In the article “MOM for SMBs” (January 2007, InstantDoc ID 94361), I introduced you to Microsoft Operations Manager (MOM) 2005 Workgroup Edition, a powerful monitoring tool that helps you oversee your servers and business-critical infrastructure. Right out of the box, MOM 2005 Workgroup Edition is optimized for small and midsized networks that have as many as 10 servers. With management packs, you can extend MOM to monitor a wide variety of specific server-health indicators and alert you to important events that require administrator intervention, helping you prevent or quickly correct problem situations. Unlike the enterprise version of MOM, MOM 2005 Workgroup Edition comes with several management packs pre-installed, but you can always add more or create your own.

Using Management Packs

MOM management packs process data from a MOM client and look for information related to a specific product or service. For example, Microsoft provides management packs for products such as Microsoft ISA Server, Systems Management Server (SMS), Exchange Server, SQL Server, Windows Rights Management Services (RMS), and others. Microsoft also provides management packs for services such as DFS, DHCP, and DNS, and for monitoring conditions such as availability. MOM 2005 Workgroup Edition comes bundled with several common management packs; the MOM Enterprise Edition doesn’t.

You administer management packs in the MOM 2005 Administrator Console. To administer management packs, launch the console and expand the Management Packs node, which contains several subnodes. The first node, Computer Groups, lists groups of computers in your network that you can manage with management packs. Groups allow you to manage collections of related servers--for example, all IIS Web servers or all SQL Server database servers. The management packs contain criteria that MOM uses to identify computers in your network that belong to groups added or removed. When you add or remove management packs, the groups are updated with information contained within the packs.

For most deployments of MOM 2005 Workgroup Edition, you can safely ignore the Computer Groups node as well as the Discovered Groups node. For enterprise deployments, you can create your own computer groups. Right-click the Computer Groups node, then select Create Computer Group to launch the Create Computer Group wizard. In the wizard, click Next to move from the Welcome screen to the first step. Enter a name and description for the group, click Next, then click the Add button to build your group membership by adding subgroups from your list of existing groups. After you’ve finished adding subgroups, click Next to move to the next step, where you can click the Add button to manually add a domain (or domains) of computers or individual computers.

Installed management packs appear under the Rule Groups node as groups of rules, as Figure 1 shows. When you select a rule group, details appear in the right console pane. Each rule group listed under the Rule Groups node is considered a top-level processing rule group and can have its own subgroups. Because management packs query a MOM client for information differently depending on the product version, each version of a Microsoft OS or server usually has its own subgroup, and such subgroups can also have subgroups. The lowest-level subgroups are typically assigned to one or more of the Computer Groups listed in the Computer Groups node.

Each rule group or subgroup has three nodes: Event Rules, Alert Rules, and Performance Rules. Typically, only the lowest-level nodes contain preset rules that, when data from MOM clients fits the criteria required by each rule, fire an event to the MOM Operator Console and appear in the Alerts, Events, or Performance views. Alert, Event, and Performance rules can also specify predefined responses—for example, running a script, notifying a Notification Group, sending an SNMP Trap, transferring a file, and so on—that are carried out when the event occurs. To examine the details of these predefined rules, select one of the rules nodes and double-click a rule entry in the right pane (Figure 2 shows the rule properties and details that appear).

By modifying the rules in the three rules groups, you can optimize MOM for your environment and for your particular way of managing your systems and servers. I recommend that you do this for enterprise deployments of MOM where you could easily be inundated with Alerts, Events, and Performance events. For workgroup deployments of MOM, I recommend that you not modify the predefined rules. In a workgroup environment, it’s easier to ignore events in the Operator Console that are of little or no significance to your environment than it is to change the rules. In an enterprise environment, you’ll want to take the time to modify rules to minimize the number of events that fire for nonrelevant reasons. To configure rules, simply follow the instructions available at, but before you do, I recommend that you use the Management Pack Import/Export Wizard to export any management packs that contain rules you intend to modify. Then, if you make a mistake, you can easily undo the mistake by re-importing the management pack.

Management Pack Features

Management packs can contain predefined tasks that can be viewed in the Administrator Console and initiated from the Operator Console. These predefined tasks can launch common Active Directory (AD) troubleshooting tools, start the Telnet client to a named computer, query the NetBIOS status of remote systems, restart IIS on a target computer, and so on. You can add your own tasks, which you can run from the MOM Operator Console, the MOM server, or a MOM-managed client. To add your own tasks--for example, command-line programs, scripts, file transfers, managed (.NET) programs--right-click the Tasks node and select Create Task to launch the Create Task Wizard. To add custom tasks, follow the steps in the wizard.

