Pete Zerger, MVP, Consulting Partner, AKOS Technology Services. Session Code: MGT307.

Agenda
- Active Directory Integration: what it does and how it works
- Configuration steps
- Configuring child and untrusted domains
- Using LDAP for granular control
- Agent deployment and maintenance
- Troubleshooting and testing

Takeaways
- Updated version of the "Definitive Guide to AD Integration"
- Sample management packs to correct issues and automate important processes
- Chance to win an autographed copy of Operations Manager 2007 Unleashed

What it Does and How it Works
What it does:
- Automates the configuration of OpsMgr agents installed on domain member computers
How it works:
- Agent configuration is centrally maintained in OpsMgr and published to Active Directory
- Agents query AD at startup (and hourly thereafter) to learn their configuration
IMPORTANT:
- Agent deployment and patching must be performed outside of OpsMgr
- AD domain controllers and push-installed agents cannot participate

How it Works (High Level)
1. Publish management group info to AD (MOMADAdmin)
2. Configure agent auto-assignment
3. Install agents
4. Agents query AD for management group info
5. Agents report to their assigned management server

Configuration Steps
1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Agent Auto Assignment
4. Deploy Agents

Prerequisites
- Domain functional level must be higher than "Windows 2000 Mixed"
- Global Settings: enable "Review new manual agent installations"
- RunAs user account (in each domain)
- Security group (in each domain)
- LDAP access from the RMS to each domain (for local and trusted domains)
- DNS resolution (RMS to each domain)
- Server grouping / failover strategy (expressed as LDAP filters)

Global Security Settings
- As in MOM 2005, manually installed agents are rejected by default
- Global Security Settings must be set to "Review" or "Auto-approve" manually installed agents
- "Review" keeps an administrator in the loop; with "Auto-approve", any host that can reach a management server and install an agent joins the management group without further checks

RunAs Security (Child and Untrusted Domains)
Additional configuration steps:
1. Define a RunAs Account
2. Add a Run As Profile*
3. Run MomADAdmin specifying the RunAs Account
Implementation tips:
- * Run As Profiles used for AD Integration must be saved in the Default Management Pack and must be targeted to the RMS
- Optional for local and trusted domains, but it eliminates reconfiguration in the event the RMS role is moved

1. Configure RunAs Security: security for untrusted domains

MOMADAdmin: What Does it Do?
MOMADAdmin performs the following actions:
1. Creates a top-level container called OperationsManager in AD
2. Adds the machine account of the RMS (or, for untrusted domains, the RunAs account) to the OpsMgr Admin security group
3. Adds the OpsMgr Admin security group to the container's ACL with WriteChild access

MOMADAdmin: Guidelines for Use
- Can be run on any member server
- Requires Domain Admin rights
- Must be run in each AD domain targeted for AD Integration
- MomADAdmin.exe is found in the \SupportTools folder of the OpsMgr installation media
Usage:
  MomADAdmin ManagementGroupName MOMAdminSecurityGroup {RootManagementServer | RunAsAccount} Domain
Example:
  MomADAdmin ContosoMG CONTOSO\OpsMgrAdmins CONTOSO

2. Run MOMADAdmin Utility: prepare Active Directory and the management group for AD Integration

OperationsManager Container
- Visible when "Advanced Features" is enabled in Active Directory Users and Computers
- Must not be modified manually
- Can be deleted and then recreated by running MomADAdmin.exe again
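Before moving on to agent assignment it is worth confirming that MOMADAdmin did all three of the things listed above. The following PowerShell is an added example, not part of the session and not an OpsMgr tool; it uses only the .NET DirectoryServices classes available on any domain-joined Windows host. The domain name, security group name and RMS name are placeholder assumptions, and the ACL check looks for an Allow ACE that includes CreateChild, which is the right the RMS needs to publish management-group objects under the container.

```powershell
# Added example, not from the session: verify the three things MomADAdmin.exe does in a domain.
# Assumed names (replace with your own): domain DNS name, OpsMgr admin security group, RMS computer name.
function Test-OpsMgrAdPrep {
    param(
        [string]$Domain     = 'contoso.com',   # assumed
        [string]$AdminGroup = 'OpsMgrAdmins',  # assumed
        [string]$RmsName    = 'RMS01'          # assumed; for an untrusted domain pass the RunAs user's sAMAccountName
    )
    $rootDse   = [ADSI]"LDAP://$Domain/RootDSE"
    $defaultNC = "$($rootDse.defaultNamingContext)"
    $domainDE  = [ADSI]"LDAP://$Domain/$defaultNC"

    # 1. The top-level OperationsManager container must exist
    $containerPath   = "LDAP://$Domain/CN=OperationsManager,$defaultNC"
    $containerExists = [System.DirectoryServices.DirectoryEntry]::Exists($containerPath)

    # Look up the admin group and the principal MomADAdmin should have added to it
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domainDE)
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$AdminGroup))"
    $group = $searcher.FindOne()
    if ($group -eq $null) { throw "Security group '$AdminGroup' not found in $Domain" }

    # Computer accounts carry a trailing '$' in sAMAccountName; a RunAs user account does not
    $searcher.Filter = "(|(sAMAccountName=$RmsName`$)(sAMAccountName=$RmsName))"
    $principal = $searcher.FindOne()
    if ($principal -eq $null) { throw "Account '$RmsName' not found in $Domain" }
    $principalDn = [string]$principal.Properties['distinguishedname'][0]

    # 2. Is that principal a direct member of the admin group?
    $isMember = @($group.Properties['member']) -contains $principalDn

    # 3. Does the admin group hold an Allow ACE on the container that includes CreateChild?
    $grantsCreateChild = $false
    if ($containerExists) {
        $container = [ADSI]$containerPath
        $groupSid  = New-Object System.Security.Principal.SecurityIdentifier($group.Properties['objectsid'][0], 0)
        $rules = $container.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -eq $groupSid.Value -and
                $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
                ($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild)) {
                $grantsCreateChild = $true
            }
        }
    }

    New-Object PSObject -Property @{
        Domain              = $Domain
        ContainerExists     = $containerExists
        PrincipalInGroup    = $isMember
        GroupCanCreateChild = $grantsCreateChild
        Ready               = ($containerExists -and $isMember -and $grantsCreateChild)
    }
}

# Usage (any domain user with read access to the domain can run the checks):
Test-OpsMgrAdPrep -Domain 'contoso.com' -AdminGroup 'OpsMgrAdmins' -RmsName 'RMS01' | Format-List
```

Run it once per domain you prepared. A result with ContainerExists true but PrincipalInGroup false is the typical symptom of MOMADAdmin having been run with the wrong third argument (RMS name versus RunAs account); a missing CreateChild ACE means the RMS will not be able to publish the management group's containers, which shows up later as agents finding nothing in AD.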

Auto Agent Assignment
- Must be configured for each management server (MS) or gateway (GW) to which agents report
- Add one rule per domain if the MS or GW resides in a multi-domain forest or in multiple forests
- In the Operations Console, under Administration, choose "Configure Active Directory (AD) Integration"
- Choose the appropriate domain name, DC FQDN or IP address, and Run As Profile*
* Use the default profile when configuring the local domain with the RMS' own account

Configure Agent Auto Assignment
- Paste or generate the LDAP query
- Query results must not overlap between rules
- Optionally exclude computers by their FQDN
- Configure agent failover
Location, naming, and execution:
- Agent assignment rules are saved to the Default Management Pack
- Their names start with "AD rule for Domain"
- The RMS executes them hourly

Agent Auto Assignment
Configured through the Agent Assignment & Failover Wizard. Sample query as shown:
  (&(objectCategory=computer)(distinguishedName=*,OU=AppServers,DC=nwtraders,DC=msft))
Note that distinguishedName is a DN-syntax attribute and does not support wildcard matching (see the attribute table below), so a filter written this way returns no computers; target an OU's members by security group membership (memberOf) or another indexed attribute instead.

[Diagram: Auto Assignment & Agent Failover, showing agents assigned by AD security group and by Active Directory OU. Avoid overlapping LDAP query results!]

LDAP Tips for Granular Control
LDAP can be leveraged in Agent Auto-Assignment in a number of ways, for example by:
- Computer name
- Computer description
- Computer account security group membership
- Operating system and service pack
- Registered Service Principal Names (SPNs)
- Computer account Organizational Unit (OU)
Never use LDAP queries with overlapping result sets!

LDAP Query Resources: computer account attributes

Attribute                   Description
description                 Computer description (in AD)
distinguishedName           DN: OU location of the computer account. No wildcard matching possible!
dNSHostName                 FQDN
location                    Location field
memberOf                    Groups the computer account is a member of. No wildcard matching possible!
name                        NetBIOS computer name
operatingSystem             e.g. Windows Server 2003
operatingSystemServicePack  e.g. Service Pack 1
operatingSystemVersion      e.g. 5.2 (3790)
primaryGroupID              515: Computers, 516: Domain Controllers
sAMAccountName              Computer account name ([name]$)

LDAP Query Resources (continued)

LDAP comparison operators
Operator  Description
|         OR
&         AND
!         NOT
=         Equals
~=        Approximately equals
<=        Less than or equal
>=        Greater than or equal

LDAP escape sequences
ASCII character  Escape sequence
*                \2a
(                \28
)                \29
\                \5c
NUL              \00

LDAP Samples
Limit the query to computer accounts:
  (objectCategory=computer)
  or (sAMAccountType= )
Exclude Domain Controllers:
  (!(primaryGroupID=516))
Exclude OpsMgr Management Servers and Gateways (identified by their registered health service SPN):
  (!(servicePrincipalName=MSOMHSvc/*))
Direct members of a security group:
  (memberOf=CN=Admin,OU=Security,DC=DOM,DC=NT)

LDAP Samples (continued)
Resolve nested security groups with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (requires at least Windows Server 2003 SP2):
  (memberOf:1.2.840.113556.1.4.1941:=CN=Admin,OU=Security,DC=DOM,DC=NT)
Return the servers whose NetBIOS names end with an odd digit (e.g. AnySrv101):
  (|(name=*1)(name=*3)(name=*5)(name=*7)(name=*9))
Combination sample (computers only, no DCs, no management servers or gateways, odd names):
  (&(objectCategory=computer)(!(primaryGroupID=516))(!(servicePrincipalName=MSOMHSvc/*))(|(name=*1)(name=*3)(name=*5)(name=*7)(name=*9)))

LDAP Performance Tips
Consider the following when building LDAP filters, to optimize performance:
- Always use indexed attributes
- Filter out unnecessary targets (DCs, management servers, gateways)
- Target the most specific data sets possible
- Use a global catalog located in the local site

Testing LDAP Filters: verifying query results BEFORE you deploy
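The slides above insist twice that assignment rules must never overlap, and the odd/even name split leaves a second failure mode: a computer whose name does not end in a digit matches neither rule and ends up with no primary management server. The following PowerShell is an added example, not part of the session, that runs candidate filters through a DirectorySearcher against the domain and reports both conditions before anything is typed into the wizard. The domain name, the two management server names and the rule names are placeholder assumptions; the filters themselves are the ones from the LDAP Samples slides.

```powershell
# Added example, not from the session: run candidate Agent Assignment LDAP filters against a domain
# and report computers matched by more than one rule (overlap) or by none (gap).
# Assumed placeholders: domain 'contoso.com', management servers MS01 and MS02.

function Get-ComputersByLdapFilter {
    param([string]$Domain, [string]$Filter)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Domain", $Filter)
    $searcher.PageSize = 1000                      # paged results, so domains with >1000 computers are not truncated
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')
    foreach ($result in $searcher.FindAll()) {
        if ($result.Properties['dnshostname'].Count -gt 0) { [string]$result.Properties['dnshostname'][0] }
    }
}

function Test-AssignmentRuleCoverage {
    param([string]$Domain, [hashtable]$Rules, [string]$AllAgentsFilter)
    $owners = @{}                                  # FQDN -> names of the rules that matched it
    foreach ($ruleName in $Rules.Keys) {
        foreach ($fqdn in Get-ComputersByLdapFilter -Domain $Domain -Filter $Rules[$ruleName]) {
            if (-not $owners.ContainsKey($fqdn)) { $owners[$fqdn] = @() }
            $owners[$fqdn] += $ruleName
        }
    }
    $overlaps   = @($owners.Keys | Where-Object { $owners[$_].Count -gt 1 })
    $unassigned = @(Get-ComputersByLdapFilter -Domain $Domain -Filter $AllAgentsFilter |
                    Where-Object { -not $owners.ContainsKey($_) })
    foreach ($fqdn in $overlaps)   { Write-Warning "OVERLAP: $fqdn matched by $($owners[$fqdn] -join ', ')" }
    foreach ($fqdn in $unassigned) { Write-Warning "GAP: $fqdn matched by no rule (agent would get no primary MS)" }
    New-Object PSObject -Property @{
        Rules = $Rules.Count; Assigned = $owners.Count; Overlaps = $overlaps.Count; Unassigned = $unassigned.Count
    }
}

# Common prefix from the LDAP Samples slides: computers only, no DCs, no management servers or gateways.
# (sAMAccountType=805306369, the SAM_MACHINE_ACCOUNT value, is the equivalent of objectCategory=computer.)
$base  = '(&(objectCategory=computer)(!(primaryGroupID=516))(!(servicePrincipalName=MSOMHSvc/*))'
$rules = @{
    'AD rule for Domain contoso.com - MS01' = "$base(|(name=*1)(name=*3)(name=*5)(name=*7)(name=*9)))"  # odd last digit
    'AD rule for Domain contoso.com - MS02' = "$base(|(name=*0)(name=*2)(name=*4)(name=*6)(name=*8)))"  # even last digit
}

# Usage: the summary object plus one warning line per overlapping or unassigned computer
Test-AssignmentRuleCoverage -Domain 'contoso.com' -Rules $rules -AllAgentsFilter "$base)"
```

Run it with the same account the assignment rules' Run As Profile will use, so that the result set reflects what the RMS will actually see; a filter that works as Domain Admin but returns nothing as the RunAs user usually points at a missing read permission on the OU rather than at the filter.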

3. Configure Agent Auto Assignment: define agent failover and load distribution

Agent Deployment
Agent deployment methods for AD Integration can include the following:
- Manual installation (from the install media)
- As part of an OS image
- Group Policy
- Configuration Manager 2007
Hotfixes applicable to the agent must be deployed manually when using any of the above methods!

4. Deploy Agents: manual deployment for AD Integration

Agent Maintenance
- Hotfixes must be deployed manually to manually installed agents
- Multiple fixes can be applied at once
- The Windows Installer patch packages (.msp files) for the agents can be found on any patched management server, under
  C:\Program Files\System Center Operations Manager 2007\AgentManagement
- At a command prompt, run the following command (separate multiple patches with semicolons):
  msiexec /p [Full Path to Patch 1].msp;[Full Path to Patch 2].msp /qn

Agent Maintenance (continued)
- Agents using AD Integration should never be repaired from the Operations console
- A console repair changes the agent configuration to "remotely manageable", which switches AD Integration off
- To return the agent configuration to AD Integration, set the EnableADIntegration registry value to 1
- Sample PowerShell script to perform this in batch at

Check Your Results: Agent Distribution
Retrieve the number of agents reporting to each management server:

$rootMS = "NOCMS01"
# Initialize the OpsMgr provider
Add-PSSnapin "Microsoft.EnterpriseManagement.OperationsManager.Client"
Set-Location "OperationsManagerMonitoring::"
# Set the Management Group context to the provided RMS
New-ManagementGroupConnection -ConnectionString:$rootMS
Set-Location $rootMS
# Group the agents by primary management server and count them
Get-Agent | Group-Object PrimaryManagementServerName -NoElement | Sort-Object Name | Select-Object Name, Count

Troubleshooting
Events are logged in the Operations Manager event log on the agent:
- Event on agent: multiple primary relationships
- Event on agent: agent not authorized
- Event on agent: no failover
- Event on agent: no configured parents

Troubleshooting (continued)
- Beware when using PowerShell to configure agent failover instead of AD Integration
- Use with caution, especially in distributed environments
- It can result in "orphaned agents" pointing to an unreachable management server!

Registry Keys
Registry values related to AD Integration, all under
  HKLM\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager
- EnableADIntegration (DWORD): enables AD Integration on the agent
- ADPollIntervalMinutes (DWORD): how often the agent polls AD for its configuration
- IsSourcedFromAD (DWORD): is the agent currently using configuration retrieved from AD?
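The "Agent Maintenance (continued)" slide refers to a batch script for resetting EnableADIntegration after a console repair, and the values above are what such a script has to read and write. The following PowerShell is an added example, not the session's script and not an OpsMgr tool; it audits those three values on a list of agents over the remote registry and re-enables AD Integration where it has been switched off. The agent names are constructed placeholders, and it assumes the caller is a local administrator on each agent with the Remote Registry service running there.

```powershell
# Added example, not from the session: audit the AD Integration registry values on a list of agents
# via the remote registry, and re-enable AD Integration where a console repair turned it off.
# Assumed: the agent names below are placeholders; you need local admin rights on each agent.

$ConnectorManagerKey = 'SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager'

function Get-AdIntegrationState {
    param([string]$ComputerName)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key = $hive.OpenSubKey($ConnectorManagerKey)
        if ($key -eq $null) { throw "ConnectorManager key not found on $ComputerName (agent not installed?)" }
        try {
            New-Object PSObject -Property @{
                ComputerName          = $ComputerName
                EnableADIntegration   = $key.GetValue('EnableADIntegration')
                ADPollIntervalMinutes = $key.GetValue('ADPollIntervalMinutes')
                IsSourcedFromAD       = $key.GetValue('IsSourcedFromAD')
            }
        } finally { $key.Close() }
    } finally { $hive.Close() }
}

function Enable-AdIntegration {
    param([string]$ComputerName)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key = $hive.OpenSubKey($ConnectorManagerKey, $true)    # open writable
        try { $key.SetValue('EnableADIntegration', 1, [Microsoft.Win32.RegistryValueKind]::DWord) }
        finally { $key.Close() }
    } finally { $hive.Close() }
    # The agent reads the value at service start, so restart HealthService to make it query AD now
    Get-Service -ComputerName $ComputerName -Name HealthService | Restart-Service
}

# Constructed list of agents to audit (placeholders)
$agents = 'APP01', 'APP02', 'WEB01'
foreach ($agent in $agents) {
    $state = Get-AdIntegrationState -ComputerName $agent
    if ($state.EnableADIntegration -ne 1) {
        Write-Warning "$agent`: EnableADIntegration=$($state.EnableADIntegration), re-enabling AD Integration"
        Enable-AdIntegration -ComputerName $agent
    }
    elseif ($state.IsSourcedFromAD -ne 1) {
        Write-Warning "$agent`: AD Integration is enabled but the configuration has not been sourced from AD yet (check the assignment rules and the agent's Operations Manager event log)"
    }
    $state
}
```

The two warnings distinguish the two cases worth chasing: EnableADIntegration at 0 is the console-repair symptom and is fixed locally, whereas EnableADIntegration at 1 with IsSourcedFromAD still at 0 means the agent is asking AD and getting nothing back, which is a rule or permission problem on the RMS side rather than something to fix on the agent.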

Additional Resources
- Creating an LDAP Query Filter
- Microsoft Webcast: Enable AD Integration (_Edited.asx)
- AD Integration Deep Dive (how-it-works.aspx)
- OpsMgr Team Blog: How AD Integration Works (how-active-directory-integration-feature-works-in-opsmgr-2007.aspx)
- Manageability Blog: Enable Untrusted Domain Integration (how-to-enable-ad-integration-for-an-untrusted-domain.aspx)
- To Repair or Not to Repair (m.aspx?ID=12)
- Advanced AD Integration Whitepaper

Special Thanks
Thanks to the following for their input: Raphael Burri, Steve Rachui (Microsoft), Rob Kuehfus (Microsoft)

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.