Why "enhanced monitoring"?


Over the years SAP developed a very comprehensive and sophisticated monitoring framework to monitor
SAP, the OS, the database and the hardware infrastructure. All the numbers and output can be seen via the
SAP GUI using certain transactions (e.g. OS07, ST06).
With virtualization a new challenge arose. Let's take root cause analysis in support as a perfect use case
for enhanced monitoring. Imagine a support engineer who simply uses SAP GUI for a remote connection
to an SAP system in order to analyze a performance bottleneck. The first thing is to understand whether the SAP
system is running on a virtual machine or on bare metal. Keep in mind that there might be many VMs
sharing the same underlying physical host. Therefore the performance counters which can be seen within
the virtual machine might not be enough to fully analyze a problem. Especially if the virtualization
technology allows over-commitment, the numbers inside the VM might be misleading. That's why SAP
came up with "enhanced monitoring". The idea is to narrow down the root cause of a problem by
correlating the analysis of the virtual environment with a set of key numbers from the physical host on
which the VMs are running.

"Enhanced monitoring" is described in SAP Note 1409604 -
"Virtualization on Windows : Enhanced monitoring"


The Issue


Those who looked at SAP Note 1409604 in the past realized that it asked for granting the virtual machine
admin permissions on the physical host:


  b) Add the user "NetworkService" of the virtual machine that is to be monitored to the group of local

      In the "Computer Management" tab, choose "System Tools" -> "Local Users and Groups" -> "Groups"
      -> "Administrators".

      In the "Administrator Properties" window, choose "Add".

      In the "Select Users, Computers, or Groups" window, choose "Object Types" and activate the
      "Computers" type.

      Choose "OK" to close the window.

      In the "Object Names" field, enter the name of the virtual machine with the additional character "$".

      Choose "Check Names", and then "OK" to close all windows.


Not every customer is willing to accept this.

The SAP note includes a description of how to set the WMI control security on the physical host. So
it's obvious that SAP is using remote WMI calls to retrieve the data for enhanced monitoring. The reason is
pretty simple: there is no suitable interface / API to do this from within the VM. There are restrictions because a
VM is in general considered an untrusted object from the physical host's perspective.
Nevertheless there is in fact a mechanism to exchange data between a VM and the underlying host: KVP
Exchange (see links below for more details). While this would be fine for static information like hostname
or processor type, it doesn't really work for very dynamic data such as host performance counters.


The solution

In the meantime it turned out that there is an alternative which avoids the admin permissions. The
SAP Note will be adapted accordingly. The approach requires settings in three areas:

1. the virtual machine has to be added to the "Performance Monitor Users" group as well as the
   "Distributed COM Users" group

2. WMI Control security has to be set correctly via Server Manager

3. a new role has to be defined via the Authorization Manager (azman.msc)


All these steps are shown in detail in the attached walkthrough document. It would of course be
a lot of work to do all this again and again for every single VM. But it's also possible to put all
VMs into a group and set the permissions for the whole group instead of for individual VMs.
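As an added example (my own script, not part of SAP Note 1409604 or the attached walkthrough), the following PowerShell run elevated on the Hyper-V host scripts step 1 using a domain group that holds the VM computer accounts, as the paragraph above suggests, and then performs two checks a practitioner would want: that the group has not ended up in local Administrators, and whether the WMI namespace ACL from step 2 actually grants it "Enable Account" and "Remote Enable". The group name CONTOSO\SAP-HyperV-VMs is a placeholder, the namespace list is an assumption (root\virtualization\v2 replaces root\virtualization on Windows Server 2012 and later), and step 3 (the AzMan role) is not scripted here.

```powershell
# Added example, not from SAP Note 1409604 or the attached walkthrough.
# Run elevated on the Hyper-V host. Assumes the VM computer accounts (VMNAME$)
# have been collected in a domain group; the name below is a placeholder.
$VmGroup = 'CONTOSO\SAP-HyperV-VMs'

# Step 1: the two non-admin local groups the post names, instead of Administrators.
$TargetGroups = @('Performance Monitor Users', 'Distributed COM Users')

function Get-LocalGroupMemberNames {
    param([string]$GroupName)
    # The WinNT ADSI provider needs no extra modules on Server 2008 and later.
    $group = [ADSI]"WinNT://./$GroupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$domain, $name = $VmGroup -split '\\', 2
foreach ($g in $TargetGroups) {
    if ((Get-LocalGroupMemberNames $g) -contains $name) {
        Write-Host "$VmGroup is already a member of '$g'"
    } else {
        ([ADSI]"WinNT://./$g,group").Add("WinNT://$domain/$name,group")
        Write-Host "Added $VmGroup to '$g'"
    }
}

# Least-privilege check: the monitoring principals must not be local admins.
if ((Get-LocalGroupMemberNames 'Administrators') -contains $name) {
    Write-Warning "$VmGroup is a member of local Administrators; remove it to stay with the non-admin setup."
}

# Step 2 check: read each WMI namespace DACL and look for an allow ACE for the
# group carrying Enable Account (0x1) and Remote Enable (0x20). These bit values
# are the documented WMI namespace permission flags.
$WBEM_ENABLE        = 0x1
$WBEM_REMOTE_ACCESS = 0x20
foreach ($ns in 'root\cimv2', 'root\virtualization') {
    $sec = Get-WmiObject -Namespace $ns -Class __SystemSecurity -ErrorAction SilentlyContinue
    if (-not $sec) { Write-Host "$ns not present on this host"; continue }
    $sd = ($sec.GetSecurityDescriptor()).Descriptor
    $allow = @($sd.DACL | Where-Object {
        $_.AceType -eq 0 -and $_.Trustee.Name -eq $name -and $_.Trustee.Domain -eq $domain
    })
    if ($allow.Count -eq 0) {
        Write-Warning "$ns : no ACE for $VmGroup (set it via WMI Control in Server Manager)"
        continue
    }
    $ok = $false
    foreach ($a in $allow) {
        if ((($a.AccessMask -band $WBEM_ENABLE) -ne 0) -and
            (($a.AccessMask -band $WBEM_REMOTE_ACCESS) -ne 0)) { $ok = $true }
    }
    Write-Host ("{0} : EnableAccount+RemoteEnable granted = {1}" -f $ns, $ok)
}
```

The script is idempotent for step 1, so it can be re-run after each change, and the two checks make the difference between the old and the new configuration visible: a host set up per the original note shows the VM principal in Administrators, while the non-admin setup shows it only in the two limited groups plus the namespace ACEs.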





Configure Hyper-V tools for remote administration ( which is also valid for SAP enhanced monitoring ) :


Hyper-V authorization model ( azman ) :


AZMan role definitions :


WMI security :


Connecting to WMI on a remote computer :


KVP Exchange :