MOM sends alerts when specific events occur, using Notification Groups to organize the people to be notified. You can add people to these groups and specify whether to notify each person by email or page, or by running a command that then notifies specific users when certain events occur. You can also manage operators, listed individually under the Operators node.

The Scripts node lists scripts launched by tasks and in response to events. Scripts are added when you install management packs. You can create your own Visual Basic and JScript scripts by selecting the Scripts node and then Create Script to launch the Create Script Wizard. You can specify the script name and a description, note whether it is VBScript or JScript, and copy and paste the script code into the wizard.

The Computer Attributes node contains various checks that MOM uses to automatically assign computers to computer groups. Because these checks are critical to the correct functioning of management packs, I recommend that you not modify any of these checks.

The Providers node contains a list of timed events, performance-sampling intervals, and other events that MOM relies on to function. As with the Computer Attributes node, I recommend that you not modify any of these providers in a workgroup environment. In an enterprise environment, you might want to modify these providers when you tune MOM.

Adding Management Packs

Management packs for third-party products—for example, antivirus software, Check Point firewalls, Dell servers, Cisco routers—extend MOM’s ability to monitor specific applications and services for various events, including security-related events. For server products and services that don’t have preinstalled management packs in MOM 2005 Workgroup Edition, you can download and install additional management packs from

To add a management pack, first download it. Next, launch the MOM 2005 Administrator Console, right-click the Management Packs node, and select Import/Export Management Pack to launch the Management Pack Import/Export Wizard. Follow the steps in the wizard. The Import Status dialog box shows the progress of the operation.

After importing a management pack, you can customize it. If you want to undo changes you’ve made to rules, you can simply download the affected management pack from the Microsoft catalog, import it, and then, in the Import/Export Wizard’s Import Options, select Replace Existing Management Pack. As I mentioned earlier, I recommend that you not modify rules in workgroup installations.

Creating Your Own Management Packs

Being able to create your own management packs is a powerful feature, and MOM provides two ways to do this: You can customize and then export an existing management pack, importing it on a server that doesn’t already have the pack installed, or you can download and use the Management Pack Wizard from the Management Pack Toolkit (available in the MOM 2005 Resource Kit at You can use the Management Pack Wizard to create a management pack for monitoring a Windows service, for watching specific performance counters, or for monitoring a Windows Event Log for certain events.

As an example, perhaps you want a management pack that monitors your MOM clients for interactive logons and logoffs. To create this management pack, from the Start menu, select All Programs, Microsoft Operations Manager 2005 Resource Kit, Tools. When the list of available resource kit tools appears, open the Management Pack Wizard folder and double-click mpwizard.exe to launch the Management Pack Wizard. Check Event Source Monitoring on the wizard’s Welcome screen, then click Next. The wizard prompts you for a Rule group name. This name must be unique and contain a maximum of 16 characters; it’s used as the basis for the filename that the management pack will be stored under, so use only legal filename characters (e.g., don’t use / or \). Click Next. Click Add to add the specific events you want to monitor. If you want to create a management pack to monitor events from a proprietary service or application on a remote computer, you can select that computer and browse its event sources (you’ll need to know the event source). For standard events, as is the case in this example, you can simply select the event log of interest, Security, and select the events you want to monitor, as in Figure 3.

After you’ve added an event, you can edit its properties by selecting the event in the wizard and clicking Edit. In the current example, let's say we want to change the event default name and alert severity. The default name is the event string written to the security event log and the severity is Warning, but let’s use a friendly name and change the severity to Security Issue. Figure 4 shows these changes. When you’ve finished adding and customizing events in the wizard, click Next, confirm the details, then click Next again. The last step of the wizard shows where the management pack is stored. Under certain circumstances, the wizard can report an error even though it was successful in creating the management pack. If this happens, be sure to check whether the pack exists before you click Finish and close the wizard.

After you’ve created the management pack, use the Import/Export Wizard to import it to the MOM Administrator Console. You can then configure your management pack. You must associate the management pack with computer groups so that it can generate events and it will appear in the Operator Console. In the Administrator Console, right-click your newly imported management pack and select Associate with Computer Group. Click Add to add computer groups from the list of available groups or to create a new computer group using the directions I outlined earlier.

Power in Management Packs

Management packs add real power to MOM. They enable you to configure MOM to monitor a wide variety of server indicators and crucial events and to alert key people who can intervene to prevent or correct problems.

The MOM Web site,, contains a wealth of resources and information that can help you run MOM 2005, including the Workgroup Edition, effectively. I also recommend that you read Essential Microsoft Operations Manager by Chris Fox (O’Reilly, 2006) to learn additional ways that you can get the most out of using MOM.