Presentation is loading. Please wait.

Presentation is loading. Please wait.

Pete Zerger, MVP System Center Central SCSS2009.

Published byHallie Poulton Modified over 10 years ago

Similar presentations

Presentation on theme: "Pete Zerger, MVP System Center Central SCSS2009."— Presentation transcript:

1 Pete Zerger, MVP System Center Central http://www.systemcentercentral.com SCSS2009

2 Updated version of the Definitive Guide to AD Integration in OpsMgr 2007 2 Sample MPs to correct issues and automate important processes Chance to win a copy of Operations Manager 2007 Unleashed

3 Active Directory Integration - What it does & how it works Configuration Steps Configuring Child and Untrusted Domains Using LDAP for Granular Control Agent Deployment & Maintenance Troubleshooting and Testing

4 What it does Automates the configuration of OpsMgr agents installed on domain member computers How it works Agent configuration is centrally maintained in OpsMgr and Published to Active Directory (by RMS) Agents query AD at startup (and hourly) IMPORTANT: Agent deployment and patching must be performed outside of OpsMgr. AD DCs and push-installed agents cannot participate

5 1. Publish mgmt group info to AD 2. Configure agent auto-assignment 3. Install Agents 4. Agents query AD for MG info 5. Agent reports to MS MOMADAdmin ACTIVE DIRECTORY MGMT GROUP OPSMAN CONSOLE

6 1. Configure RunAs Security (untrusted domains) 2. Run MOMADAdmin Utility 3. Configure Agent Auto Assignment 4. Deploy Agents

7 Domain functional level must be higher than Windows 2000 Mixed Global Settings - Enable Review new manual agent installations User Account (in each domain) Security Group (in each domain) LDAP access (RMS to each domain) DNS resolution (RMS to each domain) Agent Grouping / Failover Strategy

8 Additional Configuration Steps: Define RunAs Account and RunAs Profile Run MomADAdmin IMPLEMENTATION TIPS: RunAs Profiles used for AD integration must be saved in the Default Management Pack. Must be targeted to the RMS! Optional for Local & Trusted Domains, but eliminates reconfiguration in event RMS is role moved!

9 Security for Untrusted Domains

10 1. Configure RunAs Security (untrusted domains) 2. Run MOMADAdmin Utility 3. Configure Agent Auto Assignment 4. Deploy Agents

11 1. Creates a top level container in AD called OperationsManager 2. Adds the machine account of the RMS to the OpsMgr Admin security group. 3. Adds the OpsMgr Admin security group to the container's ACL with WriteChild access When you run the MOMADAdmin tool, it performs the following actions.

12 Can be run on any member server Requires Domain Admin rights Must be run in each AD domain (targeted for AD Integration feature) MomADAdmin.exe is found in the \SupportTools folder of the OpsMgr installation media Usage: MomADAdmin ManagementGroupName MOMAdminSecurityGroup {RootManagementServer | RunAsAccount} Domain Example: MomADAdmin ContosoMG CONTOSO \ OpsMgrAdmins CONTOSO

13 Prepare Active Directory and MG for AD Integration

14 OperationsManager Container Visible when Advanced Features are activated in Active Directory Users and Computers Must not be modified manually Can be deleted and then recreated by running MomADAdmin.exe again

15 1. Configure RunAs Security (untrusted domains) 2. Run MOMADAdmin Utility 3. Configure Auto Agent Assignment 4. Deploy Agents

16 Must be configured for each MS or GTW to which agents must report Add one rule per domain (if multiple domains/forests) In Operations Console, Administration, choose Configure Active Directory (AD) Integration Choose appropriate Domain name, Domain Controller FQDN or IP address Run As Profile * * Use default if configuring local domain

17 Paste or generate LDAP query. Query Results should not overlap Optionally exclude computers using their FQDN Configure agent failover Location, Naming and Execution Agent assignment rules are saved to Default Management Pack Rule names start with AD rule for Domain: RMS runs rules hourly

18 Configured through the Agent Assignment & Failover Wizard (&(objectCategory=computer)(distinguishedName= *,OU=AppServers,DC=nwtraders,DC=msft))

19 Active Directory OU AD Security Group Avoid overlapping LDAP query results!

20 LDAP can be leveraged in Agent Auto-Assignment in a number of ways Computer name Computer description Computer account security group membership Operation system and service pack Registered Service Principal Names (SPN) Computer account Organizational Unit (OU) Never use LDAP queries with overlapping result sets!

21 OperatorDescription |OR &AND !NOT =Equals ~=Approx. equals <=Less than or equal >=More than or equal ASCII character Escape sequence *\2a (\28 )\29 \\5c NUL\00 LDAP Comparison Operators LDAP Escape Sequences

22 Limit the query to computer accounts (objectCategory=computerOR (sAMAccountType=805306369) Exclude Domain Controllers (!(primaryGroupID=516)) Excludes OpsMgr Management Servers and Gateways (!(servicePrincipalName=MSOMHSvc/*)) Direct members of a security group (memberOf:=CN=Admin,OU=Security,DC=DOM,DC=NT)

23 Performance considerations when building LDAP filters Always use indexed attributes Filter unnecessary targets (DCs, MS, GWs) Target most specific data sets possible Global Catalog located in local site

24 Verifying query results BEFORE you deploy

25 1. Configure RunAs Security (untrusted domains) 2. Run MOMADAdmin Utility 3. Configure Auto Agent Assignment 4. Deploy Agents

26 Define agent failover and load distribution

27 Agents deployment methods for AD integration can include: Manual installation (from install media) As part of OS image Group Policy Configuration Manager 2007 Hotfixes applicable to agent must be deployed manually when using any of the above methods!

