This blog provides information about running SAP applications on the Microsoft platform. It is written by people who have been working with SAP on the Microsoft platform for decades.
SAP developed a very comprehensive and sophisticated monitoring framework over the years to monitor SAP, OS, database and the hardware infrastructure. All the numbers and output can be seen via the SAP GUI using certain transactions (e.g. OS07, ST06).
With virtualization a new challenge arose. Let's take root cause analysis in support as a perfect use case for enhanced monitoring. Imagine a support engineer who simply uses SAP GUI for a remote connection to an SAP system in order to analyze a performance bottleneck. The first thing is to understand whether the SAP system is running on a virtual machine or on bare metal. Keep in mind that there might be many VMs sharing the same underlying physical host. Therefore the performance counters which can be seen within the virtual machine might not be enough to fully analyze a problem. Especially if the virtualization technology allows over-commitment, the numbers inside the VM might be misleading.
That's why SAP came up with "enhanced monitoring". The idea is to narrow down the root cause of a problem by correlating the analysis of the virtual environment with a set of key numbers from the physical host on which the VMs are running.
"Enhanced monitoring" is described in SAP Note 1409604 - "Virtualization on Windows : Enhanced monitoring".
Those who looked at SAP Note 1409604 in the past realized that it asked for the virtual machine to be given admin permissions on the physical host:
b) Add the user "NetworkService" of the virtual machine that is to be monitored to the group of local administrators:
In the "Computer Management" tab, choose "System Tools" -> "Local Users and Groups" -> "Groups" -> "Administrators". In the "Administrator Properties" window, choose "Add". In the "Select Users, Computers, or Groups" window, choose "Object Types" and activate the "Computers" type. Choose "OK" to close the window. In the "Object Names" field, enter the name of the virtual machine with the additional character "$". Choose "Check Names", and then "OK" to close all windows.
Not every customer is willing to accept this.
The SAP note includes a description of how to set the WMI control security on the physical host. So it's obvious that SAP is using remote WMI calls to retrieve the data for enhanced monitoring. The reason is pretty simple - there is no suitable interface / API to do this within the VM. There are restrictions because a VM is in general considered an untrusted object from a physical host perspective. Nevertheless there is in fact a mechanism to exchange data between a VM and the underlying host: KVP Exchange (see links below for more details). While this would be fine for static information like hostname or processor type, it doesn't really work for very dynamic data coming e.g. from host performance counters.
In the meantime it turned out that there is an alternative which avoids the admin permissions. The SAP Note will be adapted accordingly. The approach requires settings in three areas:
1. the virtual machine has to be added to the "Performance Monitor Users" group as well as the "Distributed COM Users" group
2. WMI Control security has to be set correctly via Server Manager
3. a new role has to be defined via the Authorization Manager ( azman.msc )
All these steps are shown in detail in the attached walkthrough document. It would of course be a lot of work to do all this again and again for every single VM. But it's also possible to put all VMs into a group and set the permissions for the whole group instead of individual VMs.
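The group-membership part of this setup can be checked on the Hyper-V host, together with the point that matters most for security: the VM account (or the VM group) should not sit in the local Administrators group. The PowerShell below is an added example, not taken from the SAP note or the walkthrough document, and it does not cover the WMI Control security or the azman role. It assumes Windows PowerShell 5.1 or later on the host, and the principal name in the usage comment is constructed.

```powershell
# Added example (not from the SAP note or the walkthrough): audit on the Hyper-V host.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts), run elevated.
# Built-in groups are addressed by well-known SID, so localized group names do not matter.
$RequiredGroups = [ordered]@{
    'Performance Monitor Users' = 'S-1-5-32-558'
    'Distributed COM Users'     = 'S-1-5-32-562'
}
$AdministratorsSid = 'S-1-5-32-544'

function Test-DirectMember {
    param([string]$GroupSid, [string]$PrincipalSid)
    # Direct members only: membership inherited through nested domain groups is not resolved.
    $members = Get-LocalGroupMember -SID $GroupSid -ErrorAction Stop
    [bool]($members | Where-Object { $_.SID.Value -eq $PrincipalSid })
}

function Test-SapMonitoringPrincipal {
    param(
        # VM computer account ('DOMAIN\VMNAME$') or a domain group that contains the VMs.
        [Parameter(Mandatory)][string]$Principal,
        # Add the principal to the two required groups when it is missing.
        [switch]$Fix
    )
    $account = [System.Security.Principal.NTAccount]$Principal
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    foreach ($name in $RequiredGroups.Keys) {
        $present = Test-DirectMember -GroupSid $RequiredGroups[$name] -PrincipalSid $sid
        if (-not $present -and $Fix) {
            Add-LocalGroupMember -SID $RequiredGroups[$name] -Member $Principal -ErrorAction Stop
            $present = $true
        }
        [pscustomobject]@{ Group = $name; IsMember = $present; Expected = $true }
    }
    # The reason for the alternative setup: the principal must not be a local administrator.
    $isAdmin = Test-DirectMember -GroupSid $AdministratorsSid -PrincipalSid $sid
    [pscustomobject]@{ Group = 'Administrators'; IsMember = $isAdmin; Expected = $false }
}

# Constructed names, for illustration only:
# Test-SapMonitoringPrincipal -Principal 'CONTOSO\SAP-Monitored-VMs' -Fix |
#     Where-Object { $_.IsMember -ne $_.Expected }
```

Any row the filter returns is a deviation; an Administrators row with IsMember set to True means the admin permission from the original note is still in place and should be removed once the alternative setup works.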
Configure Hyper-V tools for remote administration ( which is also valid for SAP enhanced monitoring ) :
Hyper-V authorization model ( azman ) :
AZMan role definitions :
WMI security :
Connecting to WMI on a remote computer :
KVP Exchange :