SCOM_ADInt_Zerger

SCSS2009
Pete Zerger, MVP
System Center Central
http://www.systemcentercentral.com
Updated version of the ‘Definitive Guide to AD Integration in OpsMgr 2007’
2 Sample MPs to correct issues and automate important processes
Chance to win a copy of Operations Manager 2007 Unleashed
Active Directory Integration - What it does & how it works
Configuration Steps
Configuring Child and Untrusted Domains
Using LDAP for Granular Control
Agent Deployment & Maintenance
Troubleshooting and Testing
What it does
Automates the configuration of OpsMgr agents installed on domain member computers
How it works
Agent configuration is centrally maintained in OpsMgr and published to Active Directory (by the RMS)
Agents query AD at startup (and hourly)
IMPORTANT:
Agent deployment and patching must be performed outside of OpsMgr.
AD DCs and push-installed agents cannot participate.
[Diagram: Active Directory, Operations Console, MOMADAdmin, Management Group]
1. Publish mgmt group info to AD
2. Configure agent auto-assignment
3. Install Agents
4. Agents query AD for MG info
5. Agent reports to MS
1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Agent Auto Assignment
4. Deploy Agents
Domain functional level must be higher than ‘Windows 2000 Mixed’
Global Settings - Enable “Review new manual agent installations”
User Account (in each domain)
Security Group (in each domain)
LDAP access (RMS to each domain)
DNS resolution (RMS to each domain)
Agent Grouping / Failover Strategy
Additional Configuration Steps:
Define RunAs Account and RunAs Profile
Run MomADAdmin
IMPLEMENTATION TIPS:
RunAs Profiles used for AD integration must be saved in the
Default Management Pack.
Must be targeted to the RMS!
Optional for Local & Trusted Domains, but eliminates reconfiguration in the event the RMS role is moved!
Security for Untrusted Domains
1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Agent Auto Assignment
4. Deploy Agents
When you run the MOMADAdmin tool, it performs the following actions:
1. Creates a top level container in AD called OperationsManager
2. Adds the machine account of the RMS to the OpsMgr Admin security group
3. Adds the OpsMgr Admin security group to the container's ACL with WriteChild access
Can be run on any member server
Requires Domain Admin rights
Must be run in each AD domain (targeted for the AD Integration feature)
MomADAdmin.exe is found in the \SupportTools folder of the OpsMgr installation media
Usage:
MomADAdmin ManagementGroupName MOMAdminSecurityGroup {RootManagementServer | RunAsAccount} Domain
Example (the third argument, the RMS computer account or the RunAs account, is shown as a placeholder):
MomADAdmin ContosoMG CONTOSO\OpsMgrAdmins CONTOSO\<RMS-or-RunAs-account> CONTOSO
Prepare Active Directory and MG for AD Integration
OperationsManager Container
Visible when ‘Advanced Features’ are activated in Active Directory Users and Computers
Must not be modified manually
Can be deleted and then recreated by running MomADAdmin.exe again
1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Auto Agent Assignment
4. Deploy Agents
Must be configured for each MS or GTW to which agents must report
Add one rule per domain (if multiple domains/forests)
In Operations Console, Administration, choose “Configure Active Directory (AD) Integration”
Choose the appropriate Domain name, Domain Controller FQDN or IP address, and Run As Profile*
* Use default if configuring local domain
Paste or generate LDAP query.
Query Results should not overlap
Optionally exclude computers using their FQDN
Configure agent failover
Location, Naming and Execution
Agent assignment rules are saved to ‘Default Management Pack’
Rule names start with ‘AD rule for Domain:’
RMS runs rules hourly
Configured through the
Agent Assignment & Failover Wizard
(&(objectCategory=computer)(distinguishedName=*,OU=AppServers,DC=nwtraders,DC=msft))
Avoid overlapping LDAP query results!
[Diagram: Active Directory, AD Security Group, OU]
LDAP can be leveraged in Agent Auto-Assignment in a number of ways:
Computer name
Computer description
Computer account security group membership
Operation system and service pack
Registered Service Principal Names (SPN)
Computer account Organizational Unit (OU)
Never use LDAP queries with overlapping result sets!
LDAP Comparison Operators
Operator   Description
|          OR
&          AND
!          NOT
=          Equals
~=         Approx. equals
<=         Less than or equal
>=         More than or equal

LDAP Escape Sequences
ASCII character   Escape sequence
*                 \2a
(                 \28
)                 \29
\                 \5c
NUL               \00
Limit the query to computer accounts
(objectCategory=computer) or (sAMAccountType=805306369)
Exclude Domain Controllers
(!(primaryGroupID=516))
Exclude OpsMgr Management Servers and Gateways
(!(servicePrincipalName=MSOMHSvc/*))
Direct members of a security group
(memberOf=CN=Admin,OU=Security,DC=DOM,DC=NT)
Performance considerations when building LDAP filters
Always use indexed attributes
Filter unnecessary targets (DCs, MS, GWs)
Target most specific data sets possible
Global Catalog located in local site
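To check the "no overlapping result sets" rule before deploying, here is an added Python example (not from the slides, and not OpsMgr's own code) that parses the filter subset the assignment rules use, evaluates it against constructed computer accounts, and reports any computer selected by more than one rule; the sample accounts, the MS01/MS02 rule names and the nwtraders.msft DNs are assumptions.

```python
import re
# Constructed sample computer accounts (not real directory data); attribute names are stored lower-case since LDAP attribute names are case-insensitive.
ADMIN_GRP = "CN=Admin,OU=Security,DC=nwtraders,DC=msft"
COMPUTERS = [
    {"cn": "APP01", "distinguishedname": "CN=APP01,OU=AppServers,DC=nwtraders,DC=msft",
     "primarygroupid": "515", "memberof": [], "objectcategory": "computer"},
    {"cn": "APP02", "distinguishedname": "CN=APP02,OU=AppServers,DC=nwtraders,DC=msft",
     "primarygroupid": "515", "memberof": [ADMIN_GRP], "objectcategory": "computer"},
    {"cn": "DC01", "distinguishedname": "CN=DC01,OU=Domain Controllers,DC=nwtraders,DC=msft",
     "primarygroupid": "516", "memberof": [ADMIN_GRP], "objectcategory": "computer"},
]
def unescape(text):  # decode the \xx sequences from the escape table, e.g. \28 -> '('
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def parse(s, i=0):
    """Recursive-descent parser for the (&, |, !, =) filter subset the assignment rules use."""
    if s[i + 1] in "&|!":
        op, kids, i = s[i + 1], [], i + 2
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = s.index(")", i)  # safe only because a literal ')' inside a value must be escaped as \29
    attr, val = s[i + 1:j].split("=", 1)
    # An unescaped '*' is a wildcard; '\2a' becomes a literal '*' after unescaping.
    rx = re.compile(".*".join(re.escape(unescape(p)) for p in val.split("*")) + r"\Z", re.I)
    return ("=", attr.lower(), rx), j + 1

def match(node, obj):
    op = node[0]
    if op in "&|":
        return (all if op == "&" else any)(match(k, obj) for k in node[1])
    if op == "!":
        return not match(node[1][0], obj)
    vals = obj.get(node[1], [])
    return any(node[2].match(v) for v in (vals if isinstance(vals, list) else [vals]))

def evaluate(filt, computers=COMPUTERS):
    """Names of the computers a filter selects, like the wizard's query preview."""
    node, _ = parse(filt)
    return sorted(c["cn"] for c in computers if match(node, c))

def overlapping(rules, computers=COMPUTERS):
    """Computers matched by more than one assignment rule; must be empty before deploying."""
    owners = {c["cn"]: [n for n, f in rules.items() if c["cn"] in evaluate(f, computers)] for c in computers}
    return {cn: names for cn, names in owners.items() if len(names) > 1}
RULES = {  # one rule per management server, as the AD Integration wizard stores them
    "MS01": "(&(objectCategory=computer)(distinguishedName=*,OU=AppServers,DC=nwtraders,DC=msft))",
    "MS02": f"(&(objectCategory=computer)(!(primaryGroupID=516))(memberOf={ADMIN_GRP}))",
}
```

With these two rules APP02 is selected by both MS01 and MS02, which is exactly the overlap the slides warn about; DC01 is kept out of MS02 by the primaryGroupID exclusion.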
Verifying query results BEFORE you deploy
1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Auto Agent Assignment
4. Deploy Agents
Define agent failover and load distribution
Agent deployment methods for AD integration can include:
Manual installation (from install media)
As part of OS image
Group Policy
Configuration Manager 2007
Hotfixes applicable to the agent must be deployed manually when using any of the above methods!
1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Auto Agent Assignment
4. Deploy Agents
Manual deployment for AD Integration
Hotfixes must be deployed manually to manually installed agents
Multiple fixes can be applied at once
MSI transform packages (.msp files) for the agents can be found on any patched management server or gateway in the following directory:
Syntax (example, applying two patch packages silently)
msiexec /p c:\hotfixes\fix1.msp;c:\hotfixes\fix2.msp /qn
Agents using AD Integration should never be repaired from the Operations console
Results in agent configuration change to “remotely manageable”
To return agent configuration to AD Integration
Set EnableADIntegration registry key to “1”
Sample Powershell script to perform in batch at http://OpsManJam.com
Retrieve the number of agents reporting to each management server (to verify distribution of agent load):
# Root management server to connect to
$rootMS = "NOCMS01"
# Initialize the OpsMgr provider
add-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client";
set-location "OperationsManagerMonitoring::";
# Set management group context to the provided RMS
new-managementGroupConnection -ConnectionString:$rootMS;
set-location $rootMS;
# Count agents per primary management server
get-agent | Group PrimaryManagementServerName -NoElement | sort Name | select Name, Count
Events logged in the Operations Manager Event Log (on Agent)
Event 20064 on agent (multiple primary relationships)
Event 20070 on agent (agent not authorized)
Event 21016 on agent (no failover)
Event 21034 on agent (no configured parents)
Beware when using Powershell to configure
agent failover instead of AD Integration.
Use with caution, especially in distributed environments
Can result in ‘orphaned agents’ due to an unreachable MS!
Registry keys related to AD integration
HKLM\SYSTEM\CCS\Services\HealthService\Parameters\ConnectorManager
Enable AD Integration Key
EnableADIntegration (DWord)
AD Polling Interval
ADPollIntervalMinutes (DWord)
Is an agent using configuration retrieved from AD?
IsSourcedFromAD (DWord)
It is not recommended that these keys be modified without guidance from Microsoft
Creating an LDAP Query Filter
http://msdn2.microsoft.com/en-us/library/ms675768.aspx
Microsoft Webcast: Enable AD Integration
http://www.microsoft.com/winme/0703/28666/Active_Directory_Integration_Edited.asx
AD Integration Deep Dive
http://blogs.msdn.com/steverac/archive/2008/03/20/opsmgr-ad-integrationhow-it-works.aspx
OpsMgr Team Blog: How AD Integration Works
http://blogs.technet.com/momteam/archive/2008/01/02/understandinghow-active-directory-integration-feature-works-in-opsmgr-2007.aspx
Manageability Blog: Enable Untrusted Domain Integration
http://blogs.technet.com/smsandmom/archive/2008/05/21/opsmgr-2007how-to-enable-ad-integration-for-an-untrusted-domain.aspx
To Repair or Not to Repair
http://www.opsmanjam.com/Lists/OpsManJam%20Announcements/DispForm.aspx?ID=12
Advanced AD Integration Whitepaper
http://www.systemcentercentral.com/scugmy
Raymond Chou (MVP)
Raphael Burri (OpsMgr guru-at-large)
Steve Rachui (Microsoft)
Rob Kuehfus (Microsoft)
SCUG Malaysia Blogging Contest
Leading blogger between now and December 31st will receive a copy of Operations Manager Unleashed
Registration and session takeaways at
http://www.systemcentercentral.com/scugmy