Installation Guide for System Center Enterprise Suite[1]

Installation Guide for System Center Enterprise Suite Prepared by Microsoft Consulting Services 6/29/2009 Version 1.0 Prepared by Gang Pan, AcutePath, Inc. Contributors Mannan Mohammed, Sr. Architect Mark Stevenson, Senior Consultant II

Installation Guide for System Center Enterprise Suite

Prepared by

Microsoft Consulting Services

7/23/2010

Version 1.0

Prepared by

Gang Pan, AcutePath, Inc.

Contributors

Mannan Mohammed, Sr. Architect

Mark Stevenson, Senior Consultant II


This file does not collect any personal information.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.

© 2009 Microsoft Corporation. All rights reserved.

Active Directory, Hyper-V, Microsoft, Windows PowerShell, SharePoint, SQL Server, Windows, Windows NT, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Table of Contents

1 Introduction
2 Example: Managed Hosting Scenario
2.1 Active Directory Server/Domain Controller
2.1.1 Hyper-V Hosts Organizational Unit
2.1.2 Customers Organizational Unit
2.1.3 Customer Sub Organizational Unit
2.2 System Center Configuration Manager 2007 R2
2.3 System Center Operations Manager 2007 SP1
2.4 System Center Data Protection Manager 2007 SP1
2.5 System Center Virtual Manager 2008
3 Getting Started with System Center Configuration Manager 2007
3.1 Supported Configurations
3.2 Configuration Manager 2007 Site Server System Requirements
3.2.2 Configuration Specifics
3.3 Prerequisites for Installing Configuration Manager
3.3.1 General Site Server Prerequisites
3.3.2 Configuration Manager Primary Site Server Prerequisites
3.3.3 Site Database Server Prerequisites
3.3.4 SMS Provider Prerequisites
3.3.5 Configuration Manager Secondary Site Server Prerequisites
3.3.6 Configuration Manager Console Prerequisites
4 Getting Started with System Center Operations Manager 2007
4.1 Supported Operating Systems
4.1.1 Minimum Hardware Requirements
4.1.2 Minimum Software Requirements
4.1.3 Supported Software Requirements for Operations Manager 2007
4.1.4 Supported Firewall Scenarios
4.1.5 Operations Manager 2007 Firewall Scenarios
4.1.6 Minimum Network Connectivity Speeds
4.1.7 Supported Cluster Configurations
4.1.8 Supported—but Not Recommended—Cluster Configurations
4.1.9 Non-supported Cluster Configurations
4.1.10 Monitored Item Capacity
4.2 System Requirements for Operations Manager 2007
4.2.1 Domain Functional Level
4.2.2 Forest Functional Level
4.2.3 DNS
4.3 Security Considerations
4.3.1 Trust Boundaries
4.3.2 Certification Authority
4.3.3 Accounts and Groups
4.3.4 Agent and Agentless Monitoring
4.3.5 Deploy an Operations Manager 2007 Management Group on a Single Computer Using the Setup Wizard
5 Getting Started with System Center Data Protection Manager 2007
5.1 Security Requirements
5.2 Network Requirements
5.3 Hardware Requirements
5.4 Software Requirements
5.5 Install Software Prerequisites
5.6 Steps to Install and Configure Data Protection Manager 2007
5.7 Post-Installation
5.8 Manually configuring Hyper-V protection in Data Protection Manager
5.9 Procedures for Enabling End User Recovery
6 Getting Started with System Center Virtual Machine Manager 2008
6.1 Hardware Requirements
6.2 Software Requirements
6.3 Supported Operating Systems for Virtual Machine Manager Components
6.4 Supported SQL Server Versions
6.5 Network Requirements for Virtual Machine Manager
6.5.1 Network Connections
6.5.2 Domains
6.5.3 Firewalls
6.5.4 Computer firewalls
6.5.5 Virtual Machine Manager Ports and Protocols
6.6 Installation Walk-Through
6.6.1 Installing the Virtual Machine Manager Server
6.6.2 Installing the Administrator Console
7 Summary
8 References


1 Introduction

This document provides guidance on how a hosting provider can create a managed hosting offer by leveraging different technologies offered by Microsoft.

There is no single definition for Managed Hosting, but in general, Managed Hosting is referred to as a Dedicated Server or Virtual Dedicated Server hosting plan with a set of management services, including but not limited to:

1. Server and network monitoring
2. Operating system/application updates
3. Software and hardware inventory management
4. Highly available infrastructure using failover/load balancing
5. Backups and restoration
6. Firewalls and other network security services
7. Virus and spam protection

In this paper, we will discuss ways a hosting provider can leverage the technologies available in the Microsoft System Center family of products. System Center is designed to help capture and aggregate knowledge about your infrastructure, policies, processes, and best practices, empowering you to build manageable systems and automate operations in order to reduce costs, improve availability, and enhance service delivery.

System Center consists of four core products:

System Center Configuration Manager: System Center Configuration Manager comprehensively assesses, deploys, and updates servers, client computers, and devices across physical, virtual, distributed, and mobile environments. Optimized for Microsoft® Windows® and extensible, it is the best choice for gaining enhanced insight into—and control over—IT systems.

System Center Operations Manager: System Center Operations Manager is the end-to-end service-management product that is the best choice for Windows because it works seamlessly with Microsoft software and applications, helping organizations increase efficiency while enabling greater control of the IT environment.

System Center Data Protection Manager: System Center Data Protection Manager is the standard for Windows backup and recovery, delivering continuous data protection for Microsoft application and file servers using seamlessly integrated disk and tape media. Data Protection Manager enables rapid and reliable recovery through advanced technology for organizations of all sizes.

System Center Virtual Machine Manager: Virtual Machine Manager enables customers to configure and deploy new virtual machines and centrally manage physical and virtual infrastructure from one console. New to this version of Virtual Machine Manager is multi-vendor virtualization platform support, Performance and Resource Optimization, and enhanced support of "high-availability" host clusters, among other new features.

We will describe the prerequisites for building out a managed solution later in this document. First, we'll explore a sample Managed Hosting Scenario.


2 Example: Managed Hosting Scenario

We will be covering several topics in this section, including Active Directory® Server and Domain Controller, System Center Configuration Manager 2007 R2, System Center Operations Manager 2007 SP1, System Center Data Protection Manager 2007 SP1, and System Center Virtual Manager 2008. We’ll begin this section with an example of a Managed Hosting Scenario.

2.1 Active Directory Server/Domain Controller

All System Center products require Active Directory. Both Windows 2003 Active Directory and Windows 2008 Active Directory services are supported. We recommend following standard best practices for Active Directory installation when working with System Center.

Organizational units are used to organize user and computer objects in the Active Directory environment. For hosting purposes, the Organizational Unit structure could be organized as illustrated in the following diagram:


2.1.1 Hyper-V Hosts Organizational Unit

The Hyper-V™ Hosts have a unique role not included in other servers in the directory. Putting these hosts in their own Organizational Unit allows unique policies to be applied to these servers. They can also be segregated from other servers in the directory.

2.1.2 Customers Organizational Unit

This top-level Organizational Unit allows all hosted virtual machines and user accounts to be segregated from the rest of the directory. Configuration and security specific to virtual machines that will be provided to customers can be applied using Group Policy Objects at this level.


2.1.3 Customer Sub Organizational Unit

The next level of Organizational Units (OUs) is the customer OU. Under each customer OU are sub-OUs for servers and separate sub-OUs for user accounts.
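
The OU layout described in sections 2.1.1 to 2.1.3 can be built idempotently as follows. This is an added example, not part of the original guide; it assumes the ActiveDirectory PowerShell module is available on the administration host, and the domain DN, OU names and customer names are hypothetical placeholders.

```powershell
# Added example: creates the hosting OU tree from sections 2.1.1-2.1.3.
# Assumption: the ActiveDirectory module is installed and the caller may create OUs.
# Assumption: OU and customer names contain no characters that need DN escaping.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$DomainDN  = 'DC=hosting,DC=example'      # hypothetical domain
$Customers = @('CustomerA', 'CustomerB')  # hypothetical tenant names

function New-OuIfMissing {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Path
    )
    # Look only at direct children of $Path so a same-named OU elsewhere is ignored.
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
                    -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        # Protect the OU so a tenant container cannot be deleted by mistake.
        New-ADOrganizationalUnit -Name $Name -Path $Path `
            -ProtectedFromAccidentalDeletion $true
    }
    return "OU=$Name,$Path"
}

# 2.1.1: Hyper-V hosts get their own OU so host-only policies stay off other servers.
$hostsOu = New-OuIfMissing -Name 'Hyper-V Hosts' -Path $DomainDN

# 2.1.2: top-level container that separates hosted objects from the provider's own.
$customersOu = New-OuIfMissing -Name 'Customers' -Path $DomainDN

# 2.1.3: one OU per customer, each with separate sub-OUs for servers and user accounts.
foreach ($customer in $Customers) {
    $customerOu = New-OuIfMissing -Name $customer -Path $customersOu
    New-OuIfMissing -Name 'Servers' -Path $customerOu | Out-Null
    New-OuIfMissing -Name 'Users'   -Path $customerOu | Out-Null
}

# Review the resulting tree before linking Group Policy Objects or delegating rights.
Get-ADOrganizationalUnit -Filter * -SearchBase $customersOu |
    Sort-Object DistinguishedName |
    Select-Object -ExpandProperty DistinguishedName
```

Keeping each customer's servers and users in their own sub-OUs lets Group Policy and delegated permissions be scoped to a single tenant.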

2.2 System Center Configuration Manager 2007 R2

The System Center Configuration Manager 2007 R2 is installed on a dedicated server running Windows Server® 2008 with SQL Server® 2005 SP2.

All Configuration Manager roles must be installed on the same node, which is the primary site server in a single site server configuration.

Each managed device may require its own scheduling window for software updates and patching. Therefore, a different collection will be created for each managed device. This will ensure the customer can dictate the best scheduling window for their needs.

2.3 System Center Operations Manager 2007 SP1

The System Center Operations Manager (SCOM) 2007 SP1 running on Windows Server 2008 is installed on a dedicated server that has SQL Server 2005 SP1. Due to a compatibility issue with SCOM 2007 SP1 reporting, SQL Server 2005 SP2 is not supported by SCOM 2007 SP1 at this time.

2.4 System Center Data Protection Manager 2007 SP1

The System Center Data Protection Manager (SCDPM) 2007 SP1 is installed on a dedicated server. The recommended configuration running Windows Server 2008 with SQL Server 2005 SP2 is as follows:

All SCDPM 2007 related roles are installed on the same node.

To support a multi-tenant scenario, each protected server has a separate, dedicated protection group as an isolation boundary.

2.5 System Center Virtual Manager 2008

The System Center Virtual Machine Manager (SCVMM) 2008 is installed on a dedicated Windows Server 2008 that has SQL Server 2005 SP2.

All SCVMM 2008 related roles are installed on the same node.

The example scenario presented earlier in the document illustrates a simple deployment model for System Center Product Family for a small environment. Please note that this configuration did not consider failover and scalability. Instead, it provided a simple configuration model to get you started quickly. In this scenario, you will still need to analyze requirements for your environment, conduct proper planning and design, and carry out deployment and configuration in your production environment.


3 Getting Started with System Center Configuration Manager 2007

In this section we will discuss supported configurations, the Configuration Manager 2007 site server system requirements, and the prerequisites for installing Configuration Manager.

3.1 Supported Configurations

This section outlines the hardware and software requirements for implementing and maintaining Microsoft System Center Configuration Manager 2007 (including Microsoft System Center Configuration Manager 2007 SP1) in your environment.

3.1.1.1 Client and Server Components

System Center Configuration Manager 2007 has a client component (agent) and a server component. The client agent is installed on the desktops (servers) that must be managed.

3.1.1.2 Client Hardware Requirements

The following table lists the minimum—and recommended—hardware requirements for Configuration Manager 2007 SP1 computer clients.

| Hardware Component | Requirement |
| --- | --- |
| Processor | The minimum requirement is a 233 MHz processor. At least a 300 MHz Intel Pentium/Celeron (or comparable) processor is recommended. |
| RAM | The minimum requirement is 128 megabytes (MB) of RAM, or 384 MB of RAM if using an operating system deployment. We recommend at least 256 MB of RAM. |
| Free Disk Space | The minimum requirement is 350 MB of disk space for a new installation, or 265 MB of disk space to upgrade an existing client. |

NOTE: By default, the temporary program download folder on clients is preconfigured at client installation to automatically increase to 5 gigabytes (GB) of disk space if necessary, assuming 5 GB of disk space or more is available.

3.1.1.3 Supported Client Platforms

Supported Configuration Manager 2007 client installation requires at least Windows 2000 Professional SP4. All common configurations are supported on x86 and x64 Platforms. However, there are some exceptions for computers leveraging the Itanium architecture.

3.2 Configuration Manager 2007 Site Server System Requirements

Configuration Manager 2007 SP1 supports server roles with the Windows Server 2008 operating system.

3.2.1.1 Site System Hardware Requirements

The following table lists the minimum—and recommended—hardware requirements for Configuration Manager 2007 site systems.

| Hardware Component | Requirement |
| --- | --- |
| Processor | The minimum requirement is a 733 MHz Pentium III. A 2.0 GHz (or faster) processor is recommended. |
| RAM | The minimum requirement is 256 MB of RAM. At least 1024 MB of RAM is recommended. |
| Free Disk Space | The minimum requirement is 5 GB of disk space. At least 15 GB of free disk space is recommended if using an operating system deployment. |

3.2.1.2 Supported Site System Platforms

The following roles are available in System Center Configuration Manager:

Primary Site Server
Secondary Site Server
Management Point
Standard Distribution Point
Branch Distribution Point
Server Locator Point
Site Database Server
Fallback Status Point
Configuration Manager Console [1]
SMS Provider Computer

Each role has different operating system requirements. We recommend using Windows Server 2008 Enterprise Edition or Windows Server 2008 Datacenter Edition in either a 64-bit or 32-bit environment for setting up all the different roles in SC-CM. To simplify your environment, we recommend having a single server support all roles.

[1] It is not supported to install the Configuration Manager 2007 console on computers running any site system role except for the primary site server role.


Site system roles are not supported on a Server Core installation of Windows Server 2008. For more information about configuration requirements for hosting site system roles on Windows Server 2008, see How to Configure Windows Server 2008 for Site Systems.

Note

It is supported to host the site database on both 32-bit and 64-bit versions of SQL Server 2005 (SP2 or later), SQL Server 2008 Standard Edition, or SQL Server 2008 Enterprise Edition. However, installing the site database on Itanium 64-bit platforms is not supported.

Upgrading the operating system on the site server from Windows Server 2003 to Windows Server 2008 is not supported. If you wish to run a Configuration Manager 2007 SP1 site on a Windows Server 2008 operating system, you must use a new installation of Configuration Manager 2007 (complete release).

3.2.1.3 Feature-Specific Site System Roles

System Center Configuration Manager supports the following Site System roles:

State Migration Point
Reporting Point
System Health Validator Point
PXE Service Point
Out of Band Service Point
Asset Intelligence Synchronization Point

Network Access Protection is fully supported in Configuration Manager 2007 SP1. Network Access Protection in Configuration Manager 2007 requires a System Health Validator Point running on Windows Server 2008.

The out of band service point role was added for Configuration Manager 2007 SP1. For more information, see Out of Band Management in Configuration Manager 2007 SP1.

The Asset Intelligence synchronization point has been added for Configuration Manager 2007 SP1. For more information, see Asset Intelligence in Configuration Manager.

Note

Site system roles are not supported on Server Core installation of Windows Server 2008. For more information about configuration requirements for hosting site system roles on Windows Server 2008, see How to Configure Windows Server 2008 for Site Systems.

Graphs may be added to reports if Office Web Components is installed. This feature is available on 32-bit operating systems only (e.g., Microsoft Office 2000 SP2, Microsoft Office XP, or Microsoft Office 2003). Out of band service points are not supported on Windows Server 2003 SP1 computers. Out of band service points running Windows Server 2003 SP2 require KB 942841.

3.2.2 Configuration Specifics

This section describes specific configuration options and requirements for Configuration Manager 2007 SP1.

3.2.2.1 Active Directory Schema Extensions

Configuration Manager Active Directory schema extensions provide many benefits for Configuration Manager sites but they are not required. If you have extended your Active Directory schema for Systems Management Server (SMS) 2003, you should update your schema extensions for Configuration Manager 2007. Updating the Active Directory schema for Configuration Manager 2007 can be performed before or after upgrading to Configuration Manager and will not interfere with existing SMS 2003 site or client functionality. If you have already extended your schema for Configuration Manager 2007, no additional schema extensions are required. For more information about extending the Active Directory schema for Configuration Manager 2007, see How to Extend the Active Directory Schema for Configuration Manager.

3.2.2.2 Site Server Operating System Upgrade Configurations

Starting with Configuration Manager 2007 SP1, Windows Server 2008 is a supported operating system to host the Configuration Manager site server role. Performing an in-place upgrade of Windows Server 2003 to Windows Server 2008 with a Configuration Manager 2007 site installed is not supported. Therefore, you must either perform an initial installation of Configuration Manager 2007 SP1 integrated on Windows Server 2008, or restore a Configuration Manager 2007 SP1 site backup (created by the Configuration Manager 2007 site backup maintenance task) to a new Configuration Manager 2007 SP1 installation on a computer running Windows Server 2008, using installation settings identical to those of the previous site installation.

3.2.2.3 SQL Server Site Database Configurations

When installing Configuration Manager 2007 SP1, the site database can be installed on either the default instance or a named instance of a supported SQL Server version installation. The instance used to host the site database can also be configured as a SQL Server failover cluster instance in an active/passive cluster configuration.

Performing an in-place upgrade of the SQL Server 2005 SP2 instance hosting the Configuration Manager 2007 site database to SQL Server 2008 is supported. For more information about changing site server software, see How to Change Site Server Software. Moving the site database to a new SQL Server 2008 instance is also supported. For information about moving the site database, see How to Move the Site Database.

Important

When using SQL Server 2008 to host the site database for Configuration Manager 2007 SP1 sites, the following update must be applied to the site server computer, Systems Management Server (SMS) Provider computer, and any computers hosting a remote Configuration Manager 2007 SP1 Configuration Manager console: Microsoft article ID 955262.

In SMS 2003, the mppublish.vbs script, supplied with the SMS 2003 installation files, was used to configure Microsoft SQL Server site database replication between the site database server and SQL Server site database replicas used to support management points and server locator points. Because Configuration Manager 2007 introduces new site database views and functions that are not replicated by the mppublish.vbs script, it is not supported for configuring SQL Server site database replication in Configuration Manager 2007 sites. For information about how to configure replication to support management points and server locator points, see How to Configure SQL Server Site Database Replication.

3.2.2.4 Support for Windows Server Clustering

Installing the site database server site system role on a Windows server failover cluster instance is supported. Installing Configuration Manager 2007 SP1 site servers or any other site system server role on a Windows Server cluster instance is not supported.

Note

Physical node computers of a Windows server cluster instance can be managed as Configuration Manager 2007 SP1 clients.

3.2.2.5 Multi-Site Clients

Configuration Manager 2007 SP1 clients can be assigned and report to only one site. When auto assignment is used to assign clients to a site during client installation and more than one site has the same boundary configured, the actual site assignment of a client cannot be predicted. If boundaries overlap across multiple Configuration Manager 2007, Configuration Manager 2007 SP1, and Systems Management Server 2003 site hierarchies, clients might not get assigned to the correct site hierarchy—or might not get assigned to a site at all.

3.2.2.6 Support for Specialized Storage Technology

This section describes storage technologies that are supported, or not supported, in Configuration Manager 2007 SP1.


3.2.2.7 Storage Area Network Support

Using a Storage Area Network (SAN) is supported as long as a supported Windows server is attached directly to the volume hosted by the SAN.

Configuration Manager 2007 SP1 is designed to work with any hardware that is certified on the Windows Hardware Compatibility List for the version of the operating system on which the Configuration Manager component is installed.

Configuration Manager 2007 SP1 site server roles require NTFS file systems so that directory and file permissions can be set. Because Configuration Manager 2007 SP1 assumes it has complete ownership of a logical drive when it uses naming conventions, site systems running on separate computers cannot share a logical partition on any storage technology. However, they could each use their own logical partition on a physical partition of a shared storage device.

For more information regarding the use of SANs, see:

Knowledge Base article 260176: Provides more information about SANs.

Knowledge Base article 264135: Describes the differences between SANs and Storage Area Networks.

Knowledge Base article 307813: Provides more information about Systems Management Server and SANs.

3.2.2.8 Single Instance Storage Support

Placing distribution point package and signature folders on a Single Instance Storage (SIS)-enabled volume is not supported. It is also not supported for a Configuration Manager 2007 SP1 client's cache to be configured on a SIS-enabled volume.

Note

SIS is a feature of the Windows Storage Server 2003 R2 operating system.

3.2.2.9 Removable Disk Drive Support

Installation of a Configuration Manager 2007 SP1 site system or client components on a removable disk drive is not supported.

3.2.2.10 Computers in Workgroups

All site systems must be members of an Active Directory domain. This requirement includes site systems that support Internet-based client management in a perimeter network.


Note

Changing the domain membership or computer name of a Configuration Manager 2007 SP1 site system after it is installed is not supported.

Configuration Manager 2007 SP1 provides support for clients in workgroups. Moving a client from a workgroup to a domain or from a domain to a workgroup is also supported.

The following requirements must be met to support workgroup clients:

The logged-on user must possess local administrator rights on the workgroup system during client installation. The only account that Configuration Manager 2007 SP1 can use to perform activities that require local administrator privileges is the account of the user that is logged on to the computer.

The Configuration Manager client must be installed from a local source on each client machine. This requirement ensures that a local source for repair and client update application will be available for the client.

Workgroup clients must be able to locate a server locator point for site assignment as they cannot query Active Directory Domain Services. The server locator point can be published manually in Windows Internet Naming Service (WINS), or it can be specified in the CCMSetup.exe installation command-line parameters.

Workgroup clients must use the Network Access Account to access package source files on distribution points. If a Network Access Account is not configured, clients cannot access content on the distribution point. For more information, see Example Package Access Scenarios.

Although workgroup computers can be Configuration Manager 2007 SP1 clients, there are inherent limitations in supporting workgroup computers, including:

Workgroup clients cannot reference Configuration Manager 2007 SP1 objects published to Active Directory Domain Services. For workgroup clients to locate their default management point computer, it must be registered and accessible to workgroup clients in either WINS or DNS. For more information, see Configuration Manager and Service Location (Site Information and Management Points).


Workgroup clients must use the trusted root key to establish trust with a management point. For more information, see About the Trusted Root Key.

Active Directory system, user, or user group discovery is not possible.

User-targeted advertisements are not possible.

The client push installation method is not supported for workgroup client installation. For more information about installing the Configuration Manager client on workgroup computers, see How to Install Configuration Manager Clients on Workgroup Computers.

Global roaming is not possible. For more information about client roaming capabilities and behavior, see About Client Roaming in Configuration Manager.

Using a workgroup client as a branch distribution point is not supported. Configuration Manager 2007 SP1 requires that all site systems, including branch distribution point computers, are members of an Active Directory domain.

3.2.2.11 Remote Assistance Console Sessions

Console sessions controlled by Remote Assistance are supported, except for simultaneous use of Configuration Manager Remote Tools.

Invoking Remote Assistance from the Configuration Manager console requires that the Configuration Manager console computer and the client computer are running one of the following operating systems:

Windows XP SP2
Windows XP SP3
Windows Server 2003 SP1
Windows Server 2003 SP2
Windows Vista® (supported editions only; see section 3.1.1.3 Supported Client Platforms on p. 12 for more information)
Windows Vista SP1
Windows Server 2008

3.2.2.12 Fast User Switching

Fast User Switching, which is available in Windows XP editions not joined to a domain and in Windows Vista editions, is not supported in Configuration Manager 2007 SP1.


3.2.2.13 Dual Boot Computers

Configuration Manager 2007 SP1 cannot manage more than one operating system on a single computer. If there is more than one operating system on a computer that must be managed, tailor the discovery and installation methods used to ensure that the Configuration Manager client is installed only on the operating system that needs to be managed.

3.2.2.14 Supported Virtualization Environments

Configuration Manager 2007 SP1 supports client installation and all site server roles in the following virtualization environments:

Microsoft Virtual Server 2005 R2
Microsoft Virtual Server 2005 R2 SP1
Windows Server 2008 with Hyper-V
Microsoft Hyper-V Server 2008
Server Virtualization Validation Program (SVVP)

More information about the SVVP is available online.

Note

Configuration Manager 2007 SP1 does not support Virtual PC or Virtual Server guests running on a Macintosh operating system.

Configuration Manager 2007 SP1 cannot manage Virtual PC or Virtual Server guest operating systems unless they are running. An offline Virtual PC image cannot be updated nor can inventory be collected using the Configuration Manager client on the host computer.

No special consideration is given to virtual machines. For example, Configuration Manager 2007 SP1 might not determine that an update needs to be re-applied to a virtual machine image if it is stopped and restarted without saving the state of the virtual machine to which the update was applied.

3.3 Prerequisites for Installing Configuration Manager

After reviewing the Configuration Manager supported configurations, you should ensure that you have the proper prerequisites for installing a Microsoft System Center Configuration Manager 2007 site or site system. Familiarizing yourself with the prerequisites ahead of time will enable you to deploy Configuration Manager sites and features efficiently and effectively support the clients assigned to the site.


3.3.1 General Site Server Prerequisites

The general site server prerequisites for hosting the various Configuration Manager 2007 site server roles are as follows:

All site servers must be members of an Active Directory domain.

Note

Changing the domain membership or computer name of a Configuration Manager 2007 site system after it is installed is not supported.

Internet Information Services (IIS) 6.0 or later is required if the system will perform any of the following site system roles:

Background Intelligent Transfer Service (BITS)-enabled distribution point. This role requires BITS server extensions and Web Distributed Authoring and Versioning (WebDAV) extensions. IIS is not required if the distribution point will not be BITS-enabled.

Important

The WebDAV component is not included in the Windows Server 2008 operating system. You must download, install, and configure WebDAV manually on BITS-enabled distribution points running Windows Server 2008. For more information, see How to Configure Windows Server 2008 for Site Systems.

Management point. This role requires BITS server IIS extensions and WebDAV IIS extensions.

Important

The WebDAV component is not included in the Windows Server 2008 operating system. You must download, install, and configure WebDAV manually on management points running Windows Server 2008.

Reporting point. This role requires Active Server pages.

Note

When you install ASP and ASP.NET on a Windows Server 2008 operating system reporting point, you must also manually enable Windows Authentication.

Software Update Point

Server locator point.


All Configuration Manager distribution point systems using BITS bandwidth throttling require BITS 2.0 or later.

Management points and server locator points configured to be part of a Network Load Balancing cluster are supported.

All site servers require Internet Explorer 5.0 or later.

Windows Server 2008 is the only supported operating system for hosting the System Health Validator point site system role.

Site servers and branch distribution points require Remote Differential Compression to generate package signatures and perform signature comparison.

Important

Remote Differential Compression is not installed by default on computers running Windows Server 2008. For more information, see How to Configure Windows Server 2008 for Site Systems.

3.3.2 Configuration Manager Primary Site Server Prerequisites

The following software must be installed before running Setup on a server to support the primary site server role:

Microsoft Management Console (MMC) 3.0
.NET Framework 2.0

If applicable, the following update also should be applied to the system before running Setup: MS06-030: Vulnerability in Server Message Block could allow elevation of privilege.

3.3.3 Site Database Server Prerequisites

Configuration Manager 2007 primary sites require access to a SQL Server database to host the site database. The site database can be hosted on a SQL Server instance installed on the same server as the primary site, on a remote computer, or on a virtual SQL Server cluster instance. The following conditions apply:

SQL Server 2005 SP2 is the only version of SQL Server supported for hosting the Configuration Manager 2007 site database.

SQL Server 2005 Express is not a supported SQL Server 2005 version for hosting the Configuration Manager 2007 site database.

The SQL database service is the only SQL Server component required to be installed to host the site database.


3.3.4 SMS Provider Prerequisites

Because Configuration Manager 2007 allows you to install the Systems Management Server (SMS) Provider on a computer other than the site server or site database server, you should check to ensure that the computer you have identified to install the SMS Provider on meets the following prerequisites:

The SMS Provider must be installed on a computer in the same domain as the site server and site database server site systems.

The SMS Provider cannot be installed on a virtual SQL Server cluster computer or a physical computer hosting a virtual SQL Server cluster node.

The SMS Provider cannot be installed on a computer already hosting the SMS Provider for another site.

If applicable, the following updates should also be applied to the system before installing the SMS Provider:

MS06-030: Vulnerability in Server Message Block could allow elevation of privilege

Availability of Windows Server 2003 Post-Service Pack 1 COM+ 1.5 Hotfix Rollup Package 6

3.3.5 Configuration Manager Secondary Site Server Prerequisites

If applicable, the following updates should be applied to the system before installing a secondary site server:

Knowledge Base article 906570 ("A custom program that uses the RegConnectRegistry function can no longer access the registry of a remote computer in Windows Server 2003 SP1 or in an x64-based version of Windows Server 2003.")

MS06-030: Vulnerability in Server Message Block could allow elevation of privilege


Important

The SMS Provider must be installed on a computer with the same operating system language as the site server's operating system language when a site contains site servers or clients with different language operating systems installed.


3.3.6 Configuration Manager Console Prerequisites

Before installing the Configuration Manager console on a remote computer, you should ensure it meets the minimum requirements outlined in the Configuration Manager supported configurations, as well as the following installation prerequisites:

Microsoft Management Console (MMC) 3.0
.NET Framework 2.0


4 Getting Started with System Center Operations Manager 2007

In this section we will discuss supported operating systems, hardware configurations, software requirements, installation combinations, and security configurations for System Center Operations Manager 2007.

4.1 Supported Operating Systems

System Center Operations Manager 2007 has the following components that can be distributed on different servers:

Operations Manager 2007 Component

Operations Manager Operations database
Management server or root management server
Operations console
Reporting data warehouse
Reporting server
Gateway server
Web console server
Audit database
Management server with audit collector
Management server with Agentless Exception Monitoring file share
Agent
Authoring console

Each of these components can be installed on:

Windows Server 2003 SP1
Windows Server 2003 SP2
Windows Server 2003 R2
Windows Server 2003 Standard Edition on an x86 microprocessor
Windows Server 2003 Standard Edition on an x64 microprocessor
Windows Server 2003 Enterprise Edition on an x86 microprocessor
Windows Server 2003 Enterprise Edition on an x64 microprocessor
Windows Server 2003 Datacenter Edition on an x86 microprocessor
Windows Server 2003 Datacenter Edition on an x64 microprocessor
Windows Server 2008 Standard Edition on an x86 microprocessor
Windows Server 2008 Standard Edition on an x64 microprocessor
Windows Server 2008 Enterprise Edition on an x86 microprocessor
Windows Server 2008 Enterprise Edition on an x64 microprocessor
Windows Server 2008 Datacenter Edition on an x86 microprocessor
Windows Server 2008 Datacenter Edition on an x64 microprocessor


4.1.1 Minimum Hardware Requirements

You can use the Operations Manager 2007 Prerequisite Checker in Setup to check the hardware and software prerequisites and generate a report listing the prerequisites your system meets (or does not meet) prior to installing and using Operations Manager 2007.

In general, you need a 2.8 GHz (or faster) processor, at least 4 GB of RAM, and 500 GB of disk space to install Operations Manager 2007.

Note

Operations Manager 2007 does not support installing the 32-bit agent on a 64-bit operating system. Operations Manager 2007 provides native support for x86 microprocessors and x64 microprocessors for all components. It also supports agents on computers with 64-bit Itanium processors.

4.1.2 Minimum Software Requirements

Operations Manager 2007 components require a supported operating system. For a list of the supported operating systems for each component, see the Supported Operating Systems section earlier in this document.

The following table lists the minimum software requirements for each of the Operations Manager 2007 components. If you wish to install more than one component on the same computer, you must install the prerequisite software for all of the combined components.

4.1.3 Supported Software Requirements for Operations Manager 2007

Operations Manager Component | Software Requirement(s)
Operations Manager Operations database | One of the following: SQL Server 2005 Standard SP1; SQL Server 2005 Standard SP2; SQL Server 2005 Enterprise Edition SP1; SQL Server 2005 Enterprise Edition SP2
Management server and root management server | .NET Framework 2.0; .NET Framework 3.0; Microsoft Core XML Services 6.0
Reporting server | .NET Framework 3.0; SQL Server 2005 Reporting Services SP1 or SQL Server 2005 Reporting Services SP2
Gateway server | .NET Framework 2.0; Microsoft Core XML Services 6.0
Reporting data warehouse | One of the following: SQL Server 2005 Standard SP1; SQL Server 2005 Standard SP2; SQL Server Enterprise Edition SP1; SQL Server Enterprise Edition SP2
Audit collection database | One of the following: SQL Server 2005 Standard SP1; SQL Server 2005 Standard SP2; SQL Server Enterprise Edition SP1; SQL Server Enterprise Edition SP2
Operations console | Required: .NET Framework 2.0; .NET Framework 3.0. Optional: Microsoft Windows PowerShell™ (required for the Operations Manager 2007 Command Shell); Microsoft Office Word 2003 with .NET Programmability; Microsoft Visual Studio® 2005 Tools for Office (required to create or edit Management Pack knowledge data)
Web console server | .NET Framework 2.0; .NET Framework 3.0; Internet Information Services (an optional component of Windows Server 2003); ASP.NET (an optional component of Windows Server 2003)
Agent | Microsoft Core XML Services 6.0 (requires Windows Installer 3.1)
Authoring console | Required: .NET Framework 2.0; .NET Framework 3.0; .NET Framework 3.5 SP1. Optional: Microsoft Windows PowerShell (required for the Operations Manager 2007 Command Shell); Microsoft Office Word 2003 with .NET Programmability; Microsoft Visual Studio 2005 Tools for Office (required to create or edit Management Pack knowledge data)

Note

Operations Manager 2007 does not support a 32-bit Operations Manager Operations database, Reporting Server data warehouse, or Audit Collection database on a 64-bit operating system.

4.1.4 Supported Firewall Scenarios

The following table shows Operations Manager 2007 component interaction across a firewall, including information about the ports used for communication between the components, which direction to open the inbound port, and whether the port number can be changed.


4.1.5 Operations Manager 2007 Firewall Scenarios

Operations Manager 2007 Component A | Port Number and Direction | Operations Manager 2007 Component B | Configurable | Notes
Root management server | 1433 ---> | Operations Manager database | Yes (Setup) |
Management server | 1433 ---> | Operations Manager database | Yes (Setup) |
Management server | 5723, 5724 ---> | Root management server | No | Port 5724 must be open to install this component and can be closed once this component has been installed.
Management server | 1433 ---> | Reporting data warehouse | No |
Gateway server | 5723 ---> | Root management server | No |
Root management server | 1433 ---> | Reporting data warehouse | No |
Reporting server | 5723, 5724 ---> | Root management server | No | Port 5724 must be open to install this component and can be closed once this component has been installed.
Operations console | 5724 ---> | Root management server | No |
Connector framework source | 51905 ---> | Root management server | No |
Web console server | 5724 ---> | Root management server | No |
Web console browser | 51908 ---> | Web console server | Yes (IIS Admin) | Port 51908 is the default port used when selecting Windows Authentication. If you select Forms Authentication, you will need to install an SSL certificate and configure an available port for https functionality for the Operations Manager 2007 Web Console Web site.
Connected root management server (Local) | 5724 ---> | Connected root management server (Connected) | No |
Agent installed using MOMAgent.msi | 5723 ---> | Root management server | Yes (Setup) |
Agent installed using MOMAgent.msi | 5723 ---> | Management server | Yes (Setup) |
Agent installed using MOMAgent.msi | 5723 ---> | Gateway server | Yes (Setup) |
Gateway server | 5723 ---> | Management server | Yes (Setup) |
Agent (Audit Collection Services forwarder) | 51909 ---> | Management server Audit Collection Services collector | Yes (Registry) |
Agentless Exception Monitoring data from client | 51906 ---> | Management server Agentless Exception Monitoring file share | Yes (Client Monitoring Wizard) |
Customer Experience Improvement Program data from client | 51907 ---> | Management server (Customer Experience Improvement Program End Point) | Yes (Client Monitoring Wizard) |
Operations console (reports) | 80 ---> | SQL Reporting Services | No | The Operations console uses Port 80 to connect to the SQL Reporting Services Web site.
Reporting server | 1433 ---> | Reporting data warehouse | Yes |
Management server (Audit Collection Services collector) | 1433 ---> | Audit Collection Services database | Yes |


In the preceding table, if SQL Server 2005 is installed using a default instance, the port number is 1433. If SQL Server is installed with a named instance, it is most likely using a dynamic port. To identify the port:

1. Run SQL Server Configuration Manager.

2. Open SQL Server Network Configuration.

3. Open Protocols for INSTANCE1 (or the instance running under it).

4. Open TCP/IP.

5. Click IP Addresses.

6. The port is under IPAll (usually the TCP Dynamic Ports).
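The firewall table above can be used to review a proposed rule set before it is deployed. The following Python script is an added example, not part of the original guide: it transcribes the table's rows (role names shortened, and 1433 assuming a default SQL Server instance), while the sample rules and the sample design are constructed for illustration.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src port dst install_only")

# Port matrix transcribed from the firewall table on this page (role names
# shortened by this example). "*" marks a port the table says can be closed
# once setup has finished. 1433 assumes a default SQL Server instance.
MATRIX = """
root management server | 1433 | operations manager database
management server | 1433 | operations manager database
management server | 5723, 5724* | root management server
management server | 1433 | reporting data warehouse
gateway server | 5723 | root management server
root management server | 1433 | reporting data warehouse
reporting server | 5723, 5724* | root management server
operations console | 5724 | root management server
connector framework source | 51905 | root management server
web console server | 5724 | root management server
web console browser | 51908 | web console server
connected root management server (local) | 5724 | connected root management server (connected)
agent | 5723 | root management server
agent | 5723 | management server
agent | 5723 | gateway server
gateway server | 5723 | management server
acs forwarder | 51909 | acs collector
aem client | 51906 | aem file share
ceip client | 51907 | ceip end point
operations console | 80 | sql reporting services
reporting server | 1433 | reporting data warehouse
acs collector | 1433 | acs database
"""


def load_matrix(text=MATRIX):
    """Expand each table row into one Flow per port."""
    flows = []
    for line in text.strip().splitlines():
        src, ports, dst = (part.strip() for part in line.split("|"))
        for token in ports.split(","):
            token = token.strip()
            flows.append(Flow(src, int(token.rstrip("*")), dst, token.endswith("*")))
    return flows


def normalize(rule):
    src, port, dst = rule
    return (src.strip().lower(), int(port), dst.strip().lower())


def audit(rules, design, setup_complete):
    """Compare firewall allow rules with the flows the design needs.

    rules  -- iterable of (source, port, destination); source may be "any"
    design -- iterable of (source, destination) role pairs actually deployed
    """
    allowed = {normalize(r) for r in rules}
    pairs = {(s.strip().lower(), d.strip().lower()) for s, d in design}
    needed = {(f.src, f.port, f.dst): f
              for f in load_matrix() if (f.src, f.dst) in pairs}
    report = {"missing": [], "close_after_setup": [], "too_broad": [], "unneeded": []}
    for key, flow in needed.items():
        covered = key in allowed or ("any", flow.port, flow.dst) in allowed
        if flow.install_only and setup_complete:
            if covered:  # install-time port left open after setup
                report["close_after_setup"].append(key)
        elif not covered:
            report["missing"].append(key)
    for rule in allowed:
        if rule[0] == "any":  # wildcard source is wider than any table row
            report["too_broad"].append(rule)
        elif rule not in needed:
            report["unneeded"].append(rule)
    return {name: sorted(items) for name, items in report.items()}


# Constructed sample input: a small management group and its proposed rules.
SAMPLE_DESIGN = [
    ("Management server", "Root management server"),
    ("Management server", "Operations Manager database"),
    ("Root management server", "Operations Manager database"),
    ("Operations console", "Root management server"),
    ("Agent", "Management server"),
]
SAMPLE_RULES = [
    ("Management server", 5723, "Root management server"),
    ("Management server", 5724, "Root management server"),
    ("Management server", 1433, "Operations Manager database"),
    ("Root management server", 1433, "Operations Manager database"),
    ("any", 5723, "Management server"),
    ("Operations console", 3389, "Root management server"),
]

if __name__ == "__main__":
    for finding, items in audit(SAMPLE_RULES, SAMPLE_DESIGN, True).items():
        print(finding, items)
```

For a named SQL Server instance, replace 1433 in the matrix with the port found by the steps above before running the audit.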

4.1.6 Minimum Network Connectivity Speeds

Operations Manager 2007 requires the following minimum network connectivity speeds between the specified components:

Component A | Component B | Minimum Requirement
Root management server\management server | Agent | 64 Kbps
Root management server\management server | Agentless | 1024 Kbps
Root management server\management server | Database | 256 Kbps
Root management server | Console | 768 Kbps
Root management server | Management server | 64 Kbps
Root management server\management server | Data warehouse database | 768 Kbps
Root management server | Reporting server | 256 Kbps
Management server | Gateway server | 64 Kbps
Local management group | Connected management group (tiering) | 1024 Kbps
Web console server | Web console | 128 Kbps
Reporting Data Warehouse | Reporting server | 1024 Kbps
Console | Reporting server | 768 Kbps
Audit collector | Audit database | 768 Kbps

4.1.7 Supported Cluster Configurations

Operations Manager 2007 supports the clustering configurations for Operations Manager server roles as shown in the following table:

Server Role | Cluster | Notes
Operations Manager 2007 Operations database | Single Active-Passive cluster | Setup needs to be run only once on the active node of the cluster. Other Operations Manager 2007 server roles must not be installed on the cluster or nodes of the cluster.
Root management server | Single Active-Passive cluster | Setup needs to be run on every node of the cluster. Other Operations Manager 2007 server roles must not be installed on the cluster or nodes of the cluster.
Operations Manager 2007 Reporting data warehouse | Single Active-Passive cluster | Other Operations Manager 2007 server roles must not be installed on the cluster or nodes of the cluster.
Audit collection database | Single Active-Passive cluster | Other Operations Manager 2007 server roles must not be installed on the cluster or nodes of the cluster.

4.1.8 Supported—but Not Recommended—Cluster Configurations

Operations Manager 2007 supports the following clustering configurations for Operations Manager server roles, as shown in the following table. However, due to a potential performance impact on your SQL Server-based computer, these configurations are not recommended:

Server Role | Cluster | Notes
Operations Manager 2007 Operations database and Operations Manager 2007 Reporting data warehouse | Active-Active cluster where the Operations Manager Operations database is installed on one node of the cluster and the Reporting data warehouse is installed on the other node of the cluster | There might be some performance issues with SQL Server in this configuration.
Operations Manager Operations database, Reporting data warehouse, and audit collection database | Single Active-Passive or Active-Active cluster where all three components are on a single cluster | There might be some performance issues with SQL Server in this configuration.
Operations Manager Operations database and audit collection database | Single Active-Passive cluster where both components are on a single cluster | There might be some performance issues with SQL Server in this configuration.
Operations Manager Operations database and Reporting data warehouse | Single Active-Passive cluster where both components are on a single cluster | There might be some performance issues with SQL Server in this configuration.
Reporting data warehouse and audit collection database | Single Active-Passive cluster where both components are on a single cluster | There might be some performance issues with SQL Server in this configuration.

4.1.9 Non-supported Cluster Configurations

The following cluster configurations are not supported:

Server Role | Cluster | Notes
Operations Manager Operations database and root management server | Single Active-Passive where both components are on the same node of the cluster | Not supported
Operations Manager Operations database and root management server | Active-Active-Passive cluster where the Operations Manager Operations database is on one active node, the root management server is on the other active node, and the passive node acts as the failover node for both | Not supported
Operations Manager Operations database and root management server | Active-Active cluster where the Operations Manager Operations database is on one active node, the root management server is on the other active node, and they each act as the passive node for the other component | Not supported

Note

Geographically dispersed clusters or geo clusters are not supported for any Operations Manager 2007 roles.

4.1.10 Monitored Item Capacity

Operations Manager supports the following number of monitored items.

Monitored Item | Recommended Limit
Simultaneous Operations consoles | 50
Agent-monitored computers reporting to a management server | 2,000
Agent-monitored computers reporting to a gateway server | 800
Agentless Exception Monitored computers per management server | 25,000
Agentless Exception Monitored computers per management group | 100,000
Collective client monitored computers per management server | 2,500
Management servers per agent for multihoming | 4
Agentless-managed computers per management server | 10
Agentless-managed computers per management group | 60
Agent-managed computers per management group | 6,000

4.2 System Requirements for Operations Manager 2007

Ensure the computers you will use to evaluate Operations Manager 2007 meet the hardware and software requirements of the product. For a complete list of supported configurations, see Operations Manager 2007 Supported Configurations.

The following table lists the required software for each Operations Manager 2007 component after a supported operating system has been installed. For a list of supported operating systems, see Operations Manager 2007 Supported Configurations.

Operations Manager 2007 component | Required software
Operations Manager database | One of the following: SQL Server 2005 Standard SP1; SQL Server 2005 Enterprise Edition SP1
Management server | .NET Framework 2.0; .NET Framework 3.0; Microsoft Core XML Services 6.0 (This is installed automatically by the Operations Manager 2007 setup)
Operations Console | Required: .NET Framework 2.0; .NET Framework 3.0. Optional: Microsoft Windows PowerShell (required for the Operations Manager 2007 Command Shell); Microsoft Office Word 2003 with .NET Programmability; Microsoft Visual Studio 2005 Tools for Office (required to create or edit Management Pack knowledge data)
Agent | Microsoft Core XML Services 6.0 (will install automatically if the agent is deployed from the Operations Console). NOTE: Microsoft Core XML Services 6.0 requires Windows Installer 3.1.
Reporting Data Warehouse | SQL Server 2005 SP1
Reporting server | .NET Framework 2.0; .NET Framework 3.0; SQL Server 2005 Reporting Services SP1
Gateway server | .NET Framework 2.0; Microsoft Core XML Services 6.0
Web Console | .NET Framework 2.0; .NET Framework 3.0; Internet Information Services (an optional component of Windows Server 2003); ASP.NET (an optional component of Windows Server 2003)
Audit collection database | One of the following: SQL Server 2005 Standard SP1; SQL Server Enterprise Edition SP1

In addition, Operations Manager 2007 relies on Active Directory Domain Services for a number of services, including definition of security principals, rights assignment, authentication, and authorization. Operations Manager queries Active Directory Domain Services when performing computer and service discovery and can use Active Directory Domain Services for storing and distributing agent configuration information. For Operations Manager to function properly, Active Directory Domain Services and its supporting service, DNS, need to be healthy and at certain minimum configuration levels.

4.2.1 Domain Functional Level

Windows Server 2003 Active Directory domains can operate in one of four different levels of functionality. These levels are distinguished by the version of the Windows Server operating system that is permitted on the domain controllers present in the domain. Each of the following levels provides increasingly powerful features:

Windows 2000 mixed: Windows NT® Server 4.0, Windows 2000 Server, and Windows Server 2003 domain controllers are allowed. This is the default domain functional level for Windows Server 2003 domains.

Windows 2000 native: Windows 2000 Server and Windows Server 2003 domain controllers are allowed.

Windows Server 2003 interim: Windows Server 2003 and Windows NT Server 4.0 domain controllers are allowed. This is only seen when upgrading a Windows NT Server 4.0 domain to be the first Windows Server 2003 domain in an Active Directory forest.

Windows Server 2003: Only Windows Server 2003 domain controllers are allowed.


Operations Manager 2007 requires that the domain functional level be Windows 2000 native, Windows Server 2003 interim, or Windows Server 2003. The domain functional level of Windows Server 2008 is also supported. For Operations Manager to function properly, you must check the domain functional level and raise it to at least Windows 2000 native. To do this, see Raise the Domain Functional Level.

4.2.2 Forest Functional Level

The forest functional level is similar to the domain functional level in that it sets a minimum domain controller operating system level across the whole forest. Once it has been set, domain controllers with down-level operating systems from lower functional levels cannot be introduced into the forest. Operations Manager does not have a forest functional level requirement. However, if the forest functional level is left at the default Windows 2000 level, there may be domains in your forest that won't meet the minimum domain functional level requirement.

4.2.3 DNS

DNS must be installed and in a healthy state to support Active Directory Domain Services. Beyond the reliance of Operations Manager on Active Directory Domain Services, there are no specific DNS requirements.

4.3 Security Considerations

Most of the work in preparing the environment for Operations Manager 2007 goes into security-related tasks. This section covers those tasks at a cursory level. For detailed coverage, see the Operations Manager 2007 Security Guide.

Preparing the security-related tasks involves the following:

Understanding, planning, and preparing for monitoring across trust boundaries.

Planning and preparing the service accounts, user accounts, and security groups that you will need.

Understanding and preparing the network ports as required by your design.

4.3.1 Trust Boundaries

Active Directory domains form the basic unit of a Kerberos trust boundary as seen by Operations Manager. This boundary is automatically expanded to other domains in the same name space (i.e., the same Active Directory tree), and between domains that are in different Active Directory trees but still in the same Active Directory forest via transitive trusts. The trust boundary can be further expanded between domains in different Active Directory forests through the use of cross-forest trusts.


4.3.1.1 Kerberos

The Kerberos authentication protocol, which is supported by Windows 2000 domain controllers and above, can only occur within a trust boundary. Kerberos authentication is the mechanism used to perform the Operations Manager 2007 agent/server mutual authentication. Agent/server mutual authentication is mandated in Operations Manager 2007 for all agent/server communication.

An Operations Manager management group does have the ability to perform discovery and monitoring outside of the Kerberos trust boundary in which it’s located. However, because the default authentication protocol for Windows-based computers that are not joined to an Active Directory domain is NTLM, another mechanism must be used to support mutual authentication. This is done through the exchange of certificates between agents and servers.

4.3.1.2 Certificates

When Operations Manager 2007 communication needs to occur across trust boundaries, such as when a server that you want to monitor lies in a different, untrusted, Active Directory domain than the management group that is performing the monitoring, certificates can be used to satisfy the mutual authentication requirement. Through manual configuration, certificates can be obtained and associated with the computers and the Operations Manager services running on them. When a service that needs to communicate with a service on a different computer starts and attempts to authenticate, the certificates will be exchanged and mutual authentication completed.

Important

The certificates used for this purpose must ultimately trust the same root certification authority.

For more information about how to obtain and make use of certificates for mutual authentication, see Deploying Gateway Server in the Multiple Server, Single Management Group Scenario.
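The same-root requirement above can be checked before deployment by building each certificate's chain and comparing the roots. The following PowerShell is an added example, not part of the original guide; it assumes PowerShell 7 or later, and the function names, host names and in-memory test certificates are constructed for illustration.

```powershell
# Added example, not from the guide. Requires PowerShell 7+ (uses the .NET CertificateRequest API).
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-ChainRoot {
    # Builds the chain for one certificate and returns the subject and thumbprint of its root.
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [X509Certificate2[]]$CaCertificates = @()   # CA certificates not present in the local stores
    )
    $chain = [X509Chain]::new()
    try {
        $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
        # Only identify the root here; whether that root is trusted is a separate decision.
        $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
        foreach ($ca in $CaCertificates) { [void]$chain.ChainPolicy.ExtraStore.Add($ca) }
        [void]$chain.Build($Certificate)

        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        # A root CA certificate is self-issued. If the last element is not, the chain is incomplete.
        if ($top.Subject -ne $top.Issuer) {
            throw "Chain for '$($Certificate.Subject)' is incomplete; it stops at '$($top.Subject)'."
        }
        [pscustomobject]@{ Subject = $top.Subject; Thumbprint = $top.Thumbprint }
    }
    finally { $chain.Dispose() }
}

function Test-SameRootCA {
    # Compares the roots of two certificates, for example a management server's and a gateway's.
    param(
        [Parameter(Mandatory)][X509Certificate2]$First,
        [Parameter(Mandatory)][X509Certificate2]$Second,
        [X509Certificate2[]]$CaCertificates = @()
    )
    $a = Get-ChainRoot -Certificate $First  -CaCertificates $CaCertificates
    $b = Get-ChainRoot -Certificate $Second -CaCertificates $CaCertificates
    [pscustomobject]@{
        SameRoot   = ($a.Thumbprint -eq $b.Thumbprint)
        FirstRoot  = $a.Subject
        SecondRoot = $b.Subject
    }
}

# --- Constructed test material: two throwaway root CAs and three leaf certificates, all in memory ---
function New-DemoRoot([string]$Name) {
    $key = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$Name", $key, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
    $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1), [DateTimeOffset]::UtcNow.AddDays(30))
}

function New-DemoLeaf([string]$Name, [X509Certificate2]$Issuer) {
    $key = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$Name", $key, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $req.Create($Issuer, [DateTimeOffset]::UtcNow.AddHours(-1), [DateTimeOffset]::UtcNow.AddDays(7),
                [guid]::NewGuid().ToByteArray())
}

$rootA   = New-DemoRoot 'Constructed Root A'
$rootB   = New-DemoRoot 'Constructed Root B'
$mgmt    = New-DemoLeaf 'mgmt01.example.test'   $rootA   # management server certificate
$gateway = New-DemoLeaf 'gw01.dmz.example.test' $rootA   # gateway certificate from the same hierarchy
$stray   = New-DemoLeaf 'gw02.dmz.example.test' $rootB   # certificate issued by an unrelated CA
$cas     = @($rootA, $rootB)

# Pair that satisfies the requirement, then a pair that does not.
Test-SameRootCA -First $mgmt -Second $gateway -CaCertificates $cas
Test-SameRootCA -First $mgmt -Second $stray   -CaCertificates $cas
```

In practice, load the two exported certificates from their files in place of the demo certificates, and pass any intermediate CA certificates that are not yet in the local stores through `-CaCertificates`.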

4.3.2 Certification Authority

To get the necessary certificates, you will need access to a certification authority. This can be either Microsoft Certificate Services or a third-party certification service such as VeriSign.


4.3.2.1 Microsoft Certificate Services

There are four types of Microsoft certificate authorities (CAs):

Enterprise root
Enterprise subordinate
Stand-alone root
Stand-alone subordinate

Both enterprise types of CAs require Active Directory Domain Services; stand-alone CAs do not. Either type of CA can issue the necessary certificates for agent/server mutual authentication across trust boundaries.

Customarily, a CA infrastructure consists of a root CA that signs its own certificates and certifies itself and one or more subordinate CAs, which are certified by the root. The subordinate CA servers are the ones that service certificate requests, while the root is taken offline and held for safekeeping. For more information about designing certificates, see Enterprise Design for Certificate Services and the topic "Certificates" in the Operations Manager 2007 Help file.

4.3.3 Accounts and Groups

You will potentially need many accounts and security groups over the lifetime of your Operations Manager deployment. During Operations Manager setup, you are only prompted for four. You need to consider additional accounts when planning out role-based security assignments, notifications, and alternate credentials to run processes. For guidance on planning role-based security assignments, see the Operations Manager 2007 Design Guide.

4.3.3.1 Role-Based Security Accounts and Groups

Operations Manager controls access to monitored groups, tasks, views, and administrative functions through the assignment of user accounts to roles. A role in Operations Manager is the combination of a profile type (operator, advanced operator, administrator) and a scope (to what data the role has access). Typically, Active Directory security groups are assigned to roles, and then individual accounts are assigned to those groups. Prior to deploying, plan out Active Directory security groups that can be added to these and any custom-created roles. This will prepare you to add individual user accounts to the security groups.

Operations Manager provides the following role definitions out-of-the-box:

| Role name | Profile type | Profile description | Role scope |
| --- | --- | --- | --- |
| Operations Manager Administrators: Created at setup. Cannot be deleted. Must contain one or more global groups. | Administrator | Has full privileges to Operations Manager; no scoping of the Administrator profile is supported. | Full access to all Operations Manager data, services, administrative, and authoring tools |
| Operations Manager Advanced Operators: Created at setup. Globally scoped. Cannot be deleted. | Advanced Operator | Has limited change access to Operations Manager configuration; ability to create overrides to rules; monitors for targets or groups of targets within the configured scope. | Access to all groups, views, and tasks currently present and those imported in the future |
| Operations Manager Authors: Created at setup. Globally scoped. Cannot be deleted. | Author | Has ability to create, edit, and delete tasks, rules, monitors, and views within configured scope. | Access to all groups, views, and tasks currently present and those imported in the future |
| Operations Manager Operators: Created at setup. Globally scoped. Cannot be deleted. | Operator | Has ability to interact with alerts, run tasks, and access views according to configured scope. | Access to all groups, views, and tasks currently present and those imported in the future |
| Operations Manager Read-Only Operators: Created at setup. Globally scoped. Cannot be deleted. | Read-Only Operator | Has ability to view alerts and access views according to configured scope. | Access to all groups and views currently present and those imported in the future |
| Operations Manager Report Operators: Created at setup. Globally scoped. | Report Operator | Has ability to view reports according to configured scope. | Globally scoped |
| Operations Manager Report Security Administrators: Integrates SQL Reporting Services security with Operations Manager user roles. Gives Operations Manager administrators the ability to control access to reports. Cannot be scoped. | Report Security Administrator | Enables integration of SQL Reporting Services security with Operations Manager roles. | No scope |

You can add Active Directory security groups or individual accounts to any of these predefined roles. If you do, those individuals will be able to exercise the given role privileges across the scoped objects.

Operations Manager also allows you to create custom roles based on the Operator, Read-Only Operator, Author, and Advanced Operator profiles. When you create the role, you can further narrow the scope of groups, tasks, and views that the role can access. For example, you can create a role entitled "Exchange Operator" and narrow the scope to only Exchange-related groups, views, and tasks. User accounts assigned to this role will only be able to run Operator-level actions on Exchange-related objects.

Important

Make sure that you create a domain security group for the Operations Manager Administrators role. This is required to be in place during the first setup run for a management group.

4.3.3.2 Notification Accounts and Groups

Individuals who will interact with Operations Manager frequently, such as an Exchange administrator who has been assigned to the Exchange Operator role, need a way to discover new alerts. This can be done by either watching the Operations console for new alerts or by Operations Manager informing them about the alert via supported communications channels. Operations Manager supports notifications through e-mail, instant messaging, Short Message Service, or pager messages. Notifications on what the role needs to know go out to recipients that you specify in Operations Manager. An Operations Manager recipient is merely an object that has a valid address to receive the notification, such as an SMTP address for e-mail notifications.

Therefore, it is logical to combine role assignment with notification group membership via an e-mail-enabled security group. For example, create an Exchange Administrators security group and populate it with individuals that have the knowledge and permissions to fix things in Exchange. Assign this security group to a custom-created Exchange Administrator role so they have access to the data and are e-mail-enabled. Then, create a recipient by using the SMTP address of the e-mail-enabled security group.

4.3.3.3 Service Accounts

At the time of deployment, you need to have the following service accounts ready. If you use domain accounts and your domain Group Policy object has the default password expiration policy set as required, you will either have to change the passwords on the service accounts according to the schedule, or use low-maintenance system accounts, or configure the accounts so that the passwords never expire.

| Account name | Requested when | Used for | Low maintenance | High security |
| --- | --- | --- | --- | --- |
| Management server Action Account | Management server setup | Collecting data from providers, running responses | Local system | Low privilege domain account |
| SDK and Configuration Service Account | Management server setup | Writing to operational database, running services | Local system | Low privilege domain account |
| Local Administrator Account for target devices | Discovery and push agent install | Installing agents | Domain or local administrator account | Domain or local administrator account |
| Agent Action Account | Discovery and push agent install | Gathering information and running responses on managed computers | Local system | Low privilege domain account |
| Data Warehouse Write Action Account | Reporting Server setup | Writing to the Reporting Data Warehouse database | Low privilege domain account | Low privilege domain account |
| Data Reader Account | Reporting Server setup | Querying SQL Reporting Services database | Low privilege domain account | Low privilege domain account |

4.3.3.4 Run As Accounts

Agents on monitored computers can run tasks, modules, and monitors on demand as well as in response to predefined conditions. By default, all tasks run by using the Agent Action account credentials. In some cases, the Agent Action account may have insufficient rights and privileges to run a given action on the computer. Operations Manager supports the running of tasks by agents in the context of an alternate set of credentials called a Run As Account. A Run As Account is an object that is created in Operations Manager, just like a recipient is, and maps to an Active Directory user account. A Run As Profile is then used that maps the Run As Account to a specific computer. When a rule, task, or monitor that has been associated with a Run As Profile at the development time of a management pack needs to run on the targeted computer, it does so by using the specified Run As Account.

Operations Manager provides a number of Run As Accounts and Run As Profiles out of the box, and you can create additional ones as necessary. You may also choose to modify the Active Directory credentials with which a Run As Account is associated. This will require planning, creating, and maintaining additional Active Directory credentials for this purpose. You should treat these accounts as service accounts with regard to password expiration, Active Directory Domain Services, location, and security.

Also, you will need to work with management pack authors as they develop requests for Run As Accounts.

For more information, see the Operations Manager 2007 Security Guide.

4.3.4 Agent and Agentless Monitoring

In this section we will discuss the environmental prerequisites for devices that will have agents installed and devices that will be monitored in an agentless fashion.

4.3.4.1 Clients with Agents Installed

The three main activities involved with agent administration are discovery of target devices, deployment or installation of agents to those devices, and ongoing management of the agents. Agents that lie outside a trust boundary require a few more prerequisites than agents that lie inside a trust boundary.

4.3.4.1.1 Agents Inside a Trust Boundary

4.3.4.2 Discovery

Discovery requires that the TCP 135 (RPC), RPC range, and TCP 445 (SMB) ports remain open and that the SMB service is enabled.

4.3.4.3 Installation

After a target device has been discovered, an agent can be deployed to it. Agent installation requires the following:

Opening Remote procedure call (RPC) ports beginning with endpoint mapper TCP 135 and the Server Message Block (SMB) port TCP/UDP 445.


Enabling the File and Printer Sharing for Microsoft Networks and the Client for Microsoft Networks services. (This ensures that the SMB port is active.)

If enabled, the Windows Firewall Group Policy settings "Allow remote administration exception" and "Allow file and printer sharing exception" must have "Allow unsolicited incoming messages from" set to the IP address and subnets for the primary and secondary management servers for the agent. For more information, see How to Configure the Windows Firewall to Enable Management of Windows-Based Computers from the Operations Manager 2007 Operations Console.

An account that has local administrator rights on the target computer.

Windows Installer 3.1. To install, see article 893803 in the Microsoft Knowledge Base.

Microsoft Core XML Services 6, which is on the Operations Manager product installation media in the \msxml subdirectory.

Note

Push agent installation will install Microsoft Core XML Services 6 on the targeted device if it is not there.

4.3.4.4 Ongoing Management

Ongoing management of an agent requires that the TCP 135 (RPC), RPC range, and TCP 445 (SMB) ports remain open and that the SMB service remains enabled.

4.3.4.5 Agents Outside a Trust Boundary

For agents that lie outside the trust boundary of the management servers, the environmental prerequisites are the same as for those that lie inside a trust boundary, with some additions.

Because the device is going to have an installed agent, the software, service, and port requirements remain the same. However, because there is no underlying infrastructure to support Kerberos authentication, certificates must be used on both sides of the connection.

To simplify the cross-trust-boundary configuration, you can install an Operations Manager gateway server in the same trust boundary as the devices that you will monitor. The gateway server acts as a proxy so that all communication between the management server and agents is routed through the gateway server. This communication is done over a single port, TCP 5723, and requires certificates on the management server and the gateway server. In addition, the gateway server performs discovery and installation, and relays ongoing administration traffic on behalf of the management server to the agents. The use of gateway servers also reduces the volume of network traffic and is therefore useful in low bandwidth conditions.

For more information about gateway server configuration, see Deploying Gateway Server in the Multiple Server, Single Management Group Scenario.

4.3.4.6 Manually Installed Agents

Discovery is not performed for manually installed agents. Therefore, there are fewer requirements.

4.3.4.7 Agentless Monitoring

Agentless monitoring of devices is performed by either a management server or by another device that does have an agent, called a proxy agent. An agentless managed device must not be separated from its management server or proxy agent by a firewall because monitoring is performed over remote procedure call (RPC). The action account of the agent that is performing the monitoring must have local administrative rights on the device that is being monitored.

4.3.5 Deploy an Operations Manager 2007 Management Group on a Single Computer Using the Setup Wizard

Use the following procedure to deploy the Operations Manager 2007 server components required for a management group on a single computer, using the Setup Wizard. The required server components for a management group are the Operations Manager database, a management server, and an Operations Console.

To deploy an Operations Manager 2007 management group by using the Setup Wizard:

1. Use local administrator privileges to log on to the computer. (This account must have system administrator privileges on the instance of SQL Server that will host the Operations Manager 2007 database.)

2. On the Operations Manager 2007 installation media, double-click SetupOM.exe.

3. On the Start page, select Install Operations Manager 2007.

4. When the Welcome page displays, click Next.

5. On the End-User License Agreement page, accept the agreement and then click Next.

6. On the Product Registration page, type the information in the text boxes (the CD key is required) and click Next.


7. When the Custom Setup page displays, leave the components set to their defaults and then click Next.

8. On the Management Group Configuration page, follow these steps:

a. Type the name you want for the management group in the Management Group text box. Important: The name of a management group cannot be changed.

Note

The management group name cannot contain the following characters: ( ) ^ ~ : ; . ! ? " , ' ` @ # % \ / * + = $ | & [ ] <>{}, or have a leading or trailing space. It is recommended that the management group name is unique within your organization if you plan to connect Operations Manager 2007 management groups.

b. Click Browse and select the universal or global security group that you want added to the management group's administrators role, and then click OK.

Important

The person installing the management group must be a member of the specified universal or global security group to run the Operations Console.

c. Click Next.

9. On the SQL Server Database Instance page, in the SQL Server Database Instance list, select the instance of SQL Server on which you want to install the Operations Manager 2007 database and then click Next.

10. On the Database and Log Files Options page, in the SQL Server Database Instance list, select the instance of SQL Server on which you want to install the Operations Manager 2007 database and then click Next.

Note

To change the default database name or installation location of either the data file or the log file, click Advanced, make the changes, click OK, and then click Next to continue.

11. On the Management Server Action Account page, perform one of the following steps:

a. Select Local System, and click Next.

b. Select Domain or Local Computer Account, type the User Account and Password, select the Domain or local computer from the list, and then click Next. If User Account is provided in [email protected] format, the value in Domain or local computer is ignored.

Note

If you plan to deploy agents to remote computers from the Operations Manager 2007 Operations console, the Management Server Action account must have administrative privileges on these remote computers.

12. On the SDK and Config Service Account page, perform one of the following steps:

Select Local System, and click Next.

Select Domain or Local Account, type the User Account and Password, select the Domain or local computer from the list, and then click Next. If User Account is provided in [email protected] format, the value in Domain or local computer is ignored.

13. On the Web Console Authentication Configuration page, select Use Windows Authentication if the console will be accessed only over an intranet. Select Use Forms Authentication if the console will be accessed over the Internet.

14. On the Operations Manager Error Reports page, either leave Do you want to send error reports to Microsoft cleared and click Next to not send Operations Manager 2007 error reports to Microsoft, or select Do you want to send error reports to Microsoft and perform the following steps:

a. Select Automatically send error reports about this product to Microsoft without prompting the user, or leave the default option, Prompt the user for approval before sending error reports to Microsoft, selected.

b. Click Next.

15. On the Customer Experience Improvement Program page, perform one of the following steps:

a. Leave the default option of I don't want to join the program selected if you do not want your organization to participate in the program, and then click Next.

b. Select Join the Customer Experience Improvement Program if you want your organization to participate in the program, and then click Next.


16. On the Ready to Install page, click Install. The Installing System Center Operations Manager 2007 page will display and provide installation progress.

17. When the Completing the System Center Operations Manager 2007 Setup Wizard page displays, do the following:

a. Leave the Start the Console check box selected to launch the Operations Console.

Note

To open the Operations Console, you must be a member of an Operations Manager 2007 user role for the management group. For information about adding a user to a user role, see Security Considerations in Operations Manager 2007.

18. Leave Back up Encryption Key selected to back up the encryption key.

Important

Without a backup of the Root Management Server key, you would need to re-enter all of your Run As Accounts if you had to rebuild the root management server. In larger environments, this rebuild could involve hundreds of accounts. For more information about the Encryption Key Backup or Restore Wizard, see How to Backup and Restore Encryption Keys in Operations Manager 2007.

19. Click Finish.
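Because the management group name entered in step 8a cannot be changed later, it is worth checking a proposed name against the restrictions in that step's Note before starting the wizard. The following PowerShell is an added example, not part of the original guide; the function name and the sample names are constructed.

```powershell
# Added example, not from the guide: checks a proposed management group name against the
# restrictions in the Note under step 8a. Function name and sample names are constructed.
function Test-ManagementGroupName {
    param([Parameter(Mandatory)][string]$Name)

    # Forbidden characters from the Note. Inside a single-quoted string the backtick, $ and "
    # are literal; only the single quote itself needs handling, so it is appended separately.
    $forbidden = '()^~:;.!?",`@#%\/*+=$|&[]<>{}' + "'"

    $problems = @()
    if ($Name -ne $Name.Trim(' ')) { $problems += 'leading or trailing space' }

    # Collect each forbidden character that occurs in the name, once.
    $bad = @($Name.ToCharArray() | Where-Object { $forbidden.IndexOf($_) -ge 0 } | Select-Object -Unique)
    if ($bad.Count -gt 0) { $problems += "forbidden character(s): $($bad -join ' ')" }

    [pscustomobject]@{
        Name     = $Name
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Constructed sample names: one acceptable, three that break different parts of the rule.
'Contoso-Prod-MG', 'Ops.Manager', ' Lab MG', 'MG#1 (test)' |
    ForEach-Object { Test-ManagementGroupName -Name $_ } |
    Format-Table -AutoSize
```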


5 Getting Started with System Center Data Protection Manager 2007

Before you install System Center Data Protection Manager (DPM) 2007, you need to ensure that the DPM server and the computers and applications it is going to protect meet network and security requirements. You must also ensure that they are running on supported operating systems and that they meet the minimum hardware requirements and software prerequisites.

DPM is designed to run on a dedicated, single-purpose server that cannot be either a domain controller or an application server. The DPM server must not serve as a management server for Microsoft Operations Manager (MOM) 2005 or Microsoft System Center Operations Manager 2007. However, you can monitor the DPM server and the computers that it protects in MOM or Operations Manager.

5.1 Security Requirements

The System Center Data Protection Manager (DPM) 2007 security requirements are as follows:

Before you install DPM 2007, you must log on to the computer as a domain user who is a member of the local administrators group.

After you install DPM, you must be a domain user with administrator access to use DPM Administrator Console.

5.2 Network Requirements

The System Center Data Protection Manager (DPM) 2007 network requirements are as follows:

The DPM server must be deployed within a Windows Server 2003 Active Directory domain. The domain controllers can be running Windows Server 2000, Windows Server 2003, Windows Server 2003 R2 Server, or Windows Server 2008.

Note

For complete protection on a Windows Server 2008 operating system, including system state protection, you must install Knowledge Base article 949779.

DPM 2007 running on Windows Server 2000 domain controllers does not support the following:

Protecting computers across domains.


Protecting a child Windows Server 2000 domain controller in a domain where Windows Server 2000 is the primary domain controller.

Protecting computers running Exchange Server 2007.

DPM 2007 running on Windows Server 2003 domain controllers supports protecting computers across domains within a forest. However, you must establish two-way trust across the domains. If there is not two-way trust across domains, you must have a separate DPM server for each domain. DPM 2007 does not support protection across forests.

Active Directory Domain Services, an essential component of the Windows Server 2003 architecture, provides organizations with a directory service designed for distributed computing environments. Active Directory Domain Services allows organizations to centrally manage and share information about network resources and users while acting as the central authority for network security. In addition to providing comprehensive directory services to a Windows environment, Active Directory Domain Services is designed to be a consolidation point for isolating, migrating, centrally managing, and reducing the number of directories that companies require.

Note

The DPM server requires persistent connectivity with the servers and desktop computers it protects.

5.3 Hardware Requirements

System Center Data Protection Manager (DPM) 2007 requires a disk that is dedicated to the storage pool and a disk that is dedicated to the following:

System files
DPM installation files
DPM prerequisite software
DPM database files

Note

You can install DPM on the same volume that the operating system is installed on, or you can install DPM on a different volume that does not include the operating system. However, you cannot install DPM on the disk that is dedicated to the storage pool, which is a set of disks on which the DPM server stores the replicas and recovery points for the protected data.

DPM owns and manages the disks in the storage pool, which must be dynamic. For purposes of DPM, "disk" is defined as any disk device manifested as a disk in Disk Management. For information about the types of disks that the storage pool supports and how to plan your disk configuration, see Planning the Storage Pool.


If you want to manage your own additional disk space, DPM enables you to attach or associate custom volumes to data sources that you are protecting in a protection group. Custom volumes can be on basic or dynamic disks. Any volume that is attached to the DPM server can be selected as a custom volume. However, DPM cannot manage the space in custom volumes. Note that the release of DPM 2007 being discussed here will not delete any existing volumes on the disk attached to the storage pool to make the entire disk space available.

Note

A 64-bit system is recommended for installing DPM 2007.

The following table lists the minimum and recommended hardware requirements for the DPM server. For more information about planning DPM server configurations, see Planning for DPM Deployment.

| Component | Minimum Requirement | Recommended Requirement |
| --- | --- | --- |
| Processor | 1 gigahertz (GHz) or faster | 2.33 GHz quad-core CPUs |
| Memory | 2 gigabytes (GB) RAM. For information about how DPM manages memory, see DPM and Memory. | 4 GB RAM |
| Pagefile | 0.2 percent the size of all recovery point volumes combined, in addition to the recommended size. (This is typically 1.5 times the amount of RAM on the computer.) For information about configuring the DPM pagefile size, in the DPM Operations Guide see Managing Performance. | N/A |
| Disk space for DPM installation | Program files drive: 410 megabytes (MB). Database files drive: 900 MB. System drive: 2,650 MB. NOTE: The system drive disk space requirement is necessary if you chose to install the instance of SQL Server from the DPM download package. If you are using an existing instance of SQL Server, this disk space requirement is considerably less. | From 2 GB to 3 GB of free space on the program files volume. NOTE: DPM requires at least 300 MB of free space on each protected volume for the change journal. In addition, before archiving data to tape, DPM copies the file catalog to a DPM temporary installation location. Therefore, we recommend that the volume on which DPM is installed contains from 2 GB to 3 GB of free space. |
| Disk space for storage pool [The storage pool does not support Universal Serial Bus (USB)/1394 disks.] | 1.5 times the size of the protected data. For information about calculating capacity requirements and planning the configuration of the disks, in Planning a DPM 2007 Deployment see Planning the Storage Pool. | From 2 to 3 times the size of the protected data |
| Logical unit number (LUN) | N/A | Maximum of 17 terabytes for GUID partition table dynamic disks. 2 terabytes for master boot record disks. NOTE: These requirements are based on the maximum size of the disk as it appears to the Windows Server operating system. |

5.4 Software Requirements

The Data Protection Manager (DPM) server must be running one of the following operating systems:

Windows Server 2008 Standard or Windows Server 2008 Enterprise. For more information regarding complete protection for Windows Server 2008, including system state protection, see Knowledge Base article 949779.

Windows Server 2003 SP2. To download SP2 for Windows Server 2003, see Windows Server 2003 Service Pack 2.

Windows Server 2003 R2 Standard Edition SP2 or Windows Server 2003 R2 Enterprise Edition SP2.

Windows Advanced Server 2003 SP2.

Windows Storage Server 2003 Standard Edition, Windows Storage Server 2003 Enterprise Edition, or Windows Storage Server 2003 Express Edition SP2. (To obtain SP2 for Windows Storage Server 2003 or Windows Storage Server 2003 R2, contact your original equipment manufacturer.)


Windows Storage Server 2003 R2 SP2.

Please note: DPM 2007 supports 32-bit and x64-bit operating systems. DPM does not support ia64-bit operating systems.

The server cannot be the Management Server for Microsoft System Center Operations Manager.

DPM 2007 is designed to run on a dedicated, single-purpose server that cannot be either a domain controller or an application server.

There is a Volume Shadow Copy Service (VSS) non-paged pool limitation on x86 32-bit operating systems. If you are protecting more than 10 terabytes of data, the DPM server must be running on a 64-bit operating system. In addition, because VSS non-paged pool usage is based on the size of a single volume, we recommend that you do not protect a single volume larger than 4 terabytes of data on 32-bit operating systems.

DPM Management Shell, an interactive command-line technology that supports task-based scripting, is supported on the following operating systems:

Windows XP Service Pack 2
Windows Vista
Windows Server 2003 SP2

The System Center DPM server must be a dedicated, single-purpose server, and it cannot be either a domain controller or an application server. The DPM server cannot be the management server for Microsoft Operations Manager (MOM) 2005 or Microsoft System Center Operations Manager 2007. Other items of note:

Windows PowerShell 1.0

Single Instance Storage (SIS) on Windows Server 2008. (For information about installing SIS on Windows Server 2008, see Manually Install Required Windows Components.)

Windows Deployment Services (WDS) on Windows Server 2003 SP2, or Single Instance Server (SIS) on Windows Storage Server 2003 R2.

Microsoft .NET Framework 2.0.

Internet Information Services (IIS) 6.0 for Windows Server 2003. (IIS 6.0 is not installed on Windows Server 2003 by default.)

IIS 7.0 for Windows Server 2008. (IIS 7.0 is not installed on Windows Server 2008 by default. If IIS is not installed before installing SQL Server 2005, SQL Server will not install SQL Server Reporting Services. Note that in addition to the default components that IIS 7.0 installs, DPM requires all IIS 7.0 components.)

Microsoft SQL Server 2005 SP2 workstation components.

You may use an existing remote instance of SQL Server for your DPM database. If you choose to use a remote instance of SQL Server, you must install sqlprep.msi.

To use an instance of SQL Server on a remote computer, run sqlprep.msi which is located on the DPM product DVD in the DPM2007\msi\SQLprep folder. DPM 2007 does not support using an instance of SQL Server 2008 for your DPM database. DPM Setup will not proceed if you select an instance of SQL Server 2008. Verify that the user account you will be using to run the SQL Server service and the SQL Server Agent service has read and execute permissions to the SQL Server installation location.

Microsoft SQL Server 2005 SP2 with Reporting Services. (If SQL Server Reporting Services is installed on the remote SQL Server, DPM Setup will use that Reporting Service. If SQL Server Reporting Services is not installed on the remote computer running SQL Server, you must install and configure the service on the remote computer running SQL Server.)

Microsoft SQL Server 2005 SP2.

Important

You cannot install DPM 2007 on a computer with Cluster services enabled. Before you install DPM 2007 you must remove the computer from the cluster using the Cluster Administrator tool, or you must install DPM on another computer.

Each computer that System Center DPM 2007 protects must meet the requirements listed in the following table. Protected volumes must be formatted with the NTFS file system. DPM cannot protect volumes formatted as FAT or FAT32. Also, the volume must be at least 1 GB for DPM to protect it. DPM uses the Volume Shadow Copy Service (VSS) to create a snapshot of the protected data, and VSS will create a snapshot only if the volume size is greater than or equal to 1 GB.

Before you install protection agents on the computers you are going to protect, you must apply hotfix 940349. You must install the hotfix on your 64-bit and 32-bit servers. If you are installing a protection agent on Windows Vista, the 940349 hotfix is not required.

Protected Computers

Computer Requirements

File servers

You can protect file servers on any of the following operating systems:

Windows Server 2003 Standard Edition with SP1

Windows Server 2003 Standard Edition with SP2

Windows Server 2003 Enterprise Edition SP1

Windows Server 2003 Enterprise Edition SP2

Windows Advanced Server 2003 SP1

Windows Advanced Server 2003 SP2

Windows Server 2003 R2 Standard Edition

Windows Server 2003 R2 Enterprise Edition

Windows Storage Server 2003 Standard Edition SP1

Windows Storage Server 2003 Standard Edition SP2

Windows Storage Server 2003 Enterprise Edition SP1

Windows Storage Server 2003 Enterprise Edition SP2

Windows Storage Server 2003 Express Edition SP1

Windows Storage Server 2003 Express Edition SP2

NOTE: To obtain SP1 for Windows Storage Server 2003, contact your original equipment manufacturer.

Windows Small Business Server 2003 Standard Edition

Windows Small Business Server 2003 Premium Edition

Windows Small Business Server 2003 R2 Standard Edition

Windows Small Business Server 2003 R2 Premium Edition

Windows Server 2008 Standard Edition

Windows Server 2008 Enterprise Edition

Computers running SQL Server

Microsoft SQL Server 2000 with SP4

Microsoft SQL Server 2005 SP1

Microsoft SQL Server 2005 SP2

NOTE: DPM supports SQL Server Standard Edition, SQL Server Enterprise Edition, SQL Server Workgroup Edition, and SQL Server Express Edition.

IMPORTANT: You must start the SQL Server VSS Writer Service on computers running SQL Server 2005 SP1 before you can start protecting SQL Server data. The SQL Server VSS Writer Service is turned on by default on computers running SQL Server 2005. To start the SQL Server VSS Writer service, in the Services console, right-click SQL Server VSS writer, and then click Start.

Computers running Exchange Server

Exchange Server 2003 SP2

Exchange Server 2007

NOTE: DPM supports Exchange Server Standard Edition and Exchange Server Enterprise Edition installed on Windows Server 2003 and later.

Before you can protect Exchange Server 2007 data in a Clustered Continuous Replication (CCR) configuration, you must install hotfix 940006. For more details, see Knowledge Base article 940006, Description of Update Rollup 4 for Exchange 2007.

IMPORTANT: The eseutil.exe and ese.dll versions that are installed on the most recent edition of Exchange Server must be the same versions that are installed on the DPM server. In addition, you must update eseutil.exe and ese.dll on the DPM server if they are updated on a computer running Exchange Server after applying an upgrade or an update. For more information about updating eseutil.exe and ese.dll, see Eseutil.exe and Ese.dll.

Computers running Virtual Server

Microsoft Virtual Server 2005 R2 SP1

NOTE: To protect virtual machines for online backups, we recommend that you install version 13.715 of Virtual Machine Additions.

Windows SharePoint Services

Windows SharePoint Services 3.0

Microsoft Office SharePoint Server 2007

Before you can protect Windows SharePoint Services (WSS) data, you must do the following:

Install Knowledge Base article 941422: Update for Windows SharePoint Services 3.0.

NOTE: You must install Knowledge Base article 941422 on all protected servers on which Windows SharePoint® Services 3.0, Microsoft Office SharePoint Server 2007, and Microsoft Office SharePoint Server 2007 SP1 are installed.

Start the WSS Writer service on the WSS Server and then provide the protection agent with credentials for the WSS farm. For more information, in Configuring DPM 2007, see Starting and Configuring the WSS VSS Writer Service.

Update the instance of SQL Server 2005 to SQL Server 2005 SP2.

Install the SQL Server Client components on the front-end web server of the Windows SharePoint Services farm that DPM is going to protect. For information about installing SQL Server components, see How to: Install SQL Server 2008.

Shared disk clusters

File servers

SQL Server 2000 SP4

SQL Server 2005 SP1

Exchange Server 2003 SP2

Exchange Server 2007

Non-shared disk clusters

Exchange Server 2007

Workstations

Windows XP Professional SP2

Windows Vista Business Edition

Windows Vista Ultimate Edition

NOTE: DPM requires that the workstations and laptops that it protects be Active Directory members. Therefore, they must remain connected to the corporate local area network (LAN) at all times using reliable and consistent networks.

5.5 Install Software Prerequisites

Here are the steps for installing the prerequisite software required for Data Protection Manager (DPM) 2007:

1. Install Windows Server 2003 SP2 (or later).

Important

You must properly configure Windows Server 2003 to support a DPM 2007 installation. For more information about installing Windows Server 2003, see How to Install Windows Server 2003.

2. Log on to the computer as a domain user who is a member of the local administrators group.

3. Go to Microsoft Update and install all available updates for Windows.

4. Install Knowledge Base article 940349.

5. Install Windows PowerShell 1.0.

DPM Setup will install the following prerequisite software before installing the actual DPM application:

Windows Deployment Services

Microsoft .NET Framework 2.0

Internet Information Services (IIS) 6.0

Microsoft SQL Server 2005 SP2 and Reporting Services

The next section outlines the steps required to install and configure a complete installation of DPM 2007. You can use DPM Administrator Console to configure DPM 2007.

5.6 Steps to Install and Configure Data Protection Manager 2007

Here are the steps for installing and configuring a complete installation of Data Protection Manager (DPM) 2007:

1. Install DPM 2007 using the default settings. (You must be a domain user who is a member of the local administrators group on the computer to which you are logged on.)

2. Add a disk to the storage pool: Go to DPM Administrator Console, in the Management task area, on the Disks tab, in the Actions pane, click Add. (For detailed instructions, see Adding Disks to the Storage Pool.)

3. Configure your tape library: In DPM Administrator Console, in the Management task area, on the Libraries tab, in the Actions pane, click Rescan.

4. Install a Protection agent: In DPM Administrator Console, in the Management task area, on the Agents tab, in the Actions pane, click Install. The Protection Agent Installation wizard appears and guides you through the process of creating the protection agent. For detailed instructions, see Installing Protection Agents.

5. Install the software requirements on the computers you are going to protect. For information about protected computer requirements, see Protected Computer Requirements.

6. Create a protection group. In DPM Administrator Console, in the Protection task area, in the Actions pane, click Create protection group. The New Protection Group Wizard appears and guides you through the process of creating the protection group. For detailed instructions, see Creating Protection Groups.

5.7 Post-Installation

After you perform the initial configuration, you can enable the following optional Data Protection Manager (DPM) 2007 features:

Enabling end-user recovery

Installing the Shadow Copy Client software

Subscribing to alerts and notifications

Configuring the SMTP server

Publishing DPM alerts

Installing DPM Management Shell

5.8 Manually configuring Hyper-V protection in Data Protection Manager

Here are the steps required to manually configure Hyper-V protection in Data Protection Manager (DPM):

1. Go to the protection tab and choose Create Protection Group on the right side of the DPM management console.

2. Microsoft Hyper-V will now appear as an option in the Available Members for protection.

3. Select the guest you wish to protect and click Next.

4. Name your protection group and then configure Short-Term Protection and Long-Term Protection.

5. Set the retention range for how far back you wish to be able to restore, and select Next again.

6. Modify space allocation as needed. (Note: Hyper-V guests generally require a large amount of storage space.)

7. Choose the replication method to use. This will generally be automatic replication but it may be scheduled for a later time when the network has less traffic.

8. Confirm the settings you wish to use and select Create Group to create the new protection group. If you choose to replicate now, the snapshot will take place immediately and the replication of the backup will begin across the network.

5.9 Procedures for Enabling End User Recovery

To configure Active Directory Domain Services and enable end-user recovery for schema and domain administrators:

1. In DPM Administrator Console, on the Action menu, click Options.

2. In the Configure Active Directory dialog box, select Use Current Credentials or type the user name and password for an account that has both schema and domain administrator privileges and click OK.

3. On the confirmation and notification prompts, click Yes and click OK.

4. After configuration of Active Directory Domain Services is complete, select the check box for the Enable end-user recovery option and click OK.

To configure Active Directory and enable end-user recovery for users who are not schema and domain administrators:

1. Direct a user who is both a schema and domain administrator to configure the Active Directory schema by running <drive>:\Program Files\Microsoft DPM\DPM\End User Recovery\DPMADSchemaExtension.exe on a Windows Server 2003–based computer that is a member of the same domain as the DPM server.

Note

If the protected computer and DPM reside in different domains, the schema needs to be extended by running the DPMADSchemaExtension.exe tool on the other domain.

2. In the Enter Data Protection Manager Computer Name dialog box, type the name of the computer for which you want end-user recovery data in Active Directory Domain Services, and click OK.

3. Type the DNS domain name of the DPM computer for which you want end-user recovery data in Active Directory Domain Services and click OK.

4. In the Active Directory Configuration for Data Protection Manager dialog box, click OK.

5. In DPM Administrator Console, on the Action menu, click Options.

6. In the Options dialog box, on the End-User Recovery tab, select the Enable End-User Recovery check box and click OK.

6 Getting Started with System Center Virtual Machine Manager 2008

System Center Virtual Machine Manager (VMM) 2008 can scale across a wide range of virtual environments from a stand-alone VMM implementation on a single computer, managing a virtual environment with one to 20 hosts, to a fully distributed enterprise environment, managing hundreds of hosts and thousands of virtual machines dispersed across a wide geographic area.

The modularity of the VMM components allows you to configure your VMM implementation in a manner that best meets the management needs and objectives of your virtual environment. You can install all VMM components on a single computer, install more than one VMM component on a single computer, or install each VMM component on a different computer, depending on the size and complexity of your environment.

6.1 Hardware Requirements

The minimum and recommended hardware requirements to install and operate all Virtual Machine Manager (VMM) components on a single computer are listed in the following tables based on the number of hosts that the VMM server manages.

Hardware component | Minimum | Recommended
Processor | Pentium 4, 2.8 GHz (x64) | Dual-Core Pentium 4, 2 GHz (x64) or greater
RAM | 2 GB | 4 GB
Hard disk space | 10 GB | 50 GB

6.2 Software Requirements

The following software must be installed prior to installing all Virtual Machine Manager components on a single computer:

 Software requirement Notes

Windows Server 2008 Standard Edition with Hyper-V

Windows Server 2008 Enterprise Edition with Hyper-V

Windows Server 2008 Datacenter Edition with Hyper-V

Windows PowerShell 1.0 This software is included in Windows Server 2008. If this software has been removed, the Setup Wizard automatically adds it.

Windows Remote Management (WinRM)

This software is included in Windows Server 2008. The WinRM service is set to start automatically.

If the WinRM service is disabled and stopped, Setup will fail.

If the WinRM service is set to start automatically and is stopped, the Setup Wizard starts the service.

If the WinRM service is set to start manually and is stopped, the Setup Wizard starts the service and sets it to start automatically.

Windows Automated Installation Kit 1.1

If this software has not been installed previously, the Setup Wizard automatically installs it.

Windows Server Internet Information Services (IIS) 7.0

You must add the Web Server (IIS) role and then install the following server role services:

IIS 6 Metabase Compatibility

IIS 6 WMI Compatibility

Static Content

Default Document

Directory Browsing

HTTP Errors

ASP.NET

.NET Extensibility

ISAPI Extensions

ISAPI Filters

Request Filtering

NOTE: If the default port (80) for the VMM Self-Service portal is used by another Web site, you must either use a different dedicated port or specify a host header for the portal.

A supported version of Microsoft SQL Server

For more information about supported versions of SQL Server, see System Requirements: VMM Database.

6.3 Supported Operating Systems for Virtual Machine Manager Components

The following tables show the operating systems that are supported for Virtual Machine Manager (VMM) 2008 components and managed computers.

VMM Server and Windows-based Hosts:

Operating System | All VMM Components on One Computer | VMM Server | Hyper-V Hosts | Virtual Server Hosts

Windows Server 2008 Standard Edition with Hyper-V

Windows Server 2008 Enterprise Edition with Hyper-V

Windows Server 2008 Datacenter Edition with Hyper-V

Yes Yes Yes N/A

Windows Server 2008 Standard Edition (without Hyper-V)

No Yes No Yes

Windows Server 2008 Enterprise Edition (without Hyper-V)

Windows Server 2008 Datacenter Edition (without Hyper-V)

Windows Server 2008 Standard x32 Edition (without Hyper-V)

Windows Server 2008 Enterprise Edition (without Hyper-V)

Windows Server 2008 Datacenter Edition (without Hyper-V)

No No No Yes

Windows Server 2008 Enterprise Edition with Server Core installation

Windows Server 2008 Datacenter Edition with Server Core installation

No No Yes No

Windows Server 2008 Standard Edition SP2

Windows Server 2008 Enterprise Edition SP2

Windows Server 2008 Datacenter Edition SP2

No No No Yes

Windows Server 2003 R2 with SP2

No No No Yes

Windows Server 2003 Standard x64 Edition with Service Pack 2

No No No Yes

Windows Server 2003 R2 x64 Edition with Service Pack 2

No No No Yes

Other VMM Components and VMM Library Servers:

Operating System | VMM Administrator Console | VMM Self-Service Portal | VMM Library Server

Windows Server 2003 Standard x64 Edition with Hyper-V

Windows Server 2008 Standard Edition with Hyper-V

Windows Server 2008 Enterprise Edition with Hyper-V

Windows Server 2008 Datacenter Edition with Hyper-V

Yes Yes Yes

Windows Server 2008 Standard x64 Edition (without Hyper-V)

Windows Server 2008 Standard Edition (without Hyper-V)

Windows Server 2008 Enterprise Edition (without Hyper-V)

Windows Server 2008 Datacenter Edition (without Hyper-V)

Yes Yes Yes

Windows Server 2008 Standard Edition (without Hyper-V)

Windows Server 2008 Enterprise Edition (without Hyper-V)

Windows Server 2008 Datacenter Edition (without Hyper-V)

Yes Yes Yes

Windows Server 2008 Standard Edition with Server Core installation

Windows Server 2008 Enterprise Edition with Server Core installation

Windows Server 2008 Datacenter Edition with Server Core installation

No No Yes

Windows Web Server 2008 No Yes No

Windows Server 2003 Standard Edition SP2

Windows Server 2003 Enterprise Edition SP2

Windows Server 2003 Datacenter Edition SP2

Yes Yes Yes

Windows Server 2003 R2 with SP2 Yes Yes Yes

Windows Server 2003 x64 Edition with SP2

Yes Yes Yes

Windows Server 2003 R2 x64 Edition with SP2

Yes Yes Yes

Windows Vista with SP1 Yes No No

Windows XP Professional Edition SP2

Windows XP Professional Edition SP3

Yes No No

Windows XP Professional x64 Edition with SP2

Yes No No

6.4 Supported SQL Server Versions

The Virtual Machine Manager database requires a supported version of Microsoft SQL Server. You can either specify a local or remote instance of an existing Microsoft SQL Server database or have the Setup Wizard install SQL Server 2005 Express Edition SP2 on the local computer. The Setup Wizard also installs SQL Server 2005 Tools and creates a SQL Server instance named MICROSOFT$VMM$ on the local computer.

Supported SQL Server versions | Supports Reporting in VMM
SQL Server 2008 Express Edition | No
SQL Server 2008 Standard Edition (32-bit version) | Yes
SQL Server 2008 Standard Edition (64-bit version) | Yes
SQL Server 2008 Enterprise Edition (32-bit version) | Yes
SQL Server 2008 Enterprise Edition (64-bit version) | Yes
SQL Server 2005 Express Edition SP2 | No
SQL Server 2005 Standard Edition SP2 (32-bit version) | Yes
SQL Server 2005 Standard Edition SP2 (64-bit version) | Yes
SQL Server 2005 Enterprise Edition SP2 (32-bit version) | Yes
SQL Server 2005 Enterprise Edition SP2 (64-bit version) | Yes

6.5 Network Requirements for Virtual Machine Manager

This section discusses network requirements and considerations for installing System Center Virtual Machine Manager 2008.

6.5.1 Network Connections

Because of the large size of virtual machine files, it is a best practice to connect all computers in a Virtual Machine Manager (VMM) configuration with at least a 100-MB Ethernet connection. Using a gigabit Ethernet connection and a more powerful processor for the VMM server than the recommended processor can further improve performance.

6.5.2 Domains

Before installing the Virtual Machine Manager (VMM) server, you must join the computer to a domain in Active Directory. All Windows Server-based virtual machine hosts must also be joined to Active Directory domains. A Windows Server-based host can be in a domain separate from the VMM server's domain and a host can be in a domain with a two-way trust with the VMM server’s domain or in a domain that does not have a two-way trust with the VMM server’s domain.

For hosts in perimeter networks, you must install a VMM agent locally on that host, configure the firewalls as discussed later in this topic, and then add the host to VMM.

6.5.3 Firewalls

Virtual machine hosts and library servers must have access to the Virtual Machine Manager (VMM) server on the ports specified during VMM server setup. This means that all firewalls, whether software-based or hardware-based, must be configured appropriately.

6.5.4 Computer firewalls

When you install the Virtual Machine Manager (VMM) server, you specify the ports that the VMM server uses to communicate with the VMM Administrator Console, to communicate with hosts and library servers, and to transfer files between hosts and library servers. By default, these ports are 8100, 80, and 443, respectively. If you install the VMM server on a computer that is using Windows Firewall, the Setup Wizard automatically adds firewall port exceptions to Windows Firewall.

When you install the VMM Self-Service Portal, you specify which port the self-service users use to connect to the portal. By default, this port is 80.

When you add a computer that is using Windows Firewall as a host or a library server, VMM automatically adds firewall port exceptions to Windows Firewall on that computer. VMM adds firewall exceptions for the ports that were specified during the VMM server and the VMM Self-Service Portal installation.

6.5.5 Virtual Machine Manager Ports and Protocols

When you install the System Center Virtual Machine Manager (VMM) server, you can assign some of the ports that it will use for communications and file transfers between the VMM components. While it is a security best practice to change the default ports, not all of the ports can be changed through VMM. The default settings for the ports are listed in the following table.

Connection type | Protocol | Default port | Where to change the port setting
VMM server to Windows host agent (control) | WinRM | 80 | During VMM setup, registry
VMM server to Windows host agent (data) | SMB | 445 | Registry
VMM server to remote Microsoft SQL Server database | TDS | 1433 | Registry
VMM server to P2V source agent | DCOM | 135 | Registry
VMM Administrator Console to VMM Server | WCF | 8100 | During VMM setup, registry
VMM Self-Service Portal Web Server to VMM Server | WCF | 8100 | During VMM setup
VMM Self-Service Portal to VMM Self-Service Web Server | HTTPS | 443 | During VMM setup
VMM library to hosts | BITS | 443 | During VMM setup, registry
VMM host-to-host file transfer | BITS | 443 | Registry
VMRC connection to Virtual Server host | VMRC | 5900 | VMM Administrator Console, registry
VMConnect (RDP) to Hyper-V hosts | RDP | 2179 | VMM Administrator Console, registry
Remote Desktop to virtual machines | RDP | 3389 | Registry
VMWare Web Service Communication | HTTPS | 443 | VMM Administrator Console, registry
SFTP file transfer from VMWare ESX Server 3.0 and 3.5 hosts | SFTP | 22 | Registry
SFTP file transfer from VMWare ESX Server 3i to hosts | HTTPS | 443 | Registry
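The default-port table above, worked as an added example (not part of the original guide and not VMM's own code): the Python below parses the table rows, reports which connections are still on their default port, and compares the ports a firewall currently opens with the ports the deployment needs. The function names, the override values and the open-port list are constructed assumptions.

```python
from typing import NamedTuple

# The rows of the default-port table in section 6.5.5:
# connection type | protocol | default port | where to change the port setting
TABLE = """\
VMM server to Windows host agent (control) | WinRM | 80 | During VMM setup, registry
VMM server to Windows host agent (data) | SMB | 445 | Registry
VMM server to remote Microsoft SQL Server database | TDS | 1433 | Registry
VMM server to P2V source agent | DCOM | 135 | Registry
VMM Administrator Console to VMM Server | WCF | 8100 | During VMM setup, registry
VMM Self-Service Portal Web Server to VMM Server | WCF | 8100 | During VMM setup
VMM Self-Service Portal to VMM Self-Service Web Server | HTTPS | 443 | During VMM setup
VMM library to hosts | BITS | 443 | During VMM setup, registry
VMM host-to-host file transfer | BITS | 443 | Registry
VMRC connection to Virtual Server host | VMRC | 5900 | VMM Administrator Console, registry
VMConnect (RDP) to Hyper-V hosts | RDP | 2179 | VMM Administrator Console, registry
Remote Desktop to virtual machines | RDP | 3389 | Registry
VMWare Web Service Communication | HTTPS | 443 | VMM Administrator Console, registry
SFTP file transfer from VMWare ESX Server 3.0 and 3.5 hosts | SFTP | 22 | Registry
SFTP file transfer from VMWare ESX Server 3i to hosts | HTTPS | 443 | Registry
"""


class Row(NamedTuple):
    connection: str
    protocol: str
    default_port: int
    change_via: str


def parse_table(text):
    """Parse pipe-delimited table rows into Row tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            connection, protocol, port, change_via = (f.strip() for f in line.split("|"))
            rows.append(Row(connection, protocol, int(port), change_via))
    return rows


def effective_ports(rows, overrides):
    """Port in use per connection type: the override if one is set, else the default."""
    unknown = sorted(set(overrides) - {r.connection for r in rows})
    if unknown:
        raise KeyError(f"connection types not in the table: {unknown}")
    return {r.connection: overrides.get(r.connection, r.default_port) for r in rows}


def still_default(rows, overrides, via=""):
    """Connections left on their default port, optionally only those whose
    'where to change' column contains `via` (for example "During VMM setup")."""
    plan = effective_ports(rows, overrides)
    return [(r.connection, r.default_port, r.change_via) for r in rows
            if plan[r.connection] == r.default_port and via in r.change_via]


def diff_firewall(rows, overrides, open_ports):
    """Compare the ports a firewall currently opens with the ports the plan needs."""
    needed = set(effective_ports(rows, overrides).values())
    opened = set(open_ports)
    return {"missing": sorted(needed - opened),  # needed by the plan, not opened
            "stale": sorted(opened - needed)}    # opened, used by no connection


# Constructed sample (assumption): both WCF connections were moved to port 8443.
OVERRIDES = {
    "VMM Administrator Console to VMM Server": 8443,
    "VMM Self-Service Portal Web Server to VMM Server": 8443,
}
# Constructed sample (assumption): ports opened by the current firewall exceptions.
OPEN_PORTS = [22, 80, 135, 443, 445, 1433, 2179, 3389, 8100, 8443]

if __name__ == "__main__":
    rows = parse_table(TABLE)
    for name, port, via in still_default(rows, OVERRIDES, via="During VMM setup"):
        print(f"still on default {port}: {name} (change: {via})")
    print(diff_firewall(rows, OVERRIDES, OPEN_PORTS))
```

With the sample data, the old default 8100 shows up as a stale exception and 5900 as a needed port that the firewall does not open.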

6.6 Installation Walk-Through

This section contains walk-throughs for installing the Virtual Machine Manager Server and for installing the Administrator Console.

6.6.1 Installing the Virtual Machine Manager Server

1. From the VMM2008 splash screen, click on VMM Server under the SETUP option to install Virtual Machine Manager (VMM) Server:

Note

Enter the name of the SQL server if you plan to host the database on a separate server.

2. Select Create a new Library Share. Note: the MSSCVMMLibrary folder must be created in advance.

Note

If you plan to integrate with System Center Operations Manager and make use of the PRO feature, it’s recommended that you use a domain account for the Virtual Machine Manager (VMM) Service Account.

3. If you have previously installed all the software prerequisites, you should receive a green check for each prerequisite you preinstalled. Otherwise, VMM installs the missing prerequisites at this point.

6.6.2 Installing the Administrator Console

1. From the VMM2008 splash screen, click on VMM Administrator Console under the SETUP option to install Virtual Machine Manager (VMM) Server.

2. If you have previously changed the default port during the VMM Server installation, ensure that you provide Setup with the same port you used previously.

7 Summary

This document describes the prerequisites, tasks, and steps you need to get started with building a managed hosting environment using the Microsoft System Center product family. In the document, a sample scenario is presented for illustration purposes. The information contained in this document is intended to help you get started with your own managed hosting solution.
