Are your Servers Compliant?

When doing a post mortem analysis of a system failure we usually find that it is not really the technology side of the equation that failed but the human side. Recent studies have shown that 80% of application downtime is caused by human error: misconfiguration, applications being built or managed incorrectly, or inappropriate change control mechanisms. So how do we make sure that our servers, which hold precious amounts of information and run mission critical systems, are configured the way they are supposed to be? In a word, compliant.

Imagine a world where you are completely aware of the configurations, settings and files that need to be on your server infrastructure. Then imagine you have an interface that shows you whether your servers are configured the way they should be to provide the required services. Further down the line, imagine you have a solution that detects a misconfiguration on a server and automatically remediates it. This kind of automation is priceless when compared to the cost of downtime. The goal is to proactively monitor the settings in order to reduce the impact of unplanned downtime.

For this to work several infrastructure components are needed: Systems Management Server 2003, the Desired Configuration Monitoring (DCM 2.0) Feature Pack, System Center Operations Manager 2007 or Microsoft Operations Manager 2005, SQL Server Reporting Services for compliance reporting, and both an SMS agent and an Operations Manager agent on the monitored server.

As with all technology implementations, the planning stage is extremely important because it gives a clear vision of where you are and where you want to go, providing the steps towards that goal and the milestones that should be met along the way. The first step in a successful DCM deployment is an understanding of the settings you want to monitor. It is very easy to lose focus, go for every single setting we can think of and have all of that information at our disposal; however, that creates an unmanageable state. An incremental, versioned approach is therefore recommended. An excellent way to start is to identify your most critical configurations and monitor those first. Afterwards, build on that discovery with other settings that you have identified as necessary but not a priority.

The data sources that the DCM tool can obtain information from are WMI (Windows Management Instrumentation), the registry, the file system (existence of files, properties, values within .ini and .xml files), Active Directory, the IIS metabase and SQL Server.

The DCM download includes a manifest authoring tool. This tool creates the XML file which is the basis for the configurations to be monitored and defines how the output of the analysis should be reported.
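To make the monitoring side concrete, here is an added example (not the DCM tool's own manifest format or wrapper, and not code from the article) in Windows PowerShell: it evaluates a small, constructed manifest of desired settings against the registry, the file system and WMI on the local server, reports compliance, and writes a warning event to the Application log for each non-compliant setting, which is the signal the article later has Operations Manager act on. The manifest schema, the setting values and the event source name `DCM-Compliance` are assumptions.

```powershell
# Simplified manifest (an assumption: this is NOT the DCM manifest schema),
# listing the settings the server must have and where to read them from.
[xml]$manifest = @"
<DesiredConfiguration name="WebServerBaseline">
  <Setting id="TermServiceStart" source="Registry"
           path="HKLM:\SYSTEM\CurrentControlSet\Services\TermService"
           valueName="Start" expected="3" />
  <Setting id="HostsFilePresent" source="File"
           path="$env:SystemRoot\System32\drivers\etc\hosts" expected="True" />
  <Setting id="PagefileManaged" source="WMI"
           class="Win32_ComputerSystem" property="AutomaticManagedPagefile" expected="True" />
</DesiredConfiguration>
"@

# Read the live value of one setting from the data source the manifest names.
function Get-ActualValue([System.Xml.XmlElement]$s) {
    switch ($s.source) {
        'Registry' { (Get-ItemProperty -Path $s.path -ErrorAction SilentlyContinue).($s.valueName) }
        'File'     { Test-Path -Path $s.path -PathType Leaf }
        'WMI'      { (Get-CimInstance -ClassName $s.class).($s.property) }
    }
}

$results = foreach ($s in $manifest.DesiredConfiguration.Setting) {
    $actual = Get-ActualValue $s
    [pscustomobject]@{
        Setting   = $s.id
        Expected  = $s.expected
        Actual    = "$actual"                       # normalise to string for comparison
        Compliant = ("$actual" -eq $s.expected)
    }
}
$results | Format-Table -AutoSize

# Non-compliance is signalled as the article describes: an event in the
# Application log that Operations Manager can alert on. The source name is an
# assumption; registering a new source needs local administrator rights.
$source = 'DCM-Compliance'
$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        [System.Diagnostics.EventLog]::CreateEventSource($source, 'Application')
    }
    foreach ($f in $failed) {
        $msg = "Non-compliant setting $($f.Setting): expected '$($f.Expected)', found '$($f.Actual)'"
        [System.Diagnostics.EventLog]::WriteEntry($source, $msg,
            [System.Diagnostics.EventLogEntryType]::Warning, 1001)
    }
}
```

Because the event ID and message are fixed, an Operations Manager event rule can match on them without parsing free text.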

Since automatic remediation of the monitored settings is a goal of this solution, it is also necessary to build the packages that remediate the incorrect configurations. These might be in the form of .reg files (registry changes), scripts, file copies, MSI packages, etc.

The collections, advertisements and packages also have to be created in the SMS console. There should be one collection per package and advertisement. A collection is a container of computer objects that you can target for distribution. Think of a collection as a group of computer objects that are defined either by direct membership or by a query on the computers' attributes. In this case the collection will be empty, and a computer object will be added by a script when the Operations Manager console detects that a certain server has a specified misconfiguration. A package is the SMS object which holds the binaries for a remediation program (be it a file, executable, MSI, script, etc.). The advertisement is the SMS object responsible for telling the agent that a distribution is ready for it and that it should install it.

We also need to set up the Operations Manager rules and their interaction with SMS. The best way to do this is to have the DCM wrapper write a specific event to the event log of the server in question, and have Operations Manager monitor for it and perform an action based on that event. This action is generally a script that adds the managed computer object to an SMS collection which has an advertisement attached.
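One way to write that response script, as an added example in Windows PowerShell (not the article's or Microsoft's own script): it uses the SMS provider's WMI classes SMS_Collection, SMS_R_System and SMS_CollectionRuleDirect to add the server named in the event to the empty remediation collection by direct membership, and skips the add if the rule already exists so a repeated event does not stack duplicates. The computer name, site server, site code and collection name are assumptions, and the script must run where the SMS provider is reachable.

```powershell
# Parameters would be supplied by the Operations Manager response from the event
# (values here are constructed placeholders).
param(
    [string]$ComputerName   = 'WEB01',
    [string]$SiteServer     = 'SMSSITE01',
    [string]$SiteCode       = 'S01',
    [string]$CollectionName = 'Remediate - TermService Start'
)
$ns = "root\sms\site_$SiteCode"

# The (initially empty) remediation collection that the advertisement targets.
$coll = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_Collection `
            -Filter "Name='$CollectionName'"
if (-not $coll) { throw "Collection '$CollectionName' not found in $ns" }
$coll.Get()   # load lazy properties (CollectionRules) before modifying the instance

# Resolve the server's SMS resource record; it must already have an SMS client.
$res = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_R_System `
            -Filter "Name='$ComputerName'" | Select-Object -First 1
if (-not $res) { throw "No SMS resource record for $ComputerName" }

# Idempotency: a second event for the same server must not add a second rule.
$already = @($coll.CollectionRules | Where-Object { $_.ResourceID -eq $res.ResourceID })
if ($already.Count -gt 0) {
    Write-Output "$ComputerName is already a direct member of '$CollectionName'"
    return
}

# Direct membership rule: the computer is added by resource ID, not by query.
$rule = ([wmiclass]"\\$SiteServer\${ns}:SMS_CollectionRuleDirect").CreateInstance()
$rule.ResourceClassName = 'SMS_R_System'
$rule.ResourceID        = $res.ResourceID
$rule.RuleName          = $ComputerName
$null = $coll.AddMembershipRule($rule)
$null = $coll.RequestRefresh()   # re-evaluate membership so the advertisement applies
Write-Output "Added $ComputerName to '$CollectionName'; the advertisement runs at the next policy refresh"
```

Once the remediation package has run, the same direct rule can be removed with DeleteMembershipRule so the collection returns to empty for the next event.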

A high level overview of the process is shown in the diagram below. As you can see, the process itself is very simple; however, a considerable amount of setting up needs to be performed before actually deploying the solution.

[Diagram: high level overview of the DCM monitoring and remediation process]

Once the solution is in place you can follow its lifecycle with the reporting tools provided by SMS, the DCM reporting services component and Operations Manager's reporting. They all include great out of the box reports that will give you insight into what is happening. It is recommended that, as well as configuring the action that distributes the remediation package, you also configure an alert to be emailed to an operator so they can monitor the process. This can be done through SMS status reporting and the reporting point.

All of this component and configuration identification brings us closer to understanding the service they make up. A service is a group of technical components that could be network, application, web server, other services, etc. A service may also be made up of one or more applications.

Identifying and understanding where these components sit in the architecture and how they behave gets us closer to a service oriented monitoring and proactive support scenario. This provides a new perspective on how the business views the services it is provided with, moving your IT department from being a cost centre to a strategic asset.

Following on from the Microsoft Dynamic Systems Initiative's vision of self managing systems, we are delivering the next generation of solutions for the enterprise. It is year four of that vision and the System Center family of products is being delivered. The three architectural components of the vision are design for operations, knowledge driven management and virtualized infrastructure. Knowledge, which is one of the most important elements of the solution this article describes, is now being embedded into the System Center family of products.

System Center Configuration Manager 2007 has the Desired Configuration Monitoring feature built in, so no additional download is necessary. New characteristics take the DCM solution to the next level by including best practice configuration data not only for Microsoft products but for other software vendors' products as well.