Sunday 29 July 2012

Deploying System Center 2012 – Data Protection Manager

For the next stage of this lab build, I'm going to be looking at Data Protection Manager.  One of the key new pieces of functionality of the latest version is a centralized console.  In order to take a look at this functionality, I have decided to deploy two DPM servers.  As I will be growing the Exchange side of the lab quite significantly, I have decided to split the purpose for the two DPM servers into Exchange and non-Exchange.  I'll be assigning each of these two servers 500GB to use for backups which will leave half of the space on the 2TB for VMs.  The backup requirements will therefore not exceed 1TB from the SAS disk plus 240GB from the SSD.  However, as the SAS drive will also contain things that will not be backed up by DPM (such as OS images, templates etc), I'm not too worried about having given DPM less than 50% of the overall storage.  I'll be keeping the number of snapshots of any given object to a minimum, and for this lab environment, I expect any differences between snapshots to be extremely minimal anyway.

With the above in mind, I deployed two VMs from template.
With the VMs created, the 500GB volumes assigned, and the DPM install files downloaded, I logged onto the existing SQL server, and ran SQLPrepInstaller_x64.exe to install the SQL Pre-Requisites.
As DPM requires its own SQL instance, I re-ran the SQL installer, selecting new installation or add shared features.
After accepting the license agreement and entering the product key I selected the Database Engine Services, SQL Server Replication, Full-Text search and reporting services. (The Management tools and SQL Client Connectivity SDK are also requirements, but these shared features were already installed for the Operations Manager instance.)
After some additional checks had run, I entered the name for the instance of INS02.
To keep things simple, I matched the Service accounts to those used for the Operations Manager instance.
I kept the default settings on the next 4 screens. After that, a summary is shown.
The install completed successfully.
To keep the network and firewall config simple for this second instance I loaded SQL Server Configuration Manager and disabled dynamic port allocation, setting a static port of 1432.
I then copied the Windows Firewall rule I created earlier for the default instance and modified the name, program and port to match the second instance.
I then created a temporary rule in the Windows Firewall, to permit inbound UDP on port 1434 to the SQL browser service.  I should be able to disable this rule once setup completes.
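The firewall steps above can also be scripted so the temporary SQL Browser rule is easy to find and switch off afterwards. This is an added example, not part of the original post; it uses port-based rules scoped to the DPM servers rather than the copied program-based rule, and the rule names and the 192.0.2.x addresses are constructed placeholders.

```powershell
# Added example, not from the original post. Run elevated on the SQL server.
# Constructed placeholders: rule names and DPM server addresses (192.0.2.x).
$dpmServers  = '192.0.2.21,192.0.2.22'
$sqlRule     = 'SQL-INS02-TCP1432'
$browserRule = 'TEMP-SQLBrowser-UDP1434-DPMSetup'

# Static port chosen for INS02, reachable only from the DPM servers.
netsh advfirewall firewall add rule name=$sqlRule dir=in action=allow `
    protocol=TCP localport=1432 remoteip=$dpmServers profile=domain

# Temporary rule: SQL Browser lets DPM setup resolve SERVERNAME\INS02 to its port.
netsh advfirewall firewall add rule name=$browserRule dir=in action=allow `
    protocol=UDP localport=1434 remoteip=$dpmServers profile=domain

# Once DPM setup has completed on both servers, disable the temporary rule
# and confirm its state (Enabled should read "No").
netsh advfirewall firewall set rule name=$browserRule new enable=no
netsh advfirewall firewall show rule name=$browserRule
```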

After that, I restarted the Database Engine for INS02, and logged onto the first DPM server and launched the DPM installer.
For now, I'll just be installing DPM itself.  Clicking Data Protection Manager in the above window installs .NET framework 3.5.1 and then launches the DPM Setup Wizard.
I entered the Instance of SQL Server in the format SERVERNAME\INSTANCENAME.
Next, I entered the product key.
I'll be installing DPM to the local system drive.
I then entered a password for DPM to use for its local user accounts.
I opted not to use Microsoft update.
Opted not to join the CEIP.
After that, you get a summary of options selected.
The install completed successfully.
I then opened Computer Management, and initialized the 500GB volume.
Next, I loaded the DPM console, and went into administration and add disk.  Here I added the 500GB volume to the storage pool.
I then repeated the above process to install DPM on the second DPM server.  I'll cover additional configuration and agent deployment in a subsequent post.

Friday 20 July 2012

Configuring SCOM 2012 - Part 3

For the final part in this series on configuring SCOM 2012, I want to look at additional Exchange 2003 tweaks that will (mostly) clear down the alerts generated in SCOM.  First let's take a look at the current alert view to see what I need to work on.
OK, the NNTP service isn't something I plan on using, and isn't actually a dependency for Exchange 2003 core functionality, only for the pre-reqs for install.  As such, the services can be uninstalled now that Exchange is installed.  This can be done by running "sc delete NNTPSvc" from the command prompt, which I ran on both the Back-End and Front-End Exchange 2003 servers.
Next, I wanted to clean up the accounts left behind from running LoadGen.  In this case I simply deleted the LoadGen objects OU in the root of the domain.
I then ran the cleanup agent on each database to ensure the LoadGen mailboxes were now in a disconnected state.
Next, I wanted to run the Exchange Management Pack configuration utility, which can be downloaded here.  With the utility downloaded I launched the installer.
The installer is pretty straightforward. Click Next, accept the license agreement, Next, choose the install path, Next and finish.  With the tool installed, it can be launched from the start menu.  You get the standard welcome screen and after that are prompted to select the Administrative Group containing the servers you want to configure.
After that you are prompted to select the servers you want to configure.  I selected both the Back-End and Front-End servers.
I'll be going with custom configuration options.
I then ticked all boxes for properties to configure.
Selected that Message Tracking should be enabled.
Selected that Front-End monitoring should be enabled.
I kept the services to be monitored at the defaults.
For availability monitoring, I selected per store.
Next, you are prompted to configure the sending and receiving servers for the mail flow tests. I've only got one back end, but that shouldn't be an issue, as I'll be running the tests at the database level.
I then opened ADUC, and created a MOM Mailboxes OU inside the Service Accounts OU I created earlier, and in there created a new user named MOMMailMonitor.
I entered the details for this account in the next step of the configuration wizard.
After clicking Next again, a summary is presented.
Next one final time and the wizard runs.  It completed successfully.
Next, I moved the MOM mailboxes that were created by the wizard from the Users container to the MOM Mailboxes OU I created earlier.
In ESM, I verified each database had its own MOM Mailbox, and that the mailboxes were being accessed by the MOMMailMonitor account.
Next, also in ESM, I loaded the Exchange Administration Delegation Wizard.
Here, I added the MOMMailMonitor to the Exchange View Only Administrator role.
I then went into Mobile Services and enabled OMA.
Next I opened the boot.ini file on the Exchange 2003 Back-End and added the /3GB /USERVA=3030 configuration parameters.
I opened RegEdit, and modified the HeapDeCommitFreeBlockThreshold DWORD property at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager to 40000 (Hexadecimal).
Next, I performed a reboot of the Exchange 2003 Back-End and verified event ID 9665 no longer appeared in the Application event log at startup. Next, I looked at the following alert I was seeing in SCOM.
As you can see from the above, the alert states that the issue is that SSL is not configured.  But this is a Back-End server - SSL shouldn't be configured.  The only web results I could find on this pointed to disabling the alert for back end servers, or creating an override.  I have a general dislike of creating overrides unless absolutely necessary so decided to dig into this one a little further.  I came across event ID 9110 in the Operations Manager event log on the Exchange Back-End server, which shed a little more light on the reasons the alert was actually being generated.
So there are two criteria that must be met for alert generation - No SSL configuration AND Basic Authentication enabled for a given virtual directory.  Now, I don't actually need Basic Authentication enabled on the Back-End server. Authentication from Front-End servers is done via Integrated Auth (first Kerberos, then NTLM), and only if both of those fail will it attempt to use Basic Authentication. (See this TechNet article for more information).  So I disabled Basic Authentication for the Exchange, Microsoft-Server-ActiveSync, OMA, and Public virtual directories on the Back-End Exchange server in IIS, ensuring that integrated authentication was enabled.
With that configuration change made, I rebooted the Exchange 2003 Back-End a second time, and verified there was no repeat of the Event ID 9110, and that the SCOM alert had cleared itself.  I also verified the change hadn't caused problems accessing OWA, and that I could still connect the Outlook client using both RPC over HTTPS and direct MAPI to the Back-End - all the tests came back good.
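The two alert criteria described above (Basic Authentication enabled and no SSL requirement) can be checked per virtual directory from the IIS 6 metabase. The following is an added example, not part of the original post; it assumes PowerShell is installed on the Back-End, that the Default Web Site is site ID 1, and it treats the "Require secure channel" flag as the SSL criterion.

```powershell
# Added example, not from the original post. Run locally on the Exchange 2003
# Back-End. Assumption: the Default Web Site is IIS site ID 1.
$root  = 'IIS://localhost/W3SVC/1/ROOT'
$vdirs = 'Exchange', 'Microsoft-Server-ActiveSync', 'OMA', 'Public'

# IIS metabase bit values for the AuthFlags and AccessSSLFlags properties
$AuthBasic = 0x2
$AuthNTLM  = 0x4   # "Integrated Windows authentication" in IIS Manager
$AccessSSL = 0x8   # "Require secure channel (SSL)"

function Get-VdirAuthState {
    param([string]$Name)
    try {
        $entry = [ADSI]"$root/$Name"
        $auth  = [int]$entry.psbase.InvokeGet('AuthFlags')
        $ssl   = [int]$entry.psbase.InvokeGet('AccessSSLFlags')
    } catch {
        # Virtual directory missing or metabase not readable
        Write-Warning "Could not read $root/$Name : $($_.Exception.Message)"
        return
    }
    $basic      = [bool]($auth -band $AuthBasic)
    $requireSsl = [bool]($ssl  -band $AccessSSL)
    New-Object PSObject -Property @{
        VirtualDirectory = $Name
        Basic            = $basic
        Integrated       = [bool]($auth -band $AuthNTLM)
        RequireSSL       = $requireSsl
        # Same combination the alert keys on: Basic enabled without SSL
        Flagged          = ($basic -and -not $requireSsl)
    }
}

$report = foreach ($name in $vdirs) { Get-VdirAuthState $name }
$report | Select-Object VirtualDirectory, Basic, Integrated, RequireSSL, Flagged |
    Format-Table -AutoSize

$flagged = @($report | Where-Object { $_.Flagged })
if ($flagged.Count -gt 0) {
    Write-Warning "$($flagged.Count) virtual directory(ies) allow Basic auth without SSL"
}
```

After the change described in the post, every row should show Basic as False and Integrated as True, with nothing flagged.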

Next, I wanted to look at the following 3 alerts that had cropped up after running the Exchange Management Pack configuration wizard.
As you can see from the above, I was getting alerts about availability of the OWA, OMA and ActiveSync services.  The SCOM resolutions all pointed to the SSL config which I knew was fine for the Front-End, so with the recent success of tracking down useful information in the Operations Manager event log of the server in question, I immediately checked the Operations Manager event log on the Front-End.  In there I came across alerts in groups of 3 similar to the example below.
A quick search on "0x80131502(-2146233086)" led me straight to Microsoft KB943511.  Looks like security update 931212 causes issues with the Exchange Management Pack Monitoring, and a hotfix is available from the KB article.  I downloaded and ran the hotfix.
A simple Next > Accept license agreement > finish is all that is required.  After that, I rebooted the Front-End and the SCOM alerts cleared themselves.

At this stage I was down to a single remaining alert in SCOM.
Now, I won't be clearing the alert on truncated log files until I start looking at DPM, so that one will have to sit there for now, but I'm basically at the stage where I can say the lab deployment of SCOM is complete, and all alerts have been cleared, and I didn't even have to resort to setting overrides to clear any of them.