28 1. Configure RunAs Security (untrusted domains) 2. Run MOMADAdmin Utility 3. Configure Auto Agent Assignment 4. Deploy Agents

29 Manual deployment for AD Integration

30 Hotfixes must be deployed manually to manually installed agents Multiple fixes can be applied at once MSI transform packages (.msp files) for the agents can be found on any management server or gateway patched management server in the following directory: Syntax (example) msiexec /p [c:\hotfixes\fix1].msp;[c:\hotfixes\fix2.msp /qn

31 Agents using AD Integration should never be repaired from the Operations console Results in agent configuration change to remotely manageable To return agent configuration to AD Integration Set EnableADIntegration registry key to 1 Sample Powershell script to perform in batch at http://OpsManJam.com http://OpsManJam.com

32 #Initialize the OpsMgr Provider $rootMS = "NOCMS01" #Initialize the OpsMgr Provider add-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client"; set-location "OperationsManagerMonitoring::"; #set Management Group context to the provided RMS new-managementGroupConnection -ConnectionString:$rootMS; set-location $rootMS; get-agent | Group PrimaryManagementServerName -Noelement | sort Name | select Name, Count Retrieve number of agents reporting to each management server (to verify distribution of agent load):

33 Events logged in Operations Manager Event Log (on Agent) Event 20064 on agent (multiple primary relationships) Event 20070 on agent (agent not authorized) Event 21016 on agent (no failover) Event 21034 on agent (no configured parents)

34 Beware when using Powershell to configure agent failover instead of AD Integration. Use with caution, especially in distributed environments Can result in orphaned agents due to an unreachable MS!

35 Registry keys related to AD integration HKLM\SYSTEM\CCS\Services\HealthService\Parameters\ConnectorManager Enable AD Integration Key EnableADIntegration (DWord) AD Polling Interval ADPollIntervalMinutes (DWord) Is an agent using configuration retrieved from AD? IsSourcedFromAD (DWord) It is not recommended these keys be modified without guidance from Microsoft

36 Creating an LDAP Query Filter http://msdn2.microsoft.com/en-us/library/ms675768.aspx Microsoft Webcast: Enable AD Integration http://www.microsoft.com/winme/0703/28666/Active_Directory_Integration _Edited.asx AD Integration Deep Dive http://blogs.msdn.com/steverac/archive/2008/03/20/opsmgr-ad-integration- how-it-works.aspx OpsMgr Team Blog: How AD Integration Works http://blogs.technet.com/momteam/archive/2008/01/02/understanding- how-active-directory-integration-feature-works-in-opsmgr-2007.aspx

37 OpsMgr Team Blog: How AD Integration Works http://blogs.technet.com/momteam/archive/2008/01/02/understanding- how-active-directory-integration-feature-works-in-opsmgr-2007.aspx Manageability Blog: Enable Untrusted Domain Integration http://blogs.technet.com/smsandmom/archive/2008/05/21/opsmgr-2007- how-to-enable-ad-integration-for-an-untrusted-domain.aspx To Repair or Not to Repair http://www.opsmanjam.com/Lists/OpsManJam%20Announcements/Disp Form.aspx?ID=12 Advanced AD Integration Whitepaper http://www.systemcentercentral.com/scugmy

38 Raymond Chou (MVP) Raphael Burri (OpsMgr guru-at-large) Steve Rachui (Microsoft) Rob Kuehfus (Microsoft)

39 SCUG Malaysia Blogging Contest Leading blogger between now and December 31 st will receive a copy of Operations Manager Unleashed Registration and session takeaways at http://www.systemcentercentral.com/scugmy

40

Download ppt "Pete Zerger, MVP System Center Central SCSS2009."

Similar presentations

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.
MODULE 3: OS & APP LAYERS. Agenda Preparing and importing a gold image Creating and understanding Install Machines Creating basic Application layers Understanding.

MODULE 3: OS & APP LAYERS. Agenda Preparing and importing a gold image Creating and understanding Install Machines Creating basic Application layers Understanding.
COMP091 OS1 Active Directory. Some History Early 1990s Windows for Workgroups introduced peer-to-peer networking based on SMB over netbios (tcp/ip still.

COMP091 OS1 Active Directory. Some History Early 1990s Windows for Workgroups introduced peer-to-peer networking based on SMB over netbios (tcp/ip still.
ACTIVE DIRECTORY GROUP POLICY MAEDS Spring PD Day 2012 Nicholas A. Hay Jefferson Schools

ACTIVE DIRECTORY GROUP POLICY MAEDS Spring PD Day 2012 Nicholas A. Hay Jefferson Schools
IP ADDRESS MANAGEMENT [IPAM]

IP ADDRESS MANAGEMENT [IPAM]
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
1 Active Directory (Week 8, Monday 2/26/2007) © Abdou Illia, Spring 2007.

1 Active Directory (Week 8, Monday 2/26/2007) © Abdou Illia, Spring 2007.
Hands-On Microsoft Windows Server 2003 Administration Chapter 4 Managing Group Policy.

Hands-On Microsoft Windows Server 2003 Administration Chapter 4 Managing Group Policy.
9.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

9.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 10: Server Administration.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Administering Active Directory

Administering Active Directory
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 4: Implementing and Managing Group and Computer Accounts.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 4: Implementing and Managing Group and Computer Accounts.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 4: Implementing and Managing Group and Computer Accounts.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 4: Implementing and Managing Group and Computer Accounts.
Chapter 4 Introduction to Active Directory and Account Management

Chapter 4 Introduction to Active Directory and Account Management

Similar presentations

Ads by Google