How to configure SCOM for Exchange 2010

How to configure SCOM for Exchange 2010

Alert process

There are 2 types of alerts. Monitoring based alerts, these are for services and are in one of 2 states, good or bad (green or red). The second are rule based alerts, these are based on events, number of times it repeats which can indicate on going issues.

1: Responding to an un-known alert

           a)      Close it, see if it comes back (ie: is this a 1 time occurance)

           b)      Research, what is the root cause, what is triggering the alert? Eg: service, event ID, perfmon

- Can it be fixed? Write KB before closing alert

- Can it be fixed and Optimised? Ie: increase threshold.

- look at performance data, baseline vs Spike

- If it is a spike, increase the threshold above spike

- If Baseline is changing (ie: gradually increasing), incestigate root cause.

- If the alert can be ignored/override, add company information to explain override.

2: Responding to a known Alert

·         Apply fix in Knowledge base

·         Reset health state if is it a monitor based alert

·         Close it if it is a rule based alert, re-calculate health.

·         Re-optimize

 

How to in SCOM

1: Override a monitor/rule state (enable/disable)

Never select Disable.

2: Override a monitor/rule setting (eg: frequency, threshold)

a)      Click on “Authoring”>Management Pack Objects> Monitors. Ensure you are not bound by scope, click on the “X” that may pop up at the top.

 

 

b)      In the look for field, type (for example) msftesql

 

c)      Observe that the processor time >75% is a configurable rule, in this example we want to increase the threshold. To configure, Right click on “KHI: msftesql”>Overrides>override the monitor> For all objects of class: content indexing service.

 

d)      At the next screen, select frequency by checking the box, change the over5ride value from 300 to 600 (for this example). Select the management pack to save to as “Exchange Server 2010 MP Customizations. Click on Edit and put in some information about why this override is being put in place. Click apply.

 

3: Create a new monitor/rule to capture, by examples a new EVENT ID.

In this example we are going to create a rule to alert us every time Event 15004 is logged.

a)      Go to the Authoring Section, Expand Management Pack objects and right click on rules> Create New Rule

 b)      In the next window, select NT event log (alert). Under the Management Pack drop down menu, select Exchange server 2010 MP Customizations.

 

c)      Type in the Rule name, Next to Rule Target, Click Select

d)    In the next window, under “Look For” type, Exchange and in the list, select “Microsoft Exchange 2010 server” and select “View All Targets” (this will alert you whenever event ID 15004 is present on any exchange server). Click OK

e)      At the next screen, ensure Application is selected, click Next  

f)      Type in the Event ID number (in this case 15004), and the event Source, click on the dialogue box and select MSExchange Transport. Click Next.

 g)      For this alert we want it to be a high priority, and critical severity, select each from the drop down menu, then click Create. Finish.

4: Create a new view in SCOM

a)   You can only do this on a folder that is not locked. So for example, you want to create a new view for all closed alerts in SCOM.

b)   Right click on Monitoring> Exchange Server 2010 MP Customizations. Right click, New> Alert View.

c)    Under name, type, “Closed Alerts”. Under the Criteria Tab> Show Data Related to, select “Microsoft Exchange 2010 All entities Group. Under “Select Conditions”, choose “with specific resolution state” then click on the criteria descript below and select “Closed (255)”

d)   On the display tab, check “Path”,  “Last modified” and “Repeat Count” check boxes in addition to the default checked boxes. Under sort columns by, first one select “Last Modified” and sort descending. Then group items by, select “Severity” sort Descending

 

e)      Observe new alert view

5: Generate/view performance data to create a baseline

a)      To find a performance counter, Open Monitoring> Exchange 2010 > Performance

b)      For this example we are going to search on alert: “Transport latency impacted – 99^th percentile of messages not meeting SLA over last 30 min - Red (>90). In the look for field, select “Items by text search”, type in Latency for this example in order to find out counter.

