Active Directory Federation Services (AD FS) 2.0 has just released its first Management Pack (MP) for Microsoft System Center Operations Manager 2007 Service Pack 1 (SP1) and R2!! We have worked on it for quite some time, and it is exciting to finally get it out!
As you may know, there is an MP for AD FS v1. This MP is for AD FS 2.0. The goal of the AD FS 2.0 MP is to help your IT operators easily monitor the health of the AD FS 2.0 service and its different parts as well as to provide them with troubleshooting content in case some issues arise. If it’s your first time hearing about MP, don’t worry. Let’s do a quick overview by first explaining what an MP is and why you may want to use one.
Note: if you already have System Center Operations Manager 2007, you can download and use the AD FS 2.0 MP for free! For details about System Center Operations Manager 2007 licensing, see How to Buy Operations Manager 2007 R2.
What is a Management Pack?
A management pack (MP) contains predefined monitoring rules and other settings to work with System Center Operations Manager. Each product defines its own MP. You must import the product’s MP into System Center Operations Manager to use it. After it is imported, the monitoring agent of System Center Operations Manager will run on the computers to monitor the health of a specific service or application based on the monitoring settings that are defined in the MP.
The predefined settings in the MP include the following:
· Discovery information that makes it possible for System Center Operations Manager to automatically detect and begin monitoring services and applications
· Monitoring and alert rules that change the health state of the monitored services or applications in System Center Operations Manager and generate alerts when the corresponding health condition is detected
· A knowledge base that contains error and troubleshooting information that is associated with the alerts
For more information about the MP concept and System Center Operations Manager, see Microsoft System Center Operations Manager.
Benefit of using a Management Pack
We mentioned that an MP provides the monitoring mechanism for services and applications. The audience for an MP is primarily IT operators. They care about whether their application is healthy, whether the users of their application are happy, and how well the parts of their application work together. IT operators can use the MP to pinpoint what is broken so that they do not need to do a manual diagnosis. By using an MP, IT operators get a central view of the health of the multiple services or applications that they are monitoring, and they can make sure that this health information stays up to date as things change. Also, the MP provides a knowledge base, which IT operators can use to quickly troubleshoot a problem without consulting other resources.
So, we have covered some basic concepts of MPs; let’s take a look at the AD FS 2.0 MP. As you may know, AD FS 2.0 is a security token service that authenticates users and issues security tokens. We can logically divide AD FS 2.0 into different parts. You can use the AD FS 2.0 MP to monitor the health of each part of the AD FS 2.0 service as well as the overall health of the AD FS 2.0 service. The primary mechanism that the AD FS 2.0 MP uses for health monitoring is AD FS 2.0 events. Of course, you may think “I can use Event Viewer to do the same thing.” However, there are benefits to using the AD FS 2.0 MP instead of Event Viewer:
· First, the AD FS 2.0 MP does the filtering and analysis of the events for you. It alerts you only when it is very likely that something is broken (as opposed to an intermittent problem). Also, it alerts you only once, so you won’t be flooded with hundreds of events, which would make it hard to figure out the root cause of a problem.
· Second, besides reactive monitoring, AD FS 2.0 MP also provides proactive monitoring, which can detect a problem before it happens. For example, AD FS 2.0 MP proactively monitors the expiration status of the Secure Sockets Layer (SSL) certificate that is configured for the federation passive website.
· Third, the AD FS 2.0 MP separates and scopes down the issues to a particular AD FS 2.0 component and provides rich knowledge about the issues, all of which help you troubleshoot quickly.
· Fourth, AD FS 2.0 MP also integrates performance monitoring and provides a diagram view of the performance. It is very easy for you to tell the performance pattern from the diagram.
The AD FS 2.0 MP provides 10 localized versions, one for each supported language: Spanish, French, Italian, Japanese, Korean, Chinese (China), Chinese (Taiwan), Russian, German, and Portuguese (Brazil).
Ok, that’s enough conceptual talk. Let’s look at this stuff in action!
What’s in the AD FS 2.0 MP?
We have talked about what an MP is and what the benefits of using an AD FS 2.0 MP are. So, what’s in an AD FS 2.0 MP, and how do we use it? Let’s take a closer look at the AD FS 2.0 MP.
The AD FS 2.0 MP provides an intuitive way for IT operators to get an overview of the topology of AD FS 2.0 deployments in a farm, as well as the AD FS 2.0 configuration of a single instance. It also makes it possible for IT operators to monitor the health of AD FS 2.0 deployments and to diagnose and fix the issues that affect AD FS 2.0 health.
In detail, the AD FS 2.0 MP has the following functionality:
• Discovers AD FS 2.0 deployment (in either the federation server role or the federation server proxy role) in a farm or on a single, monitored computer
• Discovers different AD FS 2.0 parts that have been deployed on the monitored computer
• Monitors the health of different AD FS 2.0 parts and generates appropriate alerts
• Monitors the performance of AD FS 2.0
• Provides diagnostic knowledge for each alert
AD FS 2.0 Views
The following illustration shows what the AD FS 2.0 views in System Center Operations Manager 2007 look like. As you can see, the views include the State View, Alerts View, Events View, and Performance View. All of these views are defined for each AD FS 2.0 role—federation server or federation server proxy. In the topmost State View, you can see the overall health state of the AD FS 2.0 service, as shown below. In this example, no federation server proxy has been discovered, so the health state column for Federation Server Proxies is empty.
The following illustration shows the Performance View of one of the AD FS 2.0 federation servers being monitored. The performance area of the AD FS 2.0 service that is being monitored is Token Request per second.
AD FS 2.0 Discovery
The AD FS 2.0 MP can discover all the AD FS 2.0 instances in a farm. The following illustration shows an example of a State View of two AD FS 2.0 federation servers in a Windows Internal Database (WID) farm. As you can see, the parts that the AD FS 2.0 MP monitors for the federation server are Trust Management and Authentication, which contain token issuance and token acceptance monitoring; WID Sync, for the synchronization between primary and secondary computers; Web Sites; and Certificate Management. For the federation server proxy, the parts that the AD FS 2.0 MP monitors are Authentication and Web Sites.
Besides monitoring the health of these parts, the AD FS 2.0 MP also retrieves the important configuration information for each part (shown in the detail view in the previous illustration). In the previous example, the AD FS 2.0 MP detects that those two computers belong to a WID farm and that the highlighted computer in the farm is the primary computer in the farm.
You can also open the Diagram View to get an idea of the overall deployment topology of the AD FS 2.0 servers and proxies. All the stand-alone federation servers are grouped under a single federation service node, and each farm has its own node. The following illustration shows an example. The AD FS 2.0 MP has detected an AD FS 2.0 farm that consists of two federation servers and one stand-alone AD FS 2.0 instance on the Adfsidentity computer.
The following illustration shows all the monitored AD FS 2.0 parts on one of the federation servers in the AD FS 2.0 farm.
AD FS 2.0 Monitoring
The AD FS 2.0 MP monitors the AD FS 2.0 service based on two mechanisms: events and scripts. If a monitored event occurs, it changes the health state of the related AD FS 2.0 component, generates an alert, or both. The AD FS 2.0 MP also has its own PowerShell-based scripts that run periodically to monitor the health of the different AD FS 2.0 parts proactively (see the AD FS 2.0 MP Guide for the complete set of AD FS 2.0 monitoring scripts). Also, we have defined custom overrides in the MP for the different script-based objects, in addition to the standard overrides that System Center Operations Manager provides. Users can override the default values, such as how frequently the scripts run.
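As an added illustration of the kind of proactive, script-based check described above (this is example code, not one of the MP's own scripts), the following PowerShell script reports whether the HTTPS endpoint of a federation server answers, how many days its SSL certificate has left, and whether the federation metadata document is served. The host name, port, and warning threshold are assumed parameters; `sts.example.com` is a placeholder.

```powershell
# Added example, not code from the AD FS 2.0 MP: a proactive check in the spirit of the
# MP's script-based monitors. It reports whether the HTTPS endpoint answers, how many days
# the SSL certificate has left, and whether the federation metadata document is served.
# FederationHost, Port and WarnDays are assumed parameters; the host name is a placeholder.
param(
    [string]$FederationHost = "sts.example.com",
    [int]$Port = 443,
    [int]$WarnDays = 30                      # warn when the certificate expires sooner than this
)

function Get-ServerCertificate {
    param([string]$HostName, [int]$TcpPort)
    # Record chain or name problems instead of failing, so the expiry can still be reported.
    $script:policyErrors = 'None'
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        return $true
    }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $TcpPort)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

$results = @()
try {
    $cert = Get-ServerCertificate -HostName $FederationHost -TcpPort $Port
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $state = if ($daysLeft -le 0) { 'Critical' } elseif ($daysLeft -le $WarnDays) { 'Warning' } else { 'Healthy' }
    $results += "SSL certificate '$($cert.Subject)' expires $($cert.NotAfter): $daysLeft day(s) left -> $state"
    if ("$script:policyErrors" -ne 'None') { $results += "Certificate validation problems: $script:policyErrors -> Warning" }
} catch {
    $results += "HTTPS endpoint ${FederationHost}:${Port} unreachable: $($_.Exception.Message) -> Critical"
}
# Every federation server publishes this document; failing to serve it is the kind of
# Trust Management condition that the alert example later in this post describes.
$metadataUrl = "https://$FederationHost/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $body = (New-Object System.Net.WebClient).DownloadString($metadataUrl)
    $ok = ([xml]$body).DocumentElement.LocalName -eq 'EntityDescriptor'
    $results += "Federation metadata at $metadataUrl" + $(if ($ok) { ': served -> Healthy' } else { ': unexpected content -> Warning' })
} catch {
    $results += "Federation metadata at $metadataUrl not served: $($_.Exception.Message) -> Critical"
}
$results
```

Run it from a scheduled task on a management computer that can reach the federation service; each line of output maps to the Healthy/Warning/Critical states that a script-based monitor would feed back into the State View.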
The health state of the AD FS 2.0 parts changes based on the rules that are defined in the MP. It is reset to the Healthy state automatically in two cases:
1. When there is a clear counter event that indicates that the issue has been resolved.
2. After some period of time, if there is no indication that this problem still persists, the health state resets.
The default time for case 2 is 15 minutes, which you can override. Outside these two conditions, you have to reset the AD FS 2.0 health state manually after you have made sure that the corresponding issue is resolved.
The following illustration shows the Alert View with the alerts that the AD FS 2.0 MP generated. The example is an alert for Trust Management, raised because AD FS 2.0 failed to create the Federation Metadata document. The knowledge for this alert contains a summary of this monitor, a description of the cause of the alert, and the detailed steps for resolution.
To avoid duplicate alerts, the AD FS 2.0 MP uses a monitoring mechanism provided by System Center Operations Manager 2007 called Alert Suppression. When an issue occurs, the same event may be generated multiple times for that issue and continues to be generated as long as the issue still exists. For example, federation passive requests may fail because the web.config file is corrupted. When this issue is mapped to an alert in the AD FS 2.0 MP, only one alert is generated, even when the issue triggers many events. Basically, the AD FS 2.0 MP analyzes the events per root cause and generates one alert per root cause accordingly.
Also, to avoid over-alerting, AD FS 2.0 refrains from generating alerts for issues that may be caused by intermittent problems. For example, the AD FS 2.0 MP waits for multiple occurrences of events that indicate that the AD FS 2.0 service cannot reach a domain controller before it generates an alert. For a detailed look at how the AD FS 2.0 MP implements alert suppression and event counting for key monitoring scenarios, see the AD FS 2.0 MP Guide.
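To make the alert suppression and event counting just described concrete, here is an added PowerShell example (not the MP's own implementation) that applies the same two rules to the AD FS 2.0 Admin log: an alert is raised only after an event ID recurs a threshold number of times within the window, and it is raised once and kept open, rather than repeated, while the events continue, then reset after a quiet window, mirroring the 15-minute auto-reset above. Treating the event ID as the root cause, the threshold, the window, and the state file path are all assumptions.

```powershell
# Added example, not part of the MP: alert-per-root-cause logic modelled on the alert
# suppression and event counting described above. It reads the AD FS 2.0 Admin log, groups
# events by event ID (assumed here to stand for a root cause), raises one alert per ID only
# when the ID occurred at least $Threshold times inside the window, keeps that alert open
# without re-alerting while the events continue, and resets it once they stop for a window.
# LogName is the AD FS 2.0 Admin channel; the other parameters and the state file are assumed.
param(
    [string]$LogName = "AD FS 2.0/Admin",
    [int[]]$EventIds = @(),            # IDs to count; empty means every critical/error/warning event
    [int]$Threshold = 3,
    [int]$WindowMinutes = 15,
    [string]$StateFile = "$env:ProgramData\AdfsAlertState.xml"
)

$now    = Get-Date
$since  = $now.AddMinutes(-$WindowMinutes)
$filter = @{ LogName = $LogName; Level = 1,2,3; StartTime = $since }   # 1=Critical 2=Error 3=Warning
if ($EventIds.Count -gt 0) { $filter.Id = $EventIds }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Alerts already raised and still open: event ID -> time the event was last seen.
$open = @{}
if (Test-Path $StateFile) { $open = Import-Clixml $StateFile }

$alerts = @()
foreach ($group in ($events | Group-Object Id)) {
    $id = [int]$group.Name
    if ($group.Count -lt $Threshold) { continue }            # looks intermittent: no alert yet
    $latest = $group.Group | Sort-Object TimeCreated | Select-Object -Last 1
    if ($open.ContainsKey($id)) {                            # same root cause, alert suppressed
        $open[$id] = $latest.TimeCreated
        continue
    }
    $open[$id] = $latest.TimeCreated
    $alerts += New-Object PSObject -Property @{
        EventId = $id; Occurrences = $group.Count
        LastSeen = $latest.TimeCreated; Message = $latest.Message
    }
}

# Auto-reset: an open alert whose event has not recurred within the window goes back to Healthy.
foreach ($id in @($open.Keys)) {
    if ($open[$id] -lt $since) {
        $open.Remove($id)
        Write-Output "Event $id quiet for $WindowMinutes minutes -> health state reset to Healthy"
    }
}
$open | Export-Clixml $StateFile
$alerts
```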
· The AD FS 2.0 MP uses events and scripts to monitor the health of the AD FS 2.0 service. Scripts are used for proactive monitoring, such as detecting whether the federation passive website is up and running and whether the SSL certificate is expiring.
· The health state of the AD FS 2.0 service and its parts may be autoreset or need manual reset, depending on the conditions.
· The AD FS 2.0 MP generates alerts when an issue is detected. An alert contains rich knowledge that can help troubleshooting.
· The AD FS 2.0 MP implements alert suppression and event counting so that your Alert View is not flooded with duplicate alerts or alerts that may not indicate a persistent issue.
Where to download AD FS 2.0 MP
Feel like you have a good understanding of what AD FS 2.0 MP has to offer? Give it a try! You can download the AD FS 2.0 MP and AD FS 2.0 MP Guide at Active Directory Federation Services 2.0 (ADFS) Monitoring Management Pack.
The AD FS 2.0 MP is localized into 10 languages. Choose the language of the MP in the drop-down list when you download the MP. This redirects you to the localized download page, where you can download the localized MP Guide as well.
Have fun trying it out!