Ondřej Ševeček | GOPAS a.s. MCSM:Directory Services | MVP:Enteprise Security | CISA | CEH | CHFI | facebook: ondrej.sevecek.official | SCOM event queries how the object model works GOLD PARTNER:Hlavní odborný partner:

Infrastructure recap  SCOM management server  SCOM agent (health service) –Operations Manager event log new configuration became active new MP downloaded

Management pack  XML configuration plus scripts .XML,.MP file or.MPB bundle file  Sealed (digitally signed) or un-sealed and modifiable –different MP cannot target/reference objects from an unsealed MP –cannot define classes  Strict versioning –can update any management pack with newer version –dependent MPs should work –cannot remove MP which other MPs depend on  Downloaded to clients –%programfiles%\Microsoft Monitoring Agent\Agent\Health Service State\Management Packs

Management pack dependencies Microsoft.Windows.Library Windows Core Library Microsoft.Windows.Server.DNS Microsoft Windows Server DNS Monitoring

Management pack dependencies Microsoft.Windows.Library Windows Core Library Microsoft.Windows.Server.DNS Microsoft Windows Server DNS Monitoring Microsoft.Windows.Server.AD.Library Active Directory Server Common Library Microsoft.Windows.Server.AD.2008.Discovery Active Directory Server 2008 and above Discovery Microsoft.Windows.Server.AD.2000.Discovery Active Directory Server 2000 Discovery Microsoft.Windows.Server.AD.2003.Discovery Active Directory Server 2003 Discovery

Management pack dependencies Microsoft.Windows.Library Windows Core Library Microsoft.Windows.Server.DNS Microsoft Windows Server DNS Monitoring Microsoft.Windows.Server.AD.Library Active Directory Server Common Library Microsoft.Windows.Server.AD.2008.Discovery Active Directory Server 2008 and above Discovery Microsoft.Windows.Server.AD.2008.Monitoring Active Directory Server 2008 and above Monitoring Microsoft.Windows.Server.AD.2000.Discovery Active Directory Server 2000 Discovery Microsoft.Windows.Server.AD.2003.Discovery Active Directory Server 2003 Discovery

Management pack dependencies Microsoft.Windows.Library Windows Core Library Microsoft.Windows.Server.DNS Microsoft Windows Server DNS Monitoring Sevecek.Overrides Microsoft.Windows.Server.AD.Library Active Directory Server Common Library Microsoft.Windows.Server.AD.2008.Discovery Active Directory Server 2008 and above Discovery Microsoft.Windows.Server.AD.2008.Monitoring Active Directory Server 2008 and above Monitoring Microsoft.Windows.Server.AD.2000.Discovery Active Directory Server 2000 Discovery Microsoft.Windows.Server.AD.2003.Discovery Active Directory Server 2003 Discovery

Better to separate overriding MPs Microsoft.Windows.Library Windows Core Library Microsoft.Windows.Server.DNS Microsoft Windows Server DNS Monitoring Sevecek.Overrides.AD Microsoft.Windows.Server.AD.Library Active Directory Server Common Library Microsoft.Windows.Server.AD.2008.Discovery Active Directory Server 2008 and above Discovery Microsoft.Windows.Server.AD.2008.Monitoring Active Directory Server 2008 and above Monitoring Microsoft.Windows.Server.AD.2000.Discovery Active Directory Server 2000 Discovery Microsoft.Windows.Server.AD.2003.Discovery Active Directory Server 2003 Discovery Sevecek.Overrides.DNS

base/abstract class inherited object class object class Management pack elements Disco Object instance object instance Object instance object instance singleton monitor rule monitor

object class Object instance object class Object instance object class Object instance Concept of targeting Disco object class Object instance object instance Agent Disco object class Object instance monitor rule

Management pack dependencies Microsoft.Windows.Library Windows Core Library Microsoft.Windows.Server.AD.Library Active Directory Server Common Library Microsoft.Windows.Server.AD.2008.Discovery Active Directory Server 2008 and above Discovery Microsoft.Windows.Server.AD.2000.Discovery Active Directory Server 2000 Discovery Microsoft.Windows.Server.AD.2003.Discovery Active Directory Server 2003 Discovery ReadOnlyDC.Computer DFSR Domain Forest Site DomainControllerRole

Management pack dependencies Microsoft.Windows.Library Windows Core Library Microsoft.Windows.Server.AD.Library Active Directory Server Common Library Microsoft.Windows.Server.AD.2008.Discovery Active Directory Server 2008 and above Discovery Microsoft.Windows.Server.AD.2000.Discovery Active Directory Server 2000 Discovery Microsoft.Windows.Server.AD.2003.Discovery Active Directory Server 2003 Discovery ReadOnlyDC.Computer DFSR Domain Forest Site DomainControllerRole Microsoft.Windows.Server. AD.2008.Monitoring Active Directory Server 2008 and above Monitoring

delete logs start web application SQL instance Manufacturing Module – Monitor – Action principle ok warning critical process punning and CPU < 80% Web instance SharePoint Web instance HRAgenda Web instance Manufacturing service name process ID CPU < 80% CPU > 80% stop mail restart service

SQL instance Manufacturing Module – Rule – Action principle event log user account locked Web instance SharePoint Web instance HRAgenda Web instance Manufacturing service name process ID mail to admin sms to user

