Active Directory Integration in Large and Complex Environments - PowerPoint PPT Presentation

Slide1 l.jpg
1 / 47

  • Uploaded on
  • Presentation posted in: General

Active Directory Integration in Large and Complex Environments. Pete Zerger, MVP Consulting Partner AKOS Technology Services Session Code: MGT307. Agenda. Active Directory Integration - What it does and how it works Configuration steps Configuring child and untrusted domains

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

Active Directory Integration in Large and Complex Environments

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Active directory integration in large and complex environments l.jpg

Active Directory Integration in Large and Complex Environments

Pete Zerger, MVP

Consulting Partner

AKOS Technology Services

Session Code: MGT307

Agenda l.jpg


  • Active Directory Integration - What it does and how it works

  • Configuration steps

  • Configuring child and untrusted domains

  • Using LDAP for granular control

  • Agent deployment and maintenance

  • Troubleshooting and testing

Takeaways l.jpg


  • Updated version of the ‘Definitive Guide to AD Integration’

  • Sample management packs to correct issues and automate important processes

  • Chance to win an autographed copy of, Operations Manager 2007 Unleashed

What it does and how it works l.jpg

What it Does and How it Works

What it Does

  • Automates the configuration of OpsMgr agents installed on domain member computers

    How it works

  • Agent configuration is centrally maintained in OpsMgr and published to Active Directory

  • Agents query AD at startup (and hourly) to learn their configuration


    Agent deployment and patching must be performed outside of OpsMgr

    AD DCs and push-installed agents cannot participate

How it works high level l.jpg

How it Works (High Level)

1. Publish mgmt group info to AD

2. Configure agent auto-assignment


3. Install Agents

4. Agents query AD for MG info

5. Agent reports to MS

Configuration steps l.jpg

Configuration Steps

  • Configure RunAs Security (untrusted domains)

  • Run MOMADAdmin Utility

  • Configure Agent Auto Assignment

  • Deploy Agents

Prerequisites l.jpg


  • Domain functional level must be higher than ‘Windows 2000 Mixed’

  • Global Settings - Enable “Review new manual agent installations”

  • RunAs user account (in each domain)

  • Security group (in each domain)For local and trusted

  • LDAP access (RMS to each domain)

  • DNS resolution (RMS to each domain)

  • Server Grouping / Failover Strategy (using LDAP filters)

Global security settings l.jpg

Global Security Settings

  • As in MOM 2005, manually installed agents are rejected by default

  • Global Security Settings must be set to “Review” or “Auto-approve” manually installed agents

R unas security child and untrusted domains l.jpg

RunAs Security (Child and Untrusted Domains)

Additional Configuration Steps:

  • Define RunAs Account

  • Add Run As Profile*

  • Run MomADAdmin specifying RunAs Account


RunAs Profiles used for AD integration, which must be saved in the Default Management Pack.

Must be targeted to the RMS!

Optional for Local & Trusted Domains, but eliminates reconfiguration in event RMS is role moved!

1 configure runas security l.jpg


1. Configure RunAs Security

Security for Untrusted Domains

Configuration steps12 l.jpg

Configuration Steps

  • Configure RunAs Security (untrusted domains)

  • Run MOMADAdmin Utility

  • Configure Agent Auto Assignment

  • Deploy Agents

Momadadmin what does it do l.jpg

MOMADAdmin– What Does it do?

MOMADAdmin performs the following actions:

  • Creates a top level container called OperationsManagerin AD

  • Adds the machine account of the RMS to the OpsMgr Admin security group

  • Adds the OpsMgr Admin security group to the container's ACL with WriteChild access

Momadadmin guidelines for use l.jpg

MOMADAdmin – Guidelines for Use

  • Can be run on any member server

  • Requires Domain Admin rights

  • Must be run in each AD domain (targeted for AD Int)

  • MomADAdmin.exe is found in the \SupportTools folder of the OpsMgr installation media


    MomADAdmin ManagementGroupName MOMAdminSecurityGroup {RootManagementServer | RunAsAccount} Domain


    MomADAdmin ContosoMG CONTOSO\OpsMgrAdmins CONTOSO

2 run momadadmin utility l.jpg


2. Run MOMADAdmin Utility

Prepare active directory and MG for AD Integration

Operationsmanager container l.jpg

OperationsManager Container

OperationsManager Container

  • Visible when ‘Advanced Features’ are activated in Active Directory Users and Computers

  • Must not be modified manually

  • Can be deleted and then recreated by running MomADAdmin.exe again

Configuration steps17 l.jpg

Configuration Steps

  • Configure RunAs Security (untrusted domains)

  • Run MOMADAdmin Utility

  • Configure Auto Agent Assignment

  • Deploy agents

Auto agent assignment l.jpg

Auto Agent Assignment

  • Must be configured for each MS or GTW to which agents must report

  • Add one rule per domain if MS or GW reside in a multi-domain forest or multiple forests

  • In Operations Console, Administration, choose “Configure Active Directory (AD) Integration”

  • Choose appropriate domain name, DC FQDN or IP address and Run As Profile*

* Use default if configuring local domain and RMS’ account

Configure agent auto assignment l.jpg

Configure Agent Auto Assignment

  • Paste or generate LDAP query

  • Query Results should not overlap

  • Optionally exclude computers using their FQDN

  • Configure agent failover

    Location, Naming, and Execution

    Agent assignment rules are saved to ‘Default Management Pack’

    Their names start with ‘AD rule for Domain’

    The RMS executes them hourly

Agent auto assignment l.jpg

Agent Auto Assignment

Configured through the Agent Assignment & Failover Wizard


Auto assignment agent failover l.jpg

Auto Assignment & Agent Failover

Avoid overlapping LDAP query results!