 

c)    Select the counter by checking the appropriate box. Right click> select time range, on the graph to change the time range to get a clearer picture of whether the counter was a momentary spike or requires threshold review.

d)      Select 7 days as the time range option, click OK. 

 

e)      Observe that this case is a spike and there is no further action required.

e)      If it is a repetative spike, then you want to increase the threshold of that alert to above the highest figure it reached

6: Generate reports

If you have the permission level to do so, you can generate a report under reports and export this to PDF.

7: Add Company Knowledge

a)   Need Microsoft office & visual studio 2005 for Microsoft office system installed in order to edit this. http://technet.microsoft.com/en-us/library/cc974492.aspx

 

b)   Log on to the computer with an account that is a member of the Operations Manager Authors role for the Operations Manager 2007 management group.

c)  Click Authoring to open the Authoring workspace.

d)  Locate the monitor or rule to be documented.

e)  Click Properties under Actions, or right-click the monitor name and select Properties from the shortcut menu.

f)   Click the Company Knowledge tab.

g)  In the Management pack section, select a management pack in which to save the company knowledge. As a best practice, you should not save changes to the Default Management Pack.

h)   Click Edit to launch Microsoft Office Word.

i)      Add or edit text as desired.

a.   The company knowledge tab displays only the sections of the Word document   with custom text.

j)      On the File menu, click Save to save your changes.

k)     Return to the company knowledge tab and click Save, and then click Close. This will close both the properties dialog box and Word.

8: How to determine if an alert is Rule or Monitor based.

a)  In this example we want to disable an alert “Realtime Scan Enabled State Monitor” which is a ForeFront based alert.

 

You can search for this alert under the alerts tab and under Alert Monitor, it will tell you if it is a rule or monitor, in this case it is a monitor.

 

 

Normally you would go to Authoring>Monitors and in the Look for: “realtime scan” and run a search and place your overrides there but you can also click on the Alert monitor (as above) and it will immediately bring you all the options to configure the alert.

b)   In this case we want to turn off this alert. Click on overrides tab>override> for all objects of class. 

c)     Give this an override value of False, place a comment in the edit field, Select “Microsoft Forefront Protections 2010 MP Customizations” for this case.

 

9: Enable Event Collection for Synthetic Transaction Rules (Do not do this, this is just for testing purposes)

Enable Event Collection for Synthetic Transaction Rules

The Exchange 2010 Management Pack uses synthetic transactions, for example, running the Test-MapiConnectivity, Test-OwaConnectivity, and other commands, to scan your Exchange organization for basic connection responses and to test simple operations such as signing in to a mailbox. Whether these tests succeed or fail, their output is useful for investigating the state of the Exchange environment. However, because there is a large amount of output for each task, the event output isn't stored by default. The views for these tests in the Operations Console are populated if you enable the event collection rules for each respective test. For more information about synthetic transactions, see Monitoring by Using Synthetic Transactions in the System Center Operations Manager 2007 R2 documentation.

Caution:

When you enable these collection rules, make sure you have sufficient disk space to accommodate the additional data. Each task creates from 4 to 12 event messages every time it runs. By default, each test runs every five minutes.

To enable the event collection rules for synthetic transaction output:

1.   In System Center Operations Manager 2007, click Authoring.

2.   In the Authoring pane, expand Management Pack Objects, and then click Rules.

3.   In the Rules pane, click Change Scope.

4.   In the Scope Management Pack Target(s) by object dialog box, in the Look for box, type "Exchange Server 2010."

5.   Click View all targets.

6.   Click Select All if it’s not disabled (it is only disabled when all rows are already selected).

7.   Click OK to close the dialog box.

8.   After the rules have loaded, type "Script event collection" in the Look for box near the top of the console.

9.   For each test task that you would like to enable, perform the following steps:

a.   Right-click the rule and select Overrides > Override the Rule > For all objects of class:<class name>.

b.   Select the Override check box.

c.   Set the override value to True.

d.   Click OK.

It will take some time for the overrides to be picked up by the agents and for events to appear in the built-in views.