Pete Zerger, MVP Consulting Partner AKOS Technology Services Session Code: MGT307.


Active Directory Integration in Large and Complex Environments

Pete Zerger, MVP
Consulting Partner, AKOS Technology Services
Session Code: MGT307

Agenda

Active Directory Integration - What it does and how it works
Configuration steps
Configuring child and untrusted domains
Using LDAP for granular control
Agent deployment and maintenance
Troubleshooting and testing

Takeaways

Updated version of the ‘Definitive Guide to AD Integration’
Sample management packs to correct issues and automate important processes
Chance to win an autographed copy of Operations Manager 2007 Unleashed

What it Does and How it Works

What it Does

Automates the configuration of OpsMgr agents installed on domain member computers

How it Works

Agent configuration is centrally maintained in OpsMgr and published to Active Directory
Agents query AD at startup (and hourly) to learn their configuration

IMPORTANT: Agent deployment and patching must be performed outside of OpsMgr
AD DCs and push-installed agents cannot participate

How it Works (High Level)

1. Publish mgmt group info to AD
2. Configure agent auto-assignment
3. Install Agents
4. Agents query AD for MG info
5. Agent reports to MS

[Diagram label: MOMADAdmin]

Configuration Steps

1. Configure RunAs Security (untrusted domains)
2. Run MOMADAdmin Utility
3. Configure Agent Auto Assignment
4. Deploy Agents

Prerequisites

Domain functional level must be higher than ‘Windows 2000 Mixed’
Global Settings - Enable “Review new manual agent installations”
RunAs user account (in each domain)
Security group (in each domain)
For local and trusted domains:
LDAP access (RMS to each domain)
DNS resolution (RMS to each domain)
Server Grouping / Failover Strategy (using LDAP filters)

Global Security Settings

As in MOM 2005, manually installed agents are rejected by default
Global Security Settings must be set to “Review” or “Auto-approve” manually installed agents

RunAs Security (Child and Untrusted Domains)

Additional Configuration Steps:

1. Define RunAs Account
2. Add Run As Profile*
3. Run MomADAdmin specifying RunAs Account

IMPLEMENTATION TIPS:

RunAs Profiles used for AD integration must be saved in the Default Management Pack.

Must be targeted to the RMS!

Optional for Local & Trusted Domains, but eliminates reconfiguration in the event the RMS role is moved!

1. Configure RunAs Security
Security for Untrusted Domains

demo

MOMADAdmin – What Does it do?

MOMADAdmin performs the following actions:

1. Creates a top level container called OperationsManager in AD
2. Adds the machine account of the RMS to the OpsMgr Admin security group
3. Adds the OpsMgr Admin security group to the container's ACL with WriteChild access

MOMADAdmin – Guidelines for Use

Can be run on any member server
Requires Domain Admin rights
Must be run in each AD domain (targeted for AD Int)
MomADAdmin.exe is found in the \SupportTools folder of the OpsMgr installation media

Usage: MomADAdmin ManagementGroupName MOMAdminSecurityGroup {RootManagementServer | RunAsAccount} Domain

Example: MomADAdmin ContosoMG CONTOSO\OpsMgrAdmins CONTOSO

2. Run MOMADAdmin Utility
Prepare Active Directory and MG for AD Integration

demo

OperationsManager Container

Visible when ‘Advanced Features’ are activated in Active Directory Users and Computers

Must not be modified manually

Can be deleted and then recreated by running MomADAdmin.exe again

Auto Agent Assignment

Must be configured for each MS or GTW to which agents must report
Add one rule per domain if MS or GW reside in a multi-domain forest or multiple forests
In Operations Console, Administration, choose “Configure Active Directory (AD) Integration”
Choose appropriate domain name, DC FQDN or IP address and Run As Profile*

* Use default if configuring local domain and RMS’ account

Configure Agent Auto Assignment

Paste or generate LDAP query
Query results should not overlap
Optionally exclude computers using their FQDN
Configure agent failover

Location, Naming, and Execution

Agent assignment rules are saved to ‘Default Management Pack’
Their names start with ‘AD rule for Domain’
The RMS executes them hourly

Agent Auto Assignment

Configured through the Agent Assignment & Failover Wizard

(&(objectCategory=computer)(distinguishedName=*,OU=AppServers,DC=nwtraders,DC=msft))

Auto Assignment & Agent Failover

[Diagram: Active Directory, OU, AD Security Group]

Avoid overlapping LDAP query results!

LDAP Tips for Granular Control

LDAP can be leveraged in Agent Auto-Assignment in a number of ways:

Computer name
Computer description
Computer account security group membership
Operating system and service pack
Registered Service Principal Names (SPN)
Computer account Organizational Unit (OU)

Never use LDAP queries with overlapping result sets!

LDAP Query Resources

Computer Account Attribute - Description
Description - Computer description (in AD)
distinguishedName - DN: OU location of the computer account. No wildcard matching possible!
DNSHostName - FQDN
Location - Location Field
MemberOf - Groups the computer account is a member of. No wildcard matching possible!
Name - NetBIOS computer name
operatingSystem - e.g. Windows Server 2003
operatingSystemServicePack - e.g. Service Pack 1
operatingSystemVersion - e.g. 5.2 (3790)
primaryGroupID - 515: Computers, 516: Domain Controllers
sAMAccountName - Computer account name ([name]$)

LDAP Query Resources (continued)

LDAP Comparison Operators

Operator - Description
| - OR
& - AND
! - NOT
= - Equals
~= - Approx. equals
<= - Less than or equal
>= - More than or equal

LDAP Escape Sequences

ASCII character - Escape sequence
* - \2a
( - \28
) - \29
\ - \5c
NUL - \00

LDAP Samples

Limit the query to computer accounts: (objectCategory=computer) OR (sAMAccountType=805306369)

Exclude Domain Controllers: (!(primaryGroupID=516))

Exclude OpsMgr Management Servers and Gateways: (!(servicePrincipalName=MSOMHSvc/*))

Direct members of a security group: (memberOf:=CN=Admin,OU=Security,DC=DOM,DC=NT)

LDAP Samples (continued)

Resolves nested security groups (requires at least Windows 2003 SP2): (memberOf:1.2.840.113556.1.4.1941:=CN=Admin,OU=Security,DC=DOM,DC=NT)

Returns odd servers if their NetBIOS names end with a number (e.g. AnySrv101): (|(name=*1)(name=*3)(name=*5)(name=*7)(name=*9))

Combination sample: (&(objectCategory=computer)(!(primaryGroupID=516))(!(servicePrincipalName=MSOMHSvc/*))(|(name=*1)(name=*3)(name=*5)(name=*7)(name=*9)))
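As an added example (not from the deck and not OpsMgr code), the following Python evaluates assignment-rule filters of the forms shown in the samples above against constructed computer account records and reports rule pairs whose result sets overlap, the condition the deck repeatedly warns against. It assumes only the filter subset the samples use (&, |, !, = with * wildcards and the \XX escapes from the escape table), treats the 1.2.840.113556.1.4.1941 matching rule as plain direct membership, and follows the attribute table's note that DN-syntax attributes allow no wildcard matching; the rule names and computer accounts are made up.

```python
import re
from itertools import combinations

DN_SYNTAX = {"distinguishedname", "memberof"}  # AD: no substring match on DN-syntax attributes

def parse(s, i=0):  # recursive-descent parser for the (&..), (|..), (!..) and (attr=value) forms
    assert s[i] == "(", "filter must start with '('"
    op = s[i + 1]
    if op in "&|":                        # filter list: (&(a)(b)...) or (|(a)(b)...)
        kids, i = [], i + 2
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1          # s[i] is the list's closing ')'
    if op == "!":
        node, i = parse(s, i + 2)
        return ("!", node), i + 1
    j = s.index(")", i)                   # an unescaped ')' ends a simple item
    attr, _, val = s[i + 1:j].partition("=")
    return ("=", attr.split(":")[0].lower(), val), j + 1   # drops a :rule: suffix such as memberOf:1.2.840.113556.1.4.1941:

def value_regex(val):  # '*' is a wildcard; \XX hex escapes (\2a \28 \29 \5c \00) stand for literal characters
    unesc = lambda p: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
    return re.compile("^" + ".*".join(re.escape(unesc(p)) for p in val.split("*")) + "$", re.I)

def matches(node, entry):  # evaluate a parsed filter against one account dict (lower-case attribute keys)
    kind = node[0]
    if kind in "&|":
        return (all if kind == "&" else any)(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, val = node
    if attr in DN_SYNTAX and "*" in val:   # the deck's "No wildcard matching possible!"
        return False
    values = entry.get(attr, [])
    return any(value_regex(val).match(str(v)) for v in (values if isinstance(values, list) else [values]))

def assignment_results(rules, computers):  # rule name -> set of computer names its filter selects
    return {n: {c["name"] for c in computers if matches(parse(f)[0], c)} for n, f in rules.items()}
def overlaps(results):  # rule pairs whose result sets intersect: those computers get two candidate parents
    return {(a, b): results[a] & results[b]
            for a, b in combinations(sorted(results), 2) if results[a] & results[b]}

# Constructed sample data: the first two rules follow the deck's combination sample.
BASE = "(objectCategory=computer)(!(primaryGroupID=516))(!(servicePrincipalName=MSOMHSvc/*))"
RULES = {
    "AD rule for Domain CONTOSO MS01": "(&" + BASE + "(|(name=*1)(name=*3)(name=*5)(name=*7)(name=*9)))",
    "AD rule for Domain CONTOSO MS02": "(&" + BASE + "(|(name=*0)(name=*2)(name=*4)(name=*6)(name=*8)))",
    "AD rule for Domain CONTOSO GW01": "(&(objectCategory=computer)(memberOf=CN=AppServers,OU=Security,DC=contoso,DC=com))",
}
def acct(name, gid=515, **extra):  # constructed computer account, not real data
    return {"objectcategory": "computer", "name": name, "primarygroupid": gid, **extra}
COMPUTERS = [acct("APPSRV101", memberof=["CN=AppServers,OU=Security,DC=contoso,DC=com"]),
             acct("APPSRV102"), acct("DC01", gid=516),
             acct("OPSMS01", serviceprincipalname=["MSOMHSvc/OPSMS01.contoso.com"])]
```

Running overlaps(assignment_results(RULES, COMPUTERS)) flags APPSRV101 as selected by both the MS01 and the GW01 rule, while DC01 and OPSMS01 are correctly excluded by the primaryGroupID and SPN clauses.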

LDAP Performance Tips

Consider the following when building LDAP filters to optimize performance:

Always use indexed attributes
Filter unnecessary targets (DCs, MS, GWs)
Target most specific data sets possible
Global catalog located in local site

Testing LDAP Filters
Verifying query results BEFORE you deploy

demo

3. Configure Agent Auto Assignment
Define agent failover and load distribution

demo

Agent Deployment

Agent deployment methods for AD integration can include the following:

Manual installation (from install media)
As part of OS image
Group Policy
Configuration Manager 2007

Hotfixes applicable to the agent must be deployed manually when using any of the above methods!

4. Deploy Agents
Manual deployment for AD Integration

demo

Agent Maintenance

Hotfixes must be deployed manually to manually-installed agents
Multiple fixes can be applied at once
MSI transform packages (.msp files) for the agents can be found on any patched management server:

C:\Program Files\System Center Operations Manager 2007\AgentManagement

At the command prompt run the following command:

msiexec /p [Full Path to Transform 1].msp;[Full Path to Transform 2].msp /qn

Agent Maintenance (continued)

Agents using AD Integration should never be repaired from the Operations console
A repair results in an agent configuration change to “remotely manageable”

To return agent configuration to AD Integration, set the EnableADIntegration registry key to “1”

Sample PowerShell script to perform this in batch at http://OpsManJam.com

Check Your Results - Agent Distribution

Retrieve number of agents reporting to each management server:

$rootMS = "NOCMS01"

# Initialize the OpsMgr provider
add-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client"
set-location "OperationsManagerMonitoring::"

# Set Management Group context to the provided RMS
new-managementGroupConnection -ConnectionString:$rootMS
set-location $rootMS

# Count agents per primary management server
get-agent | Group PrimaryManagementServerName -NoElement | sort Name | select Name, Count

Troubleshooting

Events logged in Operations Manager Event Log (on Agent)

Event 20064 on agent (multiple primary relationships)
Event 20070 on agent (agent not authorized)
Event 21016 on agent (no failover)
Event 21034 on agent (no configured parents)

Troubleshooting (continued)

Beware when using Powershell to configure agent failover instead of AD Integration

Use with caution, especially in distributed environments

Can result in ‘orphaned agents’ pointing to an unreachable Management Server!

Registry Keys

Registry keys related to AD integration are located under:

HKLM\SYSTEM\CCS\Services\HealthService\Parameters\ConnectorManager

Enable AD Integration Key: EnableADIntegration (DWord)
AD Poll Interval: ADPollIntervalMinutes (DWord)
Is an agent using configuration retrieved from AD? IsSourcedFromAD (DWord)

Additional Resources

Creating an LDAP Query Filter: http://msdn2.microsoft.com/en-us/library/ms675768.aspx

Microsoft Webcast: Enable AD Integration: http://www.microsoft.com/winme/0703/28666/Active_Directory_Integration_Edited.asx

AD Integration Deep Dive: http://blogs.msdn.com/steverac/archive/2008/03/20/opsmgr-ad-integration-how-it-works.aspx

OpsMgr Team Blog: How AD Integration Works: http://blogs.technet.com/momteam/archive/2008/01/02/understanding-how-active-directory-integration-feature-works-in-opsmgr-2007.aspx

Manageability Blog: Enable Untrusted Domain Integration: http://blogs.technet.com/smsandmom/archive/2008/05/21/opsmgr-2007-how-to-enable-ad-integration-for-an-untrusted-domain.aspx

To Repair or Not to Repair: http://www.opsmanjam.com/Lists/OpsManJam%20Announcements/DispForm.aspx?ID=12

Advanced AD Integration Whitepaper: http://systemcenterforum.org/wp-content/uploads/ADIntegration_final.pdf

Special Thanks

Thanks to the following for their input

Raphael Burri
Steve Rachui (Microsoft)
Rob Kuehfus (Microsoft)

question & answer

Resources

www.microsoft.com/teched - Sessions On-Demand & Community
http://microsoft.com/technet - Resources for IT Professionals
http://microsoft.com/msdn - Resources for Developers
www.microsoft.com/learning - Microsoft Certification & Training Resources

Management Track Resources

Key Microsoft Sites

System Center on Microsoft.com: http://www.microsoft.com/systemcenter
System Center on TechNet: http://technet.microsoft.com/systemcenter/
Virtualization on Microsoft.com: http://www.microsoft.com/virtualization

Community Resources

System Center Team Blog: http://blogs.technet.com/systemcenter
System Center Central: http://www.systemcentercentral.com
System Center Community: http://www.myITforum.com
System Center on TechNet Edge: http://edge.technet.com/systemcenter
System Center on Twitter: http://twitter.com/system_center
Virtualization Feed: http://www.virtualizationfeed.com
System Center Influencers Program: Content, connections, and resources for influencers in the System Center Community. For information, contact [email protected]

Complete an evaluation on CommNet and enter to win!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.