8/4/2019 SCOM - Understanding How Active Directory Integration Feature Works in OpsMgr 2007
Understanding how Active Directory integration feature works in OpsMgr 2007
DeploymentMan
2 Jan 2008 2:26 PM
Happy New Year!!! One of my colleagues shared with me some detailed information on how Active Directory (AD) integration works (in particular how the service connection points (SCPs) are created), and I thought it would make a good blog post for this week. For those of you who have never heard about AD integration in OpsMgr, it is the ability of an OpsMgr agent to query Active Directory and learn which management server it needs to report to. AD integration is useful to customers with larger deployments of over a thousand agents and helps reduce manageability costs. By using AD integration you can specify both the primary and the secondary management server for agents, something that cannot be done with push agent installation, where users can only specify the primary management server.
The MOMADAdmin.exe command line tool does the following:

1. Creates a top-level OperationsManager container in AD under the root of the specified domain. Under that container, it creates a management group container whose name consists of the management group name and the suffix Root.

2. Adds the machine account of the root management server to the MOM Admin security group.

3. Adds the MOM Admin security group to the container's ACL with WriteChild access (only with rights to create security groups and SCP objects, but not other objects such as user accounts). This allows members of the MOM Administrator role and the root management server to manage the objects within the container. Only Domain Administrators have the right to remove or change the OperationsManager and management group containers.

Note: The MOM Admin security group is the sole member of the MOM Administrator role. The MOM AD-based agent assignment feature requires it to be a domain global group or a universal group. It can be modified in the MOM Console -> Administration space -> User Role node: right-click the MOM Administrator role and select Properties.

4. Creates two default SCPs and one security group within the container. One SCP is HealthServiceSCP, which represents the management group; the other is SDKServiceSCP, which represents the root management server. The security group is ACLd to the HealthServiceSCP with Read permission; its membership controls which computers can read (and hence discover) a particular management group, represented by the HealthServiceSCP. The root management server and MOM Admins are given full rights over these objects.

Note: An SCP (service connection point) is an AD object for publishing information that client applications can use to bind to a service. The MOM AD-based agent assignment feature uses an SCP to represent a MOM server and to hold the connection info for that server. MOM agents can automatically discover MOM servers by querying for SCPs.

Note: If the root management server or the MOM Admin security group is changed, the domain administrator will have to either 1) modify the container ACL, HealthServiceSCP and SDKServiceSCP manually to reflect the change, or 2) delete the container and re-run MOMADAdmin.exe with updated parameters.

After MOMADAdmin.exe has been run successfully by the Domain Administrator, a MOM Administrator can use the MOM Console to specify the set of agents he/she wants to assign to a particular management server, in the form of an LDAP query (the query should return a list of computer accounts).
The LDAP query and the other assignment settings are captured as configuration in a MOM rule. When the rule runs for the first time, it creates an SCP (if one does not already exist) in AD for the management server and domain specified in its configuration. The SCP name is the management server NetBIOS name with the suffix _SCP. The rule also creates two security groups named after the management server NetBIOS name, the first with the suffix _PrimarySG and the second with the suffix _SecondarySG.

The first security group is ACLd to the management server SCP with Read and Read Permissions rights. This SG contains the machine accounts of agents that report to the management server as their primary server. It is also added as a member of the HealthServiceSCP's security group. The second security group is ACLd to the management server SCP with Read right only. This security group contains the machine accounts of agents that would fail over to the management server (hence secondary) in the event that the primary server is not responsive.

The rule runs every hour to update the members of the security groups (ACLd to the management server SCP) with the results of the specified LDAP query (the machine accounts of agents that the administrator intends to assign to the server).

When an agent starts up (and periodically thereafter) it checks AD for connection info using its machine account: it looks in each management group container to find the management server (represented by the SCP) that it should connect to. It will only see SCPs where its machine account is a member of the associated security group.

Satya Vel