MOM 2005 Solution Accelerators, part 1: Optimizing MOM 2005 alert volume

This tip was submitted by contributor David Williams.

Microsoft has performed another blitz against the systems management arena, with the release of Microsoft Operations Manager 2005 Solution Accelerators (SA). As free enhancements for all licensed installs, they noticeably increase MOM's value in the enterprise.

In this five-part series, I will examine each of the SAs, dedicating an article to each one. Microsoft is currently offering five SAs, with each one focusing on its own subarea and showing how extensible MOM can be. In this first article, I'll review the Alert Tuning SA. The other articles will focus on autoticketing, service continuity, multiple management group rollup and notification workflow.

Each SA is packaged as a single ".msi" that consists of a guide, code in some cases, additional MSI packages, test plans and case details. It's interesting to note that the test plans and case details were not meant to assist customers with their own testing. Instead, Microsoft supplied its own internal test plan for validating the guidance provided in the guides and the details of the test case execution. However, if an organization wants to run its own tests, it can use the test plans and case details as a model.

From the documentation, it's clear that each of the SAs reinforces the Microsoft Operations Framework (MOF). All of the SAs focus on the Service Monitoring and Control service management function, which resides in the operating quadrant of the MOF. As their goal, the SAs help MOM complete its mission: to observe the health of IT services and act when necessary to maintain compliance.

Microsoft's focus with this SA is to help organizations optimize their MOM 2005 alert volume. As most administrators have experienced, an overwhelming volume of alerts can quickly be the most crippling factor affecting an administrator's productivity or even ability. "False positives" can chew up hours of an admin's day, requiring organizations to increase staffing without gaining ground in operational effectiveness.

Microsoft touts that by deploying this tool, organizations can increase operational efficiency through:

  • A reduction or prevention of service incidents by using proactive remedial action.
  • Faster and more effective responses to service incidents.
  • Improved overall availability of services.
  • An increase in user satisfaction.

After running the SA download from Microsoft, the SA files will be extracted to your local system. This system does not need to be a MOM Management Server. However, it is recommended that this system have Visual Studio (VS) 2003 installed to take advantage of Reporting Services' Report Designer.

After installing the SA, browse the directory specified during the installation and you'll find the Optimizing MOM 2005 Alert Volume guide along with the Test Plan Word document and Test Case Details spreadsheet. You'll also find an MSI package containing the core reports for the SA. These reports -- AlertCountByDates, AlertCountByDevice and AlertCountByProcessingRule -- are the heart and soul of this SA.

To install the reports, run the "Alert Tuning Reports.msi" file. After installing them, browse to the specified directory and you'll find three ".rdl" files and the VS solution that you can open with VS 2003. Although you don't need VS 2003 to use the reports, you won't be able to look at the report design or modify them without it. If you're familiar with Reporting Services, use Report Manager to upload the three reports and create a shared data source that points to your OnePoint database. Finally, link each of the reports with the shared data source that you created.

Once your reports are ready to run, it's simply a matter of flagging the most frequent or excessive alerts and tuning the management pack or processing rule(s) that are responsible for raising that alert. This is done as a two-step exercise. During the first step, MOM administrators create a Health Model or Health Specification for each management pack (MP). In some cases, a commercial ISV may provide this among the documentation of its application (if it came with a MOM MP). However, more likely than not, MOM administrators will need to create these documents on their own, often with the help of the development team or business owners. To capture all the information needed, you should perform the following activities:

  • Document all management instrumentation exposed by an application or service.
  • Write down all service health states and transitions that the application can experience when running.
  • Determine the instrumentation -- events, traces, performance counters, and Windows Management Instrumentation objects and probes -- necessary to detect, verify, diagnose and recover from bad or degraded health states.
  • Keep track of all dependencies, diagnostic steps and possible recovery actions.
  • Identify which conditions will require intervention from an administrator.
  • Improve the model over time by incorporating feedback from customers, product support and testing resources.

With this documentation, you'll have a description of what a specific MP should be monitoring and what conditions are important to the service owners.

Once you have the Health Model or Health Specification, you must then validate the event lists and alerts by creating and reviewing the results from the SA's reports. Specifically, you should conduct a thorough review of each MP, paying special attention to the following:

  • Names: Ensure they make sense and are applicable to the condition they are used for.
  • Event IDs: Make sure they are not duplicated in this or any MPs that might be used together.
  • Any documented suppression: Validate that it makes sense and applies correctly to the situation it is used for.
  • Descriptive fields: Make sure the text is understandable and provides adequate information.

Additionally, review and update any knowledge-based material associated with the MP. Include all the results of this second step in the Health documentation or any of the MP's supporting documentation. In the guide, you'll find some forms and additional job aids and metrics to help with your validation tasks.
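As an added illustration (not part of the original tip or of Microsoft's SA), the sketch below mirrors the three report groupings over a constructed CSV export, picks the rules that account for most of the alert volume, and flags event IDs shared by more than one MP. The column names and sample rows are assumptions, not the OnePoint schema.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export (not real MOM data). Column names are assumptions
# modelled on the report groupings: date, device, processing rule.
SAMPLE_CSV = """date,device,management_pack,processing_rule,event_id
2005-06-01,WEB01,IIS,Site unavailable,1001
2005-06-01,WEB01,IIS,Site unavailable,1001
2005-06-01,WEB02,IIS,Site unavailable,1001
2005-06-01,SQL01,SQL,Low disk space,2013
2005-06-02,WEB01,IIS,Site unavailable,1001
2005-06-02,WEB01,IIS,Site unavailable,1001
2005-06-02,SQL01,SQL,Low disk space,2013
2005-06-02,SQL01,SQL,Service stopped,1001
2005-06-02,DC01,AD,Replication failed,1864
2005-06-02,WEB01,IIS,Site unavailable,1001
"""

def load(text):
    """Parse the export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def alert_counts(rows, column):
    """Alert volume grouped by one column, highest first."""
    return Counter(r[column] for r in rows).most_common()

def tuning_candidates(rows, column, share=0.8):
    """Smallest set of values that together raise at least `share` of all alerts."""
    picked, running = [], 0
    for value, count in alert_counts(rows, column):
        if running >= share * len(rows):
            break
        picked.append(value)
        running += count
    return picked

def duplicated_event_ids(rows):
    """Event IDs that appear under more than one management pack."""
    packs = defaultdict(set)
    for r in rows:
        packs[r["event_id"]].add(r["management_pack"])
    return {eid: sorted(mps) for eid, mps in packs.items() if len(mps) > 1}

if __name__ == "__main__":
    rows = load(SAMPLE_CSV)
    for col in ("date", "device", "processing_rule"):
        print(col, alert_counts(rows, col))
    print("tune first:", tuning_candidates(rows, "processing_rule"))
    print("duplicate event IDs:", duplicated_event_ids(rows))
```
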

Although Microsoft recommends creating both an isolated lab for MP validation and a pre-production environment for controlled release and monitoring of new packs into production, some shops may not find it feasible or cost effective to do so. What is important is to abide by your organization's change control processes and be sure that you test each change as thoroughly as possible.

Overall, this process will require a significant investment up front, especially in time. But the yields from this exercise are well worth it.

ABOUT THE AUTHOR: David Williams lives in Atlanta and is a Windows Services IT manager for the John H. Harland Company. He holds an MCSE, MCDBA and CCNA, and is currently working toward his CISSP.

This article first appeared in myITforum, the premier online destination for IT professionals responsible for managing their corporations' Microsoft Windows systems. It is part of the TechTarget network of Web sites.
