).
  • The only bad part about this install seems to be that you cannot tell msiexec where to put the database files and log files.  There may be an option for this, but I don’t know of it.  It may just come from your SQL settings.  I don’t know.  You may be able to move the log file to a different drive after you create the database (or create a new one for the database to use).
  • Now you need to add users or global groups to the local group on the SQL Reporting Server called SC DW Reader.  This must be done so the users can access the reports.  Microsoft recommends creating global groups with similar names of all the local groups MOM creates for easier management.  You can read more about that in the MOM whitepapers.
  • After you have done all of this, verify that the scheduled task for DTS has been created and is set with the DAS account credentials (Run as on the task should be the DAS account – If you follow my model).
  • Execute the DTS job, and verify it works by looking at the application log.
  • Go to the server with SQL Reporting Services and bring up the Report Manager web site.  You may be prompted for credentials, so enter the DAS account information: DOMAIN\DASACCOUNT and password.
  • On the first page, click on the Properties tab.
  • Click on New Role Assignment.
  • Enter the user name (Domain\Account) or global group in the box "Group or user name" and select the role "Browser" then click apply.
  • You are done!
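
The silent install above passes both account passwords as msiexec properties and writes a verbose log (/l*v), and a verbose Windows Installer log records property values unless the package marks them hidden. As an added example (not from the original post), this Python check looks for the two password properties in such a log and redacts them; the log lines are constructed, and whether MOMReporting.msi hides these properties is not stated on the page.

```python
import re

# Credential-bearing property names taken from the post's msiexec command line.
SECRET_PROPS = ("TASK_USER_PASSWORD", "REPORTING_USER_PASSWORD")

# "Property(S): NAME = value" is how a verbose log dumps the property table.
PROP_LINE = re.compile(r"^(Property\([SC]\): (\w+) = )(.*)$")
# NAME=value or NAME="value" pairs, as they appear where the command line is echoed.
CMD_PAIR = re.compile(r'\b(\w+)=("[^"]*"|\S+)')
MASK = "**********"

# Constructed sample log; account name and password are made up.
SAMPLE_LOG = """\
MSI (c) (5C:60) [10:02:11:001]: Command Line: DB_SIZE=1000 TASK_USER_ACCOUNT=svc-mom TASK_USER_PASSWORD="Constructed-Pw-1" PREREQ_COMPLETED=1
Property(S): TASK_USER_ACCOUNT = svc-mom
Property(S): TASK_USER_PASSWORD = Constructed-Pw-1
Property(S): REPORTING_USER_PASSWORD = **********
"""

def is_masked(value):
    """True when the logged value is empty or only asterisks."""
    v = value.strip('"')
    return v == "" or set(v) == {"*"}

def scan(log_text):
    """Return (line number, property name) for every password logged in clear text."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        m = PROP_LINE.match(line)
        pairs = [(m.group(2), m.group(3))] if m else CMD_PAIR.findall(line)
        for name, value in pairs:
            if name in SECRET_PROPS and not is_masked(value):
                findings.append((no, name))
    return findings

def redact(log_text):
    """Return the log with the secret property values replaced by a mask."""
    def mask_pair(p):
        return f"{p.group(1)}={MASK}" if p.group(1) in SECRET_PROPS else p.group(0)
    out = []
    for line in log_text.splitlines():
        m = PROP_LINE.match(line)
        if m and m.group(2) in SECRET_PROPS:
            line = m.group(1) + MASK
        else:
            line = CMD_PAIR.sub(mask_pair, line)
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    # A real log may need open(path, encoding="utf-16") instead of the sample.
    print(scan(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```
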

Should you have any issues, be patient and you will be able to find the solution.  If you follow this article and something does not work for you, please feel free to contact me or post a comment.  If this article becomes your solution, then I am happy for you and good luck!

 

Regards,

Blake

Categories: MOM

Using regular expressions to prevent a rule from running on an agent or agents

June 24, 2005 Leave a comment

Often I see people asking how to prevent a rule or several rules from running on an agent or agents.  It seems to be a common question.  Rule over-rides do not disable rules from running on agents, but instead let you modify thresholds.

If you want to prevent a rule from running on an agent then you have to go into the criteria tab of the rule, and click on the advanced button.  In the criteria selection you want to create something like this:

Agent does not equal %SERVERNAME%

Simple enough.  How about a group of servers, say with a similar naming convention?  Let’s say all our Exchange Bridgehead servers have BRD in their name.  The criteria may look like this:

Agent does not match regular expression ^.*(BRD).*$

Easy, right?  Now let’s make it so all Public Folder servers are excluded as well:

Agent does not match regular expression ^.*(BRD|PUB).*$

The above example expects that PUB is in the naming convention for your Public Folder servers.
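
Because the pattern matches BRD or PUB anywhere in the agent name, it is worth dry-running it against the agent inventory before saving the rule, so that no unrelated server silently loses monitoring. This is an added example, not from the original post: Python's re module stands in for MOM's regex engine, and the host names, the INTENDED set and the tighter pattern are constructed assumptions.

```python
import re

# Pattern from the post. Python's re stands in for MOM's regex engine (assumption).
BROAD = r"^.*(BRD|PUB).*$"
# Hypothetical tighter pattern for an assumed naming convention SITE-EX(BRD|PUB)nn.
TIGHT = r"^[A-Z]{3}-EX(BRD|PUB)\d{2}$"

# Constructed agent inventory, not taken from the post.
AGENTS = [
    "NYC-EXBRD01",   # bridgehead, meant to be excluded
    "NYC-EXPUB01",   # public folder server, meant to be excluded
    "NYC-EXMBX01",   # mailbox server, rule must keep running
    "NYC-PUBWEB01",  # public web server, unrelated to Exchange
    "NYC-DC01",      # domain controller
]
INTENDED = {"NYC-EXBRD01", "NYC-EXPUB01"}

def dry_run(pattern, agents):
    """Apply 'Agent does not match regular expression <pattern>'.

    Returns (running, excluded): agents the rule still runs on, and agents it skips.
    """
    rx = re.compile(pattern)
    running = [a for a in agents if not rx.search(a)]
    excluded = [a for a in agents if rx.search(a)]
    return running, excluded

def coverage_gaps(pattern, agents, intended):
    """Agents that lose the rule although nobody meant to exclude them."""
    _, excluded = dry_run(pattern, agents)
    return sorted(set(excluded) - set(intended))

def still_running(pattern, agents, intended):
    """Agents meant to be excluded that the pattern fails to catch."""
    running, _ = dry_run(pattern, agents)
    return sorted(set(running) & set(intended))

if __name__ == "__main__":
    for label, pattern in (("broad", BROAD), ("tight", TIGHT)):
        print(label, "excluded by mistake:", coverage_gaps(pattern, AGENTS, INTENDED))
        print(label, "intended but still running:", still_running(pattern, AGENTS, INTENDED))
```
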

You can get creative with regular expressions and they are a time saver.  When I create computer groups I use them for domains and computers to add to the group.  John Hann has a nice article on his blog describing regular expressions in more detail.  Check it out:

http://myitforum.techtarget.com/blog/jfhann/archive/2005/03/29/4296.aspx

Categories: MOM

Monitor and Secure SQL Server with MOM 2005

June 23, 2005 Leave a comment

When we started to deploy MOM 2005 we ran into a security issue.  The MOM action account is a local admin on all the MOM servers.  The SQL group does not allow BuiltIn\Administrators SA access to SQL.  Therefore, once they removed that group from SQL MOM started to have issues with scripts and maintenance jobs.  I looked at the whitepaper for MOM 2005 Security and the SQL MP Guide and tried to create an outline for my DBA (and for our own documentation process).  Here is what I ended up with:

This solution is only available if you’re running SQL on Windows 2003.

These instructions are assuming that you are using W2K3 w/ SQL 2000 SP3a. In this scenario the MOM action account is a local admin on the box, but built-in administrators have been removed from SQL server access (these are basically the steps you have to take if you want to monitor SQL with a low level privileged account):

1) Needs to belong to the Users group and Performance Monitor Users group (since it is a local admin you really don’t need to worry about group membership).

2) Should also belong to Performance Log Users, Power Users, and Remote Desktop Users. **This is my requirement, not MSFT**

3) Needs permission to “Manage auditing and security log”.

4) Needs permission to “Allow log on locally”. Since it is a member of Users and Power Users it already has this permission in my lab. In production this may be different.

5) Setup gives the action account additional permissions, these permissions must remain. Act as part of the operating system, log on as a batch job, log on as a service.

6) Added to the registry properties of HKLM\Software\Microsoft\Microsoft SQL Server and provide read access.

7) Added to the sub-keys: Setup, MSSQLServer, MSSQLServer\Parameters, Replication and provide read access.

8) Needs default access to all databases on the SQL server. Should still be listed as DB_Owner for OnePoint. If this is the SQL Reporting Server, it should also be DB_Owner for the ReportServer databases and the SystemCenterReporting database.

9) Given Select permission to the sysjobs table of the msdb database.

10) Given Execute permission to the xp_sqlmaint extended stored procedure in the master database.

11) Given Execute permission to the xp_sqlagent_enum_jobs extended stored procedure in the master database.

12) Given Execute permission to the xp_startmail and xp_stopmail extended stored procedures in the master database.

13) Network Service must have read access to SQLEVN70.rll and SQLAGENT.dll (should have it by default).

After all of this is done and all components of MOM have been installed, then the SQL DBA can remove BUILTIN\Administrators from all of the MOM SQL servers.

If you follow these steps you should be golden. Read the SQL MP guide as it will enumerate what you must do for other SQL scripts to work properly.

Categories: MOM

What is on your Blog?!

June 23, 2005 4 comments

First let me say I apologize for not being able to segment the various blogs from the home page.  I would like it if only the MOM blog was displayed when you arrive at my space, or if you had the option to select a blog for your default view.  This does not seem to be the case (limitation of the software I suppose).  Since this is not the case, I hope the Japanese entries don’t bother you.  I may end up scratching that blog, but I don’t know yet.

It has been a long time since I have used Japanese, so I am forcing myself to relearn all I knew at one time.  It’s not like there are jobs in Japan, or their economy is so strong that getting familiar with Japanese will benefit me in my professional career.  All things Japanese are an interest to me.  The language especially, but I enjoy the culture, history, art, music, etc.

I gained an interest in Japanese while I was stationed overseas at Camp Hansen in Okinawa, and Camp Fuji in mainland Japan (Honshu).  Once I returned from our temporary active duty during the first Gulf War, I started to take Japanese classes in college.  Eventually I got a BA in Japanese with a minor in International Business (yet I work in the IT field!).  My first degree was a BS in Criminal Justice.  So I suppose if things get out of control in Japan, I could always apply for a job as a Japanese police officer and have a side job in some trading company!

Anyway, I just wanted to let you know I am as frustrated as you in regards to the blog layout.  The intention was to keep this pure MOM/IT related, but I have blog fever and can’t seem to stop myself.  Next I’ll probably put up a blog about my Barbie collection!  Just kidding!  I don’t collect Barbie.  Those toys were too expensive.  I had to settle for My Little Pony.

Regards,
Blake

P.S. The primary focus of this space will be in regards to MOM and the world of IT.  The secondary seems to consist of family, friends, Japanese, and other odd things eventually.  If your primary interest is the MOM information then all you need to do is click on the MOM category and bookmark it.  Seems to be a decent work around.

Categories: Questions and Answers