Active Directory Integration in Large and Complex Environments
Transcript of Active Directory Integration in Large and Complex Environments
Page 1
Active Directory Integration in Large and Complex Environments with System Center Operations Manager 2007
Pete Zerger, MVP
System Center Central
http://www.systemcentercentral.com
SCSS2009
Page 2
TAKEAWAYS
- Updated version of the ‘Definitive Guide to AD Integration in OpsMgr 2007’
- 2 Sample MPs to correct issues and automate important processes
- Chance to win a copy of Operations Manager 2007 Unleashed
Page 3
AGENDA
- Active Directory Integration - What it does & how it works
- Configuration Steps
- Configuring Child and Untrusted Domains
- Using LDAP for Granular Control
- Agent Deployment & Maintenance
- Troubleshooting and Testing
Page 4
WHAT IT DOES AND HOW IT WORKS
What it does
- Automates the configuration of OpsMgr agents installed on domain member computers
How it works
- Agent configuration is centrally maintained in OpsMgr and published to Active Directory (by the RMS)
- Agents query AD at startup (and hourly)
IMPORTANT: Agent deployment and patching must be performed outside of OpsMgr. AD DCs and push-installed agents cannot participate.
Page 5
HOW IT WORKS (HIGH LEVEL)
1. Publish mgmt group info to AD
2. Configure agent auto-assignment
3. Install Agents
4. Agents query AD for MG info
5. Agent reports to MS
Diagram components: MOMADAdmin, Active Directory, Mgmt Group, OpsMan Console
Page 6
CONFIGURATION STEPS
1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Agent Auto Assignment
4. Deploy Agents
Page 7
PREREQUISITES
- Domain functional level must be higher than ‘Windows 2000 Mixed’
- Global Settings - Enable “Review new manual agent installations”
- User Account (in each domain)
- Security Group (in each domain)
- LDAP access (RMS to each domain)
- DNS resolution (RMS to each domain)
- Agent Grouping / Failover Strategy
Page 8
RUNAS SECURITY (CHILD AND UNTRUSTED DOMAINS)
Additional Configuration Steps:
- Define RunAs Account and RunAs Profile
- Run MomADAdmin
IMPLEMENTATION TIPS:
- RunAs Profiles used for AD integration must be saved in the Default Management Pack.
- Must be targeted to the RMS!
- Optional for Local & Trusted Domains, but eliminates reconfiguration in the event the RMS role is moved!
Page 9
DEMO
1. Configure RunAs Security: Security for Untrusted Domains
Page 10
CONFIGURATION STEPS
1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Agent Auto Assignment
4. Deploy Agents
Page 11
MOMADADMIN – WHAT DOES IT DO?
When you run the MOMADAdmin tool, it performs the following actions:
1. Creates a top level container in AD called OperationsManager
2. Adds the machine account of the RMS to the OpsMgr Admin security group.
3. Adds the OpsMgr Admin security group to the container's ACL with WriteChild access
Page 12
MOMADADMIN – GUIDELINES FOR USE
- Can be run on any member server
- Requires Domain Admin rights
- Must be run in each AD domain (targeted for the AD Integration feature)
- MomADAdmin.exe is found in the \SupportTools folder of the OpsMgr installation media
Usage: MomADAdmin ManagementGroupName MOMAdminSecurityGroup {RootManagementServer | RunAsAccount} Domain
Example: MomADAdmin ContosoMG CONTOSO\OpsMgrAdmins CONTOSO
Page 13
DEMO
2. Run MOMADAdmin Utility: Prepare Active Directory and MG for AD Integration
Page 14
OPERATIONSMANAGER CONTAINER
- Visible when ‘Advanced Features’ are activated in Active Directory Users and Computers
- Must not be modified manually
- Can be deleted and then recreated by running MomADAdmin.exe again
Page 15
CONFIGURATION STEPS
1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Auto Agent Assignment
4. Deploy Agents
Page 16
AUTO AGENT ASSIGNMENT
- Must be configured for each MS or GTW to which agents must report
- Add one rule per domain (if multiple domains/forests)
- In Operations Console, Administration, choose “Configure Active Directory (AD) Integration”
- Choose the appropriate Domain name, Domain Controller FQDN or IP address, and Run As Profile*
* Use default if configuring local domain
Page 17
CONFIGURE AGENT AUTO ASSIGNMENT
- Paste or generate LDAP query. Query results should not overlap
- Optionally exclude computers using their FQDN
- Configure agent failover
Location, Naming and Execution
- Agent assignment rules are saved to ‘Default Management Pack’
- Rule names start with ‘AD rule for Domain:’
- RMS runs rules hourly
Page 18
AGENT AUTO ASSIGNMENT
Configured through the Agent Assignment & Failover Wizard
Example LDAP query:
(&(objectCategory=computer)(distinguishedName=*,OU=AppServers,DC=nwtraders,DC=msft))
Page 19
AUTO ASSIGNMENT & AGENT FAILOVER
Diagram components: Active Directory, OU, AD Security Group
Avoid overlapping LDAP query results!
Page 20
LDAP TIPS FOR GRANULAR CONTROL
LDAP can be leveraged in Agent Auto-Assignment in a number of ways:
- Computer name
- Computer description
- Computer account security group membership
- Operating system and service pack
- Registered Service Principal Names (SPN)
- Computer account Organizational Unit (OU)
Never use LDAP queries with overlapping result sets!
Page 21
LDAP QUERY RESOURCES (CONT)
LDAP Comparison Operators
  Operator   Description
  |          OR
  &          AND
  !          NOT
  =          Equals
  ~=         Approx. equals
  <=         Less than or equal
  >=         More than or equal
LDAP Escape Sequences
  ASCII character   Escape sequence
  *                 \2a
  (                 \28
  )                 \29
  \                 \5c
  NUL               \00
Page 22
LDAP SAMPLES
Limit the query to computer accounts:
(objectCategory=computer) or (sAMAccountType=805306369)
Exclude Domain Controllers:
(!(primaryGroupID=516))
Exclude OpsMgr Management Servers and Gateways:
(!(servicePrincipalName=MSOMHSvc/*))
Direct members of a security group:
(memberOf=CN=Admin,OU=Security,DC=DOM,DC=NT)
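The sample filters above, the escape table on the previous slide and the deck's repeated warning against overlapping result sets (an agent matched by two rules ends up with multiple primary relationships, the condition behind event 20064 in the troubleshooting section) can all be checked offline before a rule is saved to the Default Management Pack. The following Python script is an added example and is not code from this deck or from the OpsMgr product: it parses RFC 4515 filters, evaluates them against a small constructed set of computer objects, escapes literals with the same sequences the slide lists, and reports every pair of assignment rules whose results overlap. The computer objects, rule names, `_computer` helper and `APPSERVERS_OU` constant are constructed for the example; objectCategory is shortened to its class name and extensible-match (`:=`) filters are rejected.

```python
import re

# RFC 4515 escape sequences: the same table the deck shows.
_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}
_ITEM = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(~=|>=|<=|=)(.*)$")

def escape_filter_value(value):
    """Escape a literal before embedding it in a filter, so outside text cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def _unescape(value):                     # reverse RFC 4515 escaping: \2a -> '*', \28 -> '(' ...
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _key(v):                              # integers compare numerically, other text case-insensitively
    return (0, int(v)) if v.lstrip("-").isdigit() else (1, v.lower())

def parse_filter(text):
    """Parse an RFC 4515 filter into ('&', [...]), ('|', [...]), ('!', node) and ('item', attr, op, value)
    nodes with attr lower-cased. Extensible match (attr:rule:=value) is not supported and raises ValueError."""
    def close(i):                         # consume the ')' that ends a group
        if i >= len(text) or text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return i + 1
    def parse(i):
        if i + 1 >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i, op = i + 1, text[i + 1]
        if op in "&|":
            children, i = [], i + 1
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                children.append(node)
            return (op, children), close(i)
        if op == "!":
            node, i = parse(i + 1)
            return ("!", node), close(i)
        end = text.find(")", i)           # a literal ')' inside a value must be escaped as \29
        m = _ITEM.match(text[i:end]) if end >= 0 else None
        if not m:
            raise ValueError(f"malformed item at offset {i}")
        return ("item", m.group(1).lower(), m.group(2), m.group(3)), end + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node

def _match_item(entry, attr, op, raw):
    values = entry.get(attr, [])          # every attribute is a list of strings, as LDAP returns them
    if op == "=" and raw == "*":          # presence filter, e.g. (servicePrincipalName=*)
        return bool(values)
    if op == "=":                         # an unescaped '*' is a wildcard; AD string matching is case-insensitive
        pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
        return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)
    target = _key(_unescape(raw))
    if op == "~=":                        # approximate match, modelled as case-insensitive equality
        return any(_key(v) == target for v in values)
    return any(_key(v) >= target if op == ">=" else _key(v) <= target for v in values)

def matches(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    return _match_item(entry, *node[1:])

def search(filter_text, entries):
    """Sorted cn of every entry the filter selects (entry attribute names are lower-case)."""
    node = parse_filter(filter_text)
    return sorted(e["cn"][0] for e in entries if matches(node, e))

def overlapping_rules(rules, entries):
    """Pairs of rules ({name: filter}) that select a common computer, with the shared names."""
    hits = {name: set(search(f, entries)) for name, f in rules.items()}
    return [(a, b, sorted(hits[a] & hits[b]))
            for i, a in enumerate(hits) for b in list(hits)[i + 1:] if hits[a] & hits[b]]

# Constructed sample computer objects (not real hosts): attribute names lower-cased, all values
# as lists, objectCategory shortened to its class name.
def _computer(cn, ou, pgid, os_name, spns, groups=()):
    return {"cn": [cn], "distinguishedname": [f"CN={cn},OU={ou},DC=nwtraders,DC=msft"],
            "objectcategory": ["computer"], "samaccounttype": ["805306369"], "primarygroupid": [pgid],
            "operatingsystem": [os_name], "serviceprincipalname": spns, "memberof": list(groups)}
COMPUTERS = [
    _computer("APP01", "AppServers", "515", "Windows Server 2008", ["HOST/APP01"], ["CN=Admin,OU=Security,DC=DOM,DC=NT"]),
    _computer("WEB01", "WebServers", "515", "Windows Server 2003", ["HOST/WEB01"]),
    _computer("DC01", "Domain Controllers", "516", "Windows Server 2008", ["HOST/DC01"]),
    _computer("MS01", "Monitoring", "515", "Windows Server 2008", ["MSOMHSvc/MS01", "HOST/MS01"]),
]
# Two auto-assignment rules (names constructed). The MS02 rule gathers "everything that is not a
# DC or a management server", which also swallows APP01, so the two rules overlap.
APPSERVERS_OU = "*,OU=AppServers,DC=nwtraders,DC=msft"
RULES = {
    "AD rule for Domain: nwtraders (MS01)": f"(&(objectCategory=computer)(distinguishedName={APPSERVERS_OU}))",
    "AD rule for Domain: nwtraders (MS02)":
        "(&(objectCategory=computer)(!(primaryGroupID=516))(!(servicePrincipalName=MSOMHSvc/*)))",
}
RULES_FIXED = {**RULES, "AD rule for Domain: nwtraders (MS02)":   # carve out the OU the MS01 rule owns
              RULES["AD rule for Domain: nwtraders (MS02)"][:-1] + f"(!(distinguishedName={APPSERVERS_OU})))"}
```

Calling `overlapping_rules(RULES, COMPUTERS)` returns one tuple naming both rules and `['APP01']`, the computer that would receive two primary management servers; `overlapping_rules(RULES_FIXED, COMPUTERS)` returns an empty list once the MS02 rule excludes the OU that the MS01 rule owns. `escape_filter_value` matters whenever a filter is assembled from text that did not come from an administrator, such as a computer description: `(cn=APP*)` selects APP01, while `(cn=` + `escape_filter_value("APP*")` + `)` selects only a computer literally named `APP*`, so the wildcard cannot widen the rule. The evaluator approximates AD matching (it does not model which attributes the schema allows substring or extensible matching on), so the final filter still needs to be verified against a real domain controller, as the deck's testing demo does.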
Page 23
LDAP PERFORMANCE TIPS
Performance considerations when building LDAP filters:
- Always use indexed attributes
- Filter unnecessary targets (DCs, MS, GWs)
- Target the most specific data sets possible
- Use a Global Catalog located in the local site
Page 24
DEMO
Testing LDAP Filters: Verifying query results BEFORE you deploy
Page 25
CONFIGURATION STEPS
1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Auto Agent Assignment
4. Deploy Agents
Page 26
DEMO
3. Configure Agent Auto Assignment: Define agent failover and load distribution
Page 27
AGENT DEPLOYMENT
Agent deployment methods for AD integration can include:
- Manual installation (from install media)
- As part of OS image
- Group Policy
- Configuration Manager 2007
Hotfixes applicable to the agent must be deployed manually when using any of the above methods!
Page 28
CONFIGURATION STEPS
1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Auto Agent Assignment
4. Deploy Agents
Page 29
DEMO
4. Deploy Agents: Manual deployment for AD Integration
Page 30
AGENT MAINTENANCE
- Hotfixes must be deployed manually to manually installed agents
- Multiple fixes can be applied at once
- MSI transform packages (.msp files) for the agents can be found on any patched management server or gateway in the following directory:
Syntax (example):
msiexec /p [c:\hotfixes\fix1.msp];[c:\hotfixes\fix2.msp] /qn
Page 31
AGENT MAINTENANCE (CONT)
- Agents using AD Integration should never be repaired from the Operations console
- Results in agent configuration change to “remotely manageable”
To return agent configuration to AD Integration:
- Set EnableADIntegration registry key to “1”
- Sample PowerShell script to perform this in batch at http://OpsManJam.com
Page 32
CHECK YOUR RESULTS: AGENT DISTRIBUTION
Retrieve the number of agents reporting to each management server (to verify distribution of agent load):

```powershell
# Root management server to connect to
$rootMS = "NOCMS01"
# Initialize the OpsMgr Provider
add-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client";
set-location "OperationsManagerMonitoring::";
# Set Management Group context to the provided RMS
new-managementGroupConnection -ConnectionString:$rootMS;
set-location $rootMS;
# Count agents per primary management server
get-agent | Group PrimaryManagementServerName -Noelement | sort Name | select Name, Count
```
Page 33
TROUBLESHOOTING
Events logged in the Operations Manager Event Log (on the Agent):
- Event 20064 on agent (multiple primary relationships)
- Event 20070 on agent (agent not authorized)
- Event 21016 on agent (no failover)
- Event 21034 on agent (no configured parents)
Page 34
TROUBLESHOOTING (CONT)
- Beware when using PowerShell to configure agent failover instead of AD Integration.
- Use with caution, especially in distributed environments
- Can result in ‘orphaned agents’ due to an unreachable MS!
Page 35
REGISTRY KEYS
Registry keys related to AD integration, under HKLM\SYSTEM\CCS\Services\HealthService\Parameters\ConnectorManager:
- Enable AD Integration Key: EnableADIntegration (DWord)
- AD Polling Interval: ADPollIntervalMinutes (DWord)
- Is an agent using configuration retrieved from AD?: IsSourcedFromAD (DWord)
It is not recommended these keys be modified without guidance from Microsoft
Page 36
ADDITIONAL RESOURCES
- Creating an LDAP Query Filter: http://msdn2.microsoft.com/en-us/library/ms675768.aspx
- Microsoft Webcast: Enable AD Integration: http://www.microsoft.com/winme/0703/28666/Active_Directory_Integration_Edited.asx
- AD Integration Deep Dive: http://blogs.msdn.com/steverac/archive/2008/03/20/opsmgr-ad-integration-how-it-works.aspx
- OpsMgr Team Blog: How AD Integration Works: http://blogs.technet.com/momteam/archive/2008/01/02/understanding-how-active-directory-integration-feature-works-in-opsmgr-2007.aspx
Page 37
ADDITIONAL RESOURCES (CONT)
- Manageability Blog: Enable Untrusted Domain Integration: http://blogs.technet.com/smsandmom/archive/2008/05/21/opsmgr-2007-how-to-enable-ad-integration-for-an-untrusted-domain.aspx
- To Repair or Not to Repair: http://www.opsmanjam.com/Lists/OpsManJam%20Announcements/DispForm.aspx?ID=12
- Advanced AD Integration Whitepaper: http://www.systemcentercentral.com/scugmy
Page 38
SPECIAL THANKS
- Raymond Chou (MVP)
- Raphael Burri (OpsMgr guru-at-large)
- Steve Rachui (Microsoft)
- Rob Kuehfus (Microsoft)
Page 39
ANNOUNCEMENTS
SCUG Malaysia Blogging Contest: the leading blogger between now and December 31st will receive a copy of Operations Manager Unleashed
Registration and session takeaways at http://www.systemcentercentral.com/scugmy
Page 40
QUESTIONS