Why "enhanced monitoring" ?
SAP has developed a very comprehensive and sophisticated monitoring framework over the years to monitor
SAP, the OS, the database and the hardware infrastructure. All the numbers and output can be seen in the
SAP GUI via certain transactions (e.g. OS07, ST06).

With virtualization a new challenge arose. Let's take root cause analysis in support as a perfect use case
for enhanced monitoring. Imagine a support engineer who simply uses SAP GUI for a remote connection
to an SAP system in order to analyze a performance bottleneck. The first thing is to understand whether the SAP
system is running on a virtual machine or on bare metal. Keep in mind that there might be many VMs
sharing the same underlying physical host. Therefore the performance counters which can be seen within
the virtual machine might not be enough to fully analyze a problem. Especially if the virtualization
technology allows over-commitment, the numbers inside the VM might be misleading. That's why SAP
came up with "enhanced monitoring". The idea is to narrow down the root cause of a problem by
correlating the analysis of the virtual environment with a set of key numbers from the physical host on
which the VMs are running.

"Enhanced monitoring" is described in SAP Note 1409604 -
"Virtualization on Windows : Enhanced monitoring"

The Issue

Those who looked at SAP Note 1409604 in the past realized that it asked for granting the virtual machine
admin permissions on the physical host:

******************

  b) Add the user "NetworkService" of the virtual machine that is to be monitored to the group of local
      administrators:

      In the "Computer Management" tab, choose "System Tools" -> "Local Users and Groups" -> "Groups"
       -> "Administrators".

      In the "Administrator Properties" window, choose "Add".

      In the "Select Users, Computers, or Groups" window, choose "Object Types" and activate the
      "Computers" type.

      Choose "OK" to close the window.

      In the "Object Names" field, enter the name of the virtual machine with the additional character "$".

      Choose "Check Names", and then "OK" to close all windows.

*********************

Not every customer is willing to accept this.

The SAP note includes a description of how to set the WMI Control security on the physical host. So
it's obvious that SAP uses remote WMI calls to retrieve the data for enhanced monitoring. The reason is
pretty simple: there is no suitable interface / API to do this from within the VM. There are restrictions because a
VM is in general considered an untrusted object from the physical host's perspective.
Nevertheless there is in fact a mechanism to exchange data between a VM and the underlying host: KVP
Exchange (see links below for more details). While this would be fine for static information like hostname
or processor type, it doesn't really work for very dynamic data coming e.g. from host performance counters.

The solution
In the meantime it has turned out that there is an alternative which avoids the admin permissions. The
SAP Note will be adapted accordingly. The approach requires settings in three areas:

1. the virtual machine (its computer account, i.e. the VM name with the trailing "$") has to be added to the
   "Performance Monitor Users" group as well as the "Distributed COM Users" group

2. WMI Control security has to be set correctly via Server Manager

3. a new role has to be defined via the Authorization Manager (azman.msc)

All these steps are shown in detail in the attached walkthrough document. It would of course be
a lot of work to do all this again and again for every single VM. But it's also possible to put all
VMs into a group and set the permissions for the whole group instead of for individual VMs.
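To make step 1 repeatable and to verify that the old admin permission is really gone, here is an added PowerShell script for the Hyper-V host (example code, not part of the SAP Note or the walkthrough). It checks that the VM's computer account is in "Performance Monitor Users" and "Distributed COM Users" and not in "Administrators", and with -Fix adds the missing memberships; steps 2 and 3 (WMI Control security and the AzMan role) are not covered. CONTOSO and SAPVM01 are placeholder names for the domain and the guest's Windows computer name.

```powershell
# Added example (not from the SAP Note or this post). Audits and optionally
# applies the least-privilege group membership of step 1 on the Hyper-V host.
# Assumptions: run in an elevated PowerShell on the host; CONTOSO and SAPVM01
# are placeholders for the domain and the monitored VM's Windows computer name.
param(
    [string]$Domain         = 'CONTOSO',   # placeholder
    [string]$VmComputerName = 'SAPVM01',   # placeholder: the guest's hostname
    [switch]$Fix                           # add missing memberships
)

$Account   = $VmComputerName + '$'        # computer accounts end with "$"
$Required  = @('Performance Monitor Users', 'Distributed COM Users')
$Forbidden = 'Administrators'

# Return the member names of a local group via the ADSI WinNT provider.
function Get-LocalGroupMemberNames([string]$GroupName) {
    $group = [ADSI]"WinNT://./$GroupName,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$ok = $true
foreach ($g in $Required) {
    if ((Get-LocalGroupMemberNames $g) -contains $Account) {
        Write-Host "OK      $Account is a member of '$g'"
    } elseif ($Fix) {
        # net.exe accepts domain computer accounts in DOMAIN\NAME$ form
        & net localgroup $g "$Domain\$Account" /add | Out-Null
        Write-Host "FIXED   added $Account to '$g'"
    } else {
        Write-Warning "MISSING $Account is not in '$g' (re-run with -Fix)"
        $ok = $false
    }
}

# The whole point of the new approach: the VM must not be a local administrator.
if ((Get-LocalGroupMemberNames $Forbidden) -contains $Account) {
    Write-Warning "RISK    $Account is still in '$Forbidden'; remove it once steps 2 and 3 are done"
    $ok = $false
}

if ($ok) { Write-Host 'Host-side group membership matches the least-privilege setup.' }
exit ([int](-not $ok))
```

Run it once per VM (or once for the group of VMs mentioned above) after finishing steps 2 and 3; a non-zero exit code means the host still deviates from the intended setup.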

Links

Configure Hyper-V tools for remote administration (which is also valid for SAP enhanced monitoring):

http://technet.microsoft.com/en-us/library/cc794756(WS.10).aspx

Hyper-V authorization model (azman):

http://blogs.technet.com/b/jhoward/archive/2009/08/31/explaining-the-hyper-v-authorization-model-part-one.aspx

AzMan role definitions:

http://social.technet.microsoft.com/wiki/contents/articles/what-vmm-does-with-azman-role-definitions-from-hyper-v.aspx

WMI security:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa392291(v=vs.85).aspx

Connecting to WMI on a remote computer:

http://msdn.microsoft.com/en-us/library/aa389290(v=VS.85).aspx

KVP Exchange:

http://blogs.msdn.com/b/virtual_pc_guy/archive/2008/12/02/sending-data-from-parent-to-virtual-machine-via-kvp.aspx

http://blogs.msdn.com/b/taylorb/archive/2008/07/06/hyper-v-wmi-kvp-exchange-aka-data-exchange-adding-new-items-from-parent-host.aspx

http://blogs.msdn.com/b/virtual_pc_guy/archive/2008/11/18/hyper-v-script-looking-at-kvp-guestintrinsicexchangeitems.aspx

http://msdn.microsoft.com/en-us/library/cc136848(v=vs.85).aspx