Prepared by Gang Pan, AcutePath, Inc.
Contributors: Mannan Mohammed, Sr. Architect; Mark Stevenson, Senior Consultant II
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred. © 2009 Microsoft Corporation. All rights reserved.
Active Directory, Hyper-V, Microsoft, Windows PowerShell, SharePoint, SQL Server, Windows, Windows NT, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents
1 Introduction .......... 6
2 Example: Managed Hosting Scenario .......... 8
2.1 Active Directory Server/Domain Controller .......... 8
2.1.1 Hyper-V Hosts Organizational Unit .......... 9
2.1.2 Customers Organizational Unit .......... 9
2.1.3 Customer Sub Organizational Unit .......... 10
2.2 System Center Configuration Manager 2007 R2 .......... 10
2.3 System Center Operations Manager 2007 SP1 .......... 10
2.4 System Center Data Protection Manager 2007 SP1 .......... 10
2.5 System Center Virtual Manager 2008 .......... 10
3 Getting Started with System Center Configuration Manager 2007 .......... 12
3.1 Supported Configurations .......... 12
3.2 Configuration Manager 2007 Site Server System Requirements .......... 13
3.2.2 Configuration Specifics .......... 15
3.3 Prerequisites for Installing Configuration Manager .......... 21
3.3.1 General Site Server Prerequisites .......... 21
3.3.2 Configuration Manager Primary Site Server Prerequisites .......... 22
3.3.3 Site Database Server Prerequisites .......... 22
3.3.4 SMS Provider Prerequisites .......... 23
3.3.5 Configuration Manager Secondary Site Server Prerequisites .......... 24
3.3.6 Configuration Manager Console Prerequisites .......... 24
4 Getting Started with System Center Operations Manager 2007 .......... 25
4.1 Supported Operating Systems .......... 25
4.1.1 Minimum Hardware Requirements .......... 26
4.1.2 Minimum Software Requirements .......... 26
4.1.3 Supported Software Requirements for Operations Manager 2007 .......... 26
4.1.4 Supported Firewall Scenarios .......... 27
    Operations Manager 2007 Firewall Scenarios .......... 28
    Minimum Network Connectivity Speeds .......... 30
    Supported Cluster Configurations .......... 31
    Supported, but Not Recommended, Cluster Configurations .......... 31
    Non-supported Cluster Configurations .......... 32
    Monitored Item Capacity .......... 33
4.2 System Requirements for Operations Manager 2007 .......... 33
4.2.1 Domain Functional Level .......... 35
4.2.2 Forest Functional Level .......... 35
4.2.3 DNS .......... 36
4.3 Security Considerations .......... 36
4.3.1 Trust Boundaries .......... 36
4.3.2 Certification Authority .......... 37
4.3.3 Accounts and Groups .......... 38
4.3.4 Agent and Agentless Monitoring .......... 42
4.3.5 Deploy an Operations Manager 2007 Management Group on a Single Computer Using the Setup Wizard .......... 44
5 Getting Started with System Center Data Protection Manager 2007 .......... 48
5.1 Security Requirements .......... 48
5.2 Network Requirements .......... 48
5.3 Hardware Requirements .......... 49
5.4 Software Requirements .......... 51
5.5 Install Software Prerequisites .......... 56
5.6 Steps to Install and Configure Data Protection Manager 2007 .......... 56
5.7 Post-Installation .......... 57
5.8 Manually configuring Hyper-V protection in Data Protection Manager .......... 57
5.9 Procedures for Enabling End User Recovery .......... 62
6 Getting Started with System Center Virtual Machine Manager 2008 .......... 64
6.1 Hardware Requirements .......... 64
6.2 Software Requirements .......... 64
6.3 Supported Operating Systems for Virtual Machine Manager Components .......... 65
6.4 Supported SQL Server Versions .......... 67
6.5 Network Requirements for Virtual Machine Manager .......... 68
6.5.1 Network Connections .......... 68
6.5.2 Domains .......... 68
6.5.3 Firewalls .......... 68
6.5.4 Computer firewalls .......... 68
6.5.5 Virtual Machine Manager Ports and Protocols .......... 69
6.6 Installation Walk-Through .......... 70
6.6.1 Installing the Virtual Machine Manager Server .......... 70
6.6.2 Installing the Administrator Console .......... 77
7
8
1 Introduction
This document provides guidance on how a hosting provider can create a managed hosting offer by leveraging different technologies offered by Microsoft. There is no single definition for Managed Hosting, but in general, Managed Hosting refers to a Dedicated Server or Virtual Dedicated Server hosting plan with a set of management services, including but not limited to:
1. Server and network monitoring
2. Operating system/application updates
3. Software and hardware inventory management
4. Highly available infrastructure using failover/load balancing
5. Backups and restoration
6. Firewalls and other network security services
7. Virus and spam protection
In this paper, we will discuss ways a hosting provider can leverage the technologies available in the Microsoft System Center family of products. System Center is designed to help capture and aggregate knowledge about your infrastructure, policies, processes, and best practices, empowering you to build manageable systems and automate operations in order to reduce costs, improve availability, and enhance service delivery. System Center consists of four core products:

System Center Configuration Manager: System Center Configuration Manager comprehensively assesses, deploys, and updates servers, client computers, and devices across physical, virtual, distributed, and mobile environments. Optimized for Microsoft Windows and extensible, it is the best choice for gaining enhanced insight into, and control over, IT systems.

System Center Operations Manager: System Center Operations Manager is the end-to-end service-management product that is the best choice for Windows because it works seamlessly with Microsoft software and applications, helping organizations increase efficiency while enabling greater control of the IT environment.

System Center Data Protection Manager: System Center Data Protection Manager is the standard for Windows backup and recovery, delivering continuous data protection for Microsoft application and file servers using seamlessly integrated disk and tape media. Data Protection Manager enables rapid and reliable recovery through advanced technology for organizations of all sizes.

System Center Virtual Machine Manager: Virtual Machine Manager enables customers to configure and deploy new virtual machines and centrally manage physical and virtual infrastructure from one console. New to this version of Virtual Machine Manager are multi-vendor virtualization platform support, Performance and Resource Optimization, and enhanced support of "high-availability" host clusters, among other new features.
We will describe the prerequisites for building out a managed solution later in this document. First, we'll explore a sample Managed Hosting Scenario.
The example scenario presented earlier in the document illustrates a simple deployment model for the System Center product family in a small environment. Please note that this configuration did not consider failover and scalability. Instead, it provided a simple configuration model to get you started quickly. In this scenario, you will still need to analyze the requirements for your environment, conduct proper planning and design, and carry out deployment and configuration in your production environment.
3.1.1.1 Client and Server Components
System Center Configuration Manager 2007 has a client component (agent) and a server component. The client agent is installed on the desktops or servers that must be managed.
3.1.1.2 Client Hardware Requirements
The following table lists the minimum and recommended hardware requirements for Configuration Manager 2007 SP1 computer clients.

Processor: The minimum requirement is a 233 MHz processor. We recommend at least a 300 MHz Intel Pentium/Celeron (or comparable) processor.
RAM: The minimum requirement is 128 megabytes (MB) of RAM, or 384 MB of RAM if using operating system deployment. We recommend at least 256 MB of RAM.
Disk space: The minimum requirement is 350 MB of disk space for a new installation, or 265 MB of disk space to upgrade an existing client. NOTE: By default, the temporary program download folder on clients is preconfigured at client installation to automatically increase to 5 gigabytes (GB) of disk space if necessary, assuming 5 GB of disk space or more is available.
3.1.1.3 Supported Client Platforms
A supported Configuration Manager 2007 client installation requires at least Windows 2000 Professional SP4. All common configurations are supported on x86 and x64 platforms. However, there are some exceptions for computers leveraging the Itanium architecture.
3.2.1.1 Site System Hardware Requirements
The following table lists the minimum and recommended hardware requirements for Configuration Manager 2007 site systems.

Processor: The minimum requirement is a 733 MHz Pentium III. A 2.0 GHz (or faster) processor is recommended.
RAM: The minimum requirement is 256 MB of RAM. At least 1024 MB of RAM is recommended.
Disk space: The minimum requirement is 5 GB of disk space. At least 15 GB of free disk space is recommended if using operating system deployment.
3.2.1.2 Supported Site System Platforms
The following roles are available in System Center Configuration Manager:
- Primary Site Server
- Secondary Site Server
- Management Point
- Standard Distribution Point
- Branch Distribution Point
- Server Locator Point
- Site Database Server
- Fallback Status Point
- Configuration Manager Console (see the note below)
- SMS Provider Computer

Each role has different operating system requirements. We recommend using Windows Server 2008 Enterprise Edition or Windows Server 2008 Datacenter Edition, in either a 64-bit or 32-bit environment, for setting up all the different roles in Configuration Manager. To simplify your environment, we recommend having a single server support all roles. Site system roles are not supported on a Server Core installation of Windows Server 2008. For more information about configuration requirements for hosting site system roles on Windows Server 2008, see How to Configure Windows Server 2008 for Site Systems.

Note: It is not supported to install the Configuration Manager 2007 console on computers running any site system role except for the primary site server role.
Note It is supported to host the site database on both 32-bit and 64-bit versions of SQL Server 2005 (SP2 or later), SQL Server 2008 Standard Edition, or SQL Server 2008 Enterprise Edition. However, installing the site database on Itanium 64-bit platforms is not supported.
Upgrading the operating system on the site server from Windows Server 2003 to Windows Server 2008 is not supported. If you wish to run a Configuration Manager 2007 SP1 site on a Windows Server 2008 operating system, you must use a new installation of Configuration Manager 2007 (complete release).
3.2.1.3 Feature-Specific Site System Roles
System Center Configuration Manager supports the following site system roles:
- State Migration Point
- Reporting Point
- System Health Validator Point
- PXE Service Point
- Out of Band Service Point
- Asset Intelligence Synchronization Point
Network Access Protection is fully supported in Configuration Manager 2007 SP1. Network Access Protection in Configuration Manager 2007 requires a System Health Validator Point running on Windows Server 2008. The out of band service point role was added for Configuration Manager 2007 SP1. For more information, see Out of Band Management in Configuration Manager 2007 SP1. The Asset Intelligence synchronization point has been added for Configuration Manager 2007 SP1. For more information, see Asset Intelligence in Configuration Manager.
- Graphs may be added to reports if Office Web Components is installed. This feature is available on 32-bit operating systems only (e.g., Microsoft Office 2000 SP2, Microsoft Office XP, or Microsoft Office 2003).
- Out of band service points are not supported on Windows Server 2003 SP1 computers.
- Out of band service points running Windows Server 2003 SP2 require KB 942841.
3.2.2.1 Active Directory Schema Extensions Configuration Manager Active Directory schema extensions provide many benefits for Configuration Manager sites but they are not required. If you have extended your Active Directory schema for Systems Management Server (SMS) 2003, you should update your schema extensions for Configuration Manager 2007. Updating the Active Directory schema for Configuration Manager 2007 can be performed before or after upgrading to Configuration Manager and will not interfere with existing SMS 2003 site or client functionality. If you have already extended your schema for Configuration Manager 2007, no additional schema extensions are required. For more information about extending the Active Directory schema for Configuration Manager 2007 see How to Extend the Active Directory Schema for Configuration Manager.
3.2.2.2 Site Server Operating System Upgrade Configurations
Starting with Configuration Manager 2007 SP1, Windows Server 2008 is a supported operating system to host the Configuration Manager site server role. Performing an in-place upgrade of Windows Server 2003 to Windows Server 2008 on a computer with a Configuration Manager 2007 site installed is not supported. Therefore, you must either perform a new installation of Configuration Manager 2007 SP1 on Windows Server 2008, or restore a Configuration Manager 2007 SP1 site backup (created by the Configuration Manager 2007 site backup maintenance task) to a new Configuration Manager 2007 SP1 installation on a computer running Windows Server 2008, using installation settings identical to those of the previous site installation.
3.2.2.3 SQL Server Site Database Configurations
When installing Configuration Manager 2007 SP1, the site database can be installed on either the default instance or a named instance of a supported SQL Server version installation. The instance used to host the site database can also be configured as a SQL Server failover cluster instance in an active/passive cluster configuration.

Performing an in-place upgrade of the SQL Server 2005 SP2 instance hosting the Configuration Manager 2007 site database to SQL Server 2008 is supported. For more information about changing site server software, see How to Change Site Server Software. Moving the site database to a new SQL Server 2008 instance is also supported. For information about moving the site database, see How to Move the Site Database.
Important When using SQL Server 2008 to host the site database for Configuration Manager 2007 SP1 sites, the following update must be applied to the site server computer, Systems Management Server (SMS) Provider computer, and any computers hosting a remote Configuration Manager 2007 SP1 Configuration Manager console: Microsoft article ID 955262.
In Systems Management Server (SMS) 2003, the mppublish.vbs script, supplied with the SMS 2003 installation files, was used to configure Microsoft SQL Server site database replication between the site database server and the SQL Server site database replicas used to support management points and server locator points. Because Configuration Manager 2007 introduces new site database views and functions that are not replicated by the mppublish.vbs script, that script is not supported for configuring SQL Server site database replication in Configuration Manager 2007 sites. For information about how to configure replication to support management points and server locator points, see How to Configure SQL Server Site Database Replication.
3.2.2.4 Support for Windows Server Clustering Installing the site database server site system role on a Windows server failover cluster instance is supported. Installing Configuration Manager 2007 SP1 site servers or any other site system server role on a Windows Server cluster instance is not supported.
Note Physical node computers of a Windows server cluster instance can be managed as Configuration Manager 2007 SP1 clients.
3.2.2.5 Multi-Site Clients
Configuration Manager 2007 SP1 clients can be assigned to, and report to, only one site. When auto assignment is used to assign clients to a site during client installation and more than one site has the same boundary configured, the actual site assignment of a client cannot be predicted. If boundaries overlap across multiple Configuration Manager 2007, Configuration Manager 2007 SP1, and Systems Management Server 2003 site hierarchies, clients might not get assigned to the correct site hierarchy, or might not get assigned to a site at all.
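Because auto assignment becomes unpredictable as soon as two sites claim the same address space, a hosting provider running more than one site (for example one per customer tier) should check the boundary set for overlaps before relying on auto assignment. The PowerShell below is an added example and is not part of this white paper: it normalizes IP subnet and IP range boundaries to numeric address intervals and reports every pair from different sites that intersect, which is the general interval-intersection check rather than the single case the text describes. The boundary list and site codes are constructed sample data; Active Directory site boundaries are skipped because they have no address interval, and reading live boundaries from the SMS Provider is left out.

```powershell
# Added example, not from the white paper: find IP boundaries that overlap across sites.
# The boundaries and site codes below are constructed for illustration.

function ConvertTo-AddressNumber {
    param([string]$Address)
    # Dotted-quad IPv4 address to an unsigned number (64-bit so 255.255.255.255 cannot overflow).
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Only IPv4 boundaries are handled here: $Address" }
    [uint64]$number = 0
    foreach ($b in $bytes) { $number = $number * [uint64]256 + [uint64]$b }
    return $number
}

function Get-BoundaryInterval {
    param($Boundary)
    # Returns the [Start, End] address interval of an IPSubnet or IPRange boundary,
    # or $null for types (such as ADSite) that cannot be compared numerically.
    switch ($Boundary.Type) {
        'IPSubnet' {
            $network, $prefix = $Boundary.Value -split '/'
            $size  = [uint64][Math]::Pow(2, 32 - [int]$prefix)
            $start = ConvertTo-AddressNumber $network
            $start = $start - ($start % $size)          # mask host bits: "10.1.5.0/16" is still the whole /16
            return @{ Start = $start; End = [uint64]($start + $size - 1) }
        }
        'IPRange' {
            $low, $high = $Boundary.Value -split '-'
            return @{ Start = (ConvertTo-AddressNumber $low.Trim()); End = (ConvertTo-AddressNumber $high.Trim()) }
        }
        default { return $null }
    }
}

function Find-OverlappingBoundaries {
    param([object[]]$Boundaries)
    # Two intervals intersect when each one starts no later than the other ends.
    # Only pairs that belong to different sites matter for site assignment.
    $intervals = @()
    foreach ($b in $Boundaries) {
        $iv = Get-BoundaryInterval $b
        if ($iv) {
            $intervals += New-Object PSObject -Property @{ Site = $b.Site; Value = $b.Value; Start = $iv.Start; End = $iv.End }
        }
    }
    $overlaps = @()
    for ($i = 0; $i -lt $intervals.Count; $i++) {
        for ($j = $i + 1; $j -lt $intervals.Count; $j++) {
            $a = $intervals[$i]; $c = $intervals[$j]
            if ($a.Site -ne $c.Site -and $a.Start -le $c.End -and $c.Start -le $a.End) {
                $overlaps += "Site $($a.Site) boundary '$($a.Value)' overlaps site $($c.Site) boundary '$($c.Value)'"
            }
        }
    }
    return $overlaps
}

# Constructed sample: two sites with assumed site codes HS1 and HS2.
$sampleBoundaries = @(
    @{ Site = 'HS1'; Type = 'IPSubnet'; Value = '10.1.0.0/16' },
    @{ Site = 'HS2'; Type = 'IPRange';  Value = '10.1.50.1-10.1.50.254' },   # lies inside HS1's /16
    @{ Site = 'HS2'; Type = 'IPSubnet'; Value = '10.2.0.0/24' },
    @{ Site = 'HS1'; Type = 'ADSite';   Value = 'Default-First-Site-Name' }   # skipped: no address interval
)

Find-OverlappingBoundaries $sampleBoundaries | ForEach-Object { Write-Warning $_ }
```

With the sample data the script warns once, for the HS2 range that sits inside the HS1 /16; any such warning means clients in that range may be assigned to either site. Boundaries that belong to the same site are ignored on purpose, since duplicates within one site do not affect assignment.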
3.2.2.6 Support for Specialized Storage Technology This section describes storage technologies that are supported, or not supported, in Configuration Manager 2007 SP1.
3.2.2.7 Storage Area Network Support
Using a Storage Area Network (SAN) is supported as long as a supported Windows server is attached directly to the volume hosted by the SAN. Configuration Manager 2007 SP1 is designed to work with any hardware that is certified on the Windows Hardware Compatibility List for the version of the operating system on which the Configuration Manager component is installed. Configuration Manager 2007 SP1 site server roles require NTFS file systems so that directory and file permissions can be set. Because Configuration Manager 2007 SP1 assumes it has complete ownership of a logical drive when it uses naming conventions, site systems running on separate computers cannot share a logical partition on any storage technology. However, they could each use their own logical partition on a physical partition of a shared storage device. For more information regarding the use of SANs, see:
- Knowledge Base article 260176: Provides more information about SANs.
- Knowledge Base article 264135: Describes how a SAN differs from other storage technologies.
- Knowledge Base article 307813: Provides more information about Systems Management Server and SANs.
3.2.2.8 Single Instance Storage Support
Configuring distribution point package and signature folders on a Single Instance Storage (SIS)-enabled volume is not supported. It is also not supported to configure a Configuration Manager 2007 SP1 client's cache on a SIS-enabled volume.
Note SIS is a feature of the Windows Storage Server 2003 R2 operating system.
3.2.2.9 Removable Disk Drive Support Installation of a Configuration Manager 2007 SP1 site system or client components on a removable disk drive is not supported.
3.2.2.10 Computers in Workgroups
All site systems must be members of an Active Directory domain. This requirement includes site systems that support Internet-based client management in a perimeter network.
Note Changing the domain membership or computer name of a Configuration Manager 2007 SP1 site system after it is installed is not supported.
Configuration Manager 2007 SP1 provides support for clients in workgroups. Moving a client from a workgroup to a domain, or from a domain to a workgroup, is also supported. The following requirements must be met to support workgroup clients:
- The logged-on user must possess local administrator rights on the workgroup system during client installation. The only account that Configuration Manager 2007 SP1 can use to perform activities that require local administrator privileges is the account of the user that is logged on to the computer.
- The Configuration Manager client must be installed from a local source on each client machine. This requirement ensures that a local source for repair and client update application will be available for the client.
- Workgroup clients must be able to locate a server locator point for site assignment, as they cannot query Active Directory Domain Services. The server locator point can be published manually in Windows Internet Naming Service (WINS), or it can be specified in the CCMSetup.exe installation command-line parameters.
- Workgroup clients must use the Network Access Account to access package source files on distribution points. If a Network Access Account is not configured, clients cannot access content on the distribution point. For more information, see Example Package Access Scenarios.
Although workgroup computers can be Configuration Manager 2007 SP1 clients, there are inherent limitations in supporting workgroup computers, including:
- Workgroup clients cannot reference Configuration Manager 2007 SP1 objects published to Active Directory Domain Services. For workgroup clients to locate their default management point computer, it must be registered and accessible to workgroup clients in either WINS or DNS. For more information, see Configuration Manager and Service Location (Site Information and Management Points).
- Workgroup clients must use the trusted root key to establish trust with a management point. For more information, see About the Trusted Root Key.
- Active Directory system, user, or user group discovery is not possible.
- User-targeted advertisements are not possible.
- The client push installation method is not supported for workgroup client installation. For more information about installing the Configuration Manager client on workgroup computers, see How to Install Configuration Manager Clients on Workgroup Computers.
- Global roaming is not possible. For more information about client roaming capabilities and behavior, see About Client Roaming in Configuration Manager.
- Using a workgroup client as a branch distribution point is not supported. Configuration Manager 2007 SP1 requires that all site systems, including branch distribution point computers, are members of an Active Directory domain.
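The workgroup requirements above (local administrator, local source, a reachable server locator point, and the trusted root key) translate into a short installation script. The PowerShell below is an added example, not code from this white paper or from Microsoft: it checks each requirement, runs CCMSetup.exe with the server locator point and the trusted root key on the command line, and then polls the client for its site assignment. The site code, server locator point name, source path and key value are assumptions; the root key is expected to be copied from the SMSPublicRootKey= line of mobileclient.tcf on the site server (assumed location), and the root\ccm SMS_Authority class used for verification is likewise assumed.

```powershell
# Added example, not from the white paper: install the Configuration Manager 2007 SP1 client on a
# workgroup computer from a local source, naming a server locator point (SLP) and pre-provisioning
# the site's trusted root key. Site code, SLP name, source path and key are assumptions.
param(
    [string]$SiteCode  = 'HS1',                    # assumed site code
    [string]$SlpServer = 'slp01.hosting.example',  # assumed SLP; must resolve through DNS or WINS from this client
    [string]$SourceDir = 'C:\ccmsetup',            # local copy of the client source (workgroup clients install locally)
    [string]$RootKey   = ''                        # SMSPublicRootKey= value from mobileclient.tcf on the site server (assumed)
)

function Test-LocalAdministrator {
    # Workgroup installs can only run as the logged-on user, so that user must be a local administrator.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-Prerequisites {
    if (-not (Test-LocalAdministrator)) { throw 'The logged-on user must be a local administrator.' }
    if ((Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain) {
        Write-Warning 'This computer is domain-joined; the workgroup-specific parameters are not needed.'
    }
    if (-not (Test-Path (Join-Path $SourceDir 'ccmsetup.exe'))) {
        throw "ccmsetup.exe not found in $SourceDir; copy the client source locally first."
    }
    if ([string]::IsNullOrEmpty($RootKey)) { throw 'Supply the trusted root key so the client can verify its management point.' }
    try   { [void][System.Net.Dns]::GetHostAddresses($SlpServer) }
    catch { throw "Cannot resolve server locator point $SlpServer; register it in DNS or WINS." }
}

function Install-WorkgroupClient {
    Test-Prerequisites
    # /source: forces installation from the local copy; SMSSLP= names the SLP because the client
    # cannot query Active Directory; SMSPUBLICROOTKEY= supplies the trusted root key.
    $arguments = @(
        "/source:`"$SourceDir`"",
        "SMSSITECODE=$SiteCode",
        "SMSSLP=$SlpServer",
        "SMSPUBLICROOTKEY=$RootKey"
    )
    $proc = Start-Process -FilePath (Join-Path $SourceDir 'ccmsetup.exe') -ArgumentList $arguments -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "ccmsetup.exe exited with code $($proc.ExitCode); see %windir%\ccmsetup\ccmsetup.log."
    }
}

function Wait-ClientAssignment {
    param([int]$TimeoutMinutes = 30)
    # ccmsetup.exe hands the install to its service, so poll until the client reports a site.
    # SMS_Authority in root\ccm (Name = "SMS:<site code>") is assumed to carry the assignment.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $authority = Get-WmiObject -Namespace 'root\ccm' -Class SMS_Authority -ErrorAction SilentlyContinue
        if ($authority -and $authority.Name -eq "SMS:$SiteCode") {
            return "Assigned to $($authority.Name) via management point $($authority.CurrentManagementPoint)"
        }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Client did not report assignment to $SiteCode within $TimeoutMinutes minutes; check ClientLocation.log and LocationServices.log."
}

Install-WorkgroupClient
Wait-ClientAssignment
```

The script does not touch the Network Access Account, because that is a site-side setting (under the site's Computer Client Agent properties) rather than a client-side parameter; without it the client will assign correctly but still fail to download package content from distribution points, which is the symptom to look for in the client's content-access logs.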
3.2.2.11 Remote Assistance Console Sessions
Console sessions controlled by Remote Assistance are supported, except for simultaneous use of Configuration Manager Remote Tools. Invoking Remote Assistance from the Configuration Manager console requires that the Configuration Manager console computer and the client computer are running one of the following operating systems:
- Windows XP SP2
- Windows XP SP3
- Windows Server 2003 SP1
- Windows Server 2003 SP2
- Windows Vista (supported editions only; see section 3.1.1.3 Supported Client Platforms on p. 12 for more information)
- Windows Vista SP1
- Windows Server 2008
3.2.2.12 Fast User Switching
Fast User Switching, which is available in Windows XP editions not joined to a domain and in Windows Vista editions, is not supported in Configuration Manager 2007 SP1.
3.2.2.13 Dual Boot Computers
Configuration Manager 2007 SP1 cannot manage more than one operating system on a single computer. If there is more than one operating system on a computer that must be managed, tailor the discovery and installation methods used to ensure that the Configuration Manager client is installed only on the operating system that needs to be managed.
3.2.2.14 Supported Virtualization Environments
Configuration Manager 2007 SP1 supports client installation and all site server roles in the following virtualization environments:
- Microsoft Virtual Server 2005 R2
- Microsoft Virtual Server 2005 R2 SP1
- Windows Server 2008 with Hyper-V
- Microsoft Hyper-V Server 2008
- Server Virtualization Validation Program (SVVP)

Configuration Manager 2007 SP1 cannot manage Virtual PC or Virtual Server guest operating systems unless they are running. An offline Virtual PC image cannot be updated, nor can its inventory be collected, by using the Configuration Manager client on the host computer. No special consideration is given to virtual machines. For example, if a virtual machine is stopped and restarted without saving the state in which an update was applied, that update is lost, and Configuration Manager 2007 SP1 might not determine that it needs to be re-applied.
Internet Information Services (IIS) 6.0 or later is required if the system will perform any of the following site system roles:
- Background Intelligent Transfer Service (BITS)-enabled distribution point. This role requires BITS server extensions and Web Distributed Authoring and Versioning (WebDAV) extensions. IIS is not required if the distribution point will not be BITS-enabled.
  Important: The WebDAV component is not included in the Windows Server 2008 operating system. You must download, install, and configure WebDAV manually on BITS-enabled distribution points running Windows Server 2008. For more information, see How to Configure Windows Server 2008 for Site Systems.
- Management point. This role requires BITS server IIS extensions and WebDAV IIS extensions.
  Important: The WebDAV component is not included in the Windows Server 2008 operating system. You must download, install, and configure WebDAV manually on management points running Windows Server 2008.
- Reporting point.
  Note: When you install ASP and ASP.NET on a Windows Server 2008 reporting point, you must also manually enable Windows Authentication.
- Software update point.
- Server locator point.

Additional requirements:
- All Configuration Manager distribution point systems using BITS bandwidth throttling require BITS 2.0 or later.
- Management points and server locator points configured to be part of a Network Load Balancing cluster are supported.
- All site servers require Internet Explorer 5.0 or later.
- Windows Server 2008 is the only supported operating system for hosting the System Health Validator point site system role.
- Site servers and branch distribution points require Remote Differential Compression to generate package signatures and perform signature comparison.
  Important: Remote Differential Compression is not installed by default on computers running Windows Server 2008. For more information, see How to Configure Windows Server 2008 for Site Systems.
If applicable, the following update should also be applied to the system before running Setup: MS06-030: Vulnerability in Server Message Block could allow elevation of privilege.
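On Windows Server 2008 several of the items above (BITS server extensions, Remote Differential Compression, Windows Authentication for the reporting point, and the separately downloaded WebDAV extension) are not present by default, and the SQL Server 2008 support update in article 955262 from the site database section is easy to forget. The PowerShell below is an added example, not code from this white paper or from Microsoft: it parses ServerManagerCmd.exe -query output to find installed role services, maps each planned site system role to the features the prerequisites list requires, and adds checks for the WebDAV IIS module and the 955262 update. The feature identifiers are assumed to be the Windows Server 2008 ServerManagerCmd names, the WebDAV module name (WebDAVModule) is assumed, and the sample query output is constructed so the parser can be exercised without a server.

```powershell
# Added example, not from the white paper: check Windows Server 2008 site system prerequisites.
# Feature identifiers and the WebDAV module name are assumptions; $SampleQueryOutput is constructed.

function Get-InstalledFeatureIds {
    param([string[]]$QueryOutput)
    # ServerManagerCmd -query prints one role/feature per line, for example
    # "[X] Web Server (IIS)  [Web-Server]"; [X] means installed, [ ] means available but absent.
    $installed = @{}
    foreach ($line in $QueryOutput) {
        if ($line -match '^\s*\[(X| )\]\s+.+?\s+\[([^\]]+)\]\s*$' -and $matches[1] -eq 'X') {
            $installed[$matches[2]] = $true
        }
    }
    return $installed
}

function Get-MissingFeatures {
    param([hashtable]$Installed, [string[]]$Roles)
    # Features each role needs per the prerequisites list. WebDAV is not a Windows Server 2008
    # feature, so it is checked separately by Test-WebDavModule.
    $needs = @{
        'BitsDistributionPoint'   = @('Web-Server', 'BITS-IIS-Ext')
        'ManagementPoint'         = @('Web-Server', 'BITS-IIS-Ext')
        'ReportingPoint'          = @('Web-Server', 'Web-ASP', 'Web-Asp-Net', 'Web-Windows-Auth')
        'SiteServer'              = @('RDC')
        'BranchDistributionPoint' = @('RDC')
    }
    $missing = @()
    foreach ($role in $Roles) {
        if (-not $needs.ContainsKey($role)) { throw "Unknown role: $role" }
        foreach ($feature in $needs[$role]) {
            if (-not $Installed.ContainsKey($feature)) { $missing += "$role requires $feature" }
        }
    }
    return $missing
}

function Test-WebDavModule {
    # The IIS 7 WebDAV extension is a separate download; once installed it registers an IIS module
    # (assumed name WebDAVModule) that appcmd.exe lists among the global modules.
    $appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
    if (-not (Test-Path $appcmd)) { return $false }
    return [bool](& $appcmd list modules | Where-Object { $_ -match 'WebDAVModule' })
}

function Test-HotfixInstalled {
    param([string]$KB)
    # Win32_QuickFixEngineering reports installed updates with HotFixID = "KB<number>".
    $fix = Get-WmiObject -Class Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq "KB$KB" }
    return [bool]$fix
}

# Constructed sample: IIS installed, BITS server extensions and RDC available but not installed.
$SampleQueryOutput = @(
    '----- ROLES -----',
    '[X] Web Server (IIS)  [Web-Server]',
    '    [ ] BITS Server Extensions  [BITS-IIS-Ext]',
    '----- FEATURES -----',
    '[ ] Remote Differential Compression  [RDC]'
)
Get-MissingFeatures (Get-InstalledFeatureIds $SampleQueryOutput) @('ManagementPoint', 'SiteServer')

# On a live Windows Server 2008 site system, feed the real query output and run the other checks:
#   $installed = Get-InstalledFeatureIds (& ServerManagerCmd.exe -query)
#   Get-MissingFeatures $installed @('ManagementPoint', 'BitsDistributionPoint')
#   if (-not (Test-WebDavModule))           { Write-Warning 'WebDAV extension is not registered in IIS.' }
#   if (-not (Test-HotfixInstalled 955262)) { Write-Warning 'Update 955262 is missing (needed when SQL Server 2008 hosts the site database).' }
```

With the constructed sample the script reports two gaps, the BITS server extensions for the management point and Remote Differential Compression for the site server, which is exactly the pair that a default Windows Server 2008 installation lacks. The role-to-feature table is deliberately explicit so that adding a role (or a feature the page does not list) is a one-line change rather than a new code path.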
The site database can be installed on the same server as the primary site, on a remote computer, or on a virtual SQL Server cluster instance. The following conditions apply:
- SQL Server 2005 SP2 is the only version of SQL Server supported for hosting the Configuration Manager 2007 site database. (Configuration Manager 2007 SP1 sites can additionally use SQL Server 2008; see section 3.2.2.3 SQL Server Site Database Configurations and the update in article 955262.)
- SQL Server 2005 Express is not a supported SQL Server 2005 version for hosting the Configuration Manager 2007 site database.
- The SQL database service is the only SQL Server component required to be installed to host the site database.
Important The SMS Provider must be installed on a computer with the same operating system language as the site server's operating system language when a site contains site servers or clients with different language operating systems installed.
The SMS Provider cannot be installed on a virtual SQL Server cluster computer or a physical computer hosting a virtual SQL Server cluster node. The SMS Provider cannot be installed on a computer already hosting the SMS Provider for another site.
If applicable, the following updates should also be applied to the system before installing the SMS Provider: MS06-030: Vulnerability in Server Message Block could allow elevation of privilege; Availability of Windows Server 2003 Post-Service Pack 1 COM+ 1.5 Hotfix Rollup Package 6.
Each of these components can be installed on:
Windows Server 2003 SP1
Windows Server 2003 SP2
Windows Server 2003 R2
Windows Server 2003 Standard Edition on an x86 microprocessor
Windows Server 2003 Standard Edition on an x64 microprocessor
Windows Server 2003 Enterprise Edition on an x86 microprocessor
Windows Server 2003 Enterprise Edition on an x64 microprocessor
Windows Server 2003 Datacenter Edition on an x86 microprocessor
Windows Server 2003 Datacenter Edition on an x64 microprocessor
Windows Server 2008 Standard Edition on an x86 microprocessor
Windows Server 2008 Standard Edition on an x64 microprocessor
Windows Server 2008 Enterprise Edition on an x86 microprocessor
Windows Server 2008 Enterprise Edition on an x64 microprocessor
Windows Server 2008 Datacenter Edition on an x86 microprocessor
Windows Server 2008 Datacenter Edition on an x64 microprocessor
Prerequisites by component (table; the component headings for the first two groups were lost in extraction):
.NET Framework 3.0; SQL Server 2005 Reporting Services SP1 or SQL Server 2005 Reporting Services SP2; .NET Framework 2.0; Microsoft Core XML Services 6.0
One of the following: SQL Server 2005 Standard SP1; SQL Server 2005 Standard SP2; SQL Server Enterprise Edition SP1
Reporting data warehouse
Required: one of the following: SQL Server 2005 Standard SP1; SQL Server 2005 Standard SP2; SQL Server Enterprise Edition SP1; SQL Server Enterprise Edition SP2
Operations console
Optional: Microsoft Windows PowerShell (required for the Operations Manager 2007 Command Shell); Microsoft Office Word 2003 with .NET Programmability; Microsoft Visual Studio 2005 Tools for Office (required to create or edit Management Pack knowledge data)
Further cells whose component heading was lost: .NET Framework 2.0; .NET Framework 3.0; Internet Information Services (an optional component of Windows Server 2003); ASP.NET (an optional component of Windows Server 2003); Microsoft Core XML Services 6.0 (requires Windows Installer 3.1)
Required: .NET Framework 2.0; .NET Framework 3.0; .NET Framework 3.5 SP1
Optional: Microsoft Windows PowerShell (required for the Operations Manager 2007 Command Shell); Microsoft Office Word 2003 with .NET Programmability; Microsoft Visual Studio 2005 Tools for Office (required to create or edit Management Pack knowledge data)
Note Operations Manager 2007 does not support a 32-bit Operations Manager Operations database, Reporting Server data warehouse, or Audit Collection database on a 64-bit operating system.
Port requirements between Operations Manager 2007 components (table; the column alignment was lost in extraction). Rows that can be recovered from the page's own order, written as source -> port -> destination (configurable?):
Operations console -> 5724 -> Root management server (No)
Connector framework source -> 51905 -> Root management server (No)
Web console server -> 5724 -> Root management server (No)
Web console browser -> 51908 -> Web console server (see the note on port 51908 below)
Connected root management server (Local) -> 5724 -> Connected root management server (Connected) (No)
Agent installed using MOMAgent.msi -> 5723 -> Root management server, Management server, or Gateway server (Yes, at Setup)
Operations console -> 80 -> SQL Reporting Services (No)
Remaining table entries that could not be assigned to a row: port 1433 (five occurrences, with "Yes (Setup)" or "Yes" as the configurable value) between the root management server, management server, reporting server and reporting data warehouse; Gateway server -> 5723 -> Management server; Agent (Audit Collection Services forwarder) -> Audit Collection Services collector; Agentless Exception Monitoring data from client -> Management server Agentless Exception Monitoring file share; Customer Experience Improvement Program data from client -> Management server (Customer Experience Improvement Program End Point), these last three using ports 51906 and 51907 (the exact assignment was not recovered).
Notes from the table:
Port 5724 must be open to install this component and can be closed once this component has been installed.
Port 51908 is the default port used when selecting Windows Authentication. If you select Forms Authentication, you will need to install an SSL certificate and configure an available port for https functionality for the Operations Manager 2007 Web Console Web site.
The Operations console uses Port 80 to connect to the SQL Reporting Services Web site.
In the preceding table, if SQL Server 2005 is installed using a default instance, the port number is 1433. If SQL Server is installed with a named instance, it is most likely using a dynamic port. To identify the port:
1. Run SQL Server Configuration Manager.
2. Open SQL Server Network Configuration.
3. Open Protocols for INSTANCE1 (or the instance running under it).
4. Open TCP/IP.
5. Click IP Addresses.
6. The port is under IPAll (usually the TCP Dynamic Ports).
Minimum network connectivity speeds (table; the source-side column was not recovered, and values are paired with components by page order):
Agentless: 1024 Kbps
Database: 256 Kbps
Reporting server: 256 Kbps
Gateway server: 64 Kbps
Connected management group (tiering): 1024 Kbps
Web console: 128 Kbps
Reporting server: 1024 Kbps
Reporting server: 768 Kbps
Audit database: 768 Kbps
Supported SQL Server cluster configurations for the Operations Manager databases (table; the cells could not be realigned). Database combinations listed: Operations Manager Operations database, Reporting data warehouse, and audit collection database; Operations Manager Operations database and audit collection database; Operations Manager Operations database and Reporting data warehouse; Reporting data warehouse and audit collection database. Support statements appearing in the table: "Single Active-Passive cluster where both components are on a single cluster" (twice); "Not supported" (twice); the remark "There might be some performance issues with SQL Server in this configuration" appears four times.
Note Geographically dispersed clusters or geo clusters are not supported for any Operations Manager 2007 roles.
4.1.10
Supported scale (table; values are paired with rows by page order, on the assumption that the two values missing from the page belong to the first two rows):
Simultaneous Operations consoles: value not recovered
Agent-monitored computers reporting to a management server: value not recovered
Agent-monitored computers reporting to a gateway server: 800
Agentless Exception Monitored computers per management server: 25,000
Agentless Exception Monitored computers per management group: 100,000
Collective client monitored computers per management server: 2,500
Management servers per agent for multihoming: 4
Agentless-managed computers per management server: 10
Agentless-managed computers per management group: 60
Agent-managed computers per management group: 6,000
Prerequisites by component (table; re-aligned by page order):
Management server: .NET Framework 2.0; .NET Framework 3.0; Microsoft Core XML Services 6.0 (this is installed automatically by the Operations Manager 2007 setup)
Operations Console: Required: .NET Framework 2.0; .NET Framework 3.0. Optional: Microsoft Windows PowerShell (required for the Operations Manager 2007 Command Shell); Microsoft Office Word 2003 with .NET Programmability; Microsoft Visual Studio 2005 Tools for Office (required to create or edit Management Pack knowledge data)
Agent: Microsoft Core XML Services 6.0 (will install automatically if the agent is deployed from the Operations Console)
NOTE: Microsoft Core XML Services 6.0 requires Windows Installer 3.1.
Reporting Data Warehouse, Reporting server, Web Console (continued), and Audit collection database (cells could not be separated by component): SQL Server 2005 SP1; .NET Framework 2.0; .NET Framework 3.0; SQL Server 2005 Reporting Services SP1; .NET Framework 2.0; Microsoft Core XML Services 6.0; .NET Framework 2.0; .NET Framework 3.0; Internet Information Services (an optional component of Windows Server 2003); ASP.NET (an optional component of Windows Server 2003); one of the following: SQL Server 2005 Standard SP1; SQL Server Enterprise Edition SP1
In addition, Operations Manager 2007 relies on Active Directory Domain Services for a number of services, including definition of security principals, rights assignment, authentication, and authorization. Operations Manager queries Active Directory Domain Services when performing computer and service discovery and can use Active Directory Domain Services for storing and distributing agent configuration information. For Operations Manager to function properly, Active Directory Domain Services and its supporting service, DNS, need to be healthy and at certain minimum configuration levels.
Operations Manager 2007 requires that the domain functional level be Windows 2000 native, Windows Server 2003 interim, or Windows Server 2003. The domain functional level of Windows Server 2008 is also supported. For Operations Manager to function properly, you must check the domain functional level and raise it to at least Windows 2000 native. To do this, see Raise the Domain Functional Level.
4.2.3 DNS
DNS must be installed and in a healthy state to support Active Directory Domain Services. Beyond the reliance of Operations Manager on Active Directory Domain Services, there are no specific DNS requirements.
4.3.1.1 Kerberos The Kerberos authentication protocol, which is supported by Windows 2000 domain controllers and above, can only occur within a trust boundary. Kerberos authentication is the mechanism used to perform the Operations Manager 2007 agent/server mutual authentication. Agent/server mutual authentication is mandated in Operations Manager 2007 for all agent/server communication. An Operations Manager management group does have the ability to perform discovery and monitoring outside of the Kerberos trust boundary in which it is located. However, because the default authentication protocol for Windows-based computers that are not joined to an Active Directory domain is NTLM, another mechanism must be used to support mutual authentication. This is done through the exchange of certificates between agents and servers.
4.3.1.2 Certificates When Operations Manager 2007 communication needs to occur across trust boundaries, such as when a server that you want to monitor lies in a different, untrusted, Active Directory domain than the management group that is performing the monitoring, certificates can be used to satisfy the mutual authentication requirement. Through manual configuration, certificates can be obtained and associated with the computers and the Operations Manager services running on them. When a service that needs to communicate with a service on a different computer starts and attempts to authenticate, the certificates will be exchanged and mutual authentication completed.
Important The certificates used for this purpose must ultimately trust the same root certification authority.
For more information about how to obtain and make use of certificates for mutual authentication, see Deploying Gateway Server in the Multiple Server, Single Management Group Scenario.
4.3.2.1 Microsoft Certificate Services There are four types of Microsoft certificate authorities (CAs): Enterprise root; Enterprise subordinate; Stand-alone root; Stand-alone subordinate.
Both enterprise types of CAs require Active Directory Domain Services; stand-alone CAs do not. Either type of CA can issue the necessary certificates for agent/server mutual authentication across trust boundaries. Customarily, a CA infrastructure consists of a root CA, which signs its own certificate and certifies itself, and one or more subordinate CAs, which are certified by the root. Service certificates are requested from the subordinate CA servers, while the root is taken offline and held for safekeeping. For more information about designing certificates, see Enterprise Design for Certificate Services and the topic "Certificates" in the Operations Manager 2007 Help file.
4.3.3.1 Role-Based Security Accounts and Groups Operations Manager controls access to monitored groups, tasks, views, and administrative functions through the assignment of user accounts to roles. A role in Operations Manager is the combination of a profile type (operator, advanced operator, administrator) and a scope (to what data the role has access). Typically, Active Directory security groups are assigned to roles, and then individual accounts are assigned to those groups. Prior to deploying, plan out Active Directory security groups that can be added to these and any custom-created roles. This will prepare you to add individual user accounts to the security groups. Operations Manager provides the following role definitions out-of-the-box:
Role name; Profile type; Profile description; Role scope (table, re-aligned one role per entry):
Operations Manager Administrators (Created at setup; Cannot be deleted; Must contain one or more global groups). Profile type: Administrator. Profile description: Has full privileges to Operations Manager; no scoping of the Administrator profile is supported. Role scope: Full access to all Operations Manager data, services, administrative, and authoring tools.
Operations Manager Advanced Operators (Created at setup; Globally scoped; Cannot be deleted). Profile type: Advanced Operator. Profile description: Has limited change access to Operations Manager configuration; ability to create overrides to rules; monitors for targets or groups of targets within the configured scope. Role scope: Access to all groups, views, and tasks currently present and those imported in the future.
Operations Manager Authors (Created at setup; Globally scoped; Cannot be deleted). Profile type: Author. Profile description: Has ability to create, edit, and delete tasks, rules, monitors, and views within configured scope. Role scope: Access to all groups, views, and tasks currently present and those imported in the future.
Operations Manager Operators (Created at setup; Globally scoped; Cannot be deleted). Profile type: Operator. Profile description: Has ability to interact with alerts, run tasks, and access views according to configured scope. Role scope: Access to all groups, views, and tasks currently present and those imported in the future.
Operations Manager Read-Only Operators (Created at setup; Globally scoped; Cannot be deleted). Profile type: Read-Only Operator. Profile description: Has ability to view alerts and access views according to configured scope. Role scope: Access to all groups and views currently present and those imported in the future.
Operations Manager Report Operators (Created at setup; Globally scoped). Profile type: Report Operator. Profile description: Has ability to view reports according to configured scope. Role scope: Globally scoped.
Operations Manager Report Security Administrators (Integrates SQL Reporting Services security with Operations Manager user roles; Gives Operations Manager administrators the ability to control access to reports; Cannot be scoped). Profile description: Enables integration of SQL Reporting Services security with Operations Manager roles. Role scope: No scope.
You can add Active Directory security groups or individual accounts to any of these predefined roles. If you do, those individuals will be able to exercise the given role privileges across the scoped objects. Operations Manager also allows you to create custom roles based on the Operator, Read-Only Operator, Author, and Advanced Operator profiles. When you create the role, you can further narrow the scope of groups, tasks, and views that the role can access. For example, you can create a role entitled "Exchange Operator" and narrow the scope to only Exchange-related groups, views, and tasks. User accounts assigned to this role will only be able to run Operator-level actions on Exchange-related objects.
Important Make sure that you create a domain security group for the Operations Manager Administrators role. This is required to be in place during the first setup run for a management group.
4.3.3.2 Notification Accounts and Groups Individuals who will interact with Operations Manager frequently, such as an Exchange administrator who has been assigned to the Exchange Operator role, need a way to discover new alerts. This can be done by either watching the Operations console for new alerts or by Operations Manager informing them about the alert via supported communications channels. Operations Manager supports notifications through e-mail, instant messaging, Short Message Service, or pager messages. Notifications on what the role needs to know go out to recipients that you specify in Operations Manager. An Operations Manager recipient is merely an object that has a valid address to receive the notification, such as an SMTP address for e-mail notifications. Therefore, it is logical to combine role assignment with notification group membership via an e-mail-enabled security group. For example, create an Exchange Administrators security group and populate it with individuals that have the knowledge and permissions to fix things in Exchange. Assign this security group to a custom-created Exchange Administrator role so they have access to the data and are e-mail-enabled. Then, create a recipient by using the SMTP address of the e-mail-enabled security group.
4.3.3.3 Service Accounts At the time of deployment, you need to have the following service accounts ready. If you use domain accounts and your domain Group Policy object has the default password expiration policy set as required, you will either have to change the passwords on the service accounts according to the schedule, or use low-maintenance system accounts, or configure the accounts so that the passwords never expire.
Service accounts (table; the column alignment was lost in extraction). Columns: Account name; Requested when; Used for; Low maintenance; High security.
Account names recovered from the page: SDK and Configuration Service Account; Local Administrator (requested when installing agents; domain or local install account).
"Requested when" values: Management server setup; Installing agents.
"Used for" values: Collecting data from providers, running responses; Writing to operational database, running services; Gathering information and running responses on managed computers; Writing to the Reporting Data Warehouse database; Querying SQL Reporting Services database.
"Low maintenance" and "High security" values recovered: Local system; Domain or local account.
4.3.3.4 Run As Accounts Agents on monitored computers can run tasks, modules, and monitors on demand as well as in response to predefined conditions. By default, all tasks run by using the Agent Action account credentials. In some cases, the Agent Action account may have insufficient rights and privileges to run a given action on the computer. Operations Manager supports the running of tasks by agents in the context of an alternate set of credentials called a Run As Account. A Run As Account is an object that is created in Operations Manager, just like a recipient is, and maps to an Active Directory user account. A Run As Profile is then used that maps the Run As Account to a specific computer. When a rule, task, or monitor that has been associated with a Run As Profile at the development time of a management pack needs to run on the targeted computer, it does so by using the specified Run As Account. Operations Manager provides a number of Run As Accounts and Run As Profiles out of the box, and you can create additional ones as necessary. You may also choose to modify the Active Directory credentials with which a Run As Account is associated. This will require planning, creating, and maintaining additional Active Directory credentials for this purpose. You should treat these accounts as service accounts with regards to password expiration, Active Directory Domain Services, location, and security. Also, you will need to work with management pack authors as they develop requests for Run As Accounts. For more information, see the Operations Manager 2007 Security Guide.
4.3.4.1 Clients with Agents Installed The three main activities involved with agent administration are discovery of target devices, deployment or installation of agents to those devices, and ongoing management of the agents. Agents that lie outside a trust boundary require a few more prerequisites than agents that lie inside a trust boundary.
4.3.4.2 Discovery
Discovery requires that the TCP 135 (RPC), RPC range, and TCP 445 (SMB) ports remain open and that the SMB service is enabled.
4.3.4.3 Installation
After a target device has been discovered, an agent can be deployed to it. Agent installation requires the following:
Opening Remote procedure call (RPC) ports beginning with endpoint mapper TCP 135 and the Server Message Block (SMB) port TCP/UDP 445.
Enabling the File and Printer Sharing for Microsoft Networks and the Client for Microsoft Networks services. (This ensures that the SMB port is active.)
If enabled, Windows Firewall Group Policy settings for "Allow remote administration exception" and "Allow file and printer sharing exception" must be set to "Allow unsolicited incoming messages from: to the IP address and subnets for the primary and secondary management servers for the agent." For more information, see How to Configure the Windows Firewall to Enable Management of Windows-Based Computers from the Operations Manager 2007 Operations Console.
An account that has local administrator rights on the target computer.
Windows Installer 3.1. To install, see article 893803 in the Microsoft Knowledge Base.
Microsoft Core XML Services 6 on the Operations Manager product installation media in the \msxml subdirectory.
Note Push agent installation will install Microsoft Core XML Services 6 on the targeted device if it is not there.
4.3.4.4 Ongoing Management
Ongoing management of an agent requires that the TCP 135 (RPC), RPC range, and TCP 445 (SMB) ports remain open and that the SMB service remains enabled.
4.3.4.5
For agents that lie outside the trust boundary of the management servers, the environmental prerequisites are the same as for those that lie inside a trust boundary, with some additions. Because the device is going to have an installed agent, the software, service, and port requirements remain the same. However, because there is no underlying infrastructure to support Kerberos authentication, certificates must be used on both sides of the connection. To simplify the cross-trust-boundary configuration, you can install an Operations Manager gateway server in the same trust boundary as the devices that you will monitor. The gateway server acts as a proxy so that all communication between the management server and agents is routed through the gateway server. This communication is done over a single port, TCP 5723, and requires certificates on the management server and the gateway server. In addition, the gateway server performs discovery and installation, and relays ongoing administration traffic on behalf of the management server to the agents. The use of gateway servers also reduces the volume of network traffic and is therefore useful in low bandwidth conditions. For more information about gateway server configuration, see Deploying Gateway Server in the Multiple Server, Single Management Group Scenario.
4.3.4.6
Discovery is not performed for manually installed agents. Therefore, there are fewer requirements.
4.3.4.7 Agentless Monitoring Agentless monitoring of devices is performed by either a management server or by another device that does have an agent, called a proxy agent. An agentless managed device must not be separated from its management server or proxy agent by a firewall because monitoring is performed over remote procedure call (RPC). The action account of the agent that is performing the monitoring must have local administrative rights on the device that is being monitored.
4.3.5 Deploy an Operations Manager 2007 Management Group on a Single Computer Using the Setup Wizard
Use the following procedure to deploy the Operations Manager 2007 server components required for a management group on a single computer, using the Setup Wizard. The required server components for a management group are the Operations Manager database, a management server, and an Operations Console.
To deploy an Operations Manager 2007 management group by using the Setup Wizard:
1. Use local administrator privileges to log on to the computer. (This account must have system administrator privileges on the instance of SQL Server that will host the Operations Manager 2007 database.)
2. On the Operations Manager 2007 installation media, double-click SetupOM.exe.
3. On the Start page, select Install Operations Manager 2007.
4. When the Welcome page displays, click Next.
5. On the End-User License Agreement page, accept the agreement and then click Next.
6. On the Product Registration page, type the information in the text boxes (the CD key is required) and click Next.
7. When the Custom Setup page displays, leave the components set to their defaults and then click Next.
8. On the Management Group Configuration page, follow these steps:
a. Type the name you want for the management group in the Management Group text box. Important: The name of a management group cannot be changed.
Note The management group name cannot contain the following characters: ( ) ^ ~ : ; . ! ? " , ' ` @ # % \ / * + = $ | & [ ] <>{}, or have a leading or trailing space. It is recommended that the management group name is unique within your organization if you plan to connect Operations Manager 2007 management groups.
b. Click Browse and select the universal or global security group that you want added to the management group's administrators role, and then click OK.
Important The person installing the management group must be a member of the specified universal or global security group to run the Operations Console.
c. Click Next.
9. On the SQL Server Database Instance page, in the SQL Server Database Instance list, select the instance of SQL Server on which you want to install the Operations Manager 2007 database and then click Next.
10. On the Database and Log Files Options page, in the SQL Server Database Instance list, select the instance of SQL Server on which you want to install the Operations Manager 2007 database and then click Next.
Note To change the default database name or installation location of either the data file or the log file, click Advanced, make the changes, click OK, and then click Next to continue.
11. On the Management Server Action Account page, perform one of the following steps:
a. Select Local System, and click Next.
b. Select Domain or Local Computer Account, type the User Account and Password, select the Domain or local computer from the list, and then click Next. If User Account is provided in alias@contoso.com format, the value in Domain or local computer is ignored.
Note If you plan to deploy agents to remote computers from the Operations Manager 2007 Operations console, the Management Server Action account must have administrative privileges on these remote computers.
12. On the SDK and Config Service Account page, perform one of the following steps:
a. Select Local System, and click Next.
b. Select Domain or Local Account, type the User Account and Password, select the Domain or local computer from the list, and then click Next. If User Account is provided in alias@contoso.com format, the value in Domain or local computer is ignored.
13. On the Web Console Authentication Configuration page, select Use Windows Authentication if the console will be accessed only over an intranet. Select Use Forms Authentication if the console will be accessed over the Internet.
14. On the Operations Manager Error Reports page, either leave Do you want to send error reports to Microsoft cleared and click Next to not send Operations Manager 2007 error reports to Microsoft, or select Do you want to send error reports to Microsoft and perform the following steps:
a. Select Automatically send error reports about this product to Microsoft without prompting the user, or leave the default option, Prompt the user for approval before sending error reports to Microsoft, selected.
b. Click Next.
15. On the Customer Experience Improvement Program page, perform one of the following steps:
a. Leave the default option of I don't want to join the program selected if you do not want your organization to participate in the program, and then click Next.
b. Select Join the Customer Experience Improvement Program if you want your organization to participate in the program, and then click Next.
16. On the Ready to Install page, click Install. The Installing System Center Operations Manager 2007 page will display and provide installation progress.
17. When the Completing the System Center Operations Manager 2007 Setup Wizard page displays, do the following:
a. Leave the Start the Console check box selected to launch the Operations Console.
Note To open the Operations Console, you must be a member of an Operations Manager 2007 user role for the management group. For information about adding a user to a user role, see Security Considerations in Operations Manager 2007.
18. Leave Back up Encryption Key selected to back up the encryption key.
Important Without a backup of the Root Management Server key, you would need to re-enter all of your Run As Accounts if you had to rebuild the root management server. In larger environments, this rebuild could involve hundreds of accounts. For more information, see Encryption Key Backup or Restore Wizard and How to Backup and Restore Encryption Keys in Operations Manager 2007.
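The management group name entered in step 8a cannot be changed later, so it is worth checking it against the note's rules before starting SetupOM.exe. The following pre-flight check is an added example, not code from the white paper; the forbidden character list is the one printed in the note, and the function names are this example's own.

```python
"""Pre-flight check for an Operations Manager 2007 management group name.

Added example (not from the white paper): it applies the two rules given in
the setup note, no forbidden characters and no leading or trailing space.
"""

# Characters the setup note lists as not allowed in a management group name.
FORBIDDEN_CHARS = frozenset('()^~:;.!?",\'`@#%\\/*+=$|&[]<>{}')


def management_group_name_problems(name: str) -> list[str]:
    """Return the rule violations found in name; an empty list means it is acceptable."""
    problems = []
    if name != name.strip(" "):
        problems.append("leading or trailing space")
    # Report each offending character once, with the position of its first
    # occurrence, so every problem can be fixed in one pass through the wizard.
    first_seen = {}
    for index, char in enumerate(name):
        if char in FORBIDDEN_CHARS and char not in first_seen:
            first_seen[char] = index
    for char, index in first_seen.items():
        problems.append(f"forbidden character {char!r} at position {index}")
    return problems


def is_valid_management_group_name(name: str) -> bool:
    """True when the name passes both rules from the setup note."""
    return not management_group_name_problems(name)


if __name__ == "__main__":
    # Constructed sample names; "Contoso" echoes the example domain the
    # procedure uses in alias@contoso.com.
    for candidate in ("Contoso Production", "Contoso.Prod", " Contoso", "Contoso [DR]"):
        print(f"{candidate!r}: {management_group_name_problems(candidate) or 'OK'}")
```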
DPM 2007 running on Windows Server 2000 domain controllers does not support the following:
Protecting computers across domains.
Protecting a child Windows Server 2000 domain controller in a domain where Windows Server 2000 is the primary domain controller.
Protecting computers running Exchange Server 2007.
DPM 2007 running on Windows Server 2003 domain controllers supports protecting computers across domains within a forest. However, you must establish two-way trust across the domains. If there is not two-way trust across domains, you must have a separate DPM server for each domain. DPM 2007 does not support protection across forests.
Active Directory Domain Services, an essential component of the Windows Server 2003 architecture, provides organizations with a directory service designed for distributed computing environments. Active Directory Domain Services allows organizations to centrally manage and share information about network resources and users while acting as the central authority for network security. In addition to providing comprehensive directory services to a Windows environment, Active Directory Domain Services is designed to be a consolidation point for isolating, migrating, centrally managing, and reducing the number of directories that companies require.
Note The DPM server requires persistent connectivity with the servers and desktop computers it protects.
System files; DPM installation files; DPM prerequisite software; DPM database files.
DPM owns and manages the disks in the storage pool, which must be dynamic. For purposes of DPM, "disk" is defined as any disk device manifested as a disk in Disk Management. For information about the types of disks that the storage pool supports and how to plan your disk configuration, see Planning the Storage Pool.
If you want to manage your own additional disk space, DPM enables you to attach or associate custom volumes to data sources that you are protecting in a protection group. Custom volumes can be on basic or dynamic disks. Any volume that is attached to the DPM server can be selected as a custom volume. However, DPM cannot manage the space in custom volumes. Note that the release of DPM 2007 being discussed here will not delete any existing volumes on the disk attached to the storage pool to make the entire disk space available.
Note A 64-bit system is recommended for installing DPM 2007.
The following table lists the minimum and recommended hardware requirements for the DPM server. For more information about planning DPM server configurations, see Planning for DPM Deployment.
Component; Minimum Requirement; Recommended Requirement (table, re-aligned one component per line):
Processor: minimum 1 gigahertz (GHz) or faster; recommended 2.33 GHz quad-core CPUs.
Memory: minimum 2 gigabytes (GB) RAM; recommended 4 GB RAM. For information about how DPM manages memory, see DPM and Memory.
Pagefile: 0.2 percent the size of all recovery point volumes combined, in addition to the recommended size. (This is typically 1.5 times the amount of RAM on the computer.) For information about configuring the DPM pagefile size, in the DPM Operations Guide see Managing Performance.
Disk space for DPM installation: Program files drive: 410 megabytes (MB); Database files drive: 900 MB; System drive: 2,650 MB; from 2 GB to 3 GB of free space on the program files volume. Recommended: N/A.
NOTE: The system drive disk space requirement applies if you choose to install the instance of SQL Server from the DPM download package. If you are using an existing instance of SQL Server, this disk space requirement is considerably less.
NOTE: DPM requires at least 300 MB of free space on each protected volume for the change journal. In addition, before archiving data to tape, DPM copies the file catalog to a DPM temporary installation location. Therefore, we recommend that the volume on which DPM is installed contains from 2 GB to 3 GB of free space.
Storage pool disk capacity
  Minimum requirement: 1.5 times the size of the protected data. For information about calculating capacity requirements and planning the configuration of the disks, see Planning the Storage Pool in Planning a DPM 2007 Deployment.
  NOTE: The storage pool does not support Universal Serial Bus (USB)/1394 disks.
Logical unit number (LUN)
  Minimum requirement: N/A
  Maximum: 17 terabytes for GUID partition table (GPT) dynamic disks; 2 terabytes for master boot record (MBR) disks
  NOTE: These requirements are based on the maximum size of the disk as it appears to the Windows Server operating system.
Please note: DPM 2007 supports 32-bit and x64 operating systems; it does not support ia64 operating systems. The server cannot be the Management Server for Microsoft System Center Operations Manager. DPM 2007 is designed to run on a dedicated, single-purpose server that cannot be either a domain controller or an application server. There is a Volume Shadow Copy Service (VSS) non-paged pool limitation on x86 32-bit operating systems: if you are protecting more than 10 terabytes of data, the DPM server must be running on a 64-bit operating system. In addition, because VSS non-paged pool usage is based on the size of a single volume, we recommend that you do not protect a single volume larger than 4 terabytes on a 32-bit operating system.
DPM Management Shell, an interactive command-line technology that supports task-based scripting, is supported on the following operating systems:
- Windows XP Service Pack 2
- Windows Vista
- Windows Server 2003 SP2
The System Center DPM server must be a dedicated, single-purpose server, and it cannot be either a domain controller or an application server. The DPM server cannot be the management server for Microsoft Operations Manager (MOM) 2005 or Microsoft System Center Operations Manager 2007.
Other items of note (software prerequisites on the DPM server):
- Windows PowerShell 1.0
- Single Instance Storage (SIS) on Windows Server 2008. (For information about installing SIS on Windows Server 2008, see Manually Install Required Windows Components.)
- Windows Deployment Services (WDS) on Windows Server 2003 SP2, or Single Instance Server (SIS) on Windows Storage Server 2003 R2.
- Microsoft .NET Framework 2.0.
- Internet Information Services (IIS) 6.0 for Windows Server 2003. (IIS 6.0 is not installed on Windows Server 2003 by default.)
- IIS 7.0 for Windows Server 2008. (IIS 7.0 is not installed on Windows Server 2008 by default. If IIS is not installed before installing SQL Server 2005, SQL Server will not install SQL Server Reporting Services. Note that in addition to the default components that IIS 7.0 installs, DPM requires all IIS 7.0 components.)
- Microsoft SQL Server 2005 SP2 workstation components.
You may use an existing remote instance of SQL Server for your DPM database:
- If you choose to use a remote instance of SQL Server, you must install sqlprep.msi, which is located on the DPM product DVD in the DPM2007\msi\SQLprep folder.
- DPM 2007 does not support using an instance of SQL Server 2008 for your DPM database. DPM Setup will not proceed if you select an instance of SQL Server 2008.
- Verify that the user account you will be using to run the SQL Server service and the SQL Server Agent service has read and execute permissions to the SQL Server installation location.
- Microsoft SQL Server 2005 SP2 with Reporting Services. (If SQL Server Reporting Services is installed on the remote SQL Server, DPM Setup will use that Reporting Services instance. If SQL Server Reporting Services is not installed on the remote computer running SQL Server, you must install and configure the service on that computer.)
- Microsoft SQL Server 2005 SP2.
Important You cannot install DPM 2007 on a computer with Cluster services enabled. Before you install DPM 2007, you must either remove the computer from the cluster by using the Cluster Administrator tool or install DPM on another computer.
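The DPM server requirements above (supported architecture, dedicated non-clustered server that is not a domain controller, RAM and pagefile sizing, system drive space, and read and execute rights for the SQL Server service accounts) can be checked before Setup is run. The following Windows PowerShell script is an added example; it is not part of this white paper or of the DPM product. It assumes Windows PowerShell 2.0 or later, a default SQL Server instance (service names MSSQLSERVER and SQLSERVERAGENT), a SQL Server installation folder passed in $SqlInstallPath, and a constructed sample total for the recovery point volumes.

```powershell
# Added example: pre-flight checks for a candidate DPM 2007 server (not from the white paper).
# Assumes Windows PowerShell 2.0 or later and a default SQL Server instance; adjust the
# service names in Test-DpmServerPrerequisites for a named instance.

function Get-RecommendedPagefileMB {
    # Pagefile per the requirements table: 1.5 x RAM plus 0.2 percent of all recovery point volumes combined.
    param([double]$RamMB, [double]$RecoveryPointVolumesMB)
    return [math]::Ceiling(1.5 * $RamMB + 0.002 * $RecoveryPointVolumesMB)
}

function New-CheckResult {
    param([string]$Check, $Value, [bool]$Pass)
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; Pass = $Pass }
}

function Test-DpmServerPrerequisites {
    param(
        [string]$SqlInstallPath = 'C:\Program Files\Microsoft SQL Server',  # assumed location
        [double]$RecoveryPointVolumesMB = 512000                            # constructed sample: 500 GB
    )
    $results = @()
    $cs  = Get-WmiObject Win32_ComputerSystem
    $cpu = Get-WmiObject Win32_Processor | Select-Object -First 1

    # Processor architecture: x86 (0) and x64 (9) are supported; ia64 (6) is not.
    $results += New-CheckResult 'Processor architecture (6 = ia64, unsupported)' $cpu.Architecture ($cpu.Architecture -ne 6)

    # Dedicated server: DomainRole 4 and 5 mean the computer is a domain controller.
    $results += New-CheckResult 'Not a domain controller' $cs.DomainRole ($cs.DomainRole -lt 4)

    # Setup is blocked on a computer with Cluster services enabled (Cluster service = ClusSvc).
    $clus = Get-WmiObject Win32_Service -Filter "Name='ClusSvc'"
    $results += New-CheckResult 'Cluster service absent' ($clus -eq $null) ($clus -eq $null)

    # Memory: 2 GB minimum (4 GB recommended).
    $ramMB = [math]::Round($cs.TotalPhysicalMemory / 1MB)
    $results += New-CheckResult 'RAM (MB), minimum 2048' $ramMB ($ramMB -ge 2048)

    # Pagefile: compare the configured total with the formula from the table.
    $pfMB = 0
    foreach ($pf in @(Get-WmiObject Win32_PageFileUsage)) { $pfMB += $pf.AllocatedBaseSize }
    $needMB = Get-RecommendedPagefileMB $ramMB $RecoveryPointVolumesMB
    $results += New-CheckResult "Pagefile (MB), recommended $needMB" $pfMB ($pfMB -ge $needMB)

    # System drive: 2,650 MB is needed when SQL Server is installed from the DPM package.
    $sys = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $freeMB = [math]::Round($sys.FreeSpace / 1MB)
    $results += New-CheckResult 'System drive free (MB), minimum 2650' $freeMB ($freeMB -ge 2650)

    # The SQL Server and SQL Server Agent service accounts need read and execute on the SQL
    # Server installation location. Only a direct Allow ACE for the account is recognised here;
    # rights granted through a group (for example the per-service local groups that SQL Server
    # 2005 Setup creates) or to other built-in accounts must be reviewed by hand.
    $readExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $acl = $null
    if (Test-Path $SqlInstallPath) { $acl = Get-Acl $SqlInstallPath }
    foreach ($svcName in 'MSSQLSERVER', 'SQLSERVERAGENT') {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$svcName'"
        if ($svc -eq $null -or $acl -eq $null) { continue }
        $acct = $svc.StartName
        if ($acct -eq 'LocalSystem') { $acct = 'NT AUTHORITY\SYSTEM' }   # ACEs use this name for LocalSystem
        $ace = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $acct -and
            (($_.FileSystemRights -band $readExec) -eq $readExec)
        }
        $results += New-CheckResult "$svcName account '$acct' has Read & Execute on $SqlInstallPath" ($ace -ne $null) ($ace -ne $null)
    }
    return $results
}

# Usage: list every check, failures first.
Test-DpmServerPrerequisites | Sort-Object Pass | Format-Table Check, Value, Pass -AutoSize
```

Run the script in an elevated PowerShell session on the computer where DPM will be installed; the ACL check is deliberately conservative, so a failed result there means "review the permissions", not necessarily that the account lacks access.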
Each computer that System Center DPM 2007 protects must meet the requirements listed in the following table. Protected volumes must be formatted with the NTFS file system; DPM cannot protect volumes formatted as FAT or FAT32. In addition, a volume must be at least 1 GB for DPM to protect it: DPM uses VSS to create a snapshot of the protected data, and VSS creates a snapshot only if the volume size is greater than or equal to 1 GB. Before you install protection agents on the computers you are going to protect, you must apply hotfix 940349 on your 64-bit and 32-bit servers. If you are installing a protection agent on Windows Vista, hotfix 940349 is not required.
Protected Computers / Computer Requirements

File servers
You can protect file servers on any of the following operating systems:
- Windows Server 2003 Standard Edition with SP1
- Windows Server 2003 Standard Edition with SP2
- Windows Server 2003 Enterprise Edition SP1
- Windows Server 2003 Enterprise Edition SP2
- Windows Advanced Server 2003 SP1
- Windows Advanced Server 2003 SP2
- Windows Server 2003 R2 Standard Edition
- Windows Server 2003 R2 Enterprise Edition
- Windows Storage Server 2003 Standard Edition SP1
- Windows Storage Server 2003 Standard Edition SP2
- Windows Storage Server 2003 Enterprise Edition SP1
- Windows Storage Server 2003 Enterprise Edition SP2
- Windows Storage Server 2003 Express Edition SP1
- Windows Storage Server 2003 Express Edition SP2
NOTE: To obtain SP1 for Windows Storage Server 2003, contact your original equipment manufacturer.
- Windows Small Business Server 2003 Standard Edition
- Windows Small Business Server 2003 Premium Edition
- Windows Small Business Server 2003 R2 Standard Edition
- Windows Small Business Server 2003 R2 Premium Edition
- Windows Server 2008 Standard Edition
- Windows Server 2008 Enterprise Edition

Computers running SQL Server
- Microsoft SQL Server 2000 with SP4
- Microsoft SQL Server 2005 SP1
- Microsoft SQL Server 2005 SP2
NOTE: DPM supports SQL Server Standard Edition, SQL Server Enterprise Edition, SQL Server Workgroup Edition, and SQL Server Express Edition.
IMPORTANT: You must start the SQL Server VSS Writer Service on computers running SQL Server 2005 SP1 before you can start protecting SQL Server data. The SQL Server VSS Writer Service is turned on by default on computers running SQL Server 2005. To start the SQL Server VSS Writer service, in the Services console, right-click SQL Server VSS writer, and then click Start.

Computers running Exchange Server
- Exchange Server 2003 SP2
- Exchange Server 2007
NOTE: DPM supports Exchange Server Standard Edition and Exchange Server Enterprise Edition installed on Windows Server 2003 and later. Before you can protect Exchange Server 2007 data in a Clustered Continuous Replication (CCR) configuration, you must install hotfix 940006. For more details, see Knowledge Base article 940006, Description of Update Rollup 4 for Exchange 2007.
IMPORTANT: The eseutil.exe and ese.dll versions that are installed on the most recent edition of Exchange Server must be the same versions that are installed on the DPM server. In addition, you must update eseutil.exe and ese.dll on the DPM server if they are updated on a computer running Exchange Server after applying an upgrade or an update. For more information about updating eseutil.exe and ese.dll, see Eseutil.exe and Ese.dll.

Computers running Virtual Server
- Microsoft Virtual Server 2005 R2 SP1
NOTE: To protect virtual machines for online backups, we recommend that you install version 13.715 of Virtual Machine Additions.

Computers running Windows SharePoint Services
- Windows SharePoint Services 3.0
- Microsoft Office SharePoint Server 2007
Before you can protect Windows SharePoint Services (WSS) data, you must do the following:
1. Install Knowledge Base article 941422: Update for Windows SharePoint Services 3.0. NOTE: You must install Knowledge Base article 941422 on all protected servers on which Windows SharePoint Services 3.0, Microsoft Office SharePoint Server 2007, and Microsoft Office SharePoint Server 2007 SP1 are installed.
2. Start the WSS Writer service on the WSS Server and then provide the protection agent with credentials for the WSS farm. For more information, in Configuring DPM 2007, see Starting and Configuring the WSS VSS Writer Service.
3. Update the instance of SQL Server 2005 to SQL Server 2005 SP2.
4. Install the SQL Server Client components on the front-end web server of the Windows SharePoint Services farm that DPM is going to protect. For information about installing SQL Server components, see How to: Install SQL Server 2008.

Shared disk clusters
- File servers
- SQL Server 2000 SP4
- SQL Server 2005 SP1
- Exchange Server 2003 SP2
- Exchange Server 2007
- Exchange Server 2007 (Clustered Continuous Replication configuration; requires hotfix 940006, see the Exchange Server note above)

Workstations
- Windows XP Professional SP2
- Windows Vista Business Edition
- Windows Vista Ultimate Edition
NOTE: DPM requires that the workstations and laptops that it protects be Active Directory members. Therefore, they must remain connected to the corporate local area network (LAN) at all times using reliable and consistent networks.
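The protected computer requirements in the table above (NTFS volumes of at least 1 GB with 300 MB free for the change journal, hotfix 940349 on servers, a running SQL Server VSS Writer service on SQL Server computers, and domain membership) are straightforward to verify on each candidate computer before the protection agent is installed. The following Windows PowerShell script is an added example, not part of this white paper or of the DPM product; it assumes Windows PowerShell 2.0 or later, uses the Windows service name SQLWriter for the SQL Server VSS Writer, and detects SQL Server by the presence of its service (MSSQLSERVER or MSSQL$<instance>).

```powershell
# Added example: prerequisite checks on a computer that DPM 2007 will protect (not from the white paper).
# Assumes Windows PowerShell 2.0 or later. Win32_LogicalDisk is used rather than Win32_Volume so the
# script also runs on the Windows XP workstations listed in the table.

function New-CheckResult {
    param([string]$Check, $Value, [bool]$Pass)
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; Pass = $Pass }
}

function Test-ProtectedComputerPrerequisites {
    $results = @()
    $os = Get-WmiObject Win32_OperatingSystem
    $cs = Get-WmiObject Win32_ComputerSystem

    # Fixed disks (DriveType 3): NTFS only, at least 1 GB (VSS will not snapshot smaller volumes),
    # and at least 300 MB free for the change journal.
    foreach ($disk in @(Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3")) {
        $sizeGB = $disk.Size / 1GB
        $freeMB = $disk.FreeSpace / 1MB
        $ok = ($disk.FileSystem -eq 'NTFS') -and ($sizeGB -ge 1) -and ($freeMB -ge 300)
        $summary = '{0} {1:N1} GB, {2:N0} MB free' -f $disk.FileSystem, $sizeGB, $freeMB
        $results += New-CheckResult "Volume $($disk.DeviceID)" $summary $ok
    }

    # Hotfix 940349 is required on 32-bit and 64-bit servers; Windows Vista does not need it.
    $isVista = ($os.Caption -like '*Vista*')
    $hotfix = Get-WmiObject Win32_QuickFixEngineering -Filter "HotFixID='KB940349'"
    $results += New-CheckResult 'Hotfix 940349 installed (not needed on Vista)' ($hotfix -ne $null) ($isVista -or ($hotfix -ne $null))

    # On computers running SQL Server, the SQL Server VSS Writer service must be running.
    $sqlSvc = Get-WmiObject Win32_Service | Where-Object { $_.Name -eq 'MSSQLSERVER' -or $_.Name -like 'MSSQL$*' }
    if ($sqlSvc -ne $null) {
        $writer = Get-WmiObject Win32_Service -Filter "Name='SQLWriter'"
        $state = if ($writer -ne $null) { $writer.State } else { 'not installed' }
        $results += New-CheckResult 'SQL Server VSS Writer running' $state (($writer -ne $null) -and ($writer.State -eq 'Running'))
    }

    # Protected workstations and servers must be Active Directory members.
    $results += New-CheckResult 'Domain member' $cs.Domain $cs.PartOfDomain

    return $results
}

# Usage: show every check, failures first.
Test-ProtectedComputerPrerequisites | Sort-Object Pass | Format-Table Check, Value, Pass -AutoSize
```

The volume checks report every fixed disk; only the volumes you intend to add to a protection group need to pass.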
2. Log on to the computer as a domain user who is a member of the local Administrators group.
3. Go to Microsoft Update and install all available updates for Windows.
4. Install Knowledge Base article 940349.
5. Install Windows PowerShell 1.0.
DPM Setup will install the following prerequisite software before installing the actual DPM application:
- Windows Deployment Services
- Microsoft .NET Framework 2.0
- Internet Information Services (IIS) 6.0
- Microsoft SQL Server 2005 SP2 and Reporting Services
The next section outlines the steps required to install and configure a complete installation of DPM 2007. You can use DPM Administrator Console to configure DPM 2007.
2. Add a disk to the storage pool: Go to DPM Administrator Console, in the Management task area, on the Disks tab, in the Actions pane, click Add. (For detailed instructions, see Adding Disks to the Storage Pool.)
3. Configure your tape library: In DPM Administrator Console, in the Management task area, on the Libraries tab, in the Actions pane, click Rescan.
4. Install a protection agent: In DPM Administrator Console, in the Management task area, on the Agents tab, in the Actions pane, click Install. The Protection Agent Installation Wizard appears and guides you through the process of installing the protection agent. For detailed instructions, see Installing Protection Agents.
5. Install the software requirements on the computers you are going to protect. For information about protected computer requirements, see Protected Computer Requirements.
6. Create a protection group: In DPM Administrator Console, in the Protection task area, in the Actions pane, click Create protection group. The New Protection Group Wizard appears and guides you through the process of creating the protection group. For detailed instructions, see Creating Protection Groups.
5.7 Post-Installation
After you perform the initial configuration, you can enable the following optional Data Protection Manager (DPM) 2007 features:
- Enabling end-user recovery
- Installing the Shadow Copy Client software
- Subscribing to alerts and notifications
- Configuring the SMTP server
- Publishing DPM alerts
- Installing DPM Management Shell
2. Microsoft Hyper-V will now appear as an option in the Available Members for protection.
4. Name your protection group and then configure Short-Term Protection and Long-Term Protection.
5. Set the retention range (how far back you wish to be able to restore to) and select Next again.
6. Modify space allocation as needed. (Note: Hyper-V guests generally require a large amount of storage space.)
7. Choose the replication method to use. This will generally be automatic replication but it may be scheduled for a later time when the network has less traffic.
8. Confirm the settings you wish to use and select Create Group to create the new protection group. If you choose to replicate now, the snapshot will take place immediately and the replication of the backup will begin across the network.
To configure Active Directory and enable end-user recovery for users who are not schema and domain administrators:
1. Direct a user who is both a schema and domain administrator to configure the Active Directory schema by running <drive>:\Program Files\Microsoft DPM\DPM\End User Recovery\DPMADSchemaExtension.exe on a Windows Server 2003-based computer that is a member of the same domain as the DPM server.
Note If the protected computer and DPM reside in different domains, the schema needs to be extended by running the DPMADSchemaExtension.exe tool in the other domain as well.
2. In the Enter Data Protection Manager Computer Name dialog box, type the name of the computer for which you want end-user recovery data in Active Directory Domain Services, and click OK.
3. Type the DNS domain name of the DPM computer for which you want end-user recovery data in Active Directory Domain Services, and click OK.
4. In the Active Directory Configuration for Data Protection Manager dialog box, click OK.
5. In DPM Administrator Console, on the Action menu, click Options.
6. In the Options dialog box, on the End-User Recovery tab, select the Enable End-User Recovery check box and click OK.
Notes
- Windows Automated Installation Kit 1.1
- Windows Server Internet Information Services (IIS) 7.0
automatically and is stopped, the Setup Wizard starts the service. If the WinRM service is set to start manually and is stopped, the Setup Wizard starts the service and sets it to start automatically. If this software has not been installed previously, the Setup Wizard automatically installs it. You must add the Web Server (IIS) role and then install the following server role services:
- IIS 6 Metabase Compatibility
- IIS 6 WMI Compatibility
- Static Content
- Default Document
- Directory Browsing
- HTTP Errors
- ASP.NET
- .NET Extensibility
- ISAPI Extensions
- ISAPI Filters
- Request Filtering
NOTE: If the default port (80) for the VMM Self-Service Portal is used by another Web site, you must either use a different dedicated port or specify a host header for the portal.
For more information about supported versions of SQL Server, see System Requirements: VMM Database.
Supported operating systems (the Yes/No support columns of this table are not recoverable from this copy and are omitted):
- Windows Server 2008 Standard Edition with Hyper-V
- Windows Server 2008 Enterprise Edition with Hyper-V
- Windows Server 2008 Datacenter Edition with Hyper-V
- Windows Server 2008 Standard Edition (without Hyper-V)
- Windows Server 2008 Enterprise Edition (without Hyper-V)
- Windows Server 2008 Datacenter Edition (without Hyper-V)
- Windows Server 2008 Standard x32 Edition (without Hyper-V)
- Windows Server 2008 Enterprise Edition (without Hyper-V)
- Windows Server 2008 Datacenter Edition (without Hyper-V)
- Windows Server 2008 Enterprise Edition with Server Core installation
- Windows Server 2008 Datacenter Edition with Server Core installation
- Windows Server 2008 Standard Edition SP2
- Windows Server 2008 Enterprise Edition SP2
- Windows Server 2008 Datacenter Edition SP2
- Windows Server 2003 R2 with SP2
- Windows Server 2003 Standard x64 Edition with Service Pack 2
- Windows Server 2003 R2 x64 Edition with Service Pack 2

Supported operating systems, second table (Yes/No columns likewise omitted):
- Windows Server 2003 Standard x64 Edition with Hyper-V
- Windows Server 2008 Standard Edition with Hyper-V
- Windows Server 2008 Enterprise Edition with Hyper-V
- Windows Server 2008 Datacenter Edition with Hyper-V
- Windows Server 2008 Standard x64 Edition (without Hyper-V)
- Windows Server 2008 Standard Edition (without Hyper-V)
- Windows Server 2008 Enterprise Edition (without Hyper-V)
- Windows Server 2008 Datacenter Edition (without Hyper-V)
- Windows Server 2008 Standard Edition (without Hyper-V)
- Windows Server 2008 Enterprise Edition (without Hyper-V)
- Windows Server 2008 Datacenter Edition (without Hyper-V)
- Windows Server 2008 Standard Edition with Server Core installation
- Windows Server 2008 Enterprise Edition with Server Core installation
- Windows Server 2008 Datacenter Edition with Server Core installation
- Windows Web Server 2008
- Windows Server 2003 Standard Edition SP2
- Windows Server 2003 Enterprise Edition SP2
- Windows Server 2003 Datacenter Edition SP2
- Windows Server 2003 R2 with SP2
- Windows Server 2003 x64 Edition with SP2
- Windows Server 2003 R2 x64 Edition with SP2
- Windows Vista with SP1
- Windows XP Professional Edition SP2
- Windows XP Professional Edition SP3
- Windows XP Professional x64 Edition with SP2

SQL Server versions listed for the VMM database (Yes/No columns omitted):
- SQL Server 2005 Express Edition SP2
- SQL Server 2005 Standard Edition SP2 (32-bit version)
- SQL Server 2005 Standard Edition SP2 (64-bit version)
- SQL Server 2005 Enterprise Edition SP2 (32-bit version)
- SQL Server 2005 Enterprise Edition SP2 (64-bit version)
6.5.2 Domains
Before installing the Virtual Machine Manager (VMM) server, you must join the computer to a domain in Active Directory. All Windows Server-based virtual machine hosts must also be joined to Active Directory domains. A Windows Server-based host can be in a domain separate from the VMM server's domain: either a domain with a two-way trust with the VMM server's domain, or a domain that does not have a two-way trust with the VMM server's domain. For hosts in perimeter networks, you must install a VMM agent locally on that host, configure the firewalls as discussed later in this topic, and then add the host to VMM.
6.5.3 Firewalls
Virtual machine hosts and library servers must have access to the Virtual Machine Manager (VMM) server on the ports specified during VMM server setup. This means that all firewalls, whether software-based or hardware-based, must be configured appropriately.
computer that is using Windows Firewall, the Setup Wizard automatically adds firewall port exceptions to Windows Firewall. When you install the VMM Self-Service Portal, you specify which port the self-service users use to connect to the portal. By default, this port is 80. When you add a computer that is using Windows Firewall as a host or a library server, VMM automatically adds firewall port exceptions to Windows Firewall on that computer. VMM adds firewall exceptions for the ports that were specified during the VMM server and the VMM Self-Service Portal installation.
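Because VMM only adds exceptions to Windows Firewall, openings on any other software or hardware firewall between a host or library server and the VMM server have to be verified separately. The following Windows PowerShell script is an added example, not part of this white paper or of the VMM product; it assumes Windows PowerShell 2.0 or later and the Windows Firewall COM API (HNetCfg.FwMgr). The VMM server name is a placeholder, port 80 is the default Self-Service Portal port stated above, and the other VMM ports must be supplied from the values chosen during VMM server Setup.

```powershell
# Added example: verify VMM firewall openings from a host or library server (not from the white paper).
# Assumes Windows PowerShell 2.0 or later. Port numbers other than 80 are placeholders: pass the
# ports that were specified during VMM server Setup.

function Get-FirewallOpenTcpPorts {
    # Globally open TCP ports in the current Windows Firewall profile, read through the
    # HNetCfg.FwMgr COM object (the firewall API available on Windows Server 2003/2008 and XP SP2+).
    $mgr = New-Object -ComObject HNetCfg.FwMgr
    $profile = $mgr.LocalPolicy.CurrentProfile
    $ports = @()
    foreach ($p in $profile.GloballyOpenPorts) {
        if ($p.Enabled -and $p.Protocol -eq 6) { $ports += [int]$p.Port }   # 6 = NET_FW_IP_PROTOCOL_TCP
    }
    return $ports
}

function Test-TcpPort {
    # TCP connect with a timeout, so an unreachable VMM server does not stall the script.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-VmmConnectivity {
    param(
        [Parameter(Mandatory=$true)][string]$VmmServer,    # placeholder, e.g. the VMM server FQDN
        [Parameter(Mandatory=$true)][int[]]$VmmPorts,      # ports specified during VMM server Setup
        [int]$PortalPort = 80                               # default Self-Service Portal port
    )
    $results = @()
    foreach ($port in ($VmmPorts + $PortalPort)) {
        $results += New-Object PSObject -Property @{
            Target    = "${VmmServer}:$port"
            Reachable = (Test-TcpPort -ComputerName $VmmServer -Port $port)
        }
    }
    return $results
}

# Usage (run on the host or library server being added to VMM):
"Locally open TCP ports in Windows Firewall: " + ((Get-FirewallOpenTcpPorts) -join ', ')
Test-VmmConnectivity -VmmServer 'vmm01.example.local' -VmmPorts @(8100) | Format-Table Target, Reachable -AutoSize
```

A port that is listed as open locally but reported as not reachable on the VMM server points at a firewall in the path, or at the VMM server itself, rather than at this computer's Windows Firewall configuration.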
Note Enter the name of the SQL server if you plan to host the database on a separate server.
2. Select Create a new Library Share. Note: the MSSCVMMLibrary folder must be created in advance.
Note If you plan to integrate with System Center Operations Manager and make use of the PRO feature, it is recommended that you use a domain account for the Virtual Machine Manager (VMM) Service Account.
3. If you have previously installed all the software prerequisites, you should receive a green check for each prerequisite you preinstalled. Otherwise, it will be installed by VMM at this point.
2. If you previously changed the default port during the VMM Server installation, ensure that you provide the same port to Setup that you used previously.
7 Summary
This document describes the prerequisites, tasks, and steps you need to get started with building a managed hosting environment using the Microsoft System Center product family. A sample scenario is presented in the document for illustration purposes. The information contained in this document is intended to help you get started with your own managed hosting solution.
8 References