When to use a Gateway server vs a Management Server - Design questions

  • Question

  • I'm currently planning an enterprise deployment for SCOM, and some of the documentation is ambiguous or confusing.  I have two data centers each with the same 6 domains.  I want to deploy the RMS and Operations database in one datacenter, and have management points for local agent communication in the other.  Questions below.

    In the remote site, and in a trusted domain, what kind of server role is to be used?  My understanding is a Management Server because it's in the same domain as the RMS, but the design docs aren't clear.  For instance, one design doc for remote sites is suggesting a Gateway server, but my understanding is that is for non-trusted domains only.

    Secondly, the environment is well within the limits of the capacity of a single management group and/or server, but multiple management groups are required.  The plan is to partition and create multiple management group boundaries between functionality, ACS, Geography, and Administrative using the local/connected management group design.  

    When using multiple management groups, is a management server required for each of the management groups?

    Does an untrusted domain Gateway server deployment make a new management group necessary?

    Thanks in advance for the input.

    Friday, January 20, 2012 5:31 PM

All replies

  • Friday, January 20, 2012 6:02 PM
    Moderator
  • I notice that you mention ACS - just be aware that ACS Forwarders can't leverage a gateway server. It does require some extra configuration:

    http://technet.microsoft.com/en-us/library/bb735416.aspx

    http://technet.microsoft.com/en-us/library/bb735410.aspx

    http://technet.microsoft.com/en-us/library/bb735420.aspx


    New SCOM 2012 Blog! - http://www.systemcentersolutions.com/blog/
    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    Saturday, January 21, 2012 4:51 PM
    Moderator
  • Trying to catch some of your questions.

    1. You can put gateways into a trusted domain as well as an untrusted domain; that is your choice. The point of GWs is that it only needs one hole in the firewall and it also compresses data. This is a good place to look for GW facts even though it's a couple of years old. http://blogs.technet.com/b/momteam/archive/2008/02/19/10-reasons-to-use-a-gateway-server.aspx
    2. With ACS you might want to dedicate one management group to it, but it depends on your case and especially the size of your deployment.
    3. With GWs you can set the sitename parameter to _easily_ show which location the alerts are coming from. You can get to the same situation with custom solutions, but it's a lot harder. Too bad management servers don't have the sitename possibility.

    Hope this helped a little.

    -Tero


    MCT | MCSE | MCITP | MCTS SCOM, SCCM, SCVMM, SCDPM | Open CITS
    Monday, January 23, 2012 10:53 PM
  • Just to clarify what Graham is writing.

    • A GW cannot relay audit data from an ACS Forwarder to a "central" ACS Collector.
    • A GW can, however, act as an ACS Collector but as such it needs its own database.

    One thing you have to consider is that all management servers need fast database access. If you have offices on slower WAN-connections, I would actually deploy a gateway server to avoid alerts about write latencies towards the OpsDB/OpsDW.

    Although not an intended feature, if you have a couple of hundred agents (or less actually) on a WAN, you might gain some network performance from using a GW as you get less session overhead in the traffic.

    The /sitename tag is a great feature to easily distinguish different sub-organizations or offices, but be aware that you will get errors when decommissioning your GW using the GatewayApprovalTool with /action=delete because of the tool doing a bad job at cleaning up references to the "SiteName" pseudo group. No biggie though, as it is perfectly possible to delete the GW through the console instead. Haven't noticed any side-effects from it either.

    Be aware that a GW is considered an MS and is licensed as such.

    Trusted domains or not is a matter of cert/no cert and would be considered irrelevant to the design in my book, DB-IO is not.

    Regards,
    Sam

    Tuesday, January 24, 2012 10:15 AM
  • @Samuel's comment about licensing. System Center licensing just changed and you don't have to license gateways or management servers... :)
    MCT | MCSE | MCITP | MCTS SCOM, SCCM, SCVMM, SCDPM | Open CITS
    Thursday, January 26, 2012 9:42 PM
  • Missed this one - "When using multiple management groups, is a management server required for each of the management groups?" -

    Yes, each management group has its own set of SQL Servers and Management Servers \ Gateways. It also adds considerably to administrative overhead. I'd try to avoid multiple management groups where possible.

    The licensing still isn't clear to me - there certainly isn't a management server license as such but you would possibly \ probably still need an agent license for each management server \ gateway as there is agent functionality within the Management Server \ Gateway and you don't have any option but to monitor that component. Easy to make it a non-issue by virtualising the components!

    Sam is correct with his clarification - "Just to clarify what Graham is writing.

    • A GW cannot relay audit data from an ACS Forwarder to a "central" ACS Collector.
    • A GW can, however, act as an ACS Collector but as such it needs its own database."

    It depends on how many agents (forwarders) you have as to whether you want to deploy multiple SQL Servers (or instances) for ACS.

    Be aware also with ACS that data retention is very short term. Weeks rather than months. Certainly not in itself a compliance solution that requires years of data retention. You'll either need a 3rd party archiving solution (Secure Vantage) or have some way of archiving the data yourself.

    Cheers

    Graham

    Thursday, January 26, 2012 10:17 PM
    Moderator