Discovery-Based Deployment

Discovery-based agent deployment is where you use the Install/Uninstall Agents wizard from the MOM 2005 Administrator console to search for, and install agents on, computers on your network. The Management Server will perform a computer discovery based upon the criteria you specify in the wizard and will always install the agents (or uninstall them) regardless of the setting on the Automatic Management tab of the Management Server properties.

When the Management Server periodically discovers new computers using Full Discovery it will either install agents or put the computers in the Pending Action folder, depending upon the setting on the Automatic Management tab of the Management Server properties. For more information about this setting and agent deployment in general, see the MOM 2005 Deployment Guide.

Account Used for Deployment

If you are using discovery-based agent deployment, you can either provide credentials for an account, or you can use the Management Server's Action Account. The account you use must be a local administrator on all of the computers you are deploying agents to. The credential information used to install agents is encrypted before being communicated and discarded after use.

Deployment Requirements

The Management Server uses the Server Message Block (SMB) port (TCP/UDP 445) and the RPC port (TCP 135) to deliver the files needed for agent installation on remote computers and for updating agent settings after installation. If these ports are disabled on the Management Server, disabled on any of the target computers, or the target computer and Management Server are separated by a firewall, you cannot use discovery-based deployment to install agents. You must either enable these ports or install those agents manually. Manual installation does not require these ports.

Disabling the File and Printer Sharing for Microsoft Networks and the Client for Microsoft Networks services disables the SMB ports.

Important

To push-install agents to Windows XP SP2 computers with the Windows Firewall enabled, you must create an exception for the MsMgmtAuxillary.exe program. For more information about how to do this, see the Microsoft Support article 885726. Push-installing agents across other firewalls is not supported.
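A preflight check for the port requirement above, added here as an example and not part of the MOM 2005 documentation: it probes TCP 445 (SMB) and TCP 135 (RPC) on each candidate target and reports which computers can take a push install and which will need a firewall exception or a manual install. It tests TCP reachability only (UDP 445 is not probed), and the list of target hosts is supplied on the command line.

```python
import socket
import sys
from typing import Callable, Dict, Iterable, List

# Ports the Management Server must reach on each target for discovery-based
# (push) deployment, as listed in the Deployment Requirements section.
REQUIRED_TCP_PORTS = {"SMB": 445, "RPC": 135}


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered by a firewall, unresolved name or timed out.
        return False


def classify_targets(
    hosts: Iterable[str],
    probe: Callable[[str, int], bool] = tcp_port_open,
) -> Dict[str, Dict[str, object]]:
    """Map each host to the deployment method it can use.

    'push'   : every required port answered, discovery-based deployment works.
    'manual' : at least one required port is blocked; the agent must be
               installed by hand or the port opened (e.g. a firewall exception).
    `probe` is injectable so the decision logic can be tested offline.
    """
    results: Dict[str, Dict[str, object]] = {}
    for host in hosts:
        blocked: List[str] = [
            f"{name}/{port}"
            for name, port in REQUIRED_TCP_PORTS.items()
            if not probe(host, port)
        ]
        results[host] = {
            "method": "push" if not blocked else "manual",
            "blocked": blocked,
        }
    return results


if __name__ == "__main__":
    for host, info in classify_targets(sys.argv[1:]).items():
        detail = "" if not info["blocked"] else f" (blocked: {', '.join(info['blocked'])})"
        print(f"{host}: {info['method']}{detail}")
```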

Deployment Limitations

MOM 2005 agents cannot be automatically installed or updated and must be manually installed or updated under the following circumstances:

  • The agent and Management Server are separated by a firewall and required ports cannot be opened.

  • The target computer is in an IPSec-enabled domain and the Management Server is in a non-IPSec-enabled domain (see "Deploying Agents Across IPSec Boundaries").

  • The agent is running MOM 2000 RTM (the agent must be either manually removed and a MOM 2005 agent installed, or the agent must be upgraded to a MOM 2000 SP1 agent before upgrading to a MOM 2005 agent).

  • The agent cannot be installed on a computer running Windows NT 4.0.

  • The agent cannot be installed on a Microsoft Cluster Services virtual server. You can install an agent on a physical node.

For more information about these limitations, see the MOM 2005 Supported Configurations Guide.

Deploying Agents Across IPSec Boundaries

You cannot use discovery-based (push) deployment, or monitor agents, if the Management Server is in a non-IPSec-enabled domain and the target computer is in an IPSec-enabled domain.

To push-install and monitor agents from a Management Server in an IPSec-enabled domain to a computer in a non-IPSec-enabled domain, you must configure the IPSec-enabled Management Server as a Boundary Server. A boundary server is an IPSec-enabled computer that permits non-IPSec traffic to pass through it between IPSec-enabled and non-IPSec-enabled domains.

To allow non-IPSec clients to communicate as well, assign the Server policy instead of the Secure Server policy. The Server policy always requests security but permits unsecured communication with clients, falling back to clear text if the client does not reply to the IKE negotiation request. If the client does reply at any point, a negotiation is in progress and must complete successfully. If the negotiation fails, communication is blocked for one minute, after which another negotiation is attempted.

Unassign the Secure Server or Server and Client policies to return your computers to their previous states. For more information about IPSec and this configuration, see the Windows 2000 or Windows Server 2003 documentation.

Security While Deploying Agents

The files and other data used to deploy agents are not secured by MOM by default. The deployment process uses the SMB ports, the RPC port (TCP 135), and the DCOM port range. You can use either SMB packet signing or IPSec to secure agent deployment. For more information, see the "Using SMB Packet Signing" or "IP Security (IPSec)" sections in this guide.