
Installation Guide for System Center Enterprise Suite

Prepared by Microsoft Consulting Services 4/22/2012 Version 1.0

Prepared by Gang Pan, AcutePath, Inc.
Contributors: Mannan Mohammed, Sr. Architect; Mark Stevenson, Senior Consultant II

This file does not collect any personal information. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred. 2009 Microsoft Corporation. All rights reserved. 
Active Directory, Hyper-V, Microsoft, Windows PowerShell, SharePoint, SQL Server, Windows, Windows NT, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents
1 Introduction
2 Example: Managed Hosting Scenario
  2.1 Active Directory Server/Domain Controller
    2.1.1 Hyper-V Hosts Organizational Unit
    2.1.2 Customers Organizational Unit
    2.1.3 Customer Sub Organizational Unit
  2.2 System Center Configuration Manager 2007 R2
  2.3 System Center Operations Manager 2007 SP1
  2.4 System Center Data Protection Manager 2007 SP1
  2.5 System Center Virtual Manager 2008
3 Getting Started with System Center Configuration Manager 2007
  3.1 Supported Configurations
  3.2 Configuration Manager 2007 Site Server System Requirements
    3.2.2 Configuration Specifics
  3.3 Prerequisites for Installing Configuration Manager
    3.3.1 General Site Server Prerequisites
    3.3.2 Configuration Manager Primary Site Server Prerequisites
    3.3.3 Site Database Server Prerequisites
    3.3.4 SMS Provider Prerequisites
    3.3.5 Configuration Manager Secondary Site Server Prerequisites
    3.3.6 Configuration Manager Console Prerequisites
4 Getting Started with System Center Operations Manager 2007
  4.1 Supported Operating Systems
    4.1.1 Minimum Hardware Requirements
    4.1.2 Minimum Software Requirements
    4.1.3 Supported Software Requirements for Operations Manager 2007
    4.1.4 Supported Firewall Scenarios
    4.1.5 Operations Manager 2007 Firewall Scenarios
    4.1.6 Minimum Network Connectivity Speeds
    4.1.7 Supported Cluster Configurations
    4.1.8 Supported, but Not Recommended, Cluster Configurations
    4.1.9 Non-supported Cluster Configurations
    4.1.10 Monitored Item Capacity
  4.2 System Requirements for Operations Manager 2007
    4.2.1 Domain Functional Level
    4.2.2 Forest Functional Level
    4.2.3 DNS
  4.3 Security Considerations
    4.3.1 Trust Boundaries
    4.3.2 Certification Authority
    4.3.3 Accounts and Groups
    4.3.4 Agent and Agentless Monitoring
    4.3.5 Deploy an Operations Manager 2007 Management Group on a Single Computer Using the Setup Wizard
5 Getting Started with System Center Data Protection Manager 2007
  5.1 Security Requirements
  5.2 Network Requirements
  5.3 Hardware Requirements
  5.4 Software Requirements
  5.5 Install Software Prerequisites
  5.6 Steps to Install and Configure Data Protection Manager 2007
  5.7 Post-Installation
  5.8 Manually configuring Hyper-V protection in Data Protection Manager
  5.9 Procedures for Enabling End User Recovery
6 Getting Started with System Center Virtual Machine Manager 2008
  6.1 Hardware Requirements
  6.2 Software Requirements
  6.3 Supported Operating Systems for Virtual Machine Manager Components
  6.4 Supported SQL Server Versions
  6.5 Network Requirements for Virtual Machine Manager
    6.5.1 Network Connections
    6.5.2 Domains
    6.5.3 Firewalls
    6.5.4 Computer firewalls
    6.5.5 Virtual Machine Manager Ports and Protocols
  6.6 Installation Walk-Through
    6.6.1 Installing the Virtual Machine Manager Server
    6.6.2 Installing the Administrator Console
7 Summary
8 References

1 Introduction
This document provides guidance on how a hosting provider can create a managed hosting offer by leveraging different technologies offered by Microsoft. There is no single definition for Managed Hosting, but in general, Managed Hosting is referred to as a Dedicated Server or Virtual Dedicated Server hosting plan with a set of management services, including but not limited to:

1. Server and network monitoring
2. Operating system/application updates
3. Software and hardware inventory management
4. Highly available infrastructure using failover/load balancing
5. Backups and restoration
6. Firewalls and other network security services
7. Virus and spam protection

In this paper, we will discuss ways a hosting provider can leverage the technologies available in the Microsoft System Center family of products. System Center is designed to help capture and aggregate knowledge about your infrastructure, policies, processes, and best practices, empowering you to build manageable systems and automate operations in order to reduce costs, improve availability, and enhance service delivery. System Center consists of four core products:

- System Center Configuration Manager: System Center Configuration Manager comprehensively assesses, deploys, and updates servers, client computers, and devices across physical, virtual, distributed, and mobile environments. Optimized for Microsoft Windows and extensible, it is the best choice for gaining enhanced insight into, and control over, IT systems.
- System Center Operations Manager: System Center Operations Manager is the end-to-end service-management product that is the best choice for Windows because it works seamlessly with Microsoft software and applications, helping organizations increase efficiency while enabling greater control of the IT environment.
- System Center Data Protection Manager: System Center Data Protection Manager is the standard for Windows backup and recovery, delivering continuous data protection for Microsoft application and file servers using seamlessly integrated disk and tape media. Data Protection Manager enables rapid and reliable recovery through advanced technology for organizations of all sizes.
- System Center Virtual Machine Manager: Virtual Machine Manager enables customers to configure and deploy new virtual machines and centrally manage physical and virtual infrastructure from one console. New to this version of Virtual Machine Manager is multi-vendor virtualization platform support, Performance and Resource Optimization, and enhanced support of "high-availability" host clusters, among other new features.

We will describe the prerequisites for building out a managed solution later in this document. First, we'll explore a sample Managed Hosting Scenario.


2 Example: Managed Hosting Scenario


We will be covering several topics in this section, including Active Directory Server and Domain Controller, System Center Configuration Manager 2007 R2, System Center Operations Manager 2007 SP1, System Center Data Protection Manager 2007 SP1, and System Center Virtual Manager 2008. We'll begin this section with an example of a Managed Hosting Scenario.
[Figure: Managed Hosting Scenario. Three Hyper-V hosts (Windows Server 2008 x64), each running managed Hyper-V guest VMs, alongside the following dedicated servers: SCCM 2007 R2 (SQL Server 2005 SP2, Windows 2008 x86/x64); SCOM 2007 SP1 (SQL Server 2005 SP1, Windows 2008 x86/x64); SCDPM 2007 SP1 (SQL Server 2005 SP2, Windows 2008 x86/x64); SCVMM 2008 (SQL Server 2005 SP2, Windows 2008 x64); Active Directory (Windows 2008 x86/x64).]

2.1 Active Directory Server/Domain Controller


All System Center products require Active Directory. Both Windows 2003 Active Directory and Windows 2008 Active Directory services are supported. We recommend following standard best practices for Active Directory installation when working with System Center.

Organizational units are used to organize user and computer objects in the Active Directory environment. For hosting purposes, the Organizational Unit structure could be organized as illustrated in the following diagram:


2.1.1 Hyper-V Hosts Organizational Unit


The Hyper-V Hosts have a unique role not included in other servers in the directory. Putting these hosts in their own Organizational Unit allows unique policies to be applied to these servers. They can also be segregated from other servers in the directory.

2.1.2 Customers Organizational Unit


This top-level Organizational Unit allows all hosted virtual machines and user accounts to be segregated from the rest of the directory. Configuration and security specific to virtual machines that will be provided to customers can be applied using Group Policy Objects at this level.


2.1.3 Customer Sub Organizational Unit


The next level of Organizational Units (OUs) is the customer OU. Under each customer OU are sub-OUs for servers and separate sub-OUs for user accounts.
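The OU layout described in sections 2.1.1 through 2.1.3 can be provisioned with a short script. This is an added example, not part of the original guide; it assumes the ActiveDirectory PowerShell module is available, and the domain DN, the customer names, and the sub-OU names "Servers" and "Users" are placeholders.

```powershell
# Added example (not from the original guide): build the hosting OU layout
# described in sections 2.1.1 - 2.1.3.
# Assumptions: the ActiveDirectory module is installed; 'DC=hosting,DC=example'
# is a placeholder domain; 'Servers', 'Users' and the customer names are hypothetical.
Import-Module ActiveDirectory

function New-OUIfMissing {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Path
    )
    # Look only at direct children of $Path so that a same-named OU under
    # another tenant is never mistaken for this one.
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
                    -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        # Protect tenant containers against accidental deletion.
        New-ADOrganizationalUnit -Name $Name -Path $Path `
            -ProtectedFromAccidentalDeletion $true
    }
    # Return the distinguished name so callers can nest further OUs under it.
    return "OU=$Name,$Path"
}

$domainDn = 'DC=hosting,DC=example'          # placeholder

# 2.1.1: Hyper-V hosts get their own OU so host-only policies can be linked there.
$hostsOu = New-OUIfMissing -Name 'Hyper-V Hosts' -Path $domainDn

# 2.1.2: top-level OU that segregates all hosted VMs and customer accounts;
# GPOs for customer-facing VMs are linked at this level.
$customersOu = New-OUIfMissing -Name 'Customers' -Path $domainDn

# 2.1.3: one OU per customer, each with separate sub-OUs for servers and users.
foreach ($customer in 'CustomerA', 'CustomerB') {   # hypothetical tenants
    $customerOu = New-OUIfMissing -Name $customer -Path $customersOu
    New-OUIfMissing -Name 'Servers' -Path $customerOu | Out-Null
    New-OUIfMissing -Name 'Users'   -Path $customerOu | Out-Null
}
```

The script is idempotent, so it can be rerun each time a customer is onboarded.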

2.2 System Center Configuration Manager 2007 R2


The System Center Configuration Manager 2007 R2 is installed on a dedicated server running Windows Server 2008 with SQL Server 2005 SP2. All Configuration Manager roles must be installed on the same node, which acts as the primary site server in a single site server configuration. Each managed device may require its own scheduling window for software updates and patching. Therefore, a different collection will be created for each managed device. This will ensure the customer can dictate the best scheduling window for their needs.

2.3 System Center Operations Manager 2007 SP1


The System Center Operations Manager (SCOM) 2007 SP1 running on Windows Server 2008 is installed on a dedicated server that has SQL Server 2005 SP1. Due to a compatibility issue with SCOM 2007 SP1 reporting, SQL Server 2005 SP2 is not supported by SCOM 2007 SP1 at this time.

2.4 System Center Data Protection Manager 2007 SP1


The System Center Data Protection Manager (SCDPM) 2007 SP1 is installed on a dedicated server. The recommended configuration running Windows Server 2008 with SQL Server 2005 SP2 is as follows:

- All SCDPM 2007 related roles are installed on the same node.
- To support a multi-tenant scenario, each protected server has a separate, dedicated protection group as an isolation boundary.

2.5 System Center Virtual Manager 2008


The System Center Virtual Machine Manager (SCVMM) 2008 is installed on a dedicated Windows Server 2008 that has SQL Server 2005 SP2. All SCVMM 2008 related roles are installed on the same node.

The example scenario presented earlier in the document illustrates a simple deployment model for the System Center product family in a small environment. Please note that this configuration did not consider failover and scalability. Instead, it provided a simple configuration model to get you started quickly. In this scenario, you will still need to analyze requirements for your environment, conduct proper planning and design, and carry out deployment and configuration in your production environment.


3 Getting Started with System Center Configuration Manager 2007


In this section we will discuss supported configurations, the Configuration Manager 2007 site server system requirements, and the prerequisites for installing Configuration Manager.

3.1 Supported Configurations


This section outlines the hardware and software requirements for implementing and maintaining Microsoft System Center Configuration Manager 2007 (including Microsoft System Center Configuration Manager 2007 SP1) in your environment.

3.1.1.1 Client and Server Components

System Center Configuration Manager 2007 has a client component (agent) and a server component. The client agent is installed on the desktops (servers) that must be managed.

3.1.1.2 Client Hardware Requirements

The following table lists the minimum and recommended hardware requirements for Configuration Manager 2007 SP1 computer clients.

Hardware Component: Requirement

Processor: The minimum requirement is a 233 MHz processor. At least a 300 MHz Intel Pentium/Celeron (or comparable) processor is recommended.

RAM: The minimum requirement is 128 megabytes (MB) of RAM, or 384 MB of RAM if using an operating system deployment. We recommend at least 256 MB of RAM.

Free Disk Space: The minimum requirement is 350 MB of disk space for a new installation, or 265 MB of disk space to upgrade an existing client. NOTE: By default, the temporary program download folder on clients is preconfigured at client installation to automatically increase to 5 gigabytes (GB) of disk space if necessary, assuming 5 GB of disk space or more is available.

3.1.1.3 Supported Client Platforms

Supported Configuration Manager 2007 client installation requires at least Windows 2000 Professional SP4. All common configurations are supported on x86 and x64 Platforms. However, there are some exceptions for computers leveraging the Itanium architecture.

3.2 Configuration Manager 2007 Site Server System Requirements


Configuration Manager 2007 SP1 supports server roles with the Windows Server 2008 operating system.

3.2.1.1 Site System Hardware Requirements

The following table lists the minimum and recommended hardware requirements for Configuration Manager 2007 site systems.

Hardware Component: Requirement

Processor: The minimum requirement is a 733 MHz Pentium III. A 2.0 GHz (or faster) processor is recommended.

RAM: The minimum requirement is 256 MB of RAM. At least 1024 MB of RAM is recommended.

Free Disk Space: The minimum requirement is 5 GB of disk space. At least 15 GB of free disk space is recommended if using an operating system deployment.

3.2.1.2 Supported Site System Platforms

The following roles are available in System Center Configuration Manager:

- Primary Site Server
- Secondary Site Server
- Management Point
- Standard Distribution Point
- Branch Distribution Point
- Server Locator Point
- Site Database Server
- Fallback Status Point
- Configuration Manager Console [1]
- SMS Provider Computer

[1] It is not supported to install the Configuration Manager 2007 console on computers running any site system role except for the primary site server role.

Each role has different operating system requirements. We recommend using Windows Server 2008 Enterprise Edition or Windows Server 2008 Datacenter Edition in either a 64-bit or 32-bit environment for setting up all the different roles in SC-CM. To simplify your environment, we recommend having a single server support all roles. Site system roles are not supported on a Server Core installation of Windows Server 2008. For more information about configuration requirements for hosting site system roles on Windows Server 2008, see How to Configure Windows Server 2008 for Site Systems.
Note: It is supported to host the site database on both 32-bit and 64-bit versions of SQL Server 2005 (SP2 or later), SQL Server 2008 Standard Edition, or SQL Server 2008 Enterprise Edition. However, installing the site database on Itanium 64-bit platforms is not supported.

Upgrading the operating system on the site server from Windows Server 2003 to Windows Server 2008 is not supported. If you wish to run a Configuration Manager 2007 SP1 site on a Windows Server 2008 operating system, you must use a new installation of Configuration Manager 2007 (complete release).

3.2.1.3 Feature-Specific Site System Roles

System Center Configuration Manager supports the following Site System roles:

- State Migration Point
- Reporting Point
- System Health Validator Point
- PXE Service Point
- Out of Band Service Point
- Asset Intelligence Synchronization Point

Network Access Protection is fully supported in Configuration Manager 2007 SP1. Network Access Protection in Configuration Manager 2007 requires a System Health Validator Point running on Windows Server 2008. The out of band service point role was added for Configuration Manager 2007 SP1. For more information, see Out of Band Management in Configuration Manager 2007 SP1. The Asset Intelligence synchronization point has been added for Configuration Manager 2007 SP1. For more information, see Asset Intelligence in Configuration Manager.
Note: Site system roles are not supported on Server Core installation of Windows Server 2008. For more information about configuration requirements for hosting site system roles on Windows Server 2008, see How to Configure Windows Server 2008 for Site Systems.


Graphs may be added to reports if Office Web Components is installed. This feature is available on 32-bit operating systems only (e.g., Microsoft Office 2000 SP2, Microsoft Office XP, or Microsoft Office 2003). Out of band service points are not supported on Windows Server 2003 SP1 computers. Out of band service points running Windows Server 2003 SP2 require KB 942841.

3.2.2 Configuration Specifics


This section describes specific configuration options and requirements for Configuration Manager 2007 SP1.

3.2.2.1 Active Directory Schema Extensions

Configuration Manager Active Directory schema extensions provide many benefits for Configuration Manager sites but they are not required. If you have extended your Active Directory schema for Systems Management Server (SMS) 2003, you should update your schema extensions for Configuration Manager 2007. Updating the Active Directory schema for Configuration Manager 2007 can be performed before or after upgrading to Configuration Manager and will not interfere with existing SMS 2003 site or client functionality. If you have already extended your schema for Configuration Manager 2007, no additional schema extensions are required. For more information about extending the Active Directory schema for Configuration Manager 2007 see How to Extend the Active Directory Schema for Configuration Manager.

3.2.2.2 Site Server Operating System Upgrade Configurations

Starting with Configuration Manager 2007 SP1, Windows Server 2008 is a supported operating system to host the Configuration Manager site server role. Performing an in-place upgrade of Windows Server 2003 to Windows Server 2008 with a Configuration Manager 2007 site installed is not supported. Therefore, you must do one of the following on a computer running Windows Server 2008:

- Perform an initial installation of Configuration Manager 2007 SP1 integrated on Windows Server 2008.
- Restore a Configuration Manager 2007 SP1 site backup, created by the Configuration Manager 2007 site backup maintenance task, to a new Configuration Manager 2007 SP1 installation with installation settings identical to those of the previous site installation.

3.2.2.3 SQL Server Site Database Configurations

When installing Configuration Manager 2007 SP1, the site database can be installed on either the default instance or a named instance of a supported SQL Server version installation. The instance used to host the site database can also be configured as a SQL Server failover cluster instance in an active/passive cluster configuration.

Performing an in-place upgrade of the SQL Server 2005 SP2 instance hosting the Configuration Manager 2007 site database to SQL Server 2008 is supported. For more information about changing site server software, see How to Change Site Server Software. Moving the site database to a new SQL Server 2008 instance is also supported. For information about moving the site database, see How to Move the Site Database.
Important: When using SQL Server 2008 to host the site database for Configuration Manager 2007 SP1 sites, the following update must be applied to the site server computer, Systems Management Server (SMS) Provider computer, and any computers hosting a remote Configuration Manager 2007 SP1 Configuration Manager console: Microsoft article ID 955262.

In SMS 2003, the mppublish.vbs script, supplied with the SMS 2003 installation files, was used to configure Microsoft SQL Server site database replication between the site database server and SQL Server site database replicas used to support management points and server locator points. Because Configuration Manager 2007 introduces new site database views and functions that are not replicated by the mppublish.vbs script, the script is not supported for configuring SQL Server site database replication in Configuration Manager 2007 sites. For information about how to configure replication to support management points and server locator points, see How to Configure SQL Server Site Database Replication.

3.2.2.4 Support for Windows Server Clustering

Installing the site database server site system role on a Windows server failover cluster instance is supported. Installing Configuration Manager 2007 SP1 site servers or any other site system server role on a Windows Server cluster instance is not supported.

Note: Physical node computers of a Windows server cluster instance can be managed as Configuration Manager 2007 SP1 clients.

3.2.2.5 Multi-Site Clients

Configuration Manager 2007 SP1 clients can be assigned and report to only one site. When auto assignment is used to assign clients to a site during client installation and more than one site has the same boundary configured, the actual site assignment of a client cannot be predicted. If boundaries overlap across multiple Configuration Manager 2007, Configuration Manager 2007 SP1, and Systems Management Server 2003 site hierarchies, clients might not get assigned to the correct site hierarchy, or might not get assigned to a site at all.


3.2.2.6 Support for Specialized Storage Technology

This section describes storage technologies that are supported, or not supported, in Configuration Manager 2007 SP1.

3.2.2.7 Storage Area Network Support

Using a Storage Area Network (SAN) is supported as long as a supported Windows server is attached directly to the volume hosted by the SAN. Configuration Manager 2007 SP1 is designed to work with any hardware that is certified on the Windows Hardware Compatibility List for the version of the operating system on which the Configuration Manager component is installed. Configuration Manager 2007 SP1 site server roles require NTFS file systems so that directory and file permissions can be set. Because Configuration Manager 2007 SP1 assumes it has complete ownership of a logical drive when it uses naming conventions, site systems running on separate computers cannot share a logical partition on any storage technology. However, they could each use their own logical partition on a physical partition of a shared storage device. For more information regarding the use of SANs, see:

- Knowledge Base article 260176: Provides more information about SANs.
- Knowledge Base article 264135: Describes the differences between SANs and Storage Area Networks.
- Knowledge Base article 307813: Provides more information about Systems Management Server and SANs.

3.2.2.8 Single Instance Storage Support

Configuring distribution point package and signature folders on a Single Instance Storage (SIS)-enabled volume is not supported. It is also not supported for a Configuration Manager 2007 SP1 client's cache to be configured on a SIS-enabled volume.

Note: SIS is a feature of the Windows Storage Server 2003 R2 operating system.

3.2.2.9 Removable Disk Drive Support

Installation of a Configuration Manager 2007 SP1 site system or client components on a removable disk drive is not supported.


3.2.2.10 Computers in Workgroups

All site systems must be members of an Active Directory domain. This requirement includes site systems that support Internet-based client management in a perimeter network.

Note: Changing the domain membership or computer name of a Configuration Manager 2007 SP1 site system after it is installed is not supported.

Configuration Manager 2007 SP1 provides support for clients in workgroups. Moving a client from a workgroup to a domain or from a domain to a workgroup is also supported. The following requirements must be met to support workgroup clients:

- The logged-on user must possess local administrator rights on the workgroup system during client installation. The only account that Configuration Manager 2007 SP1 can use to perform activities that require local administrator privileges is the account of the user that is logged on to the computer.
- The Configuration Manager client must be installed from a local source on each client machine. This requirement ensures that a local source for repair and client update application will be available for the client.
- Workgroup clients must be able to locate a server locator point for site assignment as they cannot query Active Directory Domain Services. The server locator point can be published manually in Windows Internet Naming Service (WINS), or it can be specified in the CCMSetup.exe installation command-line parameters.
- Workgroup clients must use the Network Access Account to access package source files on distribution points. If a Network Access Account is not configured, clients cannot access content on the distribution point. For more information, see Example Package Access Scenarios.

Although workgroup computers can be Configuration Manager 2007 SP1 clients, there are inherent limitations in supporting workgroup computers, including:

- Workgroup clients cannot reference Configuration Manager 2007 SP1 objects published to Active Directory Domain Services. For workgroup clients to locate their default management point computer, it must be registered and accessible to workgroup clients in either WINS or DNS. For more information, see Configuration Manager and Service Location (Site Information and Management Points).
- Workgroup clients must use the trusted root key to establish trust with a management point. For more information, see About the Trusted Root Key.
- Active Directory system, user, or user group discovery is not possible.
- User-targeted advertisements are not possible.
- The client push installation method is not supported for workgroup client installation. For more information about installing the Configuration Manager client on workgroup computers, see How to Install Configuration Manager Clients on Workgroup Computers.
- Global roaming is not possible. For more information about client roaming capabilities and behavior, see About Client Roaming in Configuration Manager.

Using a workgroup client as a branch distribution point is not supported. Configuration Manager 2007 SP1 requires that all site systems, including branch distribution point computers, are members of an Active Directory domain.
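Several of the site system requirements above can be checked on a candidate server before Setup is run. The following is an added example, not part of the original guide; it assumes PowerShell 2.0 or later and that `C:` is the drive intended for the site system installation.

```powershell
# Added example (not from the original guide): pre-install check of a candidate
# Configuration Manager 2007 SP1 site system against requirements stated in
# sections 3.2.1.1, 3.2.2.7, 3.2.2.9 and 3.2.2.10.
# Assumption: $Drive is the logical drive chosen for the site system installation.

function New-CheckResult {
    param([string]$Check, [bool]$Passed, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Test-SiteSystemPrereq {
    param([string]$Drive = 'C:')

    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    $checks = @()

    # 3.2.2.10: every site system must be a member of an Active Directory domain.
    $checks += New-CheckResult 'Active Directory domain member' `
                   ([bool]$cs.PartOfDomain) "Domain or workgroup: $($cs.Domain)"

    # 3.2.1.1: minimum 256 MB of RAM (1024 MB recommended).
    # TotalPhysicalMemory can read slightly below the installed amount.
    $ramMB = [math]::Round($cs.TotalPhysicalMemory / 1MB)
    $checks += New-CheckResult 'RAM >= 256 MB' ($cs.TotalPhysicalMemory -ge 256MB) `
                   "$ramMB MB reported (1024 MB recommended)"

    if (-not $disk) {
        $checks += New-CheckResult 'Install drive present' $false "$Drive not found"
    }
    else {
        # 3.2.2.9: removable drives are not supported. DriveType 3 = local fixed disk.
        $checks += New-CheckResult 'Fixed (non-removable) drive' `
                       ($disk.DriveType -eq 3) "DriveType = $($disk.DriveType)"

        # 3.2.2.7: site server roles require NTFS so directory and file
        # permissions can be set.
        $checks += New-CheckResult 'NTFS file system' `
                       ($disk.FileSystem -eq 'NTFS') "FileSystem = $($disk.FileSystem)"

        # 3.2.1.1: minimum 5 GB of disk space (15 GB recommended with OS deployment).
        $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
        $checks += New-CheckResult 'Free disk space >= 5 GB' `
                       ($disk.FreeSpace -ge 5GB) "$freeGB GB free on $Drive"
    }

    $checks | Select-Object Check, Passed, Detail
}

$report = Test-SiteSystemPrereq -Drive 'C:'
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Passed }) {
    Write-Warning 'One or more site system requirements are not met.'
}
```

The script does not detect a Server Core installation or a SIS-enabled volume; those still need to be confirmed separately.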

3.2.2.11 Remote Assistance Console Sessions

Console sessions controlled by Remote Assistance are supported, except for simultaneous use of Configuration Manager Remote Tools. Invoking Remote Assistance from the Configuration Manager console requires that the Configuration Manager console computer and the client computer are running one of the following operating systems:

- Windows XP SP2
- Windows XP SP3
- Windows Server 2003 SP1
- Windows Server 2003 SP2
- Windows Vista (supported editions only; see section 3.1.1.3 Supported Client Platforms for more information)
- Windows Vista SP1
- Windows Server 2008

3.2.2.12 Fast User Switching

Fast User Switching, which is available in Windows XP editions not joined to a domain and in Windows Vista editions, is not supported in Configuration Manager 2007 SP1.

3.2.2.13 Dual Boot Computers

Configuration Manager 2007 SP1 cannot manage more than one operating system on a single computer. If there is more than one operating system on a computer that must be managed, tailor the discovery and installation methods used to ensure that the Configuration Manager client is installed only on the operating system that needs to be managed.

3.2.2.14 Supported Virtualization Environments

Configuration Manager 2007 SP1 supports client installation and all site server roles in the following virtualization environments:
- Microsoft Virtual Server 2005 R2
- Microsoft Virtual Server 2005 R2 SP1
- Windows Server 2008 with Hyper-V
- Microsoft Hyper-V Server 2008
- Server Virtualization Validation Program (SVVP)

More information about the SVVP is available online.


Note: Configuration Manager 2007 SP1 does not support Virtual PC or Virtual Server guests running on a Macintosh operating system.

Configuration Manager 2007 SP1 cannot manage Virtual PC or Virtual Server guest operating systems unless they are running. An offline Virtual PC image cannot be updated nor can inventory be collected using the Configuration Manager client on the host computer. No special consideration is given to virtual machines. For example, Configuration Manager 2007 SP1 might not determine that an update needs to be re-applied to a virtual machine image if it is stopped and restarted without saving the state of the virtual machine to which the update was applied.

3.3 Prerequisites for Installing Configuration Manager


After reviewing the Configuration Manager supported configurations, you should ensure that you have the proper prerequisites for installing a Microsoft System Center Configuration Manager 2007 site or site system. Familiarizing yourself with the prerequisites ahead of time will enable you to deploy Configuration Manager sites and features efficiently and effectively support the clients assigned to the site.

3.3.1 General Site Server Prerequisites


The general site server prerequisites for hosting the various Configuration Manager 2007 site server roles are as follows:
- All site servers must be a member of an Active Directory domain.

  Note: Changing the domain membership or computer name of a Configuration Manager 2007 site system after it is installed is not supported.

- Internet Information Services (IIS) 6.0 or later is required if the system will perform any of the following site system roles:
  - Background Intelligent Transfer Service (BITS)-enabled distribution point. This role requires BITS server extensions and Web Distributed Authoring and Versioning (WebDAV) extensions. IIS is not required if the distribution point will not be BITS-enabled.

    Important: The WebDAV component is not included in the Windows Server 2008 operating system. You must download, install, and configure WebDAV manually on BITS-enabled distribution points running Windows Server 2008. For more information, see How to Configure Windows Server 2008 for Site Systems.

  - Management point. This role requires BITS server IIS extensions and WebDAV IIS extensions.

    Important: The WebDAV component is not included in the Windows Server 2008 operating system. You must download, install, and configure WebDAV manually on management points running Windows Server 2008.

  - Reporting point. This role requires Active Server pages.

    Note: When you install ASP and ASP.NET on a Windows Server 2008 operating system reporting point, you must also manually enable Windows Authentication.

  - Software update point.
  - Server locator point.
- All Configuration Manager distribution point systems using BITS bandwidth throttling require BITS 2.0 or later.
- Management points and server locator points configured to be part of a Network Load Balancing cluster are supported.
- All site servers require Internet Explorer 5.0 or later.
- Windows Server 2008 is the only supported operating system for hosting the System Health Validator point site system role.
- Site servers and branch distribution points require Remote Differential Compression to generate package signatures and perform signature comparison.

  Important: Remote Differential Compression is not installed by default on computers running Windows Server 2008. For more information, see How to Configure Windows Server 2008 for Site Systems.

3.3.2 Configuration Manager Primary Site Server Prerequisites


The following software must be installed before running Setup on a server to support the primary site server role:
- Microsoft Management Console (MMC) 3.0
- .NET Framework 2.0

If applicable, the following update should also be applied to the system before running Setup:
- MS06-030: Vulnerability in Server Message Block could allow elevation of privilege.

3.3.3 Site Database Server Prerequisites


Configuration Manager 2007 primary sites require access to a SQL Server database to host the site database. The site database can be hosted on a SQL Server instance installed on the same server as the primary site, on a remote computer, or on a virtual SQL Server cluster instance. The following conditions apply:
- SQL Server 2005 SP2 is the only version of SQL Server supported for hosting the Configuration Manager 2007 site database.
- SQL Server 2005 Express is not a supported SQL Server 2005 version for hosting the Configuration Manager 2007 site database.
- The SQL database service is the only SQL Server component required to be installed to host the site database.

3.3.4 SMS Provider Prerequisites


Because Configuration Manager 2007 allows you to install the Systems Management Server (SMS) Provider on a computer other than the site server or site database server, you should check to ensure that the computer you have identified to install the SMS Provider on meets the following prerequisites:
- The SMS Provider must be installed on a computer in the same domain as the site server and site database server site systems.

  Important: The SMS Provider must be installed on a computer with the same operating system language as the site server's operating system language when a site contains site servers or clients with different language operating systems installed.

- The SMS Provider cannot be installed on a virtual SQL Server cluster computer or a physical computer hosting a virtual SQL Server cluster node.
- The SMS Provider cannot be installed on a computer already hosting the SMS Provider for another site.

If applicable, the following updates should also be applied to the system before installing the SMS Provider:
- MS06-030: Vulnerability in Server Message Block could allow elevation of privilege
- Availability of Windows Server 2003 Post-Service Pack 1 COM+ 1.5 Hotfix Rollup Package 6

3.3.5 Configuration Manager Secondary Site Server Prerequisites


If applicable, the following updates should be applied to the system before installing a secondary site server:
- Knowledge Base article 906570 ("A custom program that uses the RegConnectRegistry function can no longer access the registry of a remote computer in Windows Server 2003 SP1 or in an x64-based version of Windows Server 2003.")
- MS06-030: Vulnerability in Server Message Block could allow elevation of privilege

3.3.6 Configuration Manager Console Prerequisites


Before installing the Configuration Manager console on a remote computer, you should ensure it meets the minimum requirements outlined in the Configuration Manager supported configurations, as well as the following installation prerequisites:
- Microsoft Management Console (MMC) 3.0
- .NET Framework 2.0

4 Getting Started with System Center Operations Manager 2007


In this section we will discuss supported operating systems, hardware configurations, software requirements, installation combinations, and security configurations for System Center Operations Manager 2007.

4.1 Supported Operating Systems


System Center Operations Manager 2007 has the following components that can be distributed on different servers:
- Operations Manager Operations database
- Management server or root management server
- Operations console
- Reporting data warehouse
- Reporting server
- Gateway server
- Web console server
- Audit database
- Management server with audit collector
- Management server with Agentless Exception Monitoring file share
- Agent
- Authoring console

Each of these components can be installed on:
- Windows Server 2003 SP1
- Windows Server 2003 SP2
- Windows Server 2003 R2
- Windows Server 2003 Standard Edition on an x86 microprocessor
- Windows Server 2003 Standard Edition on an x64 microprocessor
- Windows Server 2003 Enterprise Edition on an x86 microprocessor
- Windows Server 2003 Enterprise Edition on an x64 microprocessor
- Windows Server 2003 Datacenter Edition on an x86 microprocessor
- Windows Server 2003 Datacenter Edition on an x64 microprocessor
- Windows Server 2008 Standard Edition on an x86 microprocessor
- Windows Server 2008 Standard Edition on an x64 microprocessor
- Windows Server 2008 Enterprise Edition on an x86 microprocessor
- Windows Server 2008 Enterprise Edition on an x64 microprocessor
- Windows Server 2008 Datacenter Edition on an x86 microprocessor
- Windows Server 2008 Datacenter Edition on an x64 microprocessor

4.1.1 Minimum Hardware Requirements


You can use the Operations Manager 2007 Prerequisite Checker in Setup to check the hardware and software prerequisites and generate a report listing the prerequisites your system meets (or does not meet) prior to installing and using Operations Manager 2007. In general, you need a 2.8 GHz (or faster) processor, at least 4 GB of RAM, and 500 GB of disk space to install Operations Manager 2007.
Note: Operations Manager 2007 does not support installing the 32-bit agent on a 64-bit operating system. Operations Manager 2007 provides native support for x86 microprocessors and x64 microprocessors for all components. It also supports agents on computers with 64-bit Itanium processors.

4.1.2 Minimum Software Requirements


Operations Manager 2007 components require a supported operating system. For a list of the supported operating systems for each component, see the Supported Operating Systems section earlier in this document. The following table lists the minimum software requirements for each of the Operations Manager 2007 components. If you wish to install more than one component on the same computer, you must install the prerequisite software for all of the combined components.

4.1.3 Supported Software Requirements for Operations Manager 2007


| Operations Manager Component | Software Requirement(s) |
|---|---|
| Operations Manager Operations database | One of the following: SQL Server 2005 Standard SP1; SQL Server 2005 Standard SP2; SQL Server 2005 Enterprise Edition SP1; SQL Server 2005 Enterprise Edition SP2 |
| Management server and root management server | .NET Framework 2.0; .NET Framework 3.0; Microsoft Core XML Services 6.0 |
| Reporting server | .NET Framework 3.0; SQL Server 2005 Reporting Services SP1 or SQL Server 2005 Reporting Services SP2 |
| Gateway server | .NET Framework 2.0; Microsoft Core XML Services 6.0 |
| Reporting data warehouse | One of the following: SQL Server 2005 Standard SP1; SQL Server 2005 Standard SP2; SQL Server Enterprise Edition SP1; SQL Server Enterprise Edition SP2 |
| Audit collection database | One of the following: SQL Server 2005 Standard SP1; SQL Server 2005 Standard SP2; SQL Server Enterprise Edition SP1; SQL Server Enterprise Edition SP2 |
| Operations console | Required: .NET Framework 2.0; .NET Framework 3.0. Optional: Microsoft Windows PowerShell (required for the Operations Manager 2007 Command Shell); Microsoft Office Word 2003 with .NET Programmability; Microsoft Visual Studio 2005 Tools for Office (required to create or edit Management Pack knowledge data) |
| Web console server | .NET Framework 2.0; .NET Framework 3.0; Internet Information Services (an optional component of Windows Server 2003); ASP.NET (an optional component of Windows Server 2003) |
| Agent | Microsoft Core XML Services 6.0 (requires Windows Installer 3.1) |
| Authoring console | Required: .NET Framework 2.0; .NET Framework 3.0; .NET Framework 3.5 SP1. Optional: Microsoft Windows PowerShell (required for the Operations Manager 2007 Command Shell); Microsoft Office Word 2003 with .NET Programmability; Microsoft Visual Studio 2005 Tools for Office (required to create or edit Management Pack knowledge data) |

Note: Operations Manager 2007 does not support a 32-bit Operations Manager Operations database, Reporting Server data warehouse, or Audit Collection database on a 64-bit operating system.

4.1.4 Supported Firewall Scenarios


The following table shows Operations Manager 2007 component interaction across a firewall, including information about the ports used for communication between the components, which direction to open the inbound port, and whether the port number can be changed.

4.1.5 Operations Manager 2007 Firewall Scenarios


| Operations Manager 2007 Component A | Port Number and Direction | Operations Manager 2007 Component B | Configurable | Notes |
|---|---|---|---|---|
| Root management server | 1433 ---> | Operations Manager database | Yes (Setup) | |
| Management server | 1433 ---> | Operations Manager database | Yes (Setup) | |
| Management server | 5723, 5724 ---> | Root management server | No | Port 5724 must be open to install this component and can be closed once this component has been installed. |
| Management server | 1433 ---> | Reporting data warehouse | No | |
| Gateway server | 5723 ---> | Root management server | No | |
| Root management server | 1433 ---> | Reporting data warehouse | No | |
| Reporting server | 5723, 5724 ---> | Root management server | No | Port 5724 must be open to install this component and can be closed once this component has been installed. |
| Operations console | 5724 ---> | Root management server | No | |
| Connector framework source | 51905 ---> | Root management server | No | |
| Web console server | 5724 ---> | Root management server | No | |
| Web console browser | 51908 ---> | Web console server | Yes (IIS Admin) | Port 51908 is the default port used when selecting Windows Authentication. If you select Forms Authentication, you will need to install an SSL certificate and configure an available port for https functionality for the Operations Manager 2007 Web Console Web site. |
| Connected root management server (Local) | 5724 ---> | Connected root management server (Connected) | No | |
| Agent installed using MOMAgent.msi | 5723 ---> | Root management server | Yes (Setup) | |
| Agent installed using MOMAgent.msi | 5723 ---> | Management server | Yes (Setup) | |
| Agent installed using MOMAgent.msi | 5723 ---> | Gateway server | Yes (Setup) | |
| Gateway server | 5723 ---> | Management server | Yes (Setup) | |
| Agent (Audit Collection Services forwarder) | 51909 ---> | Management server Audit Collection Services collector | Yes (Registry) | |
| Agentless Exception Monitoring data from client | 51906 ---> | Management server Agentless Exception Monitoring file share | Yes (Client Monitoring Wizard) | |
| Customer Experience Improvement Program data from client | 51907 ---> | Management server (Customer Experience Improvement Program) End Point | Yes (Client Monitoring Wizard) | |
| Operations console (reports) | 80 ---> | SQL Reporting Services | No | The Operations console uses Port 80 to connect to the SQL Reporting Services Web site. |
| Reporting server | 1433 ---> | Reporting data warehouse | Yes | |
| Management server (Audit Collection Services collector) | 1433 ---> | Audit Collection Services database | Yes | |

In the preceding table, if SQL Server 2005 is installed using a default instance, the port number is 1433. If SQL Server is installed with a named instance, it is most likely using a dynamic port. To identify the port:
1. Run SQL Server Configuration Manager.
2. Open SQL Server Network Configuration.
3. Open Protocols for INSTANCE1 (or the instance running under it).
4. Open TCP/IP.
5. Click IP Addresses.
6. The port is under IPAll (usually the TCP Dynamic Ports).
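
The same lookup can be scripted when firewall rules for the database connections have to be reviewed on several servers. The PowerShell below is an added example, not part of the original guide: it reads the values that SQL Server Configuration Manager shows under IPAll from the registry for every instance on the local computer. It assumes the standard SQL Server registry layout and an instance whose bitness matches the operating system (a 32-bit instance on 64-bit Windows registers under Wow6432Node instead); the function name Get-SqlInstancePort is made up for this example.

```powershell
# Added example, not from the guide: list the TCP port used by each local
# SQL Server instance, read from the same settings shown under IPAll.
$sqlRoot = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
# Properties that Get-ItemProperty adds to every result; they are not instances.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SqlInstancePort {   # hypothetical helper name
    # "Instance Names\SQL" maps each instance name to its instance ID subkey.
    $map = Get-ItemProperty -Path "$sqlRoot\Instance Names\SQL" -ErrorAction Stop
    foreach ($prop in $map.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }

        $ipAllPath = "$sqlRoot\$($prop.Value)\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
        $ipAll = Get-ItemProperty -Path $ipAllPath -ErrorAction SilentlyContinue
        if (-not $ipAll) {
            Write-Warning "No TCP/IP settings found for instance '$($prop.Name)'."
            continue
        }

        $static  = "$($ipAll.TcpPort)".Trim()
        $dynamic = "$($ipAll.TcpDynamicPorts)".Trim()

        # A non-empty TcpDynamicPorts value means the instance uses a dynamic port.
        if ($dynamic -ne '') {
            $mode = 'Dynamic'
            $port = $dynamic
        } else {
            $mode = 'Static'
            $port = $static
        }

        New-Object PSObject -Property @{
            Instance = $prop.Name
            Mode     = $mode
            Port     = $port
        } | Select-Object Instance, Mode, Port
    }
}

Get-SqlInstancePort | Format-Table -AutoSize
```

A dynamic port can change when the SQL Server service restarts, so a firewall rule written for the reported value should be rechecked after a restart.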

4.1.6 Minimum Network Connectivity Speeds


Operations Manager 2007 requires the following minimum network connectivity speeds between the specified components:
| Component A | Component B | Minimum Requirement |
|---|---|---|
| Root management server / management server | Agent | 64 Kbps |
| Root management server / management server | Agentless | 1024 Kbps |
| Root management server / management server | Database | 256 Kbps |
| Root management server | Console | 768 Kbps |
| Root management server | Management server | 64 Kbps |
| Root management server / management server | Data warehouse database | 768 Kbps |
| Root management server | Reporting server | 256 Kbps |
| Management server | Gateway server | 64 Kbps |
| Local management group | Connected management group (tiering) | 1024 Kbps |
| Web console server | Web console | 128 Kbps |
| Reporting Data Warehouse | Reporting server | 1024 Kbps |
| Console | Reporting server | 768 Kbps |
| Audit collector | Audit database | 768 Kbps |

4.1.7 Supported Cluster Configurations


Operations Manager 2007 supports the clustering configurations for Operations Manager server roles as shown in the following table:
| Server Role | Cluster | Notes |
|---|---|---|
| Operations Manager 2007 Operations database | Single Active-Passive cluster | Setup needs to be run only once on the active node of the cluster. Other Operations Manager 2007 server roles must not be installed on the cluster or nodes of the cluster. |
| Root management server | Single Active-Passive cluster | Setup needs to be run on every node of the cluster. Other Operations Manager 2007 server roles must not be installed on the cluster or nodes of the cluster. |
| Operations Manager 2007 Reporting data warehouse | Single Active-Passive cluster | Other Operations Manager 2007 server roles must not be installed on the cluster or nodes of the cluster. |
| Audit collection database | Single Active-Passive cluster | Other Operations Manager 2007 server roles must not be installed on the cluster or nodes of the cluster. |

4.1.8 Supported but Not Recommended Cluster Configurations


Operations Manager 2007 supports the following clustering configurations for Operations Manager server roles, as shown in the following table. However, due to a potential performance impact on your SQL Server-based computer, these configurations are not recommended:
| Server Role | Cluster | Notes |
|---|---|---|
| Operations Manager 2007 Operations database and Operations Manager 2007 Reporting data warehouse | Active-Active cluster where the Operations Manager Operations database is installed on one node of the cluster and the Reporting data warehouse is installed on the other node of the cluster | There might be some performance issues with SQL Server in this configuration. |
| Operations Manager Operations database, Reporting data warehouse, and audit collection database | Single Active-Passive or Active-Active cluster where all three components are on a single cluster | There might be some performance issues with SQL Server in this configuration. |
| Operations Manager Operations database and audit collection database | Single Active-Passive cluster where both components are on a single cluster | There might be some performance issues with SQL Server in this configuration. |
| Operations Manager Operations database and Reporting data warehouse | Single Active-Passive cluster where both components are on a single cluster | There might be some performance issues with SQL Server in this configuration. |
| Reporting data warehouse and audit collection database | Single Active-Passive cluster where both components are on a single cluster | There might be some performance issues with SQL Server in this configuration. |

4.1.9 Non-supported Cluster Configurations


The following cluster configurations are not supported:
| Server Role | Cluster | Notes |
|---|---|---|
| Operations Manager Operations database and root management server | Single Active-Passive where both components are on the same node of the cluster | Not supported |
| Operations Manager Operations database and root management server | Active-Active-Passive cluster where the Operations Manager Operations database is on one active node, the root management server is on the other active node, and the passive node acts as the failover node for both | Not supported |
| Operations Manager Operations database and root management server | Active-Active cluster where the Operations Manager Operations database is on one active node, the root management server is on the other active node, and they each act as the passive node for the other component | Not supported |

Note: Geographically dispersed clusters or geo clusters are not supported for any Operations Manager 2007 roles.

4.1.10 Monitored Item Capacity


Operations Manager supports the following number of monitored items.
| Monitored Item | Recommended Limit |
|---|---|
| Simultaneous Operations consoles | 50 |
| Agent-monitored computers reporting to a management server | 2,000 |
| Agent-monitored computers reporting to a gateway server | 800 |
| Agentless Exception Monitored computers per management server | 25,000 |
| Agentless Exception Monitored computers per management group | 100,000 |
| Collective client monitored computers per management server | 2,500 |
| Management servers per agent for multihoming | 4 |
| Agentless-managed computers per management server | 10 |
| Agentless-managed computers per management group | 60 |
| Agent-managed computers per management group | 6,000 |

4.2 System Requirements for Operations Manager 2007


Ensure the computers you will use to evaluate Operations Manager 2007 meet the hardware and software requirements of the product. For a complete list of supported configurations, see Operations Manager 2007 Supported Configurations. The following table lists the required software for each Operations Manager 2007 component after a supported operating system has been installed. For a list of supported operating systems, see Operations Manager 2007 Supported Configurations.
| Operations Manager 2007 component | Required software |
|---|---|
| Operations Manager database | One of the following: SQL Server 2005 Standard SP1; SQL Server 2005 Enterprise Edition SP1 |
| Management server | .NET Framework 2.0; .NET Framework 3.0; Microsoft Core XML Services 6.0 (this is installed automatically by the Operations Manager 2007 setup) |
| Operations Console | Required: .NET Framework 2.0; .NET Framework 3.0. Optional: Microsoft Windows PowerShell (required for the Operations Manager 2007 Command Shell); Microsoft Office Word 2003 with .NET Programmability; Microsoft Visual Studio 2005 Tools for Office (required to create or edit Management Pack knowledge data) |
| Agent | Microsoft Core XML Services 6.0 (will install automatically if the agent is deployed from the Operations Console). NOTE: Microsoft Core XML Services 6.0 requires Windows Installer 3.1. |
| Reporting Data Warehouse | SQL Server 2005 SP1 |
| Reporting server | .NET Framework 2.0; .NET Framework 3.0; SQL Server 2005 Reporting Services SP1 |
| Gateway server | .NET Framework 2.0; Microsoft Core XML Services 6.0 |
| Web Console | .NET Framework 2.0; .NET Framework 3.0; Internet Information Services (an optional component of Windows Server 2003); ASP.NET (an optional component of Windows Server 2003) |
| Audit collection database | One of the following: SQL Server 2005 Standard SP1; SQL Server Enterprise Edition SP1 |

In addition, Operations Manager 2007 relies on Active Directory Domain Services for a number of services, including definition of security principals, rights assignment, authentication, and authorization. Operations Manager queries Active Directory Domain Services when performing computer and service discovery and can use Active Directory Domain Services for storing and distributing agent configuration information. For Operations Manager to function properly, Active Directory Domain Services and its supporting service, DNS, need to be healthy and at certain minimum configuration levels.

4.2.1 Domain Functional Level


Windows Server 2003 Active Directory domains can operate in one of four different levels of functionality. These levels are distinguished by the version of the Windows Server operating system that is permitted on the domain controllers present in the domain. Each of the following levels provides increasingly powerful features:
- Windows 2000 mixed: Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 domain controllers are allowed. This is the default domain functional level for Windows Server 2003 domains.
- Windows 2000 native: Windows 2000 Server and Windows Server 2003 domain controllers are allowed.
- Windows Server 2003 interim: Windows Server 2003 and Windows NT Server 4.0 domain controllers are allowed. This is only seen when upgrading a Windows NT Server 4.0 domain to be the first Windows Server 2003 domain in an Active Directory forest.
- Windows Server 2003: Only Windows Server 2003 domain controllers are allowed.

Operations Manager 2007 requires that the domain functional level be Windows 2000 native, Windows Server 2003 interim, or Windows Server 2003. The domain functional level of Windows Server 2008 is also supported. For Operations Manager to function properly, you must check the domain functional level and raise it to at least Windows 2000 native. To do this, see Raise the Domain Functional Level.

4.2.2 Forest Functional Level


The forest functional level is similar to the domain functional level in that it sets a minimum domain controller operating system level across the whole forest. Once it has been set, domain controllers with down-level operating systems from lower functional levels cannot be introduced into the forest. Operations Manager does not have a forest functional level requirement. However, if the forest functional level is left at the default Windows 2000 level, there may be domains in your forest that won't meet the minimum domain functional level requirement.
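
The check described in sections 4.2.1 and 4.2.2 can be run across the whole forest in one pass. The PowerShell below is an added example, not part of the original guide: it lists every domain in the current forest and compares its functional level with the levels section 4.2.1 names as acceptable. It assumes a domain-joined computer and an account that can read the directory; the function name Test-OpsMgrDomainLevel is made up for this example.

```powershell
# Added example, not from the guide: compare every domain in the current forest
# with the domain functional levels section 4.2.1 lists for Operations Manager 2007.
Add-Type -AssemblyName System.DirectoryServices

# DomainMode names as defined by System.DirectoryServices.ActiveDirectory.DomainMode.
$meetsRequirement = 'Windows2000NativeDomain', 'Windows2003InterimDomain',
                    'Windows2003Domain', 'Windows2008Domain'

function Test-OpsMgrDomainLevel {   # hypothetical helper name
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    Write-Host "Forest $($forest.Name) functional level: $($forest.ForestMode)"

    foreach ($domain in $forest.Domains) {
        $mode = $domain.DomainMode.ToString()

        if ($mode -eq 'Windows2000MixedDomain') {
            # The one level the guide rules out.
            $result = 'Below minimum: raise to at least Windows 2000 native'
        } elseif ($meetsRequirement -contains $mode) {
            $result = 'Meets requirement'
        } else {
            # Newer or unknown levels are not covered by the guide's text.
            $result = 'Level not listed in this guide'
        }

        New-Object PSObject -Property @{
            Domain     = $domain.Name
            DomainMode = $mode
            Result     = $result
        } | Select-Object Domain, DomainMode, Result
    }
}

Test-OpsMgrDomainLevel | Format-Table -AutoSize
```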

4.2.3 DNS
DNS must be installed and in a healthy state to support Active Directory Domain Services. Beyond the reliance of Operations Manager on Active Directory Domain Services, there are no specific DNS requirements.

4.3 Security Considerations


Most of the work in preparing the environment for Operations Manager 2007 goes into security-related tasks. This section covers those tasks at a cursory level. For detailed coverage, see the Operations Manager 2007 Security Guide. Preparing the security-related tasks involves the following:
- Understanding, planning, and preparing for monitoring across trust boundaries.
- Planning and preparing the service accounts, user accounts, and security groups that you will need.
- Understanding and preparing the network ports as required by your design.

4.3.1 Trust Boundaries


Active Directory domains form the basic unit of a Kerberos trust boundary as seen by Operations Manager. This boundary is automatically expanded to other domains in the same name space (i.e., the same Active Directory tree), and between domains that are in different Active Directory trees but still in the same Active Directory forest via transitive trusts. The trust boundary can be further expanded between domains in different Active Directory forests through the use of cross-forest trusts.

4.3.1.1 Kerberos

The Kerberos authentication protocol, which is supported by Windows 2000 domain controllers and above, can only occur within a trust boundary. Kerberos authentication is the mechanism used to perform the Operations Manager 2007 agent/server mutual authentication. Agent/server mutual authentication is mandated in Operations Manager 2007 for all agent/server communication. An Operations Manager management group does have the ability to perform discovery and monitoring outside of the Kerberos trust boundary in which it is located. However, because the default authentication protocol for Windows-based computers that are not joined to an Active Directory domain is NTLM, another mechanism must be used to support mutual authentication. This is done through the exchange of certificates between agents and servers.

4.3.1.2 Certificates

When Operations Manager 2007 communication needs to occur across trust boundaries, such as when a server that you want to monitor lies in a different, untrusted, Active Directory domain than the management group that is performing the monitoring, certificates can be used to satisfy the mutual authentication requirement. Through manual configuration, certificates can be obtained and associated with the computers and the Operations Manager services running on them. When a service that needs to communicate with a service on a different computer starts and attempts to authenticate, the certificates will be exchanged and mutual authentication completed.

Important: The certificates used for this purpose must ultimately trust the same root certification authority.

For more information about how to obtain and make use of certificates for mutual authentication, see Deploying Gateway Server in the Multiple Server, Single Management Group Scenario.
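
Whether two certificates meet the "same root certification authority" condition can be checked before they are deployed. The PowerShell below is an added example, not part of the original guide: it builds the chain for two exported certificates with the .NET X509Chain class and compares the thumbprints of the roots they end in. The file names and the function names Get-ChainRoot and Test-SameRoot are hypothetical.

```powershell
# Added example, not from the guide: confirm that two certificates chain to the
# same root certification authority, as mutual authentication here requires.
function Get-ChainRoot {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Path)

    $file  = (Resolve-Path -LiteralPath $Path).Path
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Revocation is out of scope for this check; only the path to the root is examined.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    # Build() uses the certificate stores of the computer it runs on.
    $trusted = $chain.Build($cert)
    $last    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    New-Object PSObject -Property @{
        Subject          = $cert.Subject
        Trusted          = $trusted
        RootSubject      = $last.Subject
        RootThumbprint   = $last.Thumbprint
        # If the chain stops at a certificate that is not self-signed, the root is missing locally.
        RootIsSelfSigned = ($last.Subject -eq $last.Issuer)
        Problems         = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
}

function Test-SameRoot {   # hypothetical helper name
    param([string]$CertA, [string]$CertB)

    $a = Get-ChainRoot -Path $CertA
    $b = Get-ChainRoot -Path $CertB

    foreach ($c in $a, $b) {
        if (-not $c.Trusted) {
            Write-Warning "$($c.Subject): chain not trusted on this computer ($($c.Problems -join ', '))"
        }
    }

    $a.RootIsSelfSigned -and $b.RootIsSelfSigned -and
        ($a.RootThumbprint -eq $b.RootThumbprint)
}

# Hypothetical file names: certificates exported (public part only) from each side.
Test-SameRoot -CertA '.\managementserver.cer' -CertB '.\monitoredserver.cer'
```

Because the chain is built from the local certificate stores, run the check on each computer that has to trust the other side's certificate.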

4.3.2 Certification Authority


To get the necessary certificates, you will need access to a certification authority. This can be either Microsoft Certificate Services or a third-party certification service such as VeriSign.

4.3.2.1 Microsoft Certificate Services

There are four types of Microsoft certificate authorities (CAs):
- Enterprise root
- Enterprise subordinate
- Stand-alone root
- Stand-alone subordinate

Both enterprise types of CAs require Active Directory Domain Services; stand-alone CAs do not. Either type of CA can issue the necessary certificates for agent/server mutual authentication across trust boundaries. Customarily, a CA infrastructure consists of a root CA that signs its own certificates and certifies itself and one or more subordinate CAs, which are certified by the root. The subordinate CA servers are the ones that service certificate requests, while the root is taken offline and held for safekeeping. For more information about designing certificates, see Enterprise Design for Certificate Services and the topic "Certificates" in the Operations Manager 2007 Help file.

4.3.3 Accounts and Groups


You will potentially need many accounts and security groups over the lifetime of your Operations Manager deployment. During Operations Manager setup, you are only prompted for four. You need to consider additional accounts when planning out role-based security assignments, notifications, and alternate credentials to run processes. For guidance on planning role-based security assignments, see the Operations Manager 2007 Design Guide.

4.3.3.1 Role-Based Security Accounts and Groups

Operations Manager controls access to monitored groups, tasks, views, and administrative functions through the assignment of user accounts to roles. A role in Operations Manager is the combination of a profile type (operator, advanced operator, administrator) and a scope (to what data the role has access). Typically, Active Directory security groups are assigned to roles, and then individual accounts are assigned to those groups. Prior to deploying, plan out Active Directory security groups that can be added to these and any custom-created roles. This will prepare you to add individual user accounts to the security groups. Operations Manager provides the following role definitions out-of-the-box:

| Role name | Profile type | Profile description | Role scope |
|---|---|---|---|
| Operations Manager Administrators: Created at setup; Cannot be deleted; Must contain one or more global groups | Administrator | Has full privileges to Operations Manager; no scoping of the Administrator profile is supported. | Full access to all Operations Manager data, services, administrative, and authoring tools |
| Operations Manager Advanced Operators: Created at setup; Globally scoped; Cannot be deleted | Advanced Operator | Has limited change access to Operations Manager configuration; ability to create overrides to rules; monitors for targets or groups of targets within the configured scope. | Access to all groups, views, and tasks currently present and those imported in the future |
| Operations Manager Authors: Created at setup; Globally scoped; Cannot be deleted | Author | Has ability to create, edit, and delete tasks, rules, monitors, and views within configured scope. | Access to all groups, views, and tasks currently present and those imported in the future |
| Operations Manager Operators: Created at setup; Globally scoped; Cannot be deleted | Operator | Has ability to interact with alerts, run tasks, and access views according to configured scope. | Access to all groups, views, and tasks currently present and those imported in the future |
| Operations Manager Read-Only Operators: Created at setup; Globally scoped; Cannot be deleted | Read-Only Operator | Has ability to view alerts and access views according to configured scope. | Access to all groups and views currently present and those imported in the future |
| Operations Manager Report Operators: Created at setup; Globally scoped | Report Operator | Has ability to view reports according to configured scope. | Globally scoped |
| Operations Manager Report Security Administrators: Integrates SQL Reporting Services security with Operations Manager user roles; Gives Operations Manager administrators the ability to control access to reports; Cannot be scoped | Report Security Administrator | Enables integration of SQL Reporting Services security with Operations Manager roles. | No scope |

You can add Active Directory security groups or individual accounts to any of these predefined roles. If you do, those individuals will be able to exercise the given role privileges across the scoped objects. Operations Manager also allows you to create custom roles based on the Operator, Read-Only Operator, Author, and Advanced Operator profiles. When you create the role, you can further narrow the scope of groups, tasks, and views that the role can access. For example, you can create a role entitled "Exchange Operator" and narrow the scope to only Exchange-related groups, views, and tasks. User accounts assigned to this role will only be able to run Operator-level actions on Exchange-related objects.

Important Make sure that you create a domain security group for the Operations Manager Administrators role. This is required to be in place during the first setup run for a management group.

4.3.3.2 Notification Accounts and Groups

Individuals who will interact with Operations Manager frequently, such as an Exchange administrator who has been assigned to the Exchange Operator role, need a way to discover new alerts. This can be done by either watching the Operations console for new alerts or by Operations Manager informing them about the alert via supported communications channels. Operations Manager supports notifications through e-mail, instant messaging, Short Message Service, or pager messages. Notifications on what the role needs to know go out to recipients that you specify in Operations Manager. An Operations Manager recipient is merely an object that has a valid address to receive the notification, such as an SMTP address for e-mail notifications.

Therefore, it is logical to combine role assignment with notification group membership via an e-mail-enabled security group. For example, create an Exchange Administrators security group and populate it with individuals that have the knowledge and permissions to fix things in Exchange. Assign this security group to a custom-created Exchange Administrator role so they have access to the data and are e-mail-enabled. Then, create a recipient by using the SMTP address of the e-mail-enabled security group.

4.3.3.3 Service Accounts

At the time of deployment, you need to have the following service accounts ready. If you use domain accounts and your domain Group Policy object has the default password expiration policy set as required, you will either have to change the passwords on the service accounts according to the schedule, or use low-maintenance system accounts, or configure the accounts so that the passwords never expire.
| Account name | Requested when | Used for | Low maintenance | High security |
|---|---|---|---|---|
| Management server Action Account | Management server setup | Collecting data from providers, running responses | Local system | Low privilege domain account |
| SDK and Configuration Service Account | Management server setup | Writing to operational database, running services | Local system | Low privilege domain account |
| Local Administrator Account for target devices | Discovery and push agent install | Installing agents | Domain or local administrator account | Domain or local administrator account |
| Agent Action Account | Discovery and push agent install | Gathering information and running responses on managed computers | Local system | Low privilege domain account |
| Data Warehouse Write Action Account | Reporting Server setup | Writing to the Reporting Data Warehouse database | Low privilege domain account | Low privilege domain account |
| Data Reader Account | Reporting Server setup | Querying SQL Reporting Services database | Low privilege domain account | Low privilege domain account |

4.3.3.4 Run As Accounts

Agents on monitored computers can run tasks, modules, and monitors on demand as well as in response to predefined conditions. By default, all tasks run by using the Agent Action account credentials. In some cases, the Agent Action account may have insufficient rights and privileges to run a given action on the computer. Operations Manager supports the running of tasks by agents in the context of an alternate set of credentials called a Run As Account. A Run As Account is an object that is created in Operations Manager, just like a recipient is, and maps to an Active Directory user account. A Run As Profile is then used that maps the Run As Account to a specific computer. When a rule, task, or monitor that has been associated with a Run As Profile at the development time of a management pack needs to run on the targeted computer, it does so by using the specified Run As Account.

Operations Manager provides a number of Run As Accounts and Run As Profiles out of the box, and you can create additional ones as necessary. You may also choose to modify the Active Directory credentials with which a Run As Account is associated. This will require planning, creating, and maintaining additional Active Directory credentials for this purpose. You should treat these accounts as service accounts with regard to password expiration, Active Directory Domain Services, location, and security. Also, you will need to work with management pack authors as they develop requests for Run As Accounts. For more information, see the Operations Manager 2007 Security Guide.

4.3.4 Agent and Agentless Monitoring


In this section we will discuss the environmental prerequisites for devices that will have agents installed and devices that will be monitored in an agentless fashion.

4.3.4.1 Clients with Agents Installed

The three main activities involved with agent administration are discovery of target devices, deployment or installation of agents to those devices, and ongoing management of the agents. Agents that lie outside a trust boundary require a few more prerequisites than agents that lie inside a trust boundary.

4.3.4.1.1 Agents Inside a Trust Boundary

4.3.4.2 Discovery

Discovery requires that the TCP 135 (RPC), RPC range, and TCP 445 (SMB) ports remain open and that the SMB service is enabled.

4.3.4.3 Installation

After a target device has been discovered, an agent can be deployed to it. Agent installation requires the following:

- Opening Remote procedure call (RPC) ports beginning with endpoint mapper TCP 135 and the Server Message Block (SMB) port TCP/UDP 445.
- Enabling the File and Printer Sharing for Microsoft Networks and the Client for Microsoft Networks services. (This ensures that the SMB port is active.)
- If enabled, the Windows Firewall Group Policy settings "Allow remote administration exception" and "Allow file and printer sharing exception" must have "Allow unsolicited incoming messages from:" set to the IP address and subnets of the primary and secondary management servers for the agent. For more information, see How to Configure the Windows Firewall to Enable Management of Windows-Based Computers from the Operations Manager 2007 Operations Console.
- An account that has local administrator rights on the target computer.
- Windows Installer 3.1. To install, see article 893803 in the Microsoft Knowledge Base.
- Microsoft Core XML Services 6, which is on the Operations Manager product installation media in the \msxml subdirectory.

Note Push agent installation will install Microsoft Core XML Services 6 on the targeted device if it is not there.

4.3.4.4 Ongoing Management

Ongoing management of an agent requires that the TCP 135 (RPC), RPC range, and TCP 445 (SMB) ports remain open and that the SMB service remains enabled.

4.3.4.5 Agents Outside a Trust Boundary

For agents that lie outside the trust boundary of the management servers, the environmental prerequisites are the same as for those that lie inside a trust boundary, with some additions. Because the device is going to have an installed agent, the software, service, and port requirements remain the same. However, because there is no underlying infrastructure to support Kerberos authentication, certificates must be used on both sides of the connection.

To simplify the cross-trust-boundary configuration, you can install an Operations Manager gateway server in the same trust boundary as the devices that you will monitor. The gateway server acts as a proxy so that all communication between the management server and agents is routed through the gateway server. This communication is done over a single port, TCP 5723, and requires certificates on the management server and the gateway server. In addition, the gateway server performs discovery and installation, and relays ongoing administration traffic on behalf of the management server to the agents. The use of gateway servers also reduces the volume of network traffic and is therefore useful in low bandwidth conditions. For more information about gateway server configuration, see Deploying Gateway Server in the Multiple Server, Single Management Group Scenario.
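The port prerequisites from 4.3.4.2 through 4.3.4.5, checked against an exported firewall allow-list, with the number of ports each design opens across the trust boundary. This is an added example, not part of the guide or of Operations Manager; the rule format, the host names, the RPC range 49152-65535 and the gateway-to-management-server direction for TCP 5723 are assumptions of the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Allow:
    """One allow rule from a firewall export (format assumed for this example)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    low: int     # inclusive port range
    high: int

# Ports per phase as the guide lists them. "rpc" stands for the RPC range,
# whose bounds the guide does not give, so the caller supplies them.
PHASES = {
    "discovery":    [("tcp", 135), ("tcp", "rpc"), ("tcp", 445)],
    "installation": [("tcp", 135), ("tcp", "rpc"), ("tcp", 445), ("udp", 445)],
    "ongoing":      [("tcp", 135), ("tcp", "rpc"), ("tcp", 445)],
}
GATEWAY_PORT = 5723  # single port between management server and gateway

def covered(rules, src, dst, proto, low, high):
    """True if the allow rules for this flow jointly cover every port in low..high."""
    spans = sorted((r.low, r.high) for r in rules
                   if (r.src, r.dst, r.proto) == (src, dst, proto))
    need = low
    for lo, hi in spans:
        if lo > need:          # gap before this span starts
            return False
        need = max(need, hi + 1)
        if need > high:
            return True
    return False

def missing_push_flows(rules, manager, agent, rpc_range):
    """List (phase, proto, ports) needs that no rule from manager to agent covers."""
    gaps = []
    for phase, needs in PHASES.items():
        for proto, port in needs:
            low, high = rpc_range if port == "rpc" else (port, port)
            if not covered(rules, manager, agent, proto, low, high):
                gaps.append((phase, proto, str(low) if low == high else f"{low}-{high}"))
    return gaps

def gateway_link_ok(rules, gateway, management_server):
    """TCP 5723 open from gateway to management server (direction is assumed)."""
    return covered(rules, gateway, management_server, "tcp", GATEWAY_PORT, GATEWAY_PORT)

def cross_boundary_ports(rules, zone_of):
    """Count distinct (proto, port) pairs opened between hosts in different zones."""
    opened = set()
    for r in rules:
        if zone_of[r.src] != zone_of[r.dst]:
            opened.update((r.proto, p) for p in range(r.low, r.high + 1))
    return len(opened)

# Constructed sample: ms01 is the management server, gw01 a gateway and web01 an
# agent-managed host in another trust boundary. The RPC range is an assumed value.
RPC = (49152, 65535)
ZONES = {"ms01": "corp", "gw01": "perimeter", "web01": "perimeter"}
DIRECT = [
    Allow("ms01", "web01", "tcp", 135, 135),
    Allow("ms01", "web01", "tcp", 49152, 60000),
    Allow("ms01", "web01", "tcp", 60001, 65535),
    Allow("ms01", "web01", "tcp", 445, 445),
]
VIA_GATEWAY = [
    Allow("gw01", "ms01", "tcp", 5723, 5723),
    Allow("gw01", "web01", "tcp", 135, 135),
    Allow("gw01", "web01", "tcp", 49152, 65535),
    Allow("gw01", "web01", "tcp", 445, 445),
    Allow("gw01", "web01", "udp", 445, 445),
]

if __name__ == "__main__":
    print("direct push gaps:", missing_push_flows(DIRECT, "ms01", "web01", RPC))
    print("direct cross-boundary ports:", cross_boundary_ports(DIRECT, ZONES))
    print("gateway push gaps:", missing_push_flows(VIA_GATEWAY, "gw01", "web01", RPC))
    print("gateway link ok:", gateway_link_ok(VIA_GATEWAY, "gw01", "ms01"))
    print("gateway cross-boundary ports:", cross_boundary_ports(VIA_GATEWAY, ZONES))
```

In the constructed rule sets, the direct design is missing UDP 445 for installation and opens the whole RPC range across the boundary, while the gateway design crosses it on TCP 5723 only.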

4.3.4.6 Manually Installed Agents

Discovery is not performed for manually installed agents. Therefore, there are fewer requirements.

4.3.4.7 Agentless Monitoring

Agentless monitoring of devices is performed by either a management server or by another device that does have an agent, called a proxy agent. An agentless managed device must not be separated from its management server or proxy agent by a firewall because monitoring is performed over remote procedure call (RPC). The action account of the agent that is performing the monitoring must have local administrative rights on the device that is being monitored.

4.3.5 Deploy an Operations Manager 2007 Management Group on a Single Computer Using the Setup Wizard
Use the following procedure to deploy the Operations Manager 2007 server components required for a management group on a single computer, using the Setup Wizard. The required server components for a management group are the Operations Manager database, a management server, and an Operations Console.

To deploy an Operations Manager 2007 management group by using the Setup Wizard:

1. Use local administrator privileges to log on to the computer. (This account must have system administrator privileges on the instance of SQL Server that will host the Operations Manager 2007 database.)
2. On the Operations Manager 2007 installation media, double-click SetupOM.exe.
3. On the Start page, select Install Operations Manager 2007.
4. When the Welcome page displays, click Next.
5. On the End-User License Agreement page, accept the agreement and then click Next.
6. On the Product Registration page, type the information in the text boxes (the CD key is required) and click Next.
7. When the Custom Setup page displays, leave the components set to their defaults and then click Next.
8. On the Management Group Configuration page, follow these steps:
   a. Type the name you want for the management group in the Management Group text box.
Important: The name of a management group cannot be changed.

Note The management group name cannot contain the following characters: ( ) ^ ~ : ; . ! ? " , ' ` @ # % \ / * + = $ | & [ ] < > { }, or have a leading or trailing space. It is recommended that the management group name is unique within your organization if you plan to connect Operations Manager 2007 management groups.

   b. Click Browse and select the universal or global security group that you want added to the management group's administrators role, and then click OK.
Important The person installing the management group must be a member of the specified universal or global security group to run the Operations Console.

   c. Click Next.
9. On the SQL Server Database Instance page, in the SQL Server Database Instance list, select the instance of SQL Server on which you want to install the Operations Manager 2007 database and then click Next.
10. On the Database and Log Files Options page, in the SQL Server Database Instance list, select the instance of SQL Server on which you want to install the Operations Manager 2007 database and then click Next.
Note To change the default database name or installation location of either the data file or the log file, click Advanced, make the changes, click OK, and then click Next to continue.

11. On the Management Server Action Account page, perform one of the following steps:
   a. Select Local System, and click Next.
   b. Select Domain or Local Computer Account, type the User Account and Password, select the Domain or local computer from the list, and then click Next. If User Account is provided in alias@contoso.com format, the value in Domain or local computer is ignored.
Note If you plan to deploy agents to remote computers from the Operations Manager 2007 Operations console, the Management Server Action account must have administrative privileges on these remote computers.

12. On the SDK and Config Service Account page, perform one of the following steps:
   - Select Local System, and click Next.
   - Select Domain or Local Account, type the User Account and Password, select the Domain or local computer from the list, and then click Next. If User Account is provided in alias@contoso.com format, the value in Domain or local computer is ignored.

13. On the Web Console Authentication Configuration page, select Use Windows Authentication if the console will be accessed only over an intranet. Select Use Forms Authentication if the console will be accessed over the Internet.
14. On the Operations Manager Error Reports page, either leave Do you want to send error reports to Microsoft cleared and click Next to not send Operations Manager 2007 error reports to Microsoft, or select Do you want to send error reports to Microsoft and perform the following steps:
   a. Select Automatically send error reports about this product to Microsoft without prompting the user, or leave the default option, Prompt the user for approval before sending error reports to Microsoft, selected.
   b. Click Next.
15. On the Customer Experience Improvement Program page, perform one of the following steps:
   a. Leave the default option of I don't want to join the program selected if you do not want your organization to participate in the program, and then click Next.
   b. Select Join the Customer Experience Improvement Program if you want your organization to participate in the program, and then click Next.
16. On the Ready to Install page, click Install. The Installing System Center Operations Manager 2007 page will display and provide installation progress.
17. When the Completing the System Center Operations Manager 2007 Setup Wizard page displays, do the following:
   a. Leave the Start the Console check box selected to launch the Operations Console.
Note To open the Operations Console, you must be a member of an Operations Manager 2007 user role for the management group. For information about adding a user to a user role, see Security Considerations in Operations Manager 2007.

18. Leave Back up Encryption Key selected to back up the encryption key.
Important Without a backup of the Root Management Server key, you would need to re-enter all of your Run As Accounts if you had to rebuild the root management server. In larger environments, this rebuild could involve hundreds of accounts. For more information about the Encryption Key Backup or Restore Wizard, see How to Backup and Restore Encryption Keys in Operations Manager 2007.

19. Click Finish.
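A pre-setup review of the answers the wizard asks for in steps 8 through 18, using the name rules from step 8, the alias@domain behaviour from steps 11 and 12, and the low-maintenance versus high-security account columns from 4.3.3.3. This is an added example, not part of the guide or of Operations Manager; the answer-sheet layout and every account, group and domain value in it are constructed.

```python
# Characters the guide lists as not allowed in a management group name.
FORBIDDEN = set('()^~:;.!?",\'`@#%\\/*+=$|&[]<>{}')

def group_name_problems(name):
    """Problems with a proposed management group name (it cannot be changed later)."""
    problems = []
    if name != name.strip(" "):
        problems.append("leading or trailing space")
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    return problems

def effective_account(user_account, domain_or_computer):
    """Identity setup will use: a name in alias@domain form overrides the Domain field."""
    if "@" in user_account:
        return user_account
    return f"{domain_or_computer}\\{user_account}"

def review_answers(a):
    """Findings for one planned set of wizard answers (dict layout is assumed)."""
    findings = ["group name: " + p for p in group_name_problems(a["group_name"])]
    if a["installer"] not in a["admin_group_members"]:
        findings.append("installer is not in the administrators-role security group")
    for role in ("action_account", "sdk_account"):
        acct = a[role]
        if acct["type"] == "local_system":
            findings.append(f"{role}: Local System is the low-maintenance choice, "
                            "not the high-security one")
        elif "@" in acct["user"] and acct.get("domain"):
            findings.append(f"{role}: Domain field {acct['domain']!r} is ignored, "
                            f"setup uses {effective_account(acct['user'], acct['domain'])}")
    if a["web_console_from_internet"] and a["web_console_auth"] != "forms":
        findings.append("web console reached over the Internet: use Forms Authentication")
    if not a["backup_encryption_key"]:
        findings.append("Back up Encryption Key is cleared")
    return findings

# Constructed answer sheet; every name and value here is made up for the example.
ANSWERS = {
    "group_name": " Contoso.Prod",
    "installer": "CONTOSO\\alice",
    "admin_group_members": {"CONTOSO\\bob"},
    "action_account": {"type": "local_system"},
    "sdk_account": {"type": "domain", "user": "omsdk@contoso.com", "domain": "FABRIKAM"},
    "web_console_from_internet": True,
    "web_console_auth": "windows",
    "backup_encryption_key": False,
}

if __name__ == "__main__":
    for finding in review_answers(ANSWERS):
        print("-", finding)
```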

5 Getting Started with System Center Data Protection Manager 2007


Before you install System Center Data Protection Manager (DPM) 2007, you need to ensure that the DPM server and the computers and applications it is going to protect meet network and security requirements. You must also ensure that they are running on supported operating systems and that they meet the minimum hardware requirements and software prerequisites. DPM is designed to run on a dedicated, single-purpose server that cannot be either a domain controller or an application server. The DPM server must not serve as a management server for Microsoft Operations Manager (MOM) 2005 or Microsoft System Center Operations Manager 2007. However, you can monitor the DPM server and the computers that it protects in MOM or Operations Manager.

5.1 Security Requirements


The System Center Data Protection Manager (DPM) 2007 security requirements are as follows:

- Before you install DPM 2007, you must log on to the computer as a domain user who is a member of the local administrators group.
- After you install DPM, you must be a domain user with administrator access to use DPM Administrator Console.

5.2 Network Requirements


The System Center Data Protection Manager (DPM) 2007 network requirements are as follows:

- The DPM server must be deployed within a Windows Server 2003 Active Directory domain. The domain controllers can be running a Windows Server 2000, Windows Server 2003, Windows Server 2003 R2 Server, or Windows Server 2008 operating system.
Note For complete protection on a Windows Server 2008 operating system, including system state protection, you must install Knowledge Base article 949779.

DPM 2007 running on Windows Server 2000 domain controllers does not support the following:

- Protecting computers across domains.
- Protecting a child Windows Server 2000 domain controller in a domain where Windows Server 2000 is the primary domain controller.
- Protecting computers running Exchange Server 2007.

DPM 2007 running on Windows Server 2003 domain controllers supports protecting computers across domains within a forest. However, you must establish two-way trust across the domains. If there is no two-way trust across domains, you must have a separate DPM server for each domain. DPM 2007 does not support protection across forests.

Active Directory Domain Services, an essential component of the Windows Server 2003 architecture, provides organizations with a directory service designed for distributed computing environments. Active Directory Domain Services allows organizations to centrally manage and share information about network resources and users while acting as the central authority for network security. In addition to providing comprehensive directory services to a Windows environment, Active Directory Domain Services is designed to be a consolidation point for isolating, migrating, centrally managing, and reducing the number of directories that companies require.
Note The DPM server requires persistent connectivity with the servers and desktop computers it protects.

5.3 Hardware Requirements


System Center Data Protection Manager (DPM) 2007 requires a disk that is dedicated to the storage pool and a disk that is dedicated to the following:

- System files
- DPM installation files
- DPM prerequisite software
- DPM database files

Note You can install DPM on the same volume that the operating system is installed on, or you can install DPM on a different volume that does not include the operating system. However, you cannot install DPM on the disk that is dedicated to the storage pool, which is a set of disks on which the DPM server stores the replicas and recovery points for the protected data.

DPM owns and manages the disks in the storage pool, which must be dynamic. For purposes of DPM, "disk" is defined as any disk device manifested as a disk in Disk Management. For information about the types of disks that the storage pool supports and how to plan your disk configuration, see Planning the Storage Pool.
If you want to manage your own additional disk space, DPM enables you to attach or associate custom volumes to data sources that you are protecting in a protection group. Custom volumes can be on basic or dynamic disks. Any volume that is attached to the DPM server can be selected as a custom volume. However, DPM cannot manage the space in custom volumes. Note that the release of DPM 2007 being discussed here will not delete any existing volumes on the disk attached to the storage pool to make the entire disk space available.
Note A 64-bit system is recommended for installing DPM 2007.

The following table lists the minimum and recommended hardware requirements for the DPM server. For more information about planning DPM server configurations, see Planning for DPM Deployment.
| Component | Minimum Requirement | Recommended Requirement |
|---|---|---|
| Processor | 1 gigahertz (GHz) or faster | 2.33 GHz quad-core CPUs |
| Memory | 2 gigabytes (GB) RAM. For information about how DPM manages memory, see DPM and Memory. | 4 GB RAM |
| Pagefile | 0.2 percent the size of all recovery point volumes combined, in addition to the recommended size. (This is typically 1.5 times the amount of RAM on the computer.) For information about configuring the DPM pagefile size, in the DPM Operations Guide see Managing Performance. | N/A |
| Disk space for DPM installation | Program files drive: 410 megabytes (MB); Database files drive: 900 MB; System drive: 2,650 MB | From 2 GB to 3 GB of free space on the program files volume |
| Disk space for storage pool | 1.5 times the size of the protected data. For information about calculating capacity requirements and planning the configuration of the disks, in Planning a DPM 2007 Deployment see Planning the Storage Pool. [The storage pool does not support Universal Serial Bus (USB)/1394 disks.] | From 2 to 3 times the size of the protected data |
| Logical unit number (LUN) | N/A | Maximum of 17 terabytes for GUID partition table dynamic disks; 2 terabytes for master boot record disks |

NOTE (Disk space for DPM installation, minimum): The system drive disk space requirement is necessary if you chose to install the instance of SQL Server from the DPM download package. If you are using an existing instance of SQL Server, this disk space requirement is considerably less.

NOTE (Disk space for DPM installation, recommended): DPM requires at least 300 MB of free space on each protected volume for the change journal. In addition, before archiving data to tape, DPM copies the file catalog to a DPM temporary installation location. Therefore, we recommend that the volume on which DPM is installed contains from 2 GB to 3 GB of free space.

NOTE (LUN): These requirements are based on the maximum size of the disk as it appears to the Windows Server operating system.

5.4 Software Requirements


The Data Protection Manager (DPM) server must be running one of the following operating systems:

- Windows Server 2008 Standard or Windows Server 2008 Enterprise. For more information regarding complete protection for Windows Server 2008, including system state protection, see Knowledge Base article 949779.
- Windows Server 2003 SP2. To download SP2 for Windows Server 2003, see Windows Server 2003 Service Pack 2.
- Windows Server 2003 R2 Standard Edition SP2 or Windows Server 2003 R2 Enterprise Edition SP2.
- Windows Advanced Server 2003 SP2.
- Windows Storage Server 2003 Standard Edition, Windows Storage Server 2003 Enterprise Edition, or Windows Storage Server 2003 Express Edition SP2. (To obtain SP2 for Windows Storage Server 2003 or Windows Storage Server 2003 R2, contact your original equipment manufacturer.)
- Windows Storage Server 2003 R2 SP2.

Please note:

- DPM 2007 supports 32-bit and x64-bit operating systems. DPM does not support ia64-bit operating systems.
- The server cannot be the Management Server for Microsoft System Center Operations Manager.
- DPM 2007 is designed to run on a dedicated, single-purpose server that cannot be either a domain controller or an application server.
- There is a Volume Shadow Copy Service (VSS) non-paged pool limitation on x86 32-bit operating systems. If you are protecting more than 10 terabytes of data, the DPM server must be running on a 64-bit operating system. In addition, because VSS non-paged pool usage is based on the size of a single volume, we recommend that you do not protect a single volume larger than 4 terabytes of data on 32-bit operating systems.

DPM Management Shell, an interactive command-line technology that supports task-based scripting, is supported on the following operating systems:

- Windows XP Service Pack 2
- Windows Vista
- Windows Server 2003 SP2

The System Center DPM server must be a dedicated, single-purpose server, and it cannot be either a domain controller or an application server. The DPM server cannot be the management server for Microsoft Operations Manager (MOM) 2005 or Microsoft System Center Operations Manager 2007.

Other items of note:

- Windows PowerShell 1.0
- Single Instance Storage (SIS) on Windows Server 2008. (For information about installing SIS on Windows Server 2008, see Manually Install Required Windows Components.)
- Windows Deployment Services (WDS) on Windows Server 2003 SP2, or Single Instance Storage (SIS) on Windows Storage Server 2003 R2.
- Microsoft .NET Framework 2.0.
- Internet Information Services (IIS) 6.0 for Windows Server 2003. (IIS 6.0 is not installed on Windows Server 2003 by default.)
- IIS 7.0 for Windows Server 2008. (IIS 7.0 is not installed on Windows Server 2008 by default. If IIS is not installed before installing SQL Server 2005, SQL Server will not install SQL Server Reporting Services. Note that in addition to the default components that IIS 7.0 installs, DPM requires all IIS 7.0 components.)
- Microsoft SQL Server 2005 SP2 workstation components.

You may use an existing remote instance of SQL Server for your DPM database. If you choose to use a remote instance of SQL Server, you must install sqlprep.msi.

- To use an instance of SQL Server on a remote computer, run sqlprep.msi, which is located on the DPM product DVD in the DPM2007\msi\SQLprep folder.
- DPM 2007 does not support using an instance of SQL Server 2008 for your DPM database. DPM Setup will not proceed if you select an instance of SQL Server 2008.
- Verify that the user account you will be using to run the SQL Server service and the SQL Server Agent service has read and execute permissions to the SQL Server installation location.
- Microsoft SQL Server 2005 SP2 with Reporting Services. (If SQL Server Reporting Services is installed on the remote SQL Server, DPM Setup will use that Reporting Service. If SQL Server Reporting Services is not installed on the remote computer running SQL Server, you must install and configure the service on the remote computer running SQL Server.)
- Microsoft SQL Server 2005 SP2.
Important You cannot install DPM 2007 on a computer with Cluster services enabled. Before you install DPM 2007 you must remove the computer from the cluster using the Cluster Administrator tool, or you must install DPM on another computer.

Each computer that System Center DPM 2007 protects must meet the requirements listed in the following table. Protected volumes must be formatted with the NTFS file system. DPM cannot protect volumes formatted as FAT or FAT32. Also, the volume must be at least 1 GB for DPM to protect it. DPM uses VSS to create a snapshot of the protected data, and VSS will create a snapshot only if the volume size is greater than or equal to 1 GB. Before you install protection agents on the computers you are going to protect, you must apply hotfix 940349. You must install the hotfix on your 64-bit and 32-bit servers. If you are installing a protection agent on Windows Vista, the 940349 hotfix is not required.

Protected Computers and Computer Requirements

File servers:

You can protect file servers on any of the following operating systems:

- Windows Server 2003 Standard Edition with SP1
- Windows Server 2003 Standard Edition with SP2
- Windows Server 2003 Enterprise Edition SP1
- Windows Server 2003 Enterprise Edition SP2
- Windows Advanced Server 2003 SP1
- Windows Advanced Server 2003 SP2
- Windows Server 2003 R2 Standard Edition
- Windows Server 2003 R2 Enterprise Edition
- Windows Storage Server 2003 Standard Edition SP1
- Windows Storage Server 2003 Standard Edition SP2
- Windows Storage Server 2003 Enterprise Edition SP1
- Windows Storage Server 2003 Enterprise Edition SP2
- Windows Storage Server 2003 Express Edition SP1
- Windows Storage Server 2003 Express Edition SP2

NOTE: To obtain SP1 for Windows Storage Server 2003, contact your original equipment manufacturer.

- Windows Small Business Server 2003 Standard Edition
- Windows Small Business Server 2003 Premium Edition
- Windows Small Business Server 2003 R2 Standard Edition
- Windows Small Business Server 2003 R2 Premium Edition
- Windows Server 2008 Standard Edition
- Windows Server 2008 Enterprise Edition

Computers running SQL Server:

- Microsoft SQL Server 2000 with SP4
- Microsoft SQL Server 2005 SP1
- Microsoft SQL Server 2005 SP2

NOTE: DPM supports SQL Server Standard Edition, SQL Server Enterprise Edition, SQL Server Workgroup Edition, and SQL Server Express Edition.

IMPORTANT: You must start the SQL Server VSS Writer Service on computers running SQL Server 2005 SP1 before you can start protecting SQL Server data. The SQL Server VSS Writer Service is turned on by default on computers running SQL Server 2005. To start the SQL Server VSS Writer service, in the Services console, right-click SQL Server VSS writer, and then click Start.

Computers running Exchange Server:

- Exchange Server 2003 SP2
- Exchange Server 2007

NOTE: DPM supports Exchange Server Standard Edition and Exchange Server Enterprise Edition installed on Windows Server 2003 and later. Before you can protect Exchange Server 2007 data in a Clustered Continuous Replication (CCR) configuration, you must install hotfix 940006. For more details, see Knowledge Base article 940006, Description of Update Rollup 4 for Exchange 2007.

IMPORTANT: The eseutil.exe and ese.dll versions that are installed on the most recent edition of Exchange Server must be the same versions that are installed on the DPM server. In addition, you must update eseutil.exe and ese.dll on the DPM server if they are updated on a computer running Exchange Server after applying an upgrade or an update. For more information about updating eseutil.exe and ese.dll, see Eseutil.exe and Ese.dll.

Computers running Virtual Server:

- Microsoft Virtual Server 2005 R2 SP1

NOTE: To protect virtual machines for online backups, we recommend that you install version 13.715 of Virtual Machine Additions.

Windows SharePoint Services:

- Windows SharePoint Services 3.0
- Microsoft Office SharePoint Server 2007

Before you can protect Windows SharePoint Services (WSS) data, you must do the following:

- Install Knowledge Base article 941422: Update for Windows SharePoint Services 3.0. NOTE: You must install Knowledge Base article 941422 on all protected servers on which Windows SharePoint Services 3.0, Microsoft Office SharePoint Server 2007, and Microsoft Office SharePoint Server 2007 SP1 are installed.
- Start the WSS Writer service on the WSS Server and then provide the protection agent with credentials for the WSS farm. For more information, in Configuring DPM 2007, see Starting and Configuring the WSS VSS Writer Service.
- Update the instance of SQL Server 2005 to SQL Server 2005 SP2.
- Install the SQL Server Client components on the front-end web server of the Windows SharePoint Services farm that DPM is going to protect. For information about installing SQL Server components, see How to: Install SQL Server 2008.

Shared disk clusters:

- File servers
- SQL Server 2000 SP4
- SQL Server 2005 SP1
- Exchange Server 2003 SP2
- Exchange Server 2007

Non-shared disk clusters:

- Exchange Server 2007

Workstations:

- Windows XP Professional SP2
- Windows Vista Business Edition
- Windows Vista Ultimate Edition

NOTE: DPM requires that the workstations and laptops that it protects be Active Directory members. Therefore, they must remain connected to the corporate local area network (LAN) at all times using reliable and consistent networks.

5.5 Install Software Prerequisites


Here are the steps for installing the prerequisite software required for Data Protection Manager (DPM) 2007:
1. Install Windows Server 2003 SP2 (or later).
Important You must properly configure Windows Server 2003 to support a DPM 2007 installation. For more information about installing Windows Server 2003, see How to Install Windows Server 2003.
2. Log on to the computer as a domain user who is a member of the local administrators group.
3. Go to Microsoft Update and install all available updates for Windows.
4. Install Knowledge Base article 940349.
5. Install Windows PowerShell 1.0.

DPM Setup will install the following prerequisite software before installing the actual DPM application:
- Windows Deployment Services
- Microsoft .NET Framework 2.0
- Internet Information Services (IIS) 6.0
- Microsoft SQL Server 2005 SP2 and Reporting Services

The next section outlines the steps required to install and configure a complete installation of DPM 2007. You can use DPM Administrator Console to configure DPM 2007.

5.6 Steps to Install and Configure Data Protection Manager 2007


Here are the steps for installing and configuring a complete installation of Data Protection Manager (DPM) 2007:
1. Install DPM 2007 using the default settings. (You must be a domain user who is a member of the local administrators group on the computer to which you are logged on.)
2. Add a disk to the storage pool: In DPM Administrator Console, in the Management task area, on the Disks tab, in the Actions pane, click Add. (For detailed instructions, see Adding Disks to the Storage Pool.)
3. Configure your tape library: In DPM Administrator Console, in the Management task area, on the Libraries tab, in the Actions pane, click Rescan.
4. Install a protection agent: In DPM Administrator Console, in the Management task area, on the Agents tab, in the Actions pane, click Install. The Protection Agent Installation wizard appears and guides you through the process of creating the protection agent. For detailed instructions, see Installing Protection Agents.
5. Install the software requirements on the computers you are going to protect. For information about protected computer requirements, see Protected Computer Requirements.
6. Create a protection group: In DPM Administrator Console, in the Protection task area, in the Actions pane, click Create protection group. The New Protection Group Wizard appears and guides you through the process of creating the protection group. For detailed instructions, see Creating Protection Groups.

5.7 Post-Installation
After you perform the initial configuration, you can enable the following optional Data Protection Manager (DPM) 2007 features:
- Enabling end-user recovery
- Installing the Shadow Copy Client software
- Subscribing to alerts and notifications
- Configuring the SMTP server
- Publishing DPM alerts
- Installing DPM Management Shell

5.8 Manually configuring Hyper-V protection in Data Protection Manager


Here are the steps required to manually configure Hyper-V protection in Data Protection Manager (DPM):
1. Go to the Protection tab and choose Create Protection Group on the right side of the DPM management console.
2. Microsoft Hyper-V will now appear as an option in the Available Members for protection.
3. Select the guest you wish to protect and click Next.
4. Name your protection group and then configure Short-Term Protection and Long-Term Protection.
5. Set the retention range for how far back you wish to be able to restore, and select Next again.
6. Modify space allocation as needed. (Note: Hyper-V guests generally require a large amount of storage space.)
7. Choose the replication method to use. This will generally be automatic replication, but it may be scheduled for a later time when the network has less traffic.
8. Confirm the settings you wish to use and select Create Group to create the new protection group. If you choose to replicate now, the snapshot will take place immediately and the replication of the backup will begin across the network.

5.9 Procedures for Enabling End User Recovery


To configure Active Directory Domain Services and enable end-user recovery for schema and domain administrators:
1. In DPM Administrator Console, on the Action menu, click Options.
2. In the Configure Active Directory dialog box, select Use Current Credentials or type the user name and password for an account that has both schema and domain administrator privileges and click OK.
3. On the confirmation and notification prompts, click Yes and click OK.
4. After configuration of Active Directory Domain Services is complete, select the check box for the Enable end-user recovery option and click OK.

To configure Active Directory and enable end-user recovery for users who are not schema and domain administrators:
1. Direct a user who is both a schema and domain administrator to configure the Active Directory schema by running <drive>:\Program Files\Microsoft DPM\DPM\End User Recovery\DPMADSchemaExtension.exe on a Windows Server 2003-based computer that is a member of the same domain as the DPM server.
Note If the protected computer and DPM reside in different domains, the schema needs to be extended by running the DPMADSchemaExtension.exe tool on the other domain.
2. In the Enter Data Protection Manager Computer Name dialog box, type the name of the computer for which you want end-user recovery data in Active Directory Domain Services, and click OK.
3. Type the DNS domain name of the DPM computer for which you want end-user recovery data in Active Directory Domain Services and click OK.
4. In the Active Directory Configuration for Data Protection Manager dialog box, click OK.
5. In DPM Administrator Console, on the Action menu, click Options.
6. In the Options dialog box, on the End-User Recovery tab, select the Enable End-User Recovery check box and click OK.

6 Getting Started with System Center Virtual Machine Manager 2008


System Center Virtual Machine Manager (VMM) 2008 can scale across a wide range of virtual environments from a stand-alone VMM implementation on a single computer, managing a virtual environment with one to 20 hosts, to a fully distributed enterprise environment, managing hundreds of hosts and thousands of virtual machines dispersed across a wide geographic area. The modularity of the VMM components allows you to configure your VMM implementation in a manner that best meets the management needs and objectives of your virtual environment. You can install all VMM components on a single computer, install more than one VMM component on a single computer, or install each VMM component on a different computer, depending on the size and complexity of your environment.

6.1 Hardware Requirements


The minimum and recommended hardware requirements to install and operate all Virtual Machine Manager (VMM) components on a single computer are listed in the following tables based on the number of hosts that the VMM server manages.
Hardware component | Minimum | Recommended
Processor | Pentium 4, 2.8 GHz (x64) | Dual-Core Pentium 4, 2 GHz (x64) or greater
RAM | 2 GB | 4 GB
Hard disk space | 10 GB | 50 GB

6.2 Software Requirements


The following software must be installed prior to installing all Virtual Machine Manager components on a single computer:
Software requirement: Windows Server 2008 Standard Edition with Hyper-V; Windows Server 2008 Enterprise Edition with Hyper-V; Windows Server 2008 Datacenter Edition with Hyper-V

Software requirement: Windows PowerShell 1.0
Notes: This software is included in Windows Server 2008. If this software has been removed, the Setup Wizard automatically adds it.

Software requirement: Windows Remote Management (WinRM)
Notes: This software is included in Windows Server 2008. The WinRM service is set to start automatically. If the WinRM service is disabled and stopped, Setup will fail. If the WinRM service is set to start automatically and is stopped, the Setup Wizard starts the service. If the WinRM service is set to start manually and is stopped, the Setup Wizard starts the service and sets it to start automatically.

Software requirement: Windows Automated Installation Kit 1.1
Notes: If this software has not been installed previously, the Setup Wizard automatically installs it.

Software requirement: Windows Server Internet Information Services (IIS) 7.0
Notes: You must add the Web Server (IIS) role and then install the following server role services:
- IIS 6 Metabase Compatibility
- IIS 6 WMI Compatibility
- Static Content
- Default Document
- Directory Browsing
- HTTP Errors
- ASP.NET
- .NET Extensibility
- ISAPI Extensions
- ISAPI Filters
- Request Filtering
NOTE: If the default port (80) for the VMM Self-Service Portal is used by another Web site, you must either use a different dedicated port or specify a host header for the portal.

Software requirement: A supported version of Microsoft SQL Server
Notes: For more information about supported versions of SQL Server, see System Requirements: VMM Database.

6.3 Supported Operating Systems for Virtual Machine Manager Components


The following tables show the operating systems that are supported for Virtual Machine Manager (VMM) 2008 components and managed computers.

VMM Server and Windows-based Hosts:
Operating System All VMM Components on One Computer Yes VMM Server Yes Hyper-V Hosts Yes Virtual Server Hosts N/A

Windows Server 2008 Standard Edition with Hyper-V Windows Server 2008 Enterprise Edition with Hyper-V Windows Server 2008 Datacenter Edition with Hyper-V Windows Server 2008 Standard Edition (without Hyper-V) Windows Server 2008 Enterprise Edition

No

Yes

No

Yes

(without Hyper-V) Windows Server 2008 Datacenter Edition (without Hyper-V) Windows Server 2008 Standard x32 Edition (without Hyper-V) Windows Server 2008 Enterprise Edition (without Hyper-V) Windows Server 2008 Datacenter Edition (without Hyper-V) Windows Server 2008 Enterprise Edition with Server Core installation Windows Server 2008 Datacenter Edition with Server Core installation Windows Server 2008 Standard Edition SP2 Windows Server 2008 Enterprise Edition SP2 Windows Server 2008 Datacenter Edition SP2 Windows Server 2003 R2 with SP2 Windows Server 2003 Standard x64 Edition with Service Pack 2 Windows Server 2003 R2 x64 Edition with Service Pack 2

No

No

No

Yes

No

No

Yes

No

No

No

No

Yes

No No

No No

No No

Yes Yes

No

No

No

Yes

Other VMM Components and VMM Library Servers:


Operating System VMM Administrator Console Yes VMM SelfService Portal Yes VMM Library Server Yes

Windows Server 2003 Standard x64 Edition with Hyper-V Windows Server 2008 Standard Edition with Hyper-V Windows Server 2008 Enterprise Edition with Hyper-V Windows Server 2008 Datacenter Edition with Hyper-V Windows Server 2008 Standard x64 Edition (without Hyper-V) Windows Server 2008 Standard Edition (without Hyper-V) Windows Server 2008 Enterprise Edition (without Hyper-V) Windows Server 2008 Datacenter

Yes

Yes

Yes

Edition (without Hyper-V) Windows Server 2008 Standard Edition (without Hyper-V) Windows Server 2008 Enterprise Edition (without Hyper-V) Windows Server 2008 Datacenter Edition (without Hyper-V) Windows Server 2008 Standard Edition with Server Core installation Windows Server 2008 Enterprise Edition with Server Core installation Windows Server 2008 Datacenter Edition with Server Core installation Windows Web Server 2008 Windows Server 2003 Standard Edition SP2 Windows Server 2003 Enterprise Edition SP2 Windows Server 2003 Datacenter Edition SP2 Windows Server 2003 R2 with SP2 Windows Server 2003 x64 Edition with SP2 Windows Server 2003 R2 x64 Edition with SP2 Windows Vista with SP1 Windows XP Professional Edition SP2 Windows XP Professional Edition SP3 Windows XP Professional x64 Edition with SP2

Yes

Yes

Yes

No

No

Yes

No Yes

Yes Yes

No Yes

Yes Yes Yes Yes Yes

Yes Yes Yes No No

Yes Yes Yes No No

Yes

No

No

6.4 Supported SQL Server Versions


The Virtual Machine Manager database requires a supported version of Microsoft SQL Server. You can either specify a local or remote instance of an existing Microsoft SQL Server database or have the Setup Wizard install SQL Server 2005 Express Edition SP2 on the local computer. The Setup Wizard also installs SQL Server 2005 Tools and creates a SQL Server instance named MICROSOFT$VMM$ on the local computer.
Supported SQL Server versions | Supports Reporting in VMM
SQL Server 2008 Express Edition | No
SQL Server 2008 Standard Edition (32-bit version); SQL Server 2008 Standard Edition (64-bit version) | Yes
SQL Server 2008 Enterprise Edition (32-bit version); SQL Server 2008 Enterprise Edition (64-bit version) | Yes
SQL Server 2005 Express Edition SP2 | No
SQL Server 2005 Standard Edition SP2 (32-bit version); SQL Server 2005 Standard Edition SP2 (64-bit version) | Yes
SQL Server 2005 Enterprise Edition SP2 (32-bit version); SQL Server 2005 Enterprise Edition SP2 (64-bit version) | Yes

6.5 Network Requirements for Virtual Machine Manager


This section discusses network requirements and considerations for installing System Center Virtual Machine Manager 2008.

6.5.1 Network Connections


Because of the large size of virtual machine files, it is a best practice to connect all computers in a Virtual Machine Manager (VMM) configuration with at least a 100-MB Ethernet connection. Using a gigabit Ethernet connection and a more powerful processor for the VMM server than the recommended processor can further improve performance.

6.5.2 Domains
Before installing the Virtual Machine Manager (VMM) server, you must join the computer to a domain in Active Directory. All Windows Server-based virtual machine hosts must also be joined to Active Directory domains. A Windows Server-based host can be in a domain separate from the VMM server's domain, and that domain can either have a two-way trust with the VMM server's domain or not have one. For hosts in perimeter networks, you must install a VMM agent locally on that host, configure the firewalls as discussed later in this topic, and then add the host to VMM.

6.5.3 Firewalls
Virtual machine hosts and library servers must have access to the Virtual Machine Manager (VMM) server on the ports specified during VMM server setup. This means that all firewalls, whether software-based or hardware-based, must be configured appropriately.

6.5.4 Computer firewalls


When you install the Virtual Machine Manager (VMM) server, you specify which ports the VMM server uses for communication with the VMM Administrator Console, for communication with hosts and library servers, and for file transfers between hosts and library servers. By default, these ports are 8100, 80, and 443, respectively. If you install the VMM server on a computer that is using Windows Firewall, the Setup Wizard automatically adds firewall port exceptions to Windows Firewall. When you install the VMM Self-Service Portal, you specify which port the self-service users use to connect to the portal. By default, this port is 80. When you add a computer that is using Windows Firewall as a host or a library server, VMM automatically adds firewall port exceptions to Windows Firewall on that computer. VMM adds firewall exceptions for the ports that were specified during the VMM server and the VMM Self-Service Portal installation.

6.5.5 Virtual Machine Manager Ports and Protocols


When you install the System Center Virtual Machine Manager (VMM) server, you can assign some of the ports that it will use for communications and file transfers between the VMM components. While it is a security best practice to change the default ports, not all of the ports can be changed through VMM. The default settings for the ports are listed in the following table.
Connection type | Protocol | Default port | Where to change the port setting
VMM server to Windows host agent (control) | WinRM | 80 | During VMM setup, registry
VMM server to Windows host agent (data) | SMB | 445 | Registry
VMM server to remote Microsoft SQL Server database | TDS | 1433 | Registry
VMM server to P2V source agent | DCOM | 135 | Registry
VMM Administrator Console to VMM Server | WCF | 8100 | During VMM setup, registry
VMM Self-Service Portal Web Server to VMM Server | WCF | 8100 | During VMM setup
VMM Self-Service Portal to VMM Self-Service Web Server | HTTPS | 443 | During VMM setup
VMM library to hosts | BITS | 443 | During VMM setup, registry
VMM host-to-host file transfer | BITS | 443 | Registry
VMRC connection to Virtual Server host | VMRC | 5900 | VMM Administrator Console, registry
VMConnect (RDP) to Hyper-V hosts | RDP | 2179 | VMM Administrator Console, registry
Remote Desktop to virtual machines | RDP | 3389 | Registry
VMWare Web Service Communication | HTTPS | 443 | VMM Administrator Console, registry
SFTP file transfer from VMWare ESX Server 3.0 and 3.5 hosts | SFTP | 22 | Registry
SFTP file transfer from VMWare ESX Server 3i to hosts | HTTPS | 443 | Registry
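
Because Setup and VMM add the Windows Firewall exceptions automatically, it is worth confirming afterwards which rules actually cover the VMM ports and how widely they are scoped. The following is an added example, not part of the original guide or of VMM: it parses saved output of `netsh advfirewall firewall show rule name=all` and reports which of the default ports (8100, 80, 443) have no enabled inbound allow rule and which are open to any remote address. The function names and the sample rules are hypothetical, and the parser assumes the English field labels of that netsh output.

```python
import re

VMM_DEFAULT_PORTS = (8100, 80, 443)  # VMM server defaults given in section 6.5.4

def parse_rules(netsh_text):
    """Split `netsh advfirewall firewall show rule name=all` output into dicts."""
    rules = []
    for line in netsh_text.splitlines():
        m = re.match(r"^([^:]+):\s*(.*)$", line.strip())
        if not m:
            continue  # blank lines and the dashed separator carry no field
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":
            rules.append({})
        if rules:
            rules[-1][key] = value
    return rules

def port_matches(local_port, port):
    """True if a LocalPort value ('80', '80,443', '8000-8100', 'Any') covers port."""
    for part in local_port.split(","):
        lo, _, hi = part.strip().partition("-")
        if lo.lower() == "any":
            return True
        if lo.isdigit() and (hi or lo).isdigit() and int(lo) <= port <= int(hi or lo):
            return True
    return False

def audit(netsh_text, ports=VMM_DEFAULT_PORTS):
    """Map each port to (rule name, RemoteIP) of enabled inbound allow rules covering it."""
    report = {p: [] for p in ports}
    for r in parse_rules(netsh_text):
        live = (r.get("Enabled"), r.get("Direction"), r.get("Action")) == ("Yes", "In", "Allow")
        if live and r.get("Protocol") in ("TCP", "Any"):
            for p in ports:
                if port_matches(r.get("LocalPort", "Any"), p):
                    report[p].append((r["Rule Name"], r.get("RemoteIP", "Any")))
    return report

def findings(report):
    """Return (ports with no exception, ports whose exception admits any remote address)."""
    missing = sorted(p for p, hits in report.items() if not hits)
    unscoped = sorted(p for p, hits in report.items() if any(ip == "Any" for _, ip in hits))
    return missing, unscoped

# Constructed sample, trimmed to the fields the audit reads.
SAMPLE = """\
Rule Name:                            VMM console (constructed)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
RemoteIP:                             10.0.5.0/24
Protocol:                             TCP
LocalPort:                            8100
Action:                               Allow

Rule Name:                            Web (constructed)
Enabled:                              Yes
Direction:                            In
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            80,5985
Action:                               Allow
"""
```

Calling `findings(audit(SAMPLE))` returns `([443], [80])`: no exception covers port 443, and port 80 is reachable from any remote address. If the default ports were changed during setup, pass the chosen ports as the `ports` argument.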

6.6 Installation Walk-Through


This section contains walk-throughs for installing the Virtual Machine Manager Server and for installing the Administrator Console.

6.6.1 Installing the Virtual Machine Manager Server


1. From the VMM2008 splash screen, click VMM Server under the SETUP option to install Virtual Machine Manager (VMM) Server.

Note Enter the name of the SQL server if you plan to host the database on a separate server.

2. Select Create a new Library Share. Note: The MSSCVMMLibrary folder must be created beforehand.

Note If you plan to integrate with System Center Operations Manager and make use of the PRO feature, it is recommended that you use a domain account for the Virtual Machine Manager (VMM) Service Account.

3. If you have previously installed all the software prerequisites, you should receive a green check for each prerequisite you preinstalled. Otherwise, it will be installed by VMM at this point.

6.6.2 Installing the Administrator Console


1. From the VMM2008 splash screen, click on VMM Administrator Console under the SETUP option to install Virtual Machine Manager (VMM) Server.

2. If you previously changed the default port during the VMM Server installation, ensure that you provide Setup with the same port you used previously.

7 Summary
This document describes the prerequisites, tasks, and steps you need to get started with building a managed hosting environment using the Microsoft System Center product family. A sample scenario is presented in the document for illustration purposes. The information contained in this document is intended to help you get started with your own managed hosting solution.

8 References
