Thursday, December 13, 2007

J.C. Hornbeck describes how to back up, restore AND RECOVER a lost RMS key. Enjoy!


OpsMgr 2007: What if I lose my RMS encryption key??

So let's say I have a functional OpsMgr 2007 infrastructure in place and then for whatever reason have to reinstall/replace the Root Management Server (RMS), but I didn't back up my RMS encryption key. What are the exact ramifications of this and what would I need to do to correct it?

Prior to Service Pack 1 (SP1), if something happened to your RMS and it had to be replaced, and you didn't back up your key, you were basically out of luck. Your only recourse was to rebuild from scratch - not a pretty picture. That's why we always told people to make sure they backed up their key as soon as they installed:

Backing up your RMS encryption key:

Now with SP1, we have a new CREATE_NEWKEY command line switch that can make recovering from a situation like this potentially much easier. We also made running the encryption key backup process a mandatory process of setup, just so you'll have a friendly reminder.

So let's take a look at a couple of scenarios:

1.  The Root Management Server is replaced or reinstalled and the key is not backed up or the password to the key is lost. There are no other Management Servers to promote.

Solution: Install a new Management Server (the RMS replacement) and be sure the computer name is the same name as the previous Root Management Server that is being replaced.  Setup will detect that the machine name is same as the Root Management Server in the database so it will recreate a new key and register the licenses.

2.  The Root Management Server is replaced or reinstalled and the key is not backed up or the password to the key is lost. There is at least one Management Server to promote to Root Management Server.

Solution: On the Management Server that will become the new Root Management Server, run MOM.msi with the CREATE_NEWKEY switch (msiexec.exe /i <Path to MOM.msi> CREATE_NEWKEY=1).  Configure the account for SDK/Config services (this account should have permission to the database, the SDK service account should be added to the SDK_users role, and the config service account should be added to the configsvc_users role).  Promote the Management Server to Root Management Server.

3.  The registry on the Root Management Server got corrupted, thus the encryption key is lost.
Solution: Run MOM.msi with special switch (msiexec.exe /i <Path to MOM.msi> CREATE_NEWKEY=1)

So does this mean you don't have to worry about backing up your keys? No, you should always back up your keys and keep them in a safe place, as doing so will potentially save you a lot of trouble down the road, but now if something happens there's possibly a way to recover without having to rebuild.

Tuesday, November 6, 2007

Ops Mgr 2007 SP1 RC

Be aware before moving forward with SP1 RC that there is no rollback path from RC -> RTM

Monday, November 5, 2007

Operations Manager 2007 Service Pack 1

Source: Stefan Stranger's Weblog

Release Candidate details:
· This will be a publicly available release. Customers can download the Service Pack 1 RC from Microsoft Connect. Signup for this is public and available at
· This release will be fully supported. Support options include:
  o Microsoft Customer Support Services (CSS) – you can use your standard support options to get support on this edition
  o Newsgroups – there will be a dedicated SP1 newsgroup
  o Hotfix requests that are accepted will be incorporated into the final RTM version
· This release is fully upgradable to the final RTM version of the Service Pack.

What's New in Operations Manager 2007 Service Pack 1
This topic describes some of the improvements and major changes in functionality that are included in Operations Manager 2007 Service Pack 1 (SP1). Operations Manager 2007 SP1 is available in two ways. First, it is offered as a standalone executable file that you use to upgrade an existing Microsoft System Center Operations Manager 2007 installation. Second, it has been "slipstreamed" into the Operations Manager 2007 installation media, which means that you can install Operations Manager 2007 from scratch and the final installed version will be Operations Manager 2007 SP1. Operations Manager 2007 SP1 is available for both x86-based and x64-based computers.
New Features
The new features that are in Operations Manager 2007 SP1 are:
· Improved performance and reliability when working with alerts, overrides, and searches.
· In all Alert views, performance has been increased through better fetching and yields alert row selection that is three times quicker. Actions and reports are fetched in the background, which further improves performance. Alert knowledge that is displayed in the Alert Details pane can be shown or hidden according to the user's preference.
· Operations Manager 2007 advanced search has been improved by enabling the ability to search across monitors and rules by their overrides.
· Support for the discovery and monitoring of both SNMP v1 and SNMP v2 network devices. Users can select which SNMP Community Version to search for in the Discovery Wizard.
· Support for exporting Operations Manager 2007 diagrams to Microsoft Visio VDX file format. Note that the Visio button is located on the toolbar when in a diagram view. Diagram layouts can now be saved and will be remembered when the diagram view is selected again.
· Support for copying and pasting (CTRL+C and CTRL+V) from the Alert details pane.
Setup and Recovery
The following are improvements in setup and recovery:
· To make backup and recovery easier, setup in Operations Manager 2007 SP1 starts the Secure Storage Backup Wizard at the end of setup, by default, to back up the RMS encryption keys. This is the same command-line tool used in the original version of Operations Manager 2007, but with an easier-to-use wizard interface. The wizard is actually started by using the command-line version of the tool when no parameters are passed to the tool or it is started from Windows Explorer. The Secure Storage Backup tool is located on the installation media in the Support Tools directory. The Secure Storage Backup Wizard can be started according to the user's preference.
· To make the recovery of a clustered RMS easier, Operations Manager 2007 SP1 enables the repromotion of the RMS cluster to the RMS role after it is fixed. This addresses the situation where a clustered RMS has failed and another management server in the management group has been promoted into the RMS role.
User Interface and Experience
The following are improvements in user interface and experience:
· To make the creation of new management packs easier, Operations Manager 2007 SP1 introduces the ability to copy views from any existing management pack to an unsealed management pack. This is done in the Monitoring view. For example, if you have created a management pack for SQL Server overrides and want to use one of the SQL Server management pack views in the SQL Server overrides management pack, you would simply select the desired view, right-click to copy it, and then paste it into the target management pack folder.
· In all Alert views in the Monitoring space and in the Web console, Operations Manager 2007 SP1 ensures that the Repeat Count value is incremented correctly.
· After you have created an override for any management pack object, you can look at the summary of overrides for the object type in the Overrides Summary box. Operations Manager 2007 SP1 ensures that the description of the override target is complete. For example, if you create an override for Logical Disk Free Space for the C:\ of Server1, the summary will display 'server1/c:'
Core Product
The following are improvements in the core Operations Manager 2007 product:
· SP1 ensures that when agents are uninstalled from a computer in the Administration space\Device Management container\Agent Managed node of the Operations Console, that they are also removed from the computer views in the Monitoring space.
· Scripts can now be used for diagnostic tasks.
· View names, data, and display strings in the Operations Console that have been collected from computers running different language versions of Microsoft Windows operating systems are displayed correctly.
The following are improvements to reporting:
· When you are in a report, you can now choose to publish the report by selecting Publish from the File menu. This will allow you to publish reports to multiple locations, such as Microsoft Windows SharePoint Services Web sites.
Web Console
The following are improvements in the Operations Manager 2007 Web console:
· The Operations Manager Web console provides access to performance data. Users can then select specific counters to graph. In Operations Manager 2007 SP1, it is now possible to construct a filter for the desired performance counters to ease searching and navigation. This ability is available when a performance view is selected and displays in the Performance legend pane. The search options available are All items, Items in the Chart, Items not in the Chart, and Items by text search.
· The Web console has been further improved so that the Favorite Reports container is now available in My Workspace.
Audit Collection Services (ACS)
The following are improvements for ACS:
· New discoveries and views have been added. These features detect and indicate which agents and servers are ACS-forwarding enabled.
· There are more monitors and alert generating rules to track the health state of the ACS collectors. For example, Operations Manager 2007 SP1 includes the ability to watch the DB Queue % full level against default thresholds, such as the back-off threshold or disconnect threshold.
· The ACS forwarder feature is now supported on the Management and Gateway Server roles. The ACS Forwarder is disabled by default. When enabled, it will allow the inclusion of security auditing data for these server roles.
· When using ACS, one of the most common tasks is to enable forwarding on ACS agents. In Operations Manager 2007 SP1, an Operations Manager Command Shell script can be used to enable forwarding for entire computer groups, thereby greatly easing the deployment and administration of ACS.
Agentless Exception Monitoring (AEM)
AEM now provides an improved appearance and functionality of AEM reports.

Tuesday, October 23, 2007

MOM 2005 versus SCOM 2007 – A bandwidth utilization challenge

Satya Vel has posted a good entry on the Operations Manager Product Team Blog concerning Network Bandwidth Utilization for the various OpsMgr 2007 Roles. As a follow-up to Satya's comments on bandwidth utilization, I have posted the below graphic illustrating bandwidth used by 150 agents of each MOM version (MOM 2005 and SCOM 2007). Excellent improvement to say the least. Now if they would only resolve the console performance....

Friday, October 19, 2007

TechEd IT Forum 2007

I've completed registration for IT Forum in Barcelona. Drop me a line if you are attending and we can grab drinks!


System Center Operations Manager Firewall Requirements

I've recently had a few queries on firewall ports from SCOM. The following table describes the necessary firewall requirements for the Root/Management Server, Agent, Operations Console and Web Console components:

Point A

Point B


Root/Management Server

Operations Manager Database


Management Server

Root Management Server



Management Server


Operations Console

Root Management Server


Web Browser

Web Console Server


The following table describes the necessary firewall requirements when using Gateway Servers:

Point A


Point B


Root Management Server


Gateway Server


Gateway Server




Management Server


Gateway Server


Gateway Server


Gateway Server


Thursday, September 27, 2007

Windows Server 2008 RC0

Microsoft has released Windows Server 2008 RC0. See below download locations.

Windows Web Server 2008 RC0 -

Windows Server 2008 RC0 Standard Edition -

Windows Server 2008 RC0 for Itanium-based Systems -

Windows Server 2008 RC0 Enterprise -

Windows Server 2008 RC0 Datacenter -

Windows Server 2008 Release Candidate: System Requirements and Installation Documentation -

Windows Server 2008 Media Services
Windows Media Services 2008 for Windows Server 2008 RC0


Windows Server 2008 Learning Portal


Windows Server 2008 Technical Overviews


Windows Server 2008 Technical Library


Windows Server 2008 Step-By-Steps


Windows Server 2008 Security Guide


Windows Server 2008 Component Posters


Windows Server 2008 Virtualization

Release Notes:

Product Overview:

Installing (BLOG):



Microsoft released the newest version of our FTP server for Windows Server 2008 Release Candidate 0 (RC0)!

Listed below are the links for the download pages for each of the individual installation packages:

FTP 7 (x86) Installation Package

FTP 7 (x64) Installation Package


Tuesday, June 26, 2007

Secure Vantage Solutions for Operations Manager 2007

After spending several months working with the gang at SecureVantage, I am pleased that we have selected them as our security solution for Operations Manager 2007. While a number of their management packs are in RC at the moment, the ACS reporting and archival has already proved to be extremely valuable to us. I have loaded many of their RC packs for testing and look forward with *great* excitement to their IIS and SQL auditor pack scheduled for release this summer.

Wednesday, May 30, 2007

SQL Failed Jobs report

I went to pull a listing of failed SQL jobs from Operations Manager a while back and found that there is no report to provide this information. I wrote a quick report to gather this information from the Operations Manager data warehouse. Grab the rdl and/or sql script from the links below.

--SQL Failed Jobs SQL query (.sql)

--Failed SQL Jobs report (.rdl)


Thursday, May 10, 2007

Enable Detailed Logging for ACS Forwarder

In order to troubleshoot various ACS issues this past week, I enabled detailed logging on the ACS forwarder. The below steps will write detailed log entries to C:\Windows\Temp\AdtAgent.log.

  1. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdtAgent\Parameters
  2. Create DWORD value = TraceFlags
  3. Edit the TraceFlags entry and enter decimal value 524420
  4. Restart the AdtAgent service
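
The four steps above as a PowerShell sketch (an added example, not part of the original post). The registry path, value name, flag value, service name and log path come from the steps; the function names and the state file used to put the previous setting back are assumptions.

```powershell
# Added example: enable detailed ACS forwarder logging, then restore the prior state.
# Run from an elevated PowerShell session on the forwarder.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\AdtAgent\Parameters'
$ValueName = 'TraceFlags'
$TraceOn   = 524420                        # decimal value from step 3
$LogPath   = 'C:\Windows\Temp\AdtAgent.log'
# Hypothetical location for remembering what was there before the change.
$StateFile = Join-Path $env:TEMP 'AdtAgent-TraceFlags.previous.txt'

function Get-AdtTraceFlags {
    # Returns the current TraceFlags value, or $null when the value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$ValueName }
    return $null
}

function Enable-AdtAgentTrace {
    if (-not (Test-Path $KeyPath)) {
        throw "Key not found: $KeyPath (is the ACS forwarder installed?)"
    }
    # Record the prior state once, so a second run does not overwrite it.
    if (-not (Test-Path $StateFile)) {
        $previous = Get-AdtTraceFlags
        $record = if ($null -eq $previous) { 'absent' } else { [string]$previous }
        Set-Content -Path $StateFile -Value $record
    }
    # -Force creates the DWORD or overwrites an existing one (steps 2 and 3).
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $TraceOn -Force | Out-Null
    Restart-Service -Name AdtAgent         # step 4
}

function Disable-AdtAgentTrace {
    if (-not (Test-Path $StateFile)) { throw 'No saved state; nothing to restore.' }
    $record = (Get-Content -Path $StateFile | Select-Object -First 1).Trim()
    if ($record -eq 'absent') {
        # The value did not exist before, so remove it again.
        Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
            -Value ([int]$record) -Force | Out-Null
    }
    Remove-Item -Path $StateFile
    Restart-Service -Name AdtAgent
}

Enable-AdtAgentTrace
'TraceFlags is now {0}' -f (Get-AdtTraceFlags)

# Reproduce the forwarding problem, then read the newest log entries.
if (Test-Path $LogPath) { Get-Content -Path $LogPath -Tail 50 }

# When troubleshooting is finished, turn detailed logging back off:
# Disable-AdtAgentTrace
```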

SMS 2003 Management Pack for Operations Manager 2007

Microsoft released the SMS 2003 MP for Operations Manager 2007 on 5/9/2007. It may be downloaded here.

Feature Summary:

• Detects all SMS 2003 server computers and site systems.

• Monitors the starting and stopping of all SMS 2003 services, including critical dependent services such as Windows Management Instrumentation (WMI), Internet Information Server (IIS), and Microsoft SQL Server.

• Provides alerts for SMS service stops, service failures, performance thresholds, status messages, and site system status.

• Presents the state of all roles and computers in the SMS 2003 environment.

• Provides a topology diagram that displays site, site server and site system relationships along with health status.

• Monitors processing rates.

• Monitors backlogs of discovery data records (DDRs), software inventory, hardware inventory, status messages, and software metering on both primary site servers and management points.

• Monitors core system resource usage.

• Includes tasks that enable users of the Operations Manager Operations Console to diagnose and resolve problems on remote computers through the use of SMS Administrator Console.

• Configuration, availability and performance reports. Monitors the performance trends of many SMS performance counters.

Tuesday, May 8, 2007

Auditing events on untrusted computers – Audit collection Services (ACS)

After having successfully deployed Operations Manager framework to our primary domain and a few untrusted computers in a workgroup, I ventured to enable ACS and begin collecting audit events. While the documented procedure works fine for those servers within the trusted domain (using Kerberos), the workgroup computers posed a bit of a challenge. Specifically, after enabling audit services on the workgroup computers, numerous security events 529 and 680 began appearing and the computers were refused connection to the collector.

Microsoft mentions in the ACS documentation that Kerberos is used by adtagent.exe to authenticate to the collector, by default, but offers no workaround for computers that are not joined to the domain. The document below steps one through the process of using certificate authentication with ACS. As you will see from the steps required this could be troublesome, from a management standpoint, when you have many untrusted agents forwarding events.

As time allows, I will publish a more thorough guide. This document, in the interim, should help those that are struggling with this issue. Feel free to contact me at with any issues to validate that this procedure worked in your environment.


Thursday, April 26, 2007

Citrix Management Pack for SCOM 2007

The Citrix management pack for SCOM 2007 has been posted. It may be downloaded by logging into My Citrix.

Monday, April 23, 2007

Citrix Management Pack documentation for SCOM 2007

While the actual binary is not yet posted to My Citrix for download, the new Citrix Management Pack guide is available for download here.

ACS Report - System_Integrity_-_Audit_Log_Cleared

The ACS report System_Integrity_-_Audit_Log_Cleared displays any instance of the security event log being cleared. This report displays the proper data when the audit log is cleared from the local machine. If the audit log is cleared by a remote machine, however, the remote machine name is displayed as having its event log cleared. For example, if I use computer management from workstation wrk101 to clear the security log from svr101, the report displays. The computer column should display svr101.

To work around this, I've created a new report (from the existing report) and added the Computer field. The field used by the RTM report (labeled Computer) uses the Event Machine field.

RTM report


Cleared By




4/20/2007 1:29 PM

The report I created displays the following:


Cleared By

Cleared On





4/20/2007 1:29 PM

Friday, April 20, 2007

Operations Manager 2007 MP Catalog

Until very recently, selecting Operations Manager 2007 from the Microsoft Management Pack catalog site returned no results. Searching for available management packs for OM 2007 now returns 10 results – albeit all included with the RTM version.

Hopefully, this is a sign that we will begin seeing additional MPs in the near future.


Tuesday, April 17, 2007

Outlook 2007 Receives a Boost in Speed

Thought I would pass this along to those running Outlook 2007. I have experienced the sluggish performance mentioned in the article and KB entry and applied this update last week. Performance has improved tremendously…

Outlook 2007 Receives a Boost in Speed

Computerworld - April 14, 2007

Microsoft on Friday released an update to Outlook 2007 that is designed to speed up the communication software, which has been criticized for being sluggish.

Wednesday, April 11, 2007

Error when saving a recorded web monitor

I received an error when recording several web monitor sessions - "Array index out of bounds. Cannot fetch element with index=0 (Collection size=0)"

In each instance, the recorded session verified and tested, but would not save. In each of my recorded sessions, parts of the URL contained curly braces ('{' and '}'). By replacing any occurrence of the curly braces with their corresponding escape sequences I was able to save and run the web monitor.

'{' = %7b
'}' = %7d


Tuesday, April 10, 2007

ACS service fails to start - Access Denied

After installing Ops Mgr 2007 RTM I decided to tackle an ACS installation. The ACS database and application install went smoothly, but the ACS service would fail to start explaining that "Access is Denied".

I recalled reading a post by TheTallest in the ACS beta newsgroup that spoke of a similar issue. The 'solution' was to rename the AcsConfig.xml within the C:\WINDOWS\system32\Security\AdtServer directory and create a new file entitled AcsConfig.xml. Simply copy the contents of the old AcsConfig.xml to the file you just created with the same name and voilà! - the service starts without issue.

Hopefully, Microsoft will speak up/fix the issue in the coming weeks.


Wednesday, March 28, 2007

What is MOMADAdmin.exe? Should I be scared?

For those who have moved towards integrating Operations Manager 2007 with Active Directory, you have come across a new tool included in OM 2007 - MOMADAdmin.exe. For those hesitant to rouse the AD beast, let's examine what this tool does. First, let's be clear – MOMADAdmin.exe does NOT extend AD's schema! With this obstacle cleared, let's take a brief look at MOMADAdmin.

MOMADAdmin.exe syntax is MomADAdmin ManagementGroupName MOMAdminSecurityGroup PrincipalManagementServerComputerName Domain

ManagementGroupName is the name of the OM Management Group. For each management group to be integrated, you need to run this tool so that a separate container is created.

MOMAdminSecurityGroup is the name of your OM Admin Security Group

PrincipalManagementServerComputerName is the name of the primary management server for this group.

Domain is the domain name of the domain being prepared.


When you run the tool, the following occurs:

  • Creates an Operations Manager container under the root of the domain specified.
  • Creates a container under the Operations Manager container the tool just created with the name of the management group specified.
  • Within the management group container, the tool creates two service connection points (SCP) and one security group.



OM 2007 RTM

Microsoft met their goal of March 23, 2007 and released System Center Operations Manager 2007 to manufacturing (RTM).

For those that are running MOM 2000 or 2005, this version is a leaps and bounds improvement. Download the evaluation edition from Microsoft HERE.





Hi, and welcome to my IT Management blog at Blogger.

I am an IT management professional specializing in System Center Operations Manager.

Much of my time is spent in the office dealing with day-to-day technology management of a Fortune 1000 company, and I thought I would blog about my experiences.

I hope you find my posts useful!