Active Directory Integration in Large and Complex Environments with System Center Operations Manager 2007
Pete Zerger, MVP, System Center Central, http://www.systemcentercentral.com
SCSS2009


Post on 26-Feb-2016


DESCRIPTION

SCSS2009. Active Directory Integration in Large and Complex Environments with System Center Operations Manager 2007. Pete Zerger, MVP, System Center Central, http://www.systemcentercentral.com. Takeaways: updated version of the ‘Definitive Guide to AD Integration in OpsMgr 2007’. PowerPoint PPT presentation.

TRANSCRIPT

Page 1: Active Directory Integration in Large and Complex Environments

Active Directory Integration in Large and Complex Environments
with System Center Operations Manager 2007
Pete Zerger, MVP, System Center Central, http://www.systemcentercentral.com
SCSS2009

Page 2

TAKEAWAYS
- Updated version of the ‘Definitive Guide to AD Integration in OpsMgr 2007’
- 2 sample MPs to correct issues and automate important processes
- Chance to win a copy of Operations Manager 2007 Unleashed

Page 3

AGENDA
- Active Directory Integration: what it does and how it works
- Configuration steps
- Configuring child and untrusted domains
- Using LDAP for granular control
- Agent deployment and maintenance
- Troubleshooting and testing

Page 4

WHAT IT DOES AND HOW IT WORKS

What it does: automates the configuration of OpsMgr agents installed on domain member computers.

How it works: agent configuration is centrally maintained in OpsMgr and published to Active Directory (by the RMS). Agents query AD at startup (and hourly thereafter).

IMPORTANT: agent deployment and patching must be performed outside of OpsMgr. AD domain controllers and push-installed agents cannot participate.

Page 5

HOW IT WORKS (HIGH LEVEL)

1. Publish management group info to AD
2. Configure agent auto-assignment
3. Install agents
4. Agents query AD for management group info
5. Agent reports to MS

[Diagram: MOMADAdmin, Active Directory, Management Group, OpsMgr Console]

Page 6

CONFIGURATION STEPS

1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Agent Auto Assignment
4. Deploy Agents

Page 7

PREREQUISITES
- Domain functional level must be higher than ‘Windows 2000 Mixed’
- Global Settings: enable “Review new manual agent installations”
- User account (in each domain)
- Security group (in each domain)
- LDAP access (RMS to each domain)
- DNS resolution (RMS to each domain)
- Agent grouping / failover strategy

Page 8

RUNAS SECURITY (CHILD AND UNTRUSTED DOMAINS)

Additional configuration steps:
- Define RunAs Account and RunAs Profile
- Run MomADAdmin

IMPLEMENTATION TIPS:
- RunAs Profiles used for AD integration must be saved in the Default Management Pack.
- Must be targeted to the RMS!
- Optional for local and trusted domains, but eliminates reconfiguration in the event the RMS role is moved!

Page 9

DEMO: 1. Configure RunAs Security (security for untrusted domains)

Page 10

CONFIGURATION STEPS

1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Agent Auto Assignment
4. Deploy Agents

Page 11

MOMADADMIN – WHAT DOES IT DO?

When you run the MOMADAdmin tool, it performs the following actions:

1. Creates a top-level container in AD called OperationsManager
2. Adds the machine account of the RMS to the OpsMgr Admin security group
3. Adds the OpsMgr Admin security group to the container's ACL with WriteChild access

Page 12

MOMADADMIN – GUIDELINES FOR USE
- Can be run on any member server
- Requires Domain Admin rights
- Must be run in each AD domain targeted for the AD Integration feature
- MomADAdmin.exe is found in the \SupportTools folder of the OpsMgr installation media

Usage: MomADAdmin ManagementGroupName MOMAdminSecurityGroup {RootManagementServer | RunAsAccount} Domain

Example: MomADAdmin ContosoMG CONTOSO\OpsMgrAdmins <RootManagementServer> CONTOSO

Page 13

DEMO: 2. Run MOMADAdmin Utility (prepare Active Directory and the MG for AD Integration)

Page 14

OPERATIONSMANAGER CONTAINER
- Visible when ‘Advanced Features’ are activated in Active Directory Users and Computers
- Must not be modified manually
- Can be deleted and then recreated by running MomADAdmin.exe again
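As an added example (not part of the deck), a PowerShell check that confirms the container exists and lists who holds the CreateChild (‘WriteChild’) right on it, which is the permission MomADAdmin grants to the OpsMgr admin group; the domain DN and group name are assumed sample values.

```powershell
# Added example, not from the deck: confirm the OperationsManager container that MomADAdmin creates
# exists, and list which principals may create objects in it (the "WriteChild"/CreateChild right).
# Assumes PowerShell 2.0 with System.DirectoryServices; $DomainDN and $ExpectedGroup are sample values.
param(
    [string]$DomainDN      = 'DC=contoso,DC=com',
    [string]$ExpectedGroup = 'CONTOSO\OpsMgrAdmins'      # the group that was passed to MomADAdmin
)
$containerPath = "LDAP://CN=OperationsManager,$DomainDN"

# No container means MomADAdmin has not been run in this domain (or the container was deleted)
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($containerPath)) {
    throw "No OperationsManager container under $DomainDN - run MomADAdmin for this domain first."
}
$container = New-Object System.DirectoryServices.DirectoryEntry($containerPath)

# Every ACE, explicit and inherited, with the trustee resolved to DOMAIN\Name form
$rules       = $container.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$createChild = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$holders = @()
foreach ($rule in $rules) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    if (([int]$rule.ActiveDirectoryRights -band $createChild) -eq 0) { continue }
    $source = if ($rule.IsInherited) { 'inherited' } else { 'explicit' }
    $holders += New-Object PSObject -Property @{
        Principal = $rule.IdentityReference.Value
        Source    = $source
        AnyClass  = ($rule.ObjectType -eq [Guid]::Empty)   # empty ObjectType = may create any object class
    }
}

"Principals allowed to create objects under CN=OperationsManager,${DomainDN}:"
$holders | Sort-Object Principal | ForEach-Object {
    '  {0,-40} {1}, {2}' -f $_.Principal, $_.Source, $(if ($_.AnyClass) { 'any class' } else { 'class-limited' })
}

# Unrestricted CreateChild beyond the MomADAdmin group and built-in administrators deserves review:
# whoever can write here can publish the management-group data that AD-integrated agents consume.
$domain     = $ExpectedGroup.Split('\')[0]
$allowed    = @($ExpectedGroup, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                "$domain\Domain Admins", "$domain\Enterprise Admins")
$unexpected = @($holders | Where-Object { $_.AnyClass -and ($allowed -notcontains $_.Principal) } |
                Select-Object -ExpandProperty Principal -Unique)
if ($unexpected.Count -gt 0) {
    Write-Warning "Unexpected CreateChild holders on the container: $($unexpected -join ', ')"
} else {
    "Only $ExpectedGroup and built-in administrators hold unrestricted CreateChild here."
}
```

Run it once after MomADAdmin in each domain and keep the output; a later diff shows whether the container's ACL was changed by hand.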

Page 15

CONFIGURATION STEPS

1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Auto Agent Assignment
4. Deploy Agents

Page 16

AUTO AGENT ASSIGNMENT
- Must be configured for each MS or GTW to which agents must report
- Add one rule per domain (if multiple domains/forests)
- In the Operations Console, under Administration, choose “Configure Active Directory (AD) Integration”
- Choose the appropriate domain name, domain controller FQDN or IP address, and Run As Profile*

* Use the default if configuring the local domain

Page 17

CONFIGURE AGENT AUTO ASSIGNMENT
- Paste or generate the LDAP query. Query results should not overlap
- Optionally exclude computers using their FQDN
- Configure agent failover

Location, naming and execution:
- Agent assignment rules are saved to the ‘Default Management Pack’
- Rule names start with ‘AD rule for Domain:’
- The RMS runs the rules hourly

Page 18

AGENT AUTO ASSIGNMENT

Configured through the Agent Assignment & Failover Wizard. Sample LDAP query:

(&(objectCategory=computer)(distinguishedName=*,OU=AppServers,DC=nwtraders,DC=msft))

Page 19

AUTO ASSIGNMENT & AGENT FAILOVER

[Diagram: Active Directory, OU, AD security group]

Avoid overlapping LDAP query results!

Page 20

LDAP TIPS FOR GRANULAR CONTROL

LDAP can be leveraged in Agent Auto-Assignment in a number of ways:
- Computer name
- Computer description
- Computer account security group membership
- Operating system and service pack
- Registered Service Principal Names (SPN)
- Computer account Organizational Unit (OU)

Never use LDAP queries with overlapping result sets!

Page 21

LDAP QUERY RESOURCES (CONT)

LDAP Comparison Operators

Operator   Description
|          OR
&          AND
!          NOT
=          Equals
~=         Approx. equals
<=         Less than or equal
>=         More than or equal

LDAP Escape Sequences

ASCII character   Escape sequence
*                 \2a
(                 \28
)                 \29
\                 \5c
NUL               \00

Page 22

LDAP SAMPLES

Limit the query to computer accounts:
(objectCategory=computer)
or
(sAMAccountType=805306369)

Exclude domain controllers:
(!(primaryGroupID=516))

Exclude OpsMgr management servers and gateways:
(!(servicePrincipalName=MSOMHSvc/*))

Direct members of a security group:
(memberOf=CN=Admin,OU=Security,DC=DOM,DC=NT)

Page 23

LDAP PERFORMANCE TIPS

Performance considerations when building LDAP filters:
- Always use indexed attributes
- Filter out unnecessary targets (DCs, MSs, GWs)
- Target the most specific data sets possible
- Use a Global Catalog located in the local site
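As an added example (not part of the deck), a PowerShell script that runs a set of assignment filters assembled from the sample clauses above against a domain controller, escapes an embedded value per the escape table, and reports any computer returned by more than one rule; the DC, domain DN, group DNs and rule names are assumed sample values.

```powershell
# Added example, not from the deck: run each agent-assignment LDAP filter the way the RMS would and
# report computers matched by more than one rule (such an agent logs event 20064, multiple primary
# relationships). Assumes PowerShell 2.0 and System.DirectoryServices; DC, domain DN, group DNs and
# rule names are sample values.
$searchRoot = 'LDAP://dc01.contoso.com/DC=contoso,DC=com'

# Escape a value for embedding in a filter, per the LDAP escape table: \ first, then * ( ) and NUL
function ConvertTo-LdapLiteral([string]$Value) {
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# One filter per assignment rule, built from the sample clauses: computer accounts only, no DCs,
# no MS/GW, plus membership in the group created for that management server. The second group's
# name contains parentheses, so its DN has to be escaped before it goes into the filter.
$common = '(objectCategory=computer)(!(primaryGroupID=516))(!(servicePrincipalName=MSOMHSvc/*))'
$rules  = @{
    'AD rule for Domain: contoso (MS01)' = '(&' + $common + '(memberOf=' + (ConvertTo-LdapLiteral 'CN=OpsMgr-MS01,OU=Security,DC=contoso,DC=com') + '))'
    'AD rule for Domain: contoso (MS02)' = '(&' + $common + '(memberOf=' + (ConvertTo-LdapLiteral 'CN=OpsMgr-MS02 (Web),OU=Security,DC=contoso,DC=com') + '))'
}

# dNSHostName of every computer the filter matches; paged so domains with >1000 hits work too
function Get-FilterMatches([string]$Filter) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($searchRoot)
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 1000
    $null = $searcher.PropertiesToLoad.Add('dNSHostName')
    foreach ($result in $searcher.FindAll()) {
        if ($result.Properties['dnshostname'].Count -gt 0) { $result.Properties['dnshostname'][0] }
    }
}

$seen = @{}    # hostname -> names of the rules that matched it
foreach ($name in $rules.Keys) {
    $hosts = @(Get-FilterMatches $rules[$name])
    '{0}: {1} computer(s)' -f $name, $hosts.Count
    foreach ($h in $hosts) {
        if (-not $seen.ContainsKey($h)) { $seen[$h] = @() }
        $seen[$h] += $name
    }
}

$overlap = @($seen.Keys | Where-Object { $seen[$_].Count -gt 1 })
if ($overlap.Count -gt 0) {
    Write-Warning 'Computers matched by more than one rule - fix the filters before deploying agents:'
    $overlap | ForEach-Object { '  {0} <- {1}' -f $_, ($seen[$_] -join ', ') }
} else {
    'No overlapping result sets across {0} rule(s).' -f $rules.Count
}
```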

Page 24

DEMO: Testing LDAP filters (verifying query results BEFORE you deploy)

Page 25

CONFIGURATION STEPS

1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Auto Agent Assignment
4. Deploy Agents

Page 26

DEMO: 3. Configure Agent Auto Assignment (define agent failover and load distribution)

Page 27

AGENT DEPLOYMENT

Agent deployment methods for AD integration can include:
- Manual installation (from install media)
- As part of an OS image
- Group Policy
- Configuration Manager 2007

Hotfixes applicable to the agent must be deployed manually when using any of the above methods!

Page 28

CONFIGURATION STEPS

1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Auto Agent Assignment
4. Deploy Agents

Page 29

DEMO: 4. Deploy Agents (manual deployment for AD Integration)

Page 30

AGENT MAINTENANCE
- Hotfixes must be deployed manually to manually installed agents
- Multiple fixes can be applied at once
- Windows Installer patch packages (.msp files) for the agents can be found on any patched management server or gateway in the following directory:

Syntax (example):

msiexec /p [c:\hotfixes\fix1.msp];[c:\hotfixes\fix2.msp] /qn

Page 31

AGENT MAINTENANCE (CONT)
- Agents using AD Integration should never be repaired from the Operations Console
- Repair results in the agent configuration changing to “remotely manageable”

To return the agent configuration to AD Integration:
- Set the EnableADIntegration registry key to “1”
- A sample PowerShell script to perform this in batch is at http://OpsManJam.com

Page 32

CHECK YOUR RESULTS: AGENT DISTRIBUTION

Retrieve the number of agents reporting to each management server (to verify distribution of agent load):

# Initialize the OpsMgr provider
$rootMS = "NOCMS01"
Add-PSSnapin "Microsoft.EnterpriseManagement.OperationsManager.Client"
Set-Location "OperationsManagerMonitoring::"

# Set the Management Group context to the provided RMS
New-ManagementGroupConnection -ConnectionString:$rootMS
Set-Location $rootMS

# Count agents per primary management server
Get-Agent | Group-Object PrimaryManagementServerName -NoElement | Sort-Object Name | Select-Object Name, Count

Page 33

TROUBLESHOOTING

Events logged in the Operations Manager event log (on the agent):
- Event 20064 on agent (multiple primary relationships)
- Event 20070 on agent (agent not authorized)
- Event 21016 on agent (no failover)
- Event 21034 on agent (no configured parents)

Page 34

TROUBLESHOOTING (CONT)

Beware when using PowerShell to configure agent failover instead of AD Integration. Use with caution, especially in distributed environments: it can result in ‘orphaned agents’ due to an unreachable MS!

Page 35

REGISTRY KEYS

Registry keys related to AD integration, under HKLM\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager:

- Enable AD Integration key: EnableADIntegration (DWORD)
- AD polling interval: ADPollIntervalMinutes (DWORD)
- Is the agent using configuration retrieved from AD?: IsSourcedFromAD (DWORD)

It is not recommended that these keys be modified without guidance from Microsoft.
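As an added example (not part of the deck), a read-only PowerShell check that reads these three values and the four troubleshooting event IDs from the Operations Manager log off a list of agents, and flags any agent whose EnableADIntegration is no longer 1 (the ‘repaired from the console’ case); the agent names, the 24-hour window and the Remote Registry / event-log access rights are assumptions.

```powershell
# Added example, not from the deck: report the AD Integration state of a list of agents by reading the
# three ConnectorManager values above from each agent's registry and pulling the four troubleshooting
# event IDs from its Operations Manager event log. Read-only: it changes nothing on the agent.
# Assumes PowerShell 2.0, the Remote Registry service on the agents and rights to read their event logs;
# the agent names are sample values.
$agents   = @('app01.contoso.com', 'web01.contoso.com')
$keyPath  = 'SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager'
$eventIds = @{ 20064 = 'multiple primary relationships'; 20070 = 'agent not authorized'
               21016 = 'no failover';                   21034 = 'no configured parents' }
$since    = (Get-Date).AddDays(-1)

function Get-AdIntegrationState([string]$Computer) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $key  = $hklm.OpenSubKey($keyPath)
    if ($key -eq $null) { throw "$Computer - ConnectorManager key not found (is an agent installed?)" }
    $state = New-Object PSObject -Property @{
        Computer            = $Computer
        EnableADIntegration = $key.GetValue('EnableADIntegration')   # 1 = agent asks AD for its configuration
        IsSourcedFromAD     = $key.GetValue('IsSourcedFromAD')       # 1 = current configuration came from AD
        ADPollIntervalMin   = $key.GetValue('ADPollIntervalMinutes')
    }
    $key.Close(); $hklm.Close()
    return $state
}

foreach ($agent in $agents) {
    try { $state = Get-AdIntegrationState $agent } catch { Write-Warning $_; continue }

    '{0}: EnableADIntegration={1} IsSourcedFromAD={2} ADPollIntervalMinutes={3}' -f $agent, $state.EnableADIntegration, $state.IsSourcedFromAD, $state.ADPollIntervalMin

    # A console "repair" is the usual reason this value is no longer 1; the fix is to set it back to 1
    if ($state.EnableADIntegration -ne 1) {
        Write-Warning "$agent is no longer AD-integrated (remotely manageable); EnableADIntegration must be 1"
    }

    # The four agent-side events listed on the troubleshooting slide, from the last 24 hours
    $events = Get-EventLog -ComputerName $agent -LogName 'Operations Manager' -After $since -ErrorAction SilentlyContinue |
              Where-Object { $eventIds.ContainsKey([int]$_.EventID) }
    foreach ($e in $events) {
        '  {0:u} event {1}: {2}' -f $e.TimeGenerated, $e.EventID, $eventIds[[int]$e.EventID]
    }
}
```

Feed it the output of the agent-distribution script on Page 32 (Get-Agent) to cover every managed computer instead of a hand-written list.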

Page 36

ADDITIONAL RESOURCES
- Creating an LDAP Query Filter: http://msdn2.microsoft.com/en-us/library/ms675768.aspx
- Microsoft Webcast: Enable AD Integration: http://www.microsoft.com/winme/0703/28666/Active_Directory_Integration_Edited.asx
- AD Integration Deep Dive: http://blogs.msdn.com/steverac/archive/2008/03/20/opsmgr-ad-integration-how-it-works.aspx
- OpsMgr Team Blog: How AD Integration Works: http://blogs.technet.com/momteam/archive/2008/01/02/understanding-how-active-directory-integration-feature-works-in-opsmgr-2007.aspx

Page 37

ADDITIONAL RESOURCES (CONT)
- Manageability Blog: Enable Untrusted Domain Integration: http://blogs.technet.com/smsandmom/archive/2008/05/21/opsmgr-2007-how-to-enable-ad-integration-for-an-untrusted-domain.aspx
- To Repair or Not to Repair: http://www.opsmanjam.com/Lists/OpsManJam%20Announcements/DispForm.aspx?ID=12
- Advanced AD Integration Whitepaper: http://www.systemcentercentral.com/scugmy

Page 38

SPECIAL THANKS
- Raymond Chou (MVP)
- Raphael Burri (OpsMgr guru-at-large)
- Steve Rachui (Microsoft)
- Rob Kuehfus (Microsoft)

Page 39

ANNOUNCEMENTS

SCUG Malaysia Blogging Contest: the leading blogger between now and December 31st will receive a copy of Operations Manager Unleashed.

Registration and session takeaways at http://www.systemcentercentral.com/scugmy

Page 40

QUESTIONS