Presentation is loading. Please wait.

Presentation is loading. Please wait.

Pete Zerger, MVP System Center Central SCSS2009.

Similar presentations

Presentation on theme: "Pete Zerger, MVP System Center Central SCSS2009."— Presentation transcript:

1 Pete Zerger, MVP System Center Central SCSS2009

2 Updated version of the Definitive Guide to AD Integration in OpsMgr Sample MPs to correct issues and automate important processes Chance to win a copy of Operations Manager 2007 Unleashed

3 Active Directory Integration - What it does & how it works Configuration Steps Configuring Child and Untrusted Domains Using LDAP for Granular Control Agent Deployment & Maintenance Troubleshooting and Testing

4 What it does Automates the configuration of OpsMgr agents installed on domain member computers How it works Agent configuration is centrally maintained in OpsMgr and Published to Active Directory (by RMS) Agents query AD at startup (and hourly) IMPORTANT: Agent deployment and patching must be performed outside of OpsMgr. AD DCs and push-installed agents cannot participate

5 1. Publish mgmt group info to AD 2. Configure agent auto-assignment 3. Install Agents 4. Agents query AD for MG info 5. Agent reports to MS MOMADAdmin ACTIVE DIRECTORY MGMT GROUP OPSMAN CONSOLE

6 1. Configure RunAs Security (untrusted domains) 2. Run MOMADAdmin Utility 3. Configure Agent Auto Assignment 4. Deploy Agents

7 Domain functional level must be higher than Windows 2000 Mixed Global Settings - Enable Review new manual agent installations User Account (in each domain) Security Group (in each domain) LDAP access (RMS to each domain) DNS resolution (RMS to each domain) Agent Grouping / Failover Strategy

8 Additional Configuration Steps: Define RunAs Account and RunAs Profile Run MomADAdmin IMPLEMENTATION TIPS: RunAs Profiles used for AD integration must be saved in the Default Management Pack. Must be targeted to the RMS! Optional for Local & Trusted Domains, but eliminates reconfiguration in event RMS is role moved!

9 Security for Untrusted Domains

10 1. Configure RunAs Security (untrusted domains) 2. Run MOMADAdmin Utility 3. Configure Agent Auto Assignment 4. Deploy Agents

11 1. Creates a top level container in AD called OperationsManager 2. Adds the machine account of the RMS to the OpsMgr Admin security group. 3. Adds the OpsMgr Admin security group to the container's ACL with WriteChild access When you run the MOMADAdmin tool, it performs the following actions.

12 Can be run on any member server Requires Domain Admin rights Must be run in each AD domain (targeted for AD Integration feature) MomADAdmin.exe is found in the \SupportTools folder of the OpsMgr installation media Usage: MomADAdmin ManagementGroupName MOMAdminSecurityGroup {RootManagementServer | RunAsAccount} Domain Example: MomADAdmin ContosoMG CONTOSO \ OpsMgrAdmins CONTOSO

13 Prepare Active Directory and MG for AD Integration

14 OperationsManager Container Visible when Advanced Features are activated in Active Directory Users and Computers Must not be modified manually Can be deleted and then recreated by running MomADAdmin.exe again

15 1. Configure RunAs Security (untrusted domains) 2. Run MOMADAdmin Utility 3. Configure Auto Agent Assignment 4. Deploy Agents

16 Must be configured for each MS or GTW to which agents must report Add one rule per domain (if multiple domains/forests) In Operations Console, Administration, choose Configure Active Directory (AD) Integration Choose appropriate Domain name, Domain Controller FQDN or IP address Run As Profile * * Use default if configuring local domain

17 Paste or generate LDAP query. Query Results should not overlap Optionally exclude computers using their FQDN Configure agent failover Location, Naming and Execution Agent assignment rules are saved to Default Management Pack Rule names start with AD rule for Domain: RMS runs rules hourly

18 Configured through the Agent Assignment & Failover Wizard (&(objectCategory=computer)(distinguishedName= *,OU=AppServers,DC=nwtraders,DC=msft))

19 Active Directory OU AD Security Group Avoid overlapping LDAP query results!

20 LDAP can be leveraged in Agent Auto-Assignment in a number of ways Computer name Computer description Computer account security group membership Operation system and service pack Registered Service Principal Names (SPN) Computer account Organizational Unit (OU) Never use LDAP queries with overlapping result sets!

