Active Directory Integration in Large and Complex Environments

Presentation Transcript


Active Directory Integration in Large and Complex Environments

Pete Zerger, MVP

Consulting Partner

AKOS Technology Services

Session Code: MGT307


Agenda

  • Active Directory Integration - What it does and how it works

  • Configuration steps

  • Configuring child and untrusted domains

  • Using LDAP for granular control

  • Agent deployment and maintenance

  • Troubleshooting and testing


Takeaways

  • Updated version of the ‘Definitive Guide to AD Integration’

  • Sample management packs to correct issues and automate important processes

  • Chance to win an autographed copy of, Operations Manager 2007 Unleashed


What it Does and How it Works

What it Does

  • Automates the configuration of OpsMgr agents installed on domain member computers

How it Works

  • Agent configuration is centrally maintained in OpsMgr and published to Active Directory

  • Agents query AD at startup (and hourly) to learn their configuration

IMPORTANT:

  • Agent deployment and patching must be performed outside of OpsMgr

  • AD DCs and push-installed agents cannot participate


How it Works (High Level)

1. Publish management group info to AD (MOMADAdmin)

2. Configure agent auto-assignment

3. Install agents

4. Agents query AD for management group info

5. Agent reports to its management server


Configuration Steps

  • Configure RunAs Security (untrusted domains)

  • Run MOMADAdmin Utility

  • Configure Agent Auto Assignment

  • Deploy Agents


Prerequisites

  • Domain functional level must be higher than ‘Windows 2000 Mixed’

  • Global Settings - Enable “Review new manual agent installations”

  • RunAs user account (in each domain)

  • Security group (in each domain) for local and trusted domains

  • LDAP access (RMS to each domain)

  • DNS resolution (RMS to each domain)

  • Server Grouping / Failover Strategy (using LDAP filters)


Global Security Settings

  • As in MOM 2005, manually installed agents are rejected by default

  • Global Security Settings must be set to “Review” or “Auto-approve” manually installed agents


RunAs Security (Child and Untrusted Domains)

Additional Configuration Steps:

  • Define RunAs Account

  • Add Run As Profile*

  • Run MomADAdmin specifying RunAs Account

IMPLEMENTATION TIPS:

RunAs Profiles used for AD integration must be saved in the Default Management Pack.

The Run As Account in the profile must be targeted to the RMS!

Optional for local and trusted domains, but it eliminates reconfiguration in the event the RMS role is moved!


Demo 1: Configure RunAs Security (security for untrusted domains)


Configuration Steps

  • Configure RunAs Security (untrusted domains)

  • Run MOMADAdmin Utility

  • Configure Agent Auto Assignment

  • Deploy Agents


MOMADAdmin – What Does it Do?

MOMADAdmin performs the following actions:

  • Creates a top-level container called OperationsManager in AD

  • Adds the machine account of the RMS (or the RunAs account given on the command line) to the OpsMgr Admin security group

  • Adds the OpsMgr Admin security group to the container's ACL with WriteChild access


MOMADAdmin – Guidelines for Use

  • Can be run on any member server

  • Requires Domain Admin rights

  • Must be run in each AD domain (targeted for AD Int)

  • MomADAdmin.exe is found in the \SupportTools folder of the OpsMgr installation media

    Usage:

    MomADAdmin ManagementGroupName MOMAdminSecurityGroup {RootManagementServer | RunAsAccount} Domain

    Example (local domain, using the RMS computer account; OMRMS01 is a placeholder for your RMS name):

    MomADAdmin ContosoMG CONTOSO\OpsMgrAdmins CONTOSO\OMRMS01$ CONTOSO


Demo 2: Run MOMADAdmin Utility (prepare Active Directory and the management group for AD Integration)


OperationsManager Container

  • Visible when ‘Advanced Features’ are activated in Active Directory Users and Computers

  • Must not be modified manually

  • Can be deleted and then recreated by running MomADAdmin.exe again


Configuration Steps

  • Configure RunAs Security (untrusted domains)

  • Run MOMADAdmin Utility

  • Configure Auto Agent Assignment

  • Deploy agents


Auto Agent Assignment

  • Must be configured for each MS or GW to which agents must report

  • Add one rule per domain if MS or GW reside in a multi-domain forest or multiple forests

  • In the Operations Console, under Administration, choose “Configure Active Directory (AD) Integration”

  • Choose the appropriate domain name, DC FQDN or IP address and Run As Profile*

* Use the default if configuring the local domain with the RMS' own account


Configure Agent Auto Assignment

  • Paste or generate the LDAP query

  • Query results should not overlap

  • Optionally exclude computers using their FQDN

  • Configure agent failover

Location, Naming, and Execution

  • Agent assignment rules are saved to the ‘Default Management Pack’

  • Their names start with ‘AD rule for Domain’

  • The RMS executes them hourly


Agent Auto Assignment

Configured through the Agent Assignment & Failover Wizard; the sample rule below targets the computers in one OU:

(&(objectCategory=computer)(distinguishedName=*,OU=AppServers,DC=nwtraders,DC=msft))

Caveat: Active Directory does not support substring (wildcard) matching on DN-syntax attributes such as distinguishedName, so confirm that a filter of this shape actually returns results against your domain controllers before relying on it; a security group populated with the OU's computer accounts is the dependable alternative.


Auto Assignment & Agent Failover

Avoid overlapping LDAP query results!

[Diagram: two assignment scopes, one defined by an Active Directory OU and one by an AD security group]


LDAP Tips for Granular Control

LDAP can be leveraged in Agent Auto-Assignment in a number of ways:

  • Computer name

  • Computer description

  • Computer account security group membership

  • Operating system and service pack

  • Registered Service Principal Names (SPN)

  • Computer account Organizational Unit (OU)

Never use LDAP queries with overlapping result sets!


LDAP Query Resources

LDAP escape sequences (RFC 4515; required when these characters appear in a value such as a computer name or DN):

  • *  →  \2a

  • (  →  \28

  • )  →  \29

  • \  →  \5c

  • NUL  →  \00

LDAP comparison operators:

  • =  equality (with * for substring matches)

  • ~=  approximately equal

  • >=  and  <=  greater / less than or equal

  • :1.2.840.113556.1.4.803:=  bitwise AND (e.g. on userAccountControl)

  • :1.2.840.113556.1.4.804:=  bitwise OR

  • :1.2.840.113556.1.4.1941:=  in chain (transitive group membership)

  • &  |  !  logical AND, OR, NOT wrapping the expressions above


LDAP Samples

Limit the query to computer accounts (either form works; both attributes are indexed)

(objectCategory=computer)

(sAMAccountType=805306369)

Exclude domain controllers (516 is the Domain Controllers group; read-only DCs on Windows Server 2008 and later have primaryGroupID 521, so exclude that too if you have RODCs)

(!(primaryGroupID=516))

Exclude OpsMgr management servers and gateways (they register the MSOMHSvc SPN)

(!(servicePrincipalName=MSOMHSvc/*))

Direct members of a security group

(memberOf=CN=Admin,OU=Security,DC=DOM,DC=NT)


LDAP Samples (continued)

Resolves nested security groups (requires at least Windows 2003 SP2)

(memberOf:1.2.840.113556.1.4.1941:=CN=Admin,OU=Security,DC=DOM,DC=NT)

Returns computers whose NetBIOS names end in an odd digit (e.g. AnySrv101), a simple way to split agents between two management servers; a leading wildcard cannot use the attribute index, so always combine it with indexed terms as in the next sample

(|(name=*1)(name=*3)(name=*5)(name=*7)(name=*9))

Combination sample

(&(objectCategory=computer)(!(primaryGroupID=516))(!(servicePrincipalName=MSOMHSvc/*))(|(name=*1)(name=*3)(name=*5)(name=*7)(name=*9)))
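To check the samples above before they go into a rule (the "Testing LDAP Filters" demo has no transcript), here is an added PowerShell example that is not part of the presentation: it runs each candidate filter with System.DirectoryServices against the current domain, flags domain controllers, management servers and gateways that slipped through, and reports computers matched by more than one rule. The rule names, management server names and group DN in $filters are placeholders.

```powershell
# Added example, not from the presentation. Run on a domain member as a user
# with read access to AD. $filters holds candidate auto-assignment rules,
# one per management server; names and DNs are placeholders.
$filters = @{
    'AD rule for OMMS01' = '(&(objectCategory=computer)(!(primaryGroupID=516))(!(servicePrincipalName=MSOMHSvc/*))(|(name=*1)(name=*3)(name=*5)(name=*7)(name=*9)))'
    'AD rule for OMMS02' = '(&(objectCategory=computer)(!(primaryGroupID=516))(!(servicePrincipalName=MSOMHSvc/*))(|(name=*0)(name=*2)(name=*4)(name=*6)(name=*8)))'
    'AD rule for OMGW01' = '(&(objectCategory=computer)(memberOf:1.2.840.113556.1.4.1941:=CN=DMZ Servers,OU=Security,DC=DOM,DC=NT))'
}

# Search base: the current domain's naming context (e.g. DC=DOM,DC=NT).
$domainRoot = ([ADSI]'LDAP://RootDSE').defaultNamingContext

function Get-FilterMatches {
    # One object per computer matched by $Filter, with the attributes the
    # exclusion checks need. Paged, so results are not capped at 1000.
    param([string]$Filter, [string]$Root)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher ([ADSI]"LDAP://$Root")
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('name', 'primaryGroupID', 'servicePrincipalName'))
    foreach ($r in $searcher.FindAll()) {
        $spns = @($r.Properties['serviceprincipalname'])
        [pscustomobject]@{
            Name           = [string]$r.Properties['name'][0]
            PrimaryGroupID = [int]$r.Properties['primarygroupid'][0]
            IsOpsMgrServer = [bool]($spns | Where-Object { $_ -like 'MSOMHSvc/*' })
        }
    }
}

$ruleHits = @{}
foreach ($rule in $filters.Keys) {
    $hits = @(Get-FilterMatches -Filter $filters[$rule] -Root $domainRoot)
    $ruleHits[$rule] = $hits
    '{0,-22} {1,5} computers' -f $rule, $hits.Count
    # Targets an assignment rule must never pick up: DCs (516 writable,
    # 521 read-only) and management servers / gateways (MSOMHSvc SPN).
    foreach ($h in $hits) {
        if (516, 521 -contains $h.PrimaryGroupID) { Write-Warning "$rule matches domain controller $($h.Name)" }
        if ($h.IsOpsMgrServer)                    { Write-Warning "$rule matches management server/gateway $($h.Name)" }
    }
}

# A computer matched by two rules ends up with two primary management
# servers and logs event 20064; find those pairs before deploying.
$rules = @($ruleHits.Keys)
for ($i = 0; $i -lt $rules.Count; $i++) {
    for ($j = $i + 1; $j -lt $rules.Count; $j++) {
        $namesB  = @($ruleHits[$rules[$j]] | ForEach-Object { $_.Name })
        $overlap = @($ruleHits[$rules[$i]] | Where-Object { $namesB -contains $_.Name } | ForEach-Object { $_.Name })
        if ($overlap.Count -gt 0) {
            Write-Warning ("Overlap between '{0}' and '{1}': {2}" -f $rules[$i], $rules[$j], ($overlap -join ', '))
        }
    }
}
```

Run it with the same DC you will name in the rule if you want counts that match what the RMS will see; the filters are sent as-is, so anything the script warns about is exactly what the hourly assignment rule would also do.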


LDAP Performance Tips

Consider the following when building LDAP filters to optimize performance:

  • Always use indexed attributes (and avoid leading wildcards, which cannot use the index)

  • Filter out unnecessary targets (DCs, MS, GWs)

  • Target the most specific data sets possible

  • Use a global catalog / DC located in the local site as the DC named in the rule


Demo: Testing LDAP Filters (verifying query results BEFORE you deploy)


Demo 3: Configure Agent Auto Assignment (define agent failover and load distribution)


Agent Deployment

Agent deployment methods for AD integration can include the following:

  • Manual installation (from install media)

  • As part of OS image

  • Group Policy

  • Configuration Manager 2007

    Hotfixes applicable to the agent must be deployed manually when using any of the above methods!


Configuration Steps

  • Configure RunAs Security (untrusted domains)

  • Run MOMADAdmin Utility

  • Configure Auto Agent Assignment

  • Deploy Agents



Demo 4: Deploy Agents (manual deployment for AD Integration)


Agent Maintenance

  • Hotfixes must be deployed manually to manually-installed agents

  • Multiple fixes can be applied at once

  • MSI patch packages (.msp files; these are patches, not transforms) for the agents can be found on any patched management server, under

    C:\Program Files\System Center Operations Manager 2007\AgentManagement

  • At a command prompt run the following command (several patches separated by semicolons):

    msiexec /p "[Full Path to Patch 1].msp;[Full Path to Patch 2].msp" /qn
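The install and patch steps from the deployment and maintenance slides, as an added PowerShell wrapper that is not part of the presentation: it installs the agent unattended with the MOMAgent.msi command-line properties that tell it to read its settings from AD (USE_SETTINGS_FROM_AD, USE_MANUALLY_SPECIFIED_SETTINGS and ACTIONS_USE_COMPUTER_ACCOUNT are the documented OpsMgr 2007 properties), then applies every .msp found in a share in one msiexec call and checks the result. The share paths, log directory and server name are placeholders.

```powershell
# Added example, not from the presentation. Unattended agent install for AD
# Integration followed by hotfix application. Paths are placeholders: copy
# MOMAgent.msi and the .msp files from a patched management server's
# ...\AgentManagement\AMD64 (or x86) folder to the share first.
param(
    [string]$AgentMsi = '\\OMMS01\AgentShare\AMD64\MOMAgent.msi',
    [string]$PatchDir = '\\OMMS01\AgentShare\AMD64',
    [string]$LogDir   = "$env:SystemRoot\Temp"
)

function Invoke-Msiexec {
    # Runs msiexec synchronously with a verbose log and maps the exit codes
    # that are not failures; anything else is thrown so a GPO/ConfigMgr
    # wrapper sees a non-zero result.
    param([string[]]$Arguments, [string]$LogFile)
    $msiArgs = $Arguments + @('/qn', '/norestart', '/l*v', "`"$LogFile`"")
    $p = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru
    switch ($p.ExitCode) {
        0       { return 'OK' }
        3010    { return 'OK, reboot required' }
        1638    { return 'Skipped, same or newer version already installed' }
        default { throw "msiexec exit code $($p.ExitCode); see $LogFile" }
    }
}

# 1. Install the agent only if HealthService is not already present.
if (-not (Get-Service -Name HealthService -ErrorAction SilentlyContinue)) {
    # USE_SETTINGS_FROM_AD=1 makes the agent read its management group and
    # server list from the OperationsManager container at startup instead of
    # taking MANAGEMENT_GROUP / MANAGEMENT_SERVER_DNS on the command line.
    $result = Invoke-Msiexec -LogFile "$LogDir\MOMAgent-install.log" -Arguments @(
        '/i', "`"$AgentMsi`"",
        'USE_SETTINGS_FROM_AD=1',
        'USE_MANUALLY_SPECIFIED_SETTINGS=0',
        'ACTIONS_USE_COMPUTER_ACCOUNT=1'
    )
    "Agent install: $result"
}

# 2. Apply every hotfix in the share in one call (';'-separated .msp list),
#    in name order so cumulative fixes go on in sequence.
$patches = @(Get-ChildItem -Path $PatchDir -Filter '*.msp' | Sort-Object Name)
if ($patches.Count -gt 0) {
    $list   = ($patches | ForEach-Object { $_.FullName }) -join ';'
    $result = Invoke-Msiexec -LogFile "$LogDir\MOMAgent-patch.log" -Arguments @('/p', "`"$list`"")
    "Agent patch ($($patches.Count) file(s)): $result"
}

# 3. Confirm the agent is set to take its configuration from AD.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager'
$ad  = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EnableADIntegration
"EnableADIntegration = $ad"
```

Because the agent is installed with the computer account as the action account and no management server on the command line, the same script works unchanged in every domain that has been prepared with MOMADAdmin; only the share paths differ.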


Agent Maintenance (continued)

  • Agents using AD Integration should never be repaired from the Operations console

  • A repair changes the agent configuration to “remotely manageable” (AD Integration is switched off)

  • To return the agent configuration to AD Integration, set the EnableADIntegration registry value to 1

  • A sample PowerShell script to perform this in batch is at http://OpsManJam.com


Check Your Results - Agent Distribution

Retrieve the number of agents reporting to each management server (run in the OpsMgr Command Shell, or in PowerShell with the OpsMgr snap-in):

$rootMS = "NOCMS01"

# Initialize the OpsMgr provider
Add-PSSnapin "Microsoft.EnterpriseManagement.OperationsManager.Client"
Set-Location "OperationsManagerMonitoring::"

# Set the management group context to the provided RMS
New-ManagementGroupConnection -ConnectionString:$rootMS
Set-Location $rootMS

Get-Agent | Group-Object PrimaryManagementServerName -NoElement | Sort-Object Name | Select-Object Name, Count


Troubleshooting

Events logged in Operations Manager Event Log (on Agent)

  • Event 20064 on agent (multiple primary relationships)

  • Event 20070 on agent (agent not authorized)

  • Event 21016 on agent (no failover)

  • Event 21034 on agent (no configured parents)


Troubleshooting (continued)

Beware when using PowerShell to configure agent failover instead of AD Integration

Use with caution, especially in distributed environments

Can result in ‘orphaned agents’ pointing to an unreachable Management Server!


Registry Keys

Registry values related to AD integration, all under:

HKLM\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager

  • EnableADIntegration (DWORD) – enables AD Integration on the agent (1 = enabled)

  • ADPollIntervalMinutes (DWORD) – how often the agent polls AD for its configuration

  • IsSourcedFromAD (DWORD) – whether the agent's current configuration was retrieved from AD
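The registry values above, the agent-side events from the Troubleshooting slide and the "set EnableADIntegration back to 1" step from Agent Maintenance, combined into one added PowerShell audit script that is not part of the presentation and is not the OpsManJam.com script: it reads the three values and the last day of those events from each agent over PowerShell remoting, reports the state, and with -Fix re-enables AD Integration and restarts HealthService on agents that were repaired from the console. The computer names are a constructed list; the one-day event window and the HealthService restart are this script's choices.

```powershell
# Added example, not from the presentation or OpsManJam.com. Audits the AD
# Integration state of agents over PowerShell remoting and, with -Fix, sets
# EnableADIntegration back to 1 on agents that were "repaired" from the
# console. $Computers is a constructed list; WinRM must be enabled on them.
param(
    [string[]]$Computers = @('APP01', 'APP02'),
    [switch]$Fix
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager'

# Agent-side events from the Troubleshooting slide and what each points to.
$EventMeaning = @{
    20064 = 'multiple primary relationships (overlapping assignment rules)'
    20070 = 'agent not authorized (check Pending Management and the manual-install Global Setting)'
    21016 = 'no failover (no failover management server reachable)'
    21034 = 'no configured parents (agent found nothing for itself in the OperationsManager container)'
}

$remote = {
    param($KeyPath, $EventIds, $Fix)
    $k = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $events = @(Get-WinEvent -FilterHashtable @{
                    LogName = 'Operations Manager'; Id = $EventIds; StartTime = (Get-Date).AddDays(-1)
                } -ErrorAction SilentlyContinue)
    $reEnabled = $false
    if ($Fix -and $k.EnableADIntegration -ne 1) {
        # The value the slide tells you to set; the service has to restart
        # before the agent re-reads its configuration from AD.
        Set-ItemProperty -Path $KeyPath -Name EnableADIntegration -Value 1 -Type DWord
        Restart-Service -Name HealthService
        $reEnabled = $true
    }
    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        EnableADIntegration   = $k.EnableADIntegration
        ADPollIntervalMinutes = $k.ADPollIntervalMinutes
        IsSourcedFromAD       = $k.IsSourcedFromAD
        RecentEventIds        = @($events | Select-Object -ExpandProperty Id -Unique)
        ReEnabled             = $reEnabled
    }
}

$report = Invoke-Command -ComputerName $Computers -ScriptBlock $remote `
                         -ArgumentList $KeyPath, @($EventMeaning.Keys), [bool]$Fix

foreach ($r in $report) {
    $state = if ($r.EnableADIntegration -eq 1 -and $r.IsSourcedFromAD -eq 1) { 'AD-sourced' }
             elseif ($r.EnableADIntegration -eq 1) { 'enabled, configuration not yet retrieved from AD' }
             else { 'manual / remotely manageable (AD Integration off)' }
    $note  = if ($r.ReEnabled) { ' (re-enabled, HealthService restarted)' } else { '' }
    '{0}: {1}; poll interval {2} min{3}' -f $r.Computer, $state, $r.ADPollIntervalMinutes, $note
    foreach ($id in $r.RecentEventIds) {
        '    event {0}: {1}' -f $id, $EventMeaning[[int]$id]
    }
}
```

Run it without -Fix first: an agent that shows "enabled, configuration not yet retrieved" together with event 21034 usually means the assignment rule for its domain does not match it, which is a rule problem to solve with the LDAP checks earlier, not a registry problem.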


Additional Resources

Creating an LDAP Query Filter

http://msdn2.microsoft.com/en-us/library/ms675768.aspx

Microsoft Webcast: Enable AD Integration

http://www.microsoft.com/winme/0703/28666/Active_Directory_Integration_Edited.asx

AD Integration Deep Dive

http://blogs.msdn.com/steverac/archive/2008/03/20/opsmgr-ad-integration-how-it-works.aspx

OpsMgr Team Blog: How AD Integration Works

http://blogs.technet.com/momteam/archive/2008/01/02/understanding-how-active-directory-integration-feature-works-in-opsmgr-2007.aspx


Additional Resources (continued)

Manageability Blog: Enable Untrusted Domain Integration

http://blogs.technet.com/smsandmom/archive/2008/05/21/opsmgr-2007-how-to-enable-ad-integration-for-an-untrusted-domain.aspx

To Repair or Not to Repair

http://www.opsmanjam.com/Lists/OpsManJam%20Announcements/DispForm.aspx?ID=12

Advanced AD Integration Whitepaper

http://systemcenterforum.org/wp-content/uploads/ADIntegration_final.pdf


Special Thanks

Thanks to the following for their input

Raphael Burri

Steve Rachui (Microsoft)

Rob Kuehfus (Microsoft)


Question & Answer


Resources

  • www.microsoft.com/teched
    Sessions On-Demand & Community

  • www.microsoft.com/learning
    Microsoft Certification & Training Resources

  • http://microsoft.com/technet
    Resources for IT Professionals

  • http://microsoft.com/msdn
    Resources for Developers


Management Track Resources

  • Key Microsoft Sites

    • System Center on Microsoft.com: http://www.microsoft.com/systemcenter

    • System Center on TechNet: http://technet.microsoft.com/systemcenter/

    • Virtualization on Microsoft.com: http://www.microsoft.com/virtualization

  • Community Resources

    • System Center Team Blog: http://blogs.technet.com/systemcenter

    • System Center Central: http://www.systemcentercentral.com

    • System Center Community: http://www.myITforum.com

    • System Center on TechNet Edge: http://edge.technet.com/systemcenter

    • System Center on Twitter: http://twitter.com/system_center

    • Virtualization Feed: http://www.virtualizationfeed.com

    • System Center Influencers Program: Content, connections, and resources for influencers in the System Center Community. For information, contact [email protected]


Complete an evaluation on CommNet and enter to win!


© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

