Use Active Directory to Assign Computers

Applies To: Operations Manager 2007 R2, Operations Manager 2007 SP1

You can use Active Directory Domain Services to assign agent-managed computers to management groups. To assign computers to management groups by using Active Directory Domain Services, the following requirements must be met:

  • The functional level of Active Directory Domain Services domains must be Windows 2000 native, Windows Server 2003, or Windows Server 2008.

  • Agent-managed computers and the root management server must be in the same domain or in two-way trusted domains.

Note

Regardless of whether Active Directory Domain Services is used to assign computers to a management group, agent-managed computers and their root management server and secondary management server must be in the same domain or in two-way trusted domains, or a gateway server must be used. For more information about gateway servers, see the Operations Manager 2007 Security Guide (https://go.microsoft.com/fwlink/?LinkId=64017).

Configuring agents to get their management group information from Active Directory Domain Services is also helpful if your organization uses images to deploy computers. For example, add the Operations Manager 2007 agent to the Microsoft SQL Server image and configure the agent to get its management group information from Active Directory. When you initialize a new server running SQL Server from an image, the server is automatically configured to be managed by the appropriate Microsoft System Center Operations Manager 2007 management group and to download the applicable management packs.

Assigning computers to Operations Manager 2007 management groups by using Active Directory Domain Services consists of the following phases:

  1. A domain administrator uses MOMADAdmin.exe to create an Active Directory Domain Services container for an Operations Manager 2007 management group in the domains of the computers it will manage. The Active Directory Domain Services security group that is specified when you are running MOMADAdmin.exe is granted read and delete child permissions to the container. By creating a container this way, Operations Manager administrators are given the necessary permission to add management servers to the container and assign computers to them, without needing to be domain administrators.

  2. An Operations Manager administrator assigns computers to a primary management server (which can be the root management server or any other management server or gateway server) and to the secondary management servers that the agents fail over to. For more information, see How to Use Active Directory to Assign Computers to Operations Manager 2007 Management Servers in the next section.

  3. The Operations Manager 2007 agent is deployed to the computers that you want by using MOMAgent.msi, and it is configured to get its management group information from Active Directory. For details, see Use the Command Line to Deploy Agents.

    Note

    Active Directory Integration is disabled for agents that were installed from the Operations console. By default, Active Directory Integration is enabled for agents installed manually by using MOMAgent.msi. To disable Active Directory Integration for manual installations, use the command-line parameter USE_SETTINGS_FROM_AD=0 as it is explained in Use the Command Line to Deploy Agents.

How to Use Active Directory to Assign Computers to Operations Manager 2007 Management Servers

The Operations Manager 2007 Agent Assignment and Failover Wizard creates an agent assignment rule that uses Active Directory Domain Services to assign computers to a management group and assign the computers' primary management server and secondary management servers. Use the following procedures to start and use the wizard.

Note

The Agent Assignment and Failover Wizard does not deploy the agent. You must deploy the agent to the computers by using MOMAgent.msi.

Changing the agent assignment rule can result in computers no longer being assigned to, and therefore monitored by, the management group. The state of these computers will change to critical, because the computers no longer send heartbeats to the management group. These computers can be deleted from the management group and, if the computer is not assigned to other management groups, the Operations Manager 2007 agent can be uninstalled.

To start the Operations Manager 2007 Agent Assignment and Failover Wizard

  1. Log on to the Operations console with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 management group.

  2. Click the Administration button.

  3. In the Administration pane, expand Administration, expand Device Management, and then click Management Servers.

  4. In the Management Servers pane, right-click the management server or gateway server that is to be the primary management server for the computers returned by the rules that you create in the following procedure, and then click Properties.

  5. In the Management Server Properties dialog box, click the Agent Management tab, and then click Add to start the Agent Assignment and Failover Wizard.

To use the Operations Manager 2007 Agent Assignment and Failover Wizard to assign computers to a management group

  1. In the Agent Assignment and Failover Wizard, on the Introduction page, click Next.

    Note

    The Introduction page does not appear if the wizard has been run and Do not show this page again was selected.

  2. On the Domain page, do the following:

    Note

    To assign computers from multiple domains to a management group, run the Agent Assignment and Failover Wizard for each domain.

    • Select the domain of the computers from the Domain name drop-down list. The management server must be able to resolve the domain name.

    Important

    The management server and the computers that you want to manage must be in two-way trusted domains.

    • Set Select Run As Profile to the Run As profile associated with the Run As account that was provided when MOMADAdmin.exe was run for the domain. The default account that is used to perform agent assignment is the computer account for the root management server, also referred to as the Active Directory Based Agent Assignment Account. If this was not the account that was used to run MOMADAdmin.exe, select Use