21 OperatorDescription |OR &AND !NOT =Equals ~=Approx. equals <=Less than or equal >=More than or equal ASCII character Escape sequence *\2a (\28 )\29 \\5c NUL\00 LDAP Comparison Operators LDAP Escape Sequences

22 Limit the query to computer accounts (objectCategory=computerOR (sAMAccountType= ) Exclude Domain Controllers (!(primaryGroupID=516)) Excludes OpsMgr Management Servers and Gateways (!(servicePrincipalName=MSOMHSvc/*)) Direct members of a security group (memberOf:=CN=Admin,OU=Security,DC=DOM,DC=NT)

23 Performance considerations when building LDAP filters Always use indexed attributes Filter unnecessary targets (DCs, MS, GWs) Target most specific data sets possible Global Catalog located in local site

24 Verifying query results BEFORE you deploy

25 1. Configure RunAs Security (untrusted domains) 2. Run MOMADAdmin Utility 3. Configure Auto Agent Assignment 4. Deploy Agents

26 Define agent failover and load distribution

27 Agents deployment methods for AD integration can include: Manual installation (from install media) As part of OS image Group Policy Configuration Manager 2007 Hotfixes applicable to agent must be deployed manually when using any of the above methods!

28 1. Configure RunAs Security (untrusted domains) 2. Run MOMADAdmin Utility 3. Configure Auto Agent Assignment 4. Deploy Agents

29 Manual deployment for AD Integration

30 Hotfixes must be deployed manually to manually installed agents Multiple fixes can be applied at once MSI transform packages (.msp files) for the agents can be found on any management server or gateway patched management server in the following directory: Syntax (example) msiexec /p [c:\hotfixes\fix1].msp;[c:\hotfixes\fix2.msp /qn

31 Agents using AD Integration should never be repaired from the Operations console Results in agent configuration change to remotely manageable To return agent configuration to AD Integration Set EnableADIntegration registry key to 1 Sample Powershell script to perform in batch at

32 #Initialize the OpsMgr Provider $rootMS = "NOCMS01" #Initialize the OpsMgr Provider add-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client"; set-location "OperationsManagerMonitoring::"; #set Management Group context to the provided RMS new-managementGroupConnection -ConnectionString:$rootMS; set-location $rootMS; get-agent | Group PrimaryManagementServerName -Noelement | sort Name | select Name, Count Retrieve number of agents reporting to each management server (to verify distribution of agent load):

33 Events logged in Operations Manager Event Log (on Agent) Event on agent (multiple primary relationships) Event on agent (agent not authorized) Event on agent (no failover) Event on agent (no configured parents)

34 Beware when using Powershell to configure agent failover instead of AD Integration. Use with caution, especially in distributed environments Can result in orphaned agents due to an unreachable MS!

35 Registry keys related to AD integration HKLM\SYSTEM\CCS\Services\HealthService\Parameters\ConnectorManager Enable AD Integration Key EnableADIntegration (DWord) AD Polling Interval ADPollIntervalMinutes (DWord) Is an agent using configuration retrieved from AD? IsSourcedFromAD (DWord) It is not recommended these keys be modified without guidance from Microsoft

36 Creating an LDAP Query Filter Microsoft Webcast: Enable AD Integration _Edited.asx AD Integration Deep Dive how-it-works.aspx OpsMgr Team Blog: How AD Integration Works how-active-directory-integration-feature-works-in-opsmgr-2007.aspx

37 OpsMgr Team Blog: How AD Integration Works how-active-directory-integration-feature-works-in-opsmgr-2007.aspx Manageability Blog: Enable Untrusted Domain Integration how-to-enable-ad-integration-for-an-untrusted-domain.aspx To Repair or Not to Repair Form.aspx?ID=12 Advanced AD Integration Whitepaper

38 Raymond Chou (MVP) Raphael Burri (OpsMgr guru-at-large) Steve Rachui (Microsoft) Rob Kuehfus (Microsoft)

39 SCUG Malaysia Blogging Contest Leading blogger between now and December 31 st will receive a copy of Operations Manager Unleashed Registration and session takeaways at


Download ppt "Pete Zerger, MVP System Center Central SCSS2009."

Similar presentations

Ads by Google