Monday, December 19, 2011

Network Devices Supported for Discovery By Operations Manager 2012

For those of you wondering which network devices SCOM 2012 supports out of the box, and to what extent, Microsoft has published a spreadsheet.

Microsoft System Center Operations Manager 2012 can discover and monitor network routers and switches, including the interfaces and ports on those devices and the virtual LANs (VLANs) they participate in. Operations Manager can tell you whether a network device is online or offline, and can monitor the ports and interfaces on that device.

Operations Manager 2012 can monitor network devices that support SNMP, and can provide port monitoring for devices that implement interface MIB (RFC 2863) and MIB-II (RFC 1213) standards.

You can find the list here: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=26831

Thursday, November 17, 2011

Steps for Deploying SCOM to an Untrusted Domain Using a Gateway

Overview
I recently extended SCOM monitoring to an isolated and untrusted domain for a client. I used a Gateway as a collection point for all of the devices in the untrusted domain, and certificates to provide authentication and ultimately communication between the Gateway Server and the Management Servers in the untrusted and local domains respectively.

I was unable to find a comprehensive guide for performing this task, so I thought I would provide a high-level set of instructions along with a few tricks to assist those who find themselves in the same position.

First, a quick recap of how monitoring is extended to untrusted machines, with or without a Gateway.

SCOM uses Kerberos for mutual authentication between agents, gateways and management servers by default. Kerberos only works where a trust relationship exists, so if you plan to monitor machines in another (untrusted) domain or in a workgroup you need either a trust in place or certificates: a trust for the other domain, certificates where no trust exists (and always for workgroup machines).

The following instructions cover deploying SCOM agents to machines joined to an untrusted domain (domain B). In this scenario the Gateway Server (domain B) authenticates to the Management Servers (domain A) with a certificate; once that trust is established, the domain B machines authenticate to the Gateway Server with Kerberos as normal and funnel all of their monitoring data through it. After following the steps for this scenario you will be able to push agents to the domain B machines from the console, with no certificates on the agents themselves.

If you want to deploy agents to workgroup machines (no Gateway in this scenario), you will need to deploy a certificate to each machine. Once the certificate is in place, install the SCOM agent, then run the MOMCertImport utility to tell the agent which certificate to use. Restart the Health Service (display name "System Center Management") and confirm connectivity in the Operations Manager event log.

Pre-Requisites
  1. DNS is functional so that name resolution works between the Gateway and the Management Servers. If DNS is not an option you can use HOSTS files. I suggest testing name resolution in each direction, by FQDN, since the certificate subject will be the FQDN.
  2. Firewalls: open TCP port 5723 permanently for SCOM communication, and 80/443 temporarily for web enrollment with the CA. I suggest using a telnet client to test port 5723 in each direction once name resolution works and each server has the appropriate SCOM bits installed (from a command prompt: telnet servername 5723). Note that a successful telnet only proves the port is reachable; authentication is verified later in the event log.
  3. I used an Enterprise CA, so the steps were written with that in mind. The steps differ slightly depending on what is used in your environment; use the appropriate link below.
    1. http://technet.microsoft.com/en-us/library/bb735413.aspx - Windows Server 2003 Enterprise CA
    2. http://technet.microsoft.com/en-us/library/dd362553.aspx - Windows Server 2008 Enterprise CA
    3. http://technet.microsoft.com/en-us/library/bb735417.aspx - Windows Server 2003 Stand-Alone CA
    4. http://technet.microsoft.com/en-us/library/dd362655.aspx - Windows Server 2008 Stand-Alone CA
  4. Only if you use an Enterprise CA: create a certificate template and prepare it for use (see the detailed instructions in the appropriate link above, in particular the sections on creating the template and adding it to the Certificate Templates folder so the CA will issue from it). The template must allow both Server Authentication and Client Authentication, since Operations Manager requires both usages on the certificate.
Steps specific to a 2008 Enterprise CA
  1. Run the Gateway Approval Tool
    1. On a Management Server, copy Microsoft.EnterpriseManagement.GatewayApprovalTool.exe from the SCOM installation media (under the SupportTools directory, in the folder for the appropriate platform, e.g. AMD64 or i386) to the SCOM installation directory.
    2. Open a command prompt as a user who is a member of the Operations Manager Administrators role (the tool writes the gateway's registration to the Operations Manager database).
    3. In the command prompt execute the following command, replacing the parameter values appropriately: microsoft.enterprisemanagement.gatewayapprovaltool.exe /managementservername=ManagementServerName.domainName.com /gatewayname=GatewayServerName.domainName.com /action=create
  2. Install the Gateway bits on the Gateway Server in the untrusted domain.
  3. On each Management Server and the Gateway Server, download the Trusted Root (CA) certificate through the Web Enrollment website of your Certificate Authority (see the detailed instructions in the appropriate link above).
  4. On each Management Server and the Gateway Server, import the Trusted Root (CA) certificate into the Trusted Root Certification Authorities store of the local computer (see the detailed instructions in the appropriate link above). Both sides must trust the issuing CA, otherwise authentication fails even with a valid certificate.
  5. On each Management Server and the Gateway Server, create a setup information (.inf) file for use with the CertReq command-line utility (see the detailed instructions in the appropriate link above). The Subject must be the server's FQDN exactly as it resolves in DNS.
  6. On each Management Server and the Gateway Server, create a request file with CertReq (see the detailed instructions in the appropriate link above).
  7. On each Management Server and the Gateway Server, submit the request to the CA (see the detailed instructions in the appropriate link above).
  8. On each Management Server and the Gateway Server, import the issued certificate into the local computer's Personal certificate store (see the detailed instructions in the appropriate link above).
  9. On each Management Server and the Gateway Server, import the certificate into Operations Manager using MOMCertImport.exe (found in the SupportTools directory on the SCOM installation media). On Windows Server 2008 you will need to run the command prompt as administrator, otherwise it will fail. Then restart the System Center Management service on each server once MOMCertImport has been executed (see the detailed instructions in the appropriate link above).
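The steps above, pulled together as a PowerShell script that is added here as an example and is not part of the original post or of Microsoft's documentation. It is meant to be run as Administrator on each Management Server and on the Gateway Server. The server names, CA configuration string, template name and install path are assumptions to be replaced with your own values; the .inf layout, the certreq switches, the MOMCertImport /SubjectName switch and event 20053 are the documented ones.

```powershell
# Added example, not from the original post. Run as Administrator on a Management
# Server or Gateway Server. Values marked "assumed" must be replaced for your site.
$Fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # e.g. gw01.domainb.local
$CaConfig = 'ca01.domaina.local\DomainA-Issuing-CA'   # assumed: <CA host>\<CA common name>
$Template = 'OpsMgrCert'                               # assumed: template from the prerequisites
$ScomDir  = 'C:\Program Files\System Center 2012\Operations Manager\Server'   # assumed install dir
$Work     = 'C:\OpsMgrCert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# --- Step 1 (Management Server only, member of Operations Manager Administrators):
# & "$ScomDir\Microsoft.EnterpriseManagement.GatewayApprovalTool.exe" `
#     /ManagementServerName=ms01.domaina.local /GatewayName=gw01.domainb.local /Action=Create

# --- Steps 5-7: build the CertReq .inf, create the request and submit it to the CA.
# KeyUsage 0xf0 = digitalSignature|nonRepudiation|keyEncipherment|dataEncipherment.
# The two EKU OIDs are Server Authentication and Client Authentication; SCOM needs both.
@"
[NewRequest]
Subject="CN=$Fqdn"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate="$Template"
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII

certreq -new "$Work\request.inf" "$Work\request.req"
certreq -submit -config $CaConfig "$Work\request.req" "$Work\cert.cer"
# If the CA holds the request as pending, have it issued and fetch it with:
#   certreq -retrieve -config $CaConfig <RequestId> "$Work\cert.cer"
# --- Step 8: install the issued certificate into LocalMachine\My, paired with its key.
certreq -accept "$Work\cert.cer"

# --- Check before MOMCertImport: subject is the FQDN, private key present, both EKUs,
# and the chain builds to a root this machine trusts (steps 3-4).
function Test-OpsMgrCertificate {
    param([string]$SubjectFqdn)
    $serverAuth = '1.3.6.1.5.5.7.3.1'; $clientAuth = '1.3.6.1.5.5.7.3.2'
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$SubjectFqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { Write-Warning "No certificate with a private key for CN=$SubjectFqdn"; return $null }
    $eku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @(); if ($eku) { $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    if ($oids -notcontains $serverAuth -or $oids -notcontains $clientAuth) {
        Write-Warning "Certificate $($cert.Thumbprint) lacks the Server and/or Client Authentication EKU"; return $null
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Write-Warning "Chain does not build for $($cert.Thumbprint): $why"; return $null
    }
    return $cert
}
$cert = Test-OpsMgrCertificate -SubjectFqdn $Fqdn
if (-not $cert) { throw 'Fix the certificate before running MOMCertImport.' }

# --- Step 9: tell the Health Service which certificate to use, then restart it.
& "$ScomDir\MOMCertImport.exe" /SubjectName $Fqdn
Restart-Service HealthService        # display name "System Center Management"

# --- Verify: the port is reachable, and the connector reports on its certificate.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port = 5723)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($ComputerName, $Port); $client.Connected }
    catch { $false }
    finally { $client.Close() }
}
Test-TcpPort -ComputerName 'ms01.domaina.local'   # assumed peer; run the reverse test on the MS
Start-Sleep -Seconds 30
Get-EventLog -LogName 'Operations Manager' -Source 'OpsMgr Connector' -Newest 20 |
    Select-Object TimeGenerated, EntryType, EventID, @{n='Message'; e={ $_.Message.Split("`n")[0] }} |
    Format-Table -AutoSize
# Event 20053 ("loaded the specified authentication certificate successfully") confirms
# MOMCertImport took effect on this side; errors that follow it point at the peer (no
# matching certificate, missing root, or the gateway not yet approved on the MS).
```

Run Test-OpsMgrCertificate on both ends before touching MOMCertImport: most failed gateway deployments I have seen come down to a subject that does not match the FQDN, a missing Client Authentication EKU, or the CA root missing from one side's Trusted Root store, and the function reports each of those by name.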

Why Isn't Performance Data included in Operations Manager Diagrams?

Operations Manager provides Diagram views. These views give the user insight into the health of any object discovered by the product through a graphical representation, which is the easiest form for most people to consume. These visuals are nice if you want to know the health of your object(s), but what about the other data that is being collected? My question is: why don't we add some more flavor to these views? We are collecting all this data with the product and storing it for lengthy periods (out of the box), so let's show more of it in a way that makes sense, namely diagrams. Don't leave this functionality to third-party vendors, I say; bake it into the product and leave the user base satisfied with yet another enhancement.
Today's Diagrams
A small sample of what I propose. The configuration behind the following graph is fairly simple. The client was monitoring a web application with SCOM and had watcher nodes spread across the country to simulate both the availability and performance aspects of the application. Each watcher node was configured to gather response time as a performance metric. That data is therefore available in the databases, so I was able to query it out and apply it to the objects in the diagram. However, this is not native and took some customization to do. The product already does exactly this for monitor health state today, so why not take it a step further and surface the performance data as well?