Sample environment gopas.virtual (GPS) sevecek.com (SEVECEK) mutual forest non-selective SCOM 2012 R2

Sample environment DC R2 DC R2 SEVECEK-DC 2012 R2 RR 2003 gopas.virtual _msdcs.gopas.virtual gopas.cz sevecek.com gopas.cz inet Client81 8.1

Sample environment DC R2 DC R2 SEVECEK-DC 2012 R2 RR 2003 gopas.virtual _msdcs.gopas.virtual gopas.cz sevecek.com gopas.cz sevecek.com gopas.virtual Client81 8.1

Sample environment DC R2 DC R2 SEVECEK-DC 2012 R2 RR 2003 gopas.virtual _msdcs.gopas.virtual gopas.cz sevecek.com gopas.cz sevecek.com gopas.virtual _msdcs.gopas.virtual gopas.cz Client81 8.1

Microsoft.Windows.Server.DNS.Zone Windows DNS Zone Microsoft.Windows.Server.DNS.Zone Windows DNS Zone DNS relationship basics Microsoft.Windows.Computer Windows Computer Microsoft.Windows.Server.DNS.Server Windows DNS Server Microsoft.Windows.Server.DNS.Zone Windows DNS Zone hosting

Microsoft.Windows.Server.DNS.Zone Windows DNS Zone Microsoft.Windows.Server.DNS.Zone Windows DNS Zone Microsoft.Windows.Server.DNS.Forwarder Windows DNS Forwarder DNS relationships Microsoft.Windows.Computer Windows Computer Microsoft.Windows.Server.DNS.Server Windows DNS Server Microsoft.Windows.Server.DNS.Zone Windows DNS Zone Microsoft.Windows.Server.DNS.Forwarder Windows DNS Forwarder hosting Microsoft.Windows.Server.DNS.Forwarder.IPAddress Windows DNS Forwarder IP Address Microsoft.Windows.Server.DNS.Forwarder.IPAddress Windows DNS Forwarder IP Address Microsoft.Windows.Server.DNS.Forwarder.IPAddress Windows DNS Forwarder IP Address Microsoft.Windows.Server.DNS.Forwarder.IPAddress Windows DNS Forwarder IP Address Microsoft.Windows.Server.DNS.Forwarder.IPAddress Windows DNS Forwarder IP Address Microsoft.Windows.Server.DNS.Forwarder.IPAddress Windows DNS Forwarder IP Address hosting

Microsoft.Windows.Server.DNS.Zone Windows DNS Zone Microsoft.Windows.Server.DNS.Zone Windows DNS Zone Microsoft.Windows.Server.DNS.Forwarder Windows DNS Forwarder DNS relationships Microsoft.Windows.Computer Windows Computer Microsoft.Windows.Server.DNS.Server Windows DNS Server Microsoft.Windows.Server.DNS.Zone Windows DNS Zone Microsoft.Windows.Server.DNS.Forwarder Windows DNS Forwarder hosting Microsoft.Windows.Server.DNS.Forwarder.IPAddress Windows DNS Forwarder IP Address Microsoft.Windows.Server.DNS.Forwarder.IPAddress Windows DNS Forwarder IP Address Microsoft.Windows.Server.DNS.Forwarder.IPAddress Windows DNS Forwarder IP Address Microsoft.Windows.Server.DNS.Forwarder.IPAddress. Unconditional / Conditional.Forward / Conditional.Reverse Windows DNS Forwarder IP Address Unconditional / Conditional Forward / Conditional Reverse Microsoft.Windows.Server.DNS.Forwarder.IPAddress Windows DNS Forwarder IP Address hosting

Microsoft.Windows.Server.DNS.Server.2008R2.Group DNS 2008 R2 Servers Windows DNS Zone DNS relationships DNS Forwarder Microsoft.Windows.Server.DNSDomain Windows DNS Domain hosting Windows Computer Forwarder IP Address hosting Windows DNS Server Windows DNS Zone Forwarder IP Address Windows DNS Zone containment Windows Computer Windows DNS Server containment

Windows DNS Zone Unit monitors DNS Forwarder DNS Domain hosting Windows Computer Forwarder IP Address hosting Windows DNS Server Windows DNS Zone Forwarder IP Address Forwarder IP Address Windows DNS Zone containment Windows Computer Windows DNS Server

XML XPath queries EventData/*[name()='Data' *[name()='EventData]/*[name()='Data' EventData/DataItem/*[name()='EventData']/*[name=()='Data' or you can use a shorter form //*[name()='EventData']/*[name=()='Data'

Děkuji za pozornost! GOC170 - SCOM authoring Ondřej Ševeček | GOPAS a.s. MCSM:Directory Services | MVP:Enteprise Security | CISA | CEH | CHFI | facebook: ondrej.sevecek.official |

Aktuální a navazující kurzy sledujte na DÁREK PRO VÁS! TechEd-DevCon 2016! …získejte tričko TechEd-DevCon 2016!Vyplňte dotazníkové hodnocení a… TechEd party! Xbowling Strašnice, Buďte The Best IT Pro nebo The Best Developer SOUTĚŽ! SOUTĚŽ! SOUTĚŽ!