Active Directory OU

AD Security Group

Ldap tips for granular control l.jpg

LDAP Tips for Granular Control

LDAP can be leveraged in Agent Auto-Assignment in a number of ways:

  • Computer name

  • Computer description

  • Computer account security group membership

  • Operation system and service pack

  • Registered Service Principal Names (SPN)

  • Computer account Organizational Unit (OU)

Never use LDAP queries with overlapping result sets!

Ldap query resources l.jpg

LDAP Query Resources

Ldap query resources continued l.jpg

LDAP Query Resources (continued)

LDAP Escape Sequences

LDAP Comparison Operators

Ldap samples l.jpg

LDAP Samples

Limit the query to computer accounts

(objectCategory=computer) OR (sAMAccountType=805306369)

Exclude Domain Controllers


Excludes OpsMgr Management Servers and Gateways


Direct members of a security group


Ldap samples continued l.jpg

LDAP Samples (continued)

Resolves nested security groups (requires at least Windows 2003 SP2)


Returns odd servers if their NetBIOS names end with a number (e.g. AnySrv101)


Combination sample


Ldap performance tips l.jpg

LDAP Performance Tips

Consider the following when building LDAP filters to optimize performance:

  • Always use indexed attributes

  • Filter unnecessary targets (DCs, MS, GWs)

  • Target most specific data sets possible

  • Global catalog located in local site

Testing ldap filters l.jpg


Testing LDAP Filters

Verifying query results BEFORE you deploy

3 configure agent auto assignment l.jpg


3. Configure Agent Auto Assignment

Define agent failover and load distribution

Agent deployment l.jpg

Agent Deployment

Agents deployment methods for AD integration can include the following:

  • Manual installation (from install media)

  • As part of OS image

  • Group Policy

  • Configuration Manager 2007

    Hotfixes applicable to agent must be deployed manually when using any of the above methods!

Configuration steps31 l.jpg

Configuration Steps

  • Configure RunAs Security (untrusted domains)

  • Run MOMADAdmin Utility

  • Configure Auto Agent Assignment

  • Deploy Agents

Configuration steps32 l.jpg

Configuration Steps

  • Configure RunAs Security (untrusted domains)

  • Run MOMADAdmin Utility

  • Configure Auto Agent Assignment

  • Deploy Agents

4 deploy agents l.jpg


4. Deploy Agents

Manual deployment for AD Integration

Agent maintenance l.jpg

Agent Maintenance

  • Hotfixes must be deployed manually to manually- installed agents

  • Multiple fixes can be applied at once

  • MSI transform packages (.msp files) for the agents can be found on any patched management server

  • C:\Program Files\System Center Operations Manager 2007\AgentManagement

  • At the command prompt run the following command

  • msiexec /p [Full Path to Transform 1].msp;[Full Path to Transform 2].msp /qn

Agent maintenance continued l.jpg

Agent Maintenance (continued)

  • Agents using AD Integration should never be repaired from the Operations console

  • Results in agent configuration change to “remotely manageable”

  • To return agent configuration to AD Integration

  • Set EnableADIntegration registry key to “1”

  • Sample Powershell script to perform in batch at

Check your results agent distribution l.jpg

Check Your Results - Agent Distribution

Retrieve number of agents reporting to each management server:

$rootMS = "NOCMS01" 

#Initialize the OpsMgr Provideradd-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client"; set-location "OperationsManagerMonitoring::";

#set Management Group context to the provided RMSnew-managementGroupConnection -ConnectionString:$rootMS; set-location $rootMS;

get-agent | Group PrimaryManagementServerName -Noelement | sort Name | select Name, Count

Troubleshooting l.jpg


Events logged in Operations Manager Event Log (on Agent)

  • Event 20064 on agent (multiple primary relationships)

  • Event 20070 on agent (agent not authorized)

  • Event 21016 on agent (no failover)

  • Event 21034 on agent (no configured parents)

Troubleshooting continued l.jpg

Troubleshooting (continued)

Beware when using Powershell to configure agent failover instead of AD Integration

Use with caution, especially in distributed environments

Can result in ‘orphaned agents’ pointing to an unreachable Management Server!

Registry keys l.jpg

Registry Keys

Registry keys related to AD integration


Enable AD Integration Key

EnableADIntegration (DWord)

AD Poll Interval

ADPollIntervalMinutes (DWord)

Is an agent using configuration retrieved from AD?

IsSourcedFromAD (DWord)

Additional resources l.jpg

Creating an LDAP Query Filter

Microsoft Webcast: Enable AD Integration

AD Integration Deep Dive

OpsMgr Team Blog: How AD Integration Works

Additional Resources

Additional resources41 l.jpg

OpsMgr Team Blog: How AD Integration Works

Manageability Blog: Enable Untrusted Domain Integration

To Repair or Not to Repair

Advanced AD Integration Whitepaper

Additional Resources

Special thanks l.jpg

Thanks to the following for their input

Raphael Burri

Steve Rachui (Microsoft)

Rob Kuehfus (Microsoft)

Special Thanks

Slide43 l.jpg

question & answer

Resources l.jpg



    Sessions On-Demand & Community


  • Microsoft Certification & Training Resources


    • Resources for IT Professionals


    Resources for Developers

Microsoft Certification and Training Resources

Management track resources l.jpg

Management Track Resources

  • Key Microsoft Sites

    • System Center on

    • System Center on TechNet:

    • Virtualization on

  • Community Resources

    • System Center Team Blog:

    • System Center Central:

    • System Center Community:

    • System Center on TechNet Edge:

    • System Center on Twitter:

    • Virtualization Feed:

    • System Center Influencers Program: Content, connections, and resources for influencers in the System Center Community. For information, contact

Slide46 l.jpg

Complete an evaluation on CommNet and enter to win!

Slide47 l.jpg

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

  • Login