Monday, April 10, 2017

SCOM - New Community MP for Monitoring Windows Services

A couple of months ago I came across a blog post from SCOM community contributor Andy Leibundgut describing a new management pack he'd authored to help monitor Windows Services using SCOM and I was keen to give it a test drive to see exactly what it could do.

Built-in Windows Service Monitoring Option

You might be thinking to yourself that this capability has to be available already out of the box with SCOM and you'd be correct. The Windows Service Monitoring Template (accessible from the Authoring workspace in the SCOM console and shown in the image below) will walk you through a wizard to help configure a custom monitor for a Windows Service that might not be automatically monitored with a vendor management pack.

The Problem

This template wizard certainly meets the requirements of bringing Windows services into SCOM but as Andy points out in his post, there's a lot of monitoring bloat that comes with each service monitoring configuration you create using the template - each service has its own class, its own discovery and comes with 3 monitors and 8 overrides!

Also, if you have a large number of custom Windows services to monitor (a common request from my customers), then using the built-in template in the console to create a monitor for each one can be fairly time-consuming.

The Solution

With these points in mind, Andy looked into a better method of spinning up monitors in SCOM for Windows services without having to deal with the extra bloat and cumbersome on-boarding process for multiple services. The solution he came up with comprises a new management pack and a PowerShell-based Service MP Editor complete with an easy-to-follow user interface (shown below).

Along with the Service MP Editor, the new management pack contains the following features for monitoring Windows Services:

  • Uses the same data source for Windows Service monitoring that SCOM uses.
  • Date and time filtering so you can exclude certain days/times from monitoring on a per-service or service object basis.
  • Handy console tasks for starting, stopping and checking the status of the Windows Service.
  • Automatic service recovery (disabled by default). Works on a 3 strikes and you’re out format (overrideable setting where after 3 failures in a 24 hour period it will stop trying to restart the service). 
  • Timer reset monitor (closes itself after 24 hours and enabled by default) to watch for and alert on the 3 strike out situation.
  • Monitor all service startup types with the exclusion of disabled services from alerting.
  • Custom discovery which discovers and adds all the service objects to one class rather than scattering them about like the templates do.

Taking the MP for a Test Drive

I've been running this MP solution in my demo and semi-production SCOM environments (both 2012 R2 and 2016) for the last couple of months with no issues and I felt it was about time to spread the word on how much effort you can save when you use it.

The first thing you'll need to do is to download the latest version of this management pack and you can get it from the TechNet Gallery here.

Next up, you'll want to get yourself a coffee (or beer, if that's how you roll) and take a read through Andy's original blog post using the link below:

Note: Everything you need to know is available in Andy's blog post and for clarity, I'll just blog my own experience on getting the MP up and running here.

When you download the zip file containing the MP, extract it to a location on a computer that runs the SCOM console and you should see the following three files...

The Readme.txt contains a note from the author highlighting the fact that this MP is still in its early days of development and that you should always test it in a non-production environment first.

The WindowsServiceMonitor.xml file is the unsealed MP used for monitoring your Windows Services and the ServiceMPEditor.ps1 file is a clever PowerShell script that launches the UI-based editor to help you customize the MP for your own (and customer) environments.

Before we go any further, we need to import the WindowsServiceMonitor.xml file into SCOM using the Import Management Packs option from the Administration\Management Packs area in the console as shown here....

Next up, we'll create a temporary folder on the same computer that you've just used the console to import the management pack with. We'll create a folder in C:\Temp\SCOM (shown in the image below) but you can use whatever path you wish for this.

Once the folder has been created, launch a PowerShell window with administrative permissions and run the ServiceMPEditor.ps1 script to open the Service MP Editor similar to the following image...

Now, there's a specific order of steps that you need to follow when entering information into the Service Editor and for this part, I've borrowed the original numbered step-by-step image from Andy's blog post that should make things easy to understand...

If you want to add monitors for a small number of Windows Services, then follow these steps in order (we'll cover importing a larger list of services later):
  1. Management Server – type the name of one of your SCOM management servers in this field.
  2. Management Pack Location – type the location of the temporary folder that you created earlier (we'll use C:\Temp\SCOM) into this field.
  3. Get MP Config – clicking this button will export a copy of the original WindowsServiceMonitor.xml management pack from your SCOM environment into the temporary folder location specified in the previous step.
  4. New Service – a click of this button will ready the Service Name field to allow you to start a new service configuration.
  5. Service Name – it's imperative that you type the exact 'Service name' of the Windows Service in here and not the 'Display Name' (refer to the example in the previous image taken from Andy's blog where he has highlighted the Service name for the Print Spooler service - which is simply named Spooler).
  6. Confirm Service Edit – click this after you've specified the Service name and finished choosing all your service monitoring options.
  7. Save MP Config – click this button when you're finished editing and ready to commit your changes to the management pack.
Here's a screenshot of what the editor looks like in my demo environment where I've added three services (Windows Firewall, Windows Time and Print Spooler).

After you've clicked the Save MP Config button, you can close the editor and check that the C:\Temp\SCOM\WindowsServiceMonitor.xml management pack contains the newly added services...

Now re-import the management pack from your temporary location back into SCOM using the Import Management Packs from the console. You'll get a notification stating that the management pack is already installed and you can just ignore this and hit the Install button to re-import it again as shown here...

Once the management pack completes its discovery, you should be able to see the newly monitored services light up in the Discovered Inventory view from the Monitoring workspace of the console (make sure to change the target for this view to WindowsService as shown below).

If you're impatient like me and don't want to wait for the discovery to kick in automatically (by default it's configured to run once a day), you can either reduce the discovery time with an override or simply bounce the Microsoft Monitoring Agent service on the server(s) running the service that you want monitored and you should then see the Discovered Inventory view populating like this...

To test the management pack, stop one of your newly monitored services and after a minute or so, you should see the service roll up as a critical state to the Windows Computer object that's hosting it as shown here in this diagram view...

The nice thing with this management pack is that it comes with some custom tasks to help you manage your monitored services and clicking the Start Service task from the pane on the left (shown below), will then restart the problematic service for you without the need to logon directly to the computer!

Note: You could also enable the automatic WindowsService.ServiceStart.Recovery task option from the Diagnostic and Recovery tab of the monitor to get SCOM to restart the service automatically itself in the event of it stopping unexpectedly. This recovery task will restart the service automatically up to 3 times before giving up and alerting you to the fact that the service is constantly being stopped and started.

Importing a Custom List of Services

If you have a large list of Windows Services that you want to monitor and don't fancy having to manually enter each one into the Service Editor, then there's a handy Import Services option that allows you to import a CSV file with the list of custom services that you want monitored.

You need to understand the format the CSV file needs to be in first, however, because if you get it wrong, you'll end up having to either edit the XML file directly or just start the whole process again.

Here are the steps I went through in the editor to get this bulk import option working:
  1. Management Server – type the name of one of your SCOM management servers in this field.
  2. Management Pack Location – type the location of the temporary folder that you created earlier (we'll use C:\Temp\SCOM) into this field.
  3. Get MP Config – clicking this button will export a copy of the original WindowsServiceMonitor.xml management pack from your SCOM environment into the temporary folder location specified in the previous step.
  4. Import Services – this button is used to select a CSV file that contains a list of Windows Service names that you want to monitor. The CSV file must be named WindowsServiceMonitor.csv and needs to be located in the temporary folder location specified in the Management Pack Location field.
Here's a screenshot of the steps you need to take in the editor when you want to import a list from CSV....

When you click the Import Services button, you'll be presented with the warning below stating the name and location that your CSV file needs to have...

Assuming you've named your CSV file correctly and copied it to the temporary location specified in the warning dialog, click Yes to continue and you'll be presented with the custom list of services to be monitored as specified in the CSV you previously created.

CSV Creation Tip #1 - The CSV file needs to be formatted with four column names (Service, Start, End, DaysofWeekMask) and you need to specify values similar to the image below...

CSV Creation Tip #2 - An easy way to quickly grab a CSV file in the correct format is to just manually add one or two Windows Services to the Service Editor and then use the Export Services button to export a template CSV file that you can edit as you need.

CSV Creation Tip #3 - You can export a full list of Windows Service names to a CSV file by using the following PowerShell command (this exported CSV file won't be in the correct format for the Service Editor so you'll need to then copy/paste the names from here into the previously created WindowsServiceMonitor.csv file):

Get-Service | Sort-Object -Property DisplayName | Export-CSV -path C:\winserviceexport.csv
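
Tips #2 and #3 can be combined in a short script. The following is an added example, not part of the management pack or of ServiceMPEditor.ps1: it copies the Start, End and DaysofWeekMask values from a template row exported with the Export Services button and writes one row per service, skipping any entry that is a display name rather than a service name. Template.csv and the $wanted list are assumptions made for illustration.

```powershell
# Added example: builds WindowsServiceMonitor.csv for the editor's Import Services button.
# Assumptions (not from the original post): Template.csv is a hypothetical name for a
# file produced with the Export Services button; $wanted is a constructed sample list;
# the script runs on a server where the listed services are installed.
$folder       = 'C:\Temp\SCOM'
$templatePath = Join-Path $folder 'Template.csv'
$outPath      = Join-Path $folder 'WindowsServiceMonitor.csv'
$columns      = 'Service', 'Start', 'End', 'DaysofWeekMask'

# Take the schedule values from the first exported row instead of guessing them.
$template = Import-Csv -Path $templatePath | Select-Object -First 1
if (-not $template) { throw "No rows found in $templatePath" }
$missing = $columns | Where-Object { $_ -notin $template.PSObject.Properties.Name }
if ($missing) { throw "Template is missing column(s): $($missing -join ', ')" }

# 'Print Spooler' is a display name, included on purpose to show the check.
$wanted = 'Spooler', 'W32Time', 'MpsSvc', 'Print Spooler'

$rows = foreach ($name in ($wanted | Sort-Object -Unique)) {
    # -Name matches the service name only; the exact comparison rules out wildcard hits.
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $name }

    if (-not $svc) {
        # Help the operator when a display name was supplied by mistake.
        $hint = Get-Service -DisplayName $name -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($hint) {
            Write-Warning "'$name' is a display name; the service name is '$($hint.Name)'. Skipped."
        }
        else {
            Write-Warning "'$name' was not found on $($env:COMPUTERNAME). Skipped."
        }
        continue
    }

    [pscustomobject]@{
        Service        = $svc.Name
        Start          = $template.Start
        End            = $template.End
        DaysofWeekMask = $template.DaysofWeekMask
    }
}

if (-not $rows) { throw 'No valid service names; nothing written.' }

# -NoTypeInformation keeps the column names as the first line of the file.
$rows | Export-Csv -Path $outPath -NoTypeInformation
"{0} service(s) written to {1}" -f @($rows).Count, $outPath
```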

When you're satisfied with the imported bulk list of Windows Services, the final step you need to complete in the editor is to hit the Save MP Config button to commit the changes to the MP.

Now all that's left to do is to close the editor and re-import the newly updated MP from your temporary location back into SCOM.

After the discovery process completes, you can see the full list of monitored services from the Discovered Inventory view similar to my demo environment here...

All credit goes to Andy Leibundgut for his contribution of this management pack to the SCOM community - and make sure to leave any comments you have on bugs or suggested improvements directly on his original blog post here.

Tuesday, April 4, 2017

Cloud and Datacenter Conference 2017

Conference season is beginning to kick off again and in just over four weeks' time (4th - 5th May), I'll be presenting a session at the Cloud and Datacenter Conference in Munich.

The conference is organised by Rachfal IT Solutions and it's the brainchild of my good friend and well-known MVP Carsten Rachfal (aka @hypervserver). It's my first time presenting at this event and it'll also be my first time in Munich so I'm really looking forward to it.

There's a long list of awesome speakers presenting over the two days that reads like a who's-who of Cloud and Datacenter specialists from across the MVP and Microsoft world.

My presentation will be in the Chicago room on the Thursday and it's titled 'What's New in OpsMgr 2016?'. In the session, I'll demonstrate new features, enhancements and administration tips to help make your OpsMgr 2016 environments rock.

Here's a snippet of the agenda for the room I'll be presenting in...

You can check out the full conference schedule here.

Browsing through the schedule, there's a really good mix of sessions delivered in either German or English and I've already bookmarked a number of them to attend so I can learn from the experts in areas like Hyper-V, Azure Stack, Azure and OMS.

If you're in Germany and haven't registered yet, head over to and get your tickets before it sells out as from what I've heard about the venue, food, content and networking at last year's event, it's going to be epic!

Friday, March 10, 2017

SCOM 2016 Agent Crashing Legacy IIS Application Pools

SCOM 2016 has been generally available since late last year and as is usually the case with new versions of software, compatibility issues begin to rear their heads as more organizations begin to adopt it.

During one of our recent SCOM 2016 deployments we encountered an issue where the agent (referred to as the Microsoft Monitoring Agent) was deployed to an IIS server - initially without any apparent problems. However, when the IIS server was restarted some time later to accommodate some Windows updates, the IIS Application Pools began to crash regularly. A check of the Windows Event Log on the server threw up the following Event ID 1000 error:

Log Name: Application
Source: Application Error
Date: 24.02.2017 10:42:30
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Faulting application name: w3wp.exe, version: 8.0.9200.16384, time stamp: 0x50108835
Faulting module name: PerfMon64.dll, version: 8.0.10918.0, time stamp: 0x577fd168
Exception code: 0xc0000409
Fault offset: 0x0000000000149794
Faulting process id: 0x2c38
Faulting application start time: 0x01d24405d195eb6a
Faulting application path: c:\windows\system32\inetsrv\w3wp.exe
Faulting module path: C:\Program Files\Microsoft Monitoring Agent\Agent\APMDOTNETAgent\V8.0.10918.0\PerfMon64.dll

Identifying the Issue

The 'Faulting Module Path' in the above application error pointing to the Application Performance Monitoring (APM) component of the agent was the first give-away to us that SCOM was the culprit. A quick uninstall of the SCOM 2016 agent and recycle of the Application Pools gave us confirmation when the errors and crashes went away.

The Microsoft Monitoring Agent APM component comes bundled in the form of a Windows service as part of the initial agent installation but is disabled by default as shown below:

APM is typically enabled through the SCOM console on a server-by-server basis and delivers some really nice DevOps scenarios for monitoring .NET workloads at a code level.

I've previously blogged about SCOM APM, presented on it at conferences and even wrote a chapter in the Mastering SCOM 2012 R2 book about it. A number of our customers also use this feature and it's always been very successful.

The weird thing about this particular IIS crashing issue though was that the APM feature was never enabled.

We needed to dig deeper to see how we could continue monitoring this server using SCOM without having the IIS Application Pools crashing and as the faulting module path in the Event Log error referenced the APM component, I decided to focus here first.

If you use the command line to install your SCOM agents, you can specify a parameter that removes the APM feature from the agent installation (check out this link for command line options) and I figured this was the best place to start as the IIS server in question didn't require the APM feature.

Removing the Agent APM Feature

In the following steps, I'll walk you through a process to remove the APM feature on the SCOM 2016 agent using the command line. The first walk-through will perform an in-place repair on an existing agent to save you from having to uninstall the agent first. An added benefit of the repair option is that the agent will stay registered as Remotely Manageable in the console and you'll avoid having to follow this process to change them.

The second walk-through will show you how to use the command line to perform a new agent installation that doesn't contain the APM feature.

(Repair Agent Install Option)

Copy the SCOM 2016 Agent installation folder (amd64) from your SCOM server to the IIS server (this folder is located at "C:\Program Files\Microsoft System Center 2016\Operations Manager\Server\AgentManagement")

Log on to the IIS server and open a command prompt using an administrative account. From there, browse to the location where you saved the SCOM 2016 Agent folder to and run the following command:

msiexec.exe /i momagent.msi NOAPM=1

This command will then launch the Microsoft Monitoring Agent Setup installer shown in the following image...

Click Next and if you've already installed the SCOM 2016 agent to your IIS server, then you'll be presented with the Program Maintenance window shown below.

Select the Repair option and hit Next to move on.

Hit Install at the next window and the agent repair should kick off. After a minute or so, the agent repair job will be complete and you'll be presented with the following confirmation of success...

Now if you open the Windows Services (services.msc) snap-in and check the services listed for the Microsoft Monitoring Agent, you'll see that the APM component is no longer installed as shown here...

With the agent successfully repaired, it'd be a good idea to check the Update Rollup version of the agent and if needs be, to re-apply the latest one (UR2 at this time). You can check the UR version of your agent by importing the awesome SCOM Agent Version Addendum Management Pack from Microsoft's Kevin Holman.

Recycle the IIS Application Pools on your IIS server to ensure the new agent changes take effect.

(New Agent Install Option)

If you've already uninstalled the SCOM 2016 agent from your IIS servers or haven't yet deployed it, then follow these steps to get it deployed without the APM feature:

Copy the SCOM 2016 Agent installation folder (amd64) from your SCOM server to the IIS server (this folder is located at "C:\Program Files\Microsoft System Center 2016\Operations Manager\Server\AgentManagement")

Log on to the IIS server and open a command prompt using an administrative account. From there, browse to the location where you saved the SCOM 2016 Agent folder to and run the following command:

msiexec.exe /i momagent.msi NOAPM=1

This command will then launch the Microsoft Monitoring Agent Setup installer where you will need to click Next and then hit the I Agree button in the following window to accept the license agreement.

At the Destination Folder window, confirm the installation path for the agent and click Next to continue.

When you see the Agent Setup Options window, select Connect the agent to System Center Operations Manager (shown below), then hit Next.

At the Management Group Configuration window, fill in the information required to connect the agent to your SCOM environment and remember that the Management Group Name field is case sensitive!

Click Next to continue and at the Agent Action Account window, leave the Local System option selected, then hit Next again.

Review your installation settings at the Ready to Install window, then click Install to deploy the agent without the APM feature.

When the agent has installed, open the Windows Services (services.msc) snap-in and check the services listed for the Microsoft Monitoring Agent. You'll see that the APM component is no longer installed (see image below).

As this is a new manually installed agent, you will need to change the Remotely Manageable status of the agent back to Yes by following the steps in Kevin Holman's post here (although this post references SCOM 2007, the steps are still the same for SCOM 2016).

You will also need to install the latest update rollup - which is currently at UR2 - and if you've set the Remotely Manageable status back, you should be able to push the update rollup out from the SCOM console. Make sure to reference the SCOM Agent Version Addendum Management Pack to deliver easier visibility of your agent UR versions.

Recycle the IIS Application Pools on your IIS server to ensure the new agent changes take effect.

More Information About This Issue

This issue was the first time in years that I've encountered a scenario where the SCOM agent 'broke' something and as such, I wanted to investigate it a bit further and raise it with Microsoft. One of the massive benefits of being a Microsoft MVP for me is that I get the opportunity to interact with the SCOM Product Group on a regular basis.

After a few emails back and forth, the awesome folks on the Product Group came back to me with the following detailed information about the issue:

  • Issue affects only IIS Application Pools running .NET Framework 2.0/3.5 and can be seen on any version of Windows Server or IIS that hosts these pools.
  • Switching the IIS pool to .NET Framework 4.0 (or higher) will solve the issue; however, this is not a suitable workaround for SharePoint as SharePoint 2010 doesn't support 4.0 pools.
  • If you need to deploy to the system with IIS running pools 4.0+ - no action is needed and a default installation of the SCOM 2016 Agent will work fine.
  • For now, if you need to deploy to a server running .NET Framework 2.0/3.5 application pools, then you'll need to either install the SCOM 2016 agent with the NOAPM=1 switch (following my walkthrough above) or you can continue to use the SCOM 2012 R2 agent as it’s forward compatible with SCOM 2016 and doesn't crash these application pools.
  • A permanent fix for this issue will be included in Update Rollup 3 for the SCOM 2016 agent.
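
To check whether a given IIS server matches the conditions listed above, the following script can be run locally in an elevated PowerShell session. It is an added example, not code from the original post or from Microsoft, and it assumes the WebAdministration module is installed, that the APM service's display name contains "APM", and a 30-day look-back window (a constructed default).

```powershell
# Added example: local triage for the SCOM 2016 agent / legacy application pool crash.
# Assumptions (not from the original post): the WebAdministration module is available,
# the APM service's display name contains 'APM', and 30 days is a sensible look-back.
# The agent's Update Rollup level is not checked here.
Import-Module WebAdministration

function Get-LegacyAppPool {
    # .NET Framework 2.0 and 3.5 pools both run on CLR 2.0 and report 'v2.0'.
    Get-ChildItem IIS:\AppPools |
        Where-Object { $_.managedRuntimeVersion -eq 'v2.0' } |
        Select-Object Name, managedRuntimeVersion, State
}

function Get-ApmCrashEvent {
    param([int]$Days = 30)

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent raises an error when nothing matches, so it is silenced here.
    # File names are matched rather than message wording, which may be localised.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Message -match 'w3wp\.exe' -and
            $_.Message -match 'APMDOTNETAgent\\.*PerfMon64\.dll'
        }
}

function Get-ApmService {
    # The post states that the APM component is a Windows service listed with the
    # other Microsoft Monitoring Agent services and that NOAPM=1 removes it.
    Get-Service -DisplayName 'Microsoft Monitoring Agent*' -ErrorAction SilentlyContinue |
        Where-Object DisplayName -match 'APM'
}

$pools   = @(Get-LegacyAppPool)
$crashes = @(Get-ApmCrashEvent)      # newest event first
$apm     = @(Get-ApmService)

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    LegacyPools       = $pools.Name -join ', '
    ApmServicePresent = ($apm.Count -gt 0)
    CrashEvents       = $crashes.Count
    LastCrash         = ($crashes | Select-Object -First 1).TimeCreated
    # Exposed: a CLR 2.0 pool exists and the APM component is still installed.
    Exposed           = ($pools.Count -gt 0 -and $apm.Count -gt 0)
}
```

A server that reports Exposed as True with zero crash events has not necessarily been restarted since the agent was installed, which is when the crashes described above began.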

***Update March 21st 2017: The Product Group have also just released a blog on this issue and in their post, they have confirmed that it will be resolved in Update Rollup 3 along with a chance that a hotfix may be released sooner. Check out their blog post here.***


Although this issue has been an annoyance, it's good to know that it only affects a small subset of legacy systems and the workaround is relatively simple to implement. Hopefully this blog post will help to serve people who've already deployed SCOM 2016 (or who are about to deploy it) and need to monitor legacy IIS application pools prior to the release of UR3.

Tuesday, February 28, 2017

SCOM 2016 - The Curious Case of the Missing Agent Patch List Property and Static Agent Version Value

Last week Microsoft released the second update rollup (UR2) for SCOM 2016 and a common trend I've noticed with these URs is that the Patch List property is missing from the Agents by Version view in the Monitoring workspace of the console.

This is a bug with the SCOM 2016 agent and a bit of an annoyance when deploying update rollups as it's handy to know which agents need to be upgraded and which ones don't.

A quick check in the Agent Managed view of the Administration workspace will show a version for the agent but this version won't update to any new UR versions. The following image shows the default SCOM 2016 agent version even though I've deployed UR1 to this environment months ago...

Now, if you're thinking that after an update, all agents always drop into the Pending Management view of the Administration workspace and patiently wait until you're ready to upgrade them, then you'd be wrong. Unfortunately, depending on how you deploy the update rollup (e.g. non-admin permissions, manually installed etc.), there's a good chance that some if not all of these agents will not appear in Pending Management and you'll end up with something similar to this...

So, now your only option in the console to upgrade the agents is to run a series of bulk Repair jobs from the Agent Managed view on all of them and then hope for the best that all agents have been successfully upgraded. This is not a fun process and I really don't like not having a central view of all my agent versions direct in the console.

Thankfully Microsoft's Kevin Holman (SCOM Deity and all-round awesome community contributor) has created the new SCOM Agent Version Addendum Management Pack to help address this exact problem!

This management pack runs a script that disables the built in discovery for Microsoft.SystemCenter.DiscoverHealthServiceProperties (which has a display name of 'Discover Health Service Properties') and replaces it with a new discovery that attempts to retrieve the actual update rollup Agent Version value from a DLL file in the agent installation path.

Straight after I import this new MP, my agent version in the Agent Managed view changes to reflect the existing agent versions (the 8.0.10931.0 version shows the UR1 agents that I currently have running) and after I've deployed UR2, I can select those agents for a Repair job as shown in the image below...

When the Repair job has completed, the version changes to show that my agents have now been updated to UR2 as shown here:

I love this MP as it adds some much needed functionality to the Agent Managed view within the console. An extra bonus is that this MP also works perfectly on SCOM 2012 R2 too!

If you want to know more, check out Kevin Holman's blog post here and you can download it directly from the TechNet Gallery here.


Wednesday, February 22, 2017

SCOM 2016 Update Rollup 2 (UR2) Now Available

Today, Microsoft released a new Update Rollup (UR2) for SCOM 2016.

This update contains twenty documented fixes with the following few of particular interest to me (based on what I've come across on customer sites so far):

  • When alerts are closed from the Alerts view after you run a Search, the closed Alerts still appear in the View when the Search is cleared.
  • Groups disappear from Group view after they are added to a Distributed Application.
  • When the maintenance mode option for the dependency monitor is set to “Ignore,” and the group (consisting of the server to which this dependency monitor is targeted) is put in Maintenance mode, the state of the monitor changes to critical and does not ignore maintenance mode.
  • Because of a rare scenario of incorrect computation of configuration and overrides, some managed entities may go into an unmonitored state. This behavior is accompanied by 1215 events that are written to the Operations Manager log.

You can see the full list of fixes from the official UR2 knowledge base article here.

To get access to this update, you can choose to either manually download it from the Microsoft Update Catalog here or you can use Windows Update to pull down the update automatically to your SCOM 2016 environment.

Whatever method you choose to deploy this update, make sure to read through the full installation instructions as there are some manual tasks to carry out once the update has been applied to each SCOM role and if you're not confident, I'd always recommend waiting for Microsoft's Kevin Holman to add his walk-through post for this UR to his blog here.

Finally, this update is one part of a larger UR2 release for covering other products in the System Center 2016 suite. If you've deployed additional components of the suite alongside SCOM, then you might be interested to check out the updates now available for DPM 2016, SCSM 2016, SPF 2016 and SCVMM 2016.

Full details of all the fixes in the main System Center 2016 UR2 downloads can be viewed at:

Tuesday, February 14, 2017

Scandinavian SCOM Solutions with a Global Reach

A few months before the Christmas break, I had the pleasure of being invited over to the excellent SCOM Day event in Sweden to present a session and hang out with some of my friends from the Scandinavian region.

The event was organised by Approved Consulting in Gothenburg and the target audience had a mix of IT administrators, consultants and senior IT managers. This was my first-time visiting Sweden and from the venue, to the food, the craft beers and of course, the people, it was a really enjoyable experience.

While I was over there, I had the chance to sit down with Approved CEO Jonas Lenntun and go through some of the solutions they offer to complement System Center and OMS. I was already aware of the free community SCOM Health Check Report they released a couple of years ago (if you haven’t tried this out yet, then download it from here):

Free solutions like this for SCOM are always good and the Health Check Report delivers an excellent overview of the health of your SCOM deployments - showing you information about the top alerts, events, performance counters, discoveries and even state changes along with database space usage and grooming history.

IT Service Analytics from Approved

Another cool solution that Jonas and the guys have been working on is their new IT Service Analytics platform. This plug and play solution enables organisations to analyse their IT services being monitored with SCOM and then forecast potential issues – well before they occur. If you’ve deployed Service Manager (SCSM) or even Microsoft’s new Operations Management Suite (OMS), then the IT Service Analytics platform can pull data from any combination of SCOM, SCSM and OMS to give you an even deeper analysis of your IT estate.

Here’s an overview taken from their blog on how it works:

By optimizing and combining data from System Center Operations Manager, Microsoft OMS and System Center Service Manager into one holistic data model, you are able to put the IT service in focus. This allows you to extract, correlate and predict information about IT Service Management processes for things like event, capacity, availability, incident and change management.

We utilize most of the Microsoft Business Intelligence tools, such as SQL Server, SSIS, SSAS, R and SSRS. This allows our analytical platform to seamlessly blend with your System Center installation and tap software and hardware resources that are readily available.

Taking it for a Test Drive

Earlier this week I had a chance to take the IT Analytics platform for a test drive and my first impression is that it’s an awesome reporting tool to have in your locker to help with troubleshooting and predictive analysis.

From the home screen, you can choose from a wide range of pre-built reports with information about alerts, capacity management, events, configuration changes and IT service overviews to name just a few.

One of the reports I really like is the Services report. Clicking this tile from the main reports window brings me to the Service Overview shown in the following image:

This report gives me a 30-day availability overview of all the IT services that I have modelled and monitored in my SCOM environment along with information about alerts, change tracking, capacity and predictive event risks.

Here’s a description of what the information in each of the report columns means:

  • Goal – Has the SLA goal been met or not? IT Services that have met their SLA will be displayed as green instead of red (in this demo environment, I’ve sorted the column to display all SLAs that haven’t been met).
  • Service – The name of the IT service.
  • Availability – Displays the last 12 months of the IT service availability.
  • Percentage – The SLA percentage that has been reached. The upwards arrow means that the SLA has reached a better result than the previous month.
  • Failures – The number of outages for the service during this period.
  • Downtime – Displays the number of minutes the service has been unavailable for the month.
  • Alerts – The number of alerts that have been generated by the service during this defined report period. The arrow shows whether this has decreased or increased compared to last month.
  • Events – The number of events that have been generated by the service during this period. The arrow shows whether this has decreased or increased compared to last month.
  • Change Tracking – The number of changes made to servers or other components of the service.
  • Capacity Risks – Shows if there are risks with capacity, such as a server running out of free memory based on the usage.
  • Event Risks – Shows if there are any predicted events for the service.

Identifying Bottlenecks

When I drill into a particular IT Service from the Service Overview report, I get a more targeted Service Details report with a number of informational tiles and a Top N view of common KPIs like % CPU, % Memory and % Disk Space used.

The Bottlenecks tile sparked my interest here so I clicked this one first…

This brought me deeper to the following view – where I could see that two of my servers in this IT service were displaying potential bottlenecks.

Clicking into the server with two potential bottlenecks identified, I was then presented with a performance chart that showed a very high percentage of bandwidth used on a new network adapter we recently installed into the server to support DPM backups. The performance chart also confirms for me that although my network adapter spiked on and off for the past few days (no doubt when backup jobs are running), the overall average performance of it seems fine and it’s projected to stay around the 10% utilisation mark for the next few months.

The other potential bottleneck that was identified relates to the % Free Disk Space of a logical disk on the Hyper-V server. I can see from the chart that in the past year, the free disk space on this logical disk has fluctuated from approx. 30% free to a minimum value of less than 1%. The chart looks ahead a few months and predicts that the best I can hope for (assuming I leave things as they are) is no more than 7% free disk space.

Predictive Alerts

Back at the Service Details report, I can click the Events tile shown in the image below to give me an Events Report with a heads-up on the forecasted events and alerts that are likely to occur in my environment within the next 24 hours.

All Alert and Event reports have built-in filters for every chart to give you a more scoped analysis view of what's going on. From the Event Report shown in the image below, I can see there are some predicted alerts and events that I need to pay attention to.

Drilling further into the predicted alert value for a particular monitored object, I’m presented with an ‘IIS 8 Web Server is unavailable’ alert that’s been predicted and the number of times it has happened over the last month. I can see the time of day the alerts usually show up. In this example, these alerts typically occur around 6am every day.

If I go back to the previous view and click into the Events tile, I can see it’s broken down into three sections.

The first section is a summary where you can see information on the top hosts, data channels, rules, management packs etc. which are generating the most events. In the image below, we can see that the server generating the most events is SEGOTSQL01. The grey bar in the middle displays last month’s value. You can also see that this server alone has generated 88% of all events for the current period.

The middle section of this report displays the time and day of the week that the events are generated.

The final section of this report gives us an insight into both the last 30 days and the last 12 months for how events are being generated.

Custom Reports

It's easy to create your own custom reports and you can export them to Power BI or Microsoft Excel in a matter of minutes. Here's a nice example of one such custom exported report...


I mentioned earlier that I love free solutions for SCOM and when I quizzed Jonas on how much this awesome offering costs to license, I was delighted to hear that Approved have decided to release it for free! They do require a one-off nominal setup and training fee but aside from that, there are no other limitations on the platform.


If you're interested in deploying these free solutions into your SCOM environment, then use the contact info here to get in touch with the team at Approved. For more information on the IT Analytics platform, take a read of some blog posts written by well-known SCOM community blogger Daniel Örneling here and here.