1
Pete Zerger, MVP
System Center Central
http://www.systemcentercentral.com
SCSS2009
2
- Updated version of the Definitive Guide to AD Integration in OpsMgr 2007
- 2 sample MPs to correct issues and automate important processes
- Chance to win a copy of Operations Manager 2007 Unleashed
3
- Active Directory Integration - what it does & how it works
- Configuration steps
- Configuring child and untrusted domains
- Using LDAP for granular control
- Agent deployment & maintenance
- Troubleshooting and testing
4
What it does
- Automates the configuration of OpsMgr agents installed on domain member computers
How it works
- Agent configuration is centrally maintained in OpsMgr and published to Active Directory (by the RMS)
- Agents query AD at startup (and hourly)
IMPORTANT: Agent deployment and patching must be performed outside of OpsMgr. AD DCs and push-installed agents cannot participate.
5
1. Publish mgmt group info to AD
2. Configure agent auto-assignment
3. Install agents
4. Agents query AD for MG info
5. Agent reports to MS
(Diagram components: MOMADAdmin, Active Directory, Mgmt Group, OpsMan Console)
6
1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Agent Auto Assignment
4. Deploy Agents
7
- Domain functional level must be higher than Windows 2000 Mixed
- Global Settings: enable "Review new manual agent installations"
- User account (in each domain)
- Security group (in each domain)
- LDAP access (RMS to each domain)
- DNS resolution (RMS to each domain)
- Agent grouping / failover strategy
8
Additional configuration steps:
- Define RunAs Account and RunAs Profile
- Run MomADAdmin
IMPLEMENTATION TIPS:
- RunAs Profiles used for AD integration must be saved in the Default Management Pack.
- Must be targeted to the RMS!
- Optional for local and trusted domains, but eliminates reconfiguration in the event the RMS role is moved!
9
Security for Untrusted Domains
10
1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Agent Auto Assignment
4. Deploy Agents
11
When you run the MOMADAdmin tool, it performs the following actions:
1. Creates a top-level container in AD called OperationsManager
2. Adds the machine account of the RMS to the OpsMgr Admin security group
3. Adds the OpsMgr Admin security group to the container's ACL with WriteChild access
12
- Can be run on any member server
- Requires Domain Admin rights
- Must be run in each AD domain targeted for the AD Integration feature
- MomADAdmin.exe is found in the \SupportTools folder of the OpsMgr installation media
Usage:
  MomADAdmin ManagementGroupName MOMAdminSecurityGroup {RootManagementServer | RunAsAccount} Domain
Example:
  MomADAdmin ContosoMG CONTOSO\OpsMgrAdmins CONTOSO
13
Prepare Active Directory and MG for AD Integration
14
OperationsManager container
- Visible when Advanced Features are activated in Active Directory Users and Computers
- Must not be modified manually
- Can be deleted and then recreated by running MomADAdmin.exe again
15
1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Auto Agent Assignment
4. Deploy Agents
16
- Must be configured for each MS or GTW to which agents must report
- Add one rule per domain (if multiple domains/forests)
- In the Operations Console, Administration, choose Configure Active Directory (AD) Integration
- Choose the appropriate Domain name, Domain Controller FQDN or IP address, and Run As Profile*
* Use the default if configuring the local domain
17
- Paste or generate the LDAP query. Query results should not overlap
- Optionally exclude computers using their FQDN
- Configure agent failover
Location, naming and execution
- Agent assignment rules are saved to the Default Management Pack
- Rule names start with "AD rule for Domain:"
- RMS runs the rules hourly
18
Configured through the Agent Assignment & Failover Wizard
(&(objectCategory=computer)(distinguishedName=*,OU=AppServers,DC=nwtraders,DC=msft))
19
Active Directory OU / AD Security Group
Avoid overlapping LDAP query results!
20
LDAP can be leveraged in Agent Auto-Assignment in a number of ways:
- Computer name
- Computer description
- Computer account security group membership
- Operating system and service pack
- Registered Service Principal Names (SPN)
- Computer account Organizational Unit (OU)
Never use LDAP queries with overlapping result sets!
21
LDAP Comparison Operators
  Operator  Description
  |         OR
  &         AND
  !         NOT
  =         Equals
  ~=        Approx. equals
  <=        Less than or equal
  >=        More than or equal

LDAP Escape Sequences
  ASCII character  Escape sequence
  *                \2a
  (                \28
  )                \29
  \                \5c
  NUL              \00
22
Limit the query to computer accounts:
  (objectCategory=computer) OR (sAMAccountType=805306369)
Exclude Domain Controllers:
  (!(primaryGroupID=516))
Exclude OpsMgr Management Servers and Gateways:
  (!(servicePrincipalName=MSOMHSvc/*))
Direct members of a security group:
  (memberOf=CN=Admin,OU=Security,DC=DOM,DC=NT)
23
Performance considerations when building LDAP filters:
- Always use indexed attributes
- Filter unnecessary targets (DCs, MS, GWs)
- Target the most specific data sets possible
- Use a Global Catalog located in the local site
24
Verifying query results BEFORE you deploy
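The preceding slides build assignment filters from the operators and escape sequences above and warn never to let rule result sets overlap. The following is an added example, not code from the presentation or from OpsMgr: a small filter evaluator of my own that parses filters like those on the slides and reports computers matched by more than one rule, run against constructed records. It accepts wildcards on every attribute, which is more permissive than a real domain controller, so treat it as a syntax and overlap check, not a substitute for testing the query against the directory.

```python
"""Toy LDAP filter evaluator (&, |, !, '=' with '*' wildcards and \\xx escapes)
for syntax-checking OpsMgr agent-assignment rules and finding overlap offline."""
import re

def _pattern(pat):
    """Value pattern -> regex: '*' matches anything; \\xx hex escapes are literal."""
    unesc = lambda p: re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m[1], 16)), p, flags=re.I)
    return re.compile(".*".join(re.escape(unesc(p)) for p in pat.split("*")), re.I | re.S)

def parse(s, i=0):
    """Parse the '(...)' at s[i]; return (node, index after it); raise on bad syntax."""
    if s[i:i + 1] != "(": raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|"):              # (&(a)(b)...) / (|(a)(b)...)
        op, kids, i = s[i], [], i + 1
        while s[i:i + 1] == "(":
            kid, i = parse(s, i); kids.append(kid)
        node = (op, kids)
    elif s[i:i + 1] == "!":                   # (!(a))
        kid, i = parse(s, i + 1); node = ("!", kid)
    else:                                     # (attr=value-pattern)
        m = re.match(r"([\w.;-]+)=([^()]*)", s[i:])
        if not m: raise ValueError(f"bad filter item at offset {i}")
        node, i = ("=", m[1].lower(), _pattern(m[2])), i + m.end()
    if s[i:i + 1] != ")": raise ValueError(f"missing ')' at offset {i}")
    return node, i + 1

def matches(node, rec):
    """Evaluate a parsed filter against one record {attr_lowercase: [values]}."""
    if node[0] == "&": return all(matches(k, rec) for k in node[1])
    if node[0] == "|": return any(matches(k, rec) for k in node[1])
    if node[0] == "!": return not matches(node[1], rec)
    return any(node[2].fullmatch(v) for v in rec.get(node[1], []))

def overlapping(rules, computers):
    """cn -> rule names, for every computer matched by more than one rule."""
    trees = {name: parse(f)[0] for name, f in rules.items()}
    hits = {}
    for c in computers:
        names = [n for n, t in trees.items() if matches(t, c)]
        if len(names) > 1: hits[c["cn"][0]] = names
    return hits

# Constructed sample (not a real directory): WEB01 is matched by both rules below, DC01 by neither.
COMPUTERS = [
    {"cn": ["DC01"], "objectcategory": ["computer"], "primarygroupid": ["516"],
     "distinguishedname": ["CN=DC01,OU=Domain Controllers,DC=nwtraders,DC=msft"]},
    {"cn": ["WEB01"], "objectcategory": ["computer"], "primarygroupid": ["515"],
     "distinguishedname": ["CN=WEB01,OU=AppServers,DC=nwtraders,DC=msft"]}]
RULES = {"MS01": "(&(objectCategory=computer)(!(primaryGroupID=516)))",
         "MS02": "(&(objectCategory=computer)(distinguishedName=*,OU=AppServers,DC=nwtraders,DC=msft))"}
```

Calling overlapping(RULES, COMPUTERS) returns {"WEB01": ["MS01", "MS02"]}, which is exactly the condition the wizard cannot detect for you.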
25
1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Auto Agent Assignment
4. Deploy Agents
26
Define agent failover and load distribution
27
Agent deployment methods for AD integration can include:
- Manual installation (from install media)
- As part of an OS image
- Group Policy
- Configuration Manager 2007
Hotfixes applicable to the agent must be deployed manually when using any of the above methods!
28
1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Auto Agent Assignment
4. Deploy Agents
29
Manual deployment for AD Integration
30
- Hotfixes must be deployed manually to manually installed agents
- Multiple fixes can be applied at once
- Windows Installer patch packages (.msp files) for the agents can be found on any patched management server or gateway, in the following directory:
Syntax (example):
  msiexec /p c:\hotfixes\fix1.msp;c:\hotfixes\fix2.msp /qn
31
- Agents using AD Integration should never be repaired from the Operations console
- Repair results in the agent configuration changing to "remotely manageable"
- To return the agent configuration to AD Integration, set the EnableADIntegration registry key to 1
- A sample PowerShell script to perform this in batch is at http://OpsManJam.com
32
Retrieve the number of agents reporting to each management server (to verify distribution of agent load):

  # Root management server to connect to
  $rootMS = "NOCMS01"
  # Initialize the OpsMgr provider
  add-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client";
  set-location "OperationsManagerMonitoring::";
  # Set the Management Group context to the provided RMS
  new-managementGroupConnection -ConnectionString:$rootMS;
  set-location $rootMS;
  # Count agents per primary management server
  get-agent | Group PrimaryManagementServerName -NoElement | sort Name | select Name, Count
33
Events logged in the Operations Manager event log (on the agent):
- Event 20064 on agent (multiple primary relationships)
- Event 20070 on agent (agent not authorized)
- Event 21016 on agent (no failover)
- Event 21034 on agent (no configured parents)
34
Beware when using PowerShell to configure agent failover instead of AD Integration.
- Use with caution, especially in distributed environments
- Can result in orphaned agents due to an unreachable MS!
35
Registry keys related to AD integration
HKLM\SYSTEM\CCS\Services\HealthService\Parameters\ConnectorManager
- Enable AD Integration key: EnableADIntegration (DWORD)
- AD polling interval: ADPollIntervalMinutes (DWORD)
- Is an agent using configuration retrieved from AD? IsSourcedFromAD (DWORD)
It is not recommended that these keys be modified without guidance from Microsoft.
36
Creating an LDAP Query Filter
  http://msdn2.microsoft.com/en-us/library/ms675768.aspx
Microsoft Webcast: Enable AD Integration
  http://www.microsoft.com/winme/0703/28666/Active_Directory_Integration_Edited.asx
AD Integration Deep Dive
  http://blogs.msdn.com/steverac/archive/2008/03/20/opsmgr-ad-integration-how-it-works.aspx
OpsMgr Team Blog: How AD Integration Works
  http://blogs.technet.com/momteam/archive/2008/01/02/understanding-how-active-directory-integration-feature-works-in-opsmgr-2007.aspx
37
Manageability Blog: Enable Untrusted Domain Integration
  http://blogs.technet.com/smsandmom/archive/2008/05/21/opsmgr-2007-how-to-enable-ad-integration-for-an-untrusted-domain.aspx
To Repair or Not to Repair
  http://www.opsmanjam.com/Lists/OpsManJam%20Announcements/DispForm.aspx?ID=12
Advanced AD Integration Whitepaper
  http://www.systemcentercentral.com/scugmy
38
Raymond Chou (MVP)
Raphael Burri (OpsMgr guru-at-large)
Steve Rachui (Microsoft)
Rob Kuehfus (Microsoft)
39
SCUG Malaysia Blogging Contest
- The leading blogger between now and December 31st will receive a copy of Operations Manager Unleashed
- Registration and session takeaways at http://www.systemcentercentral.com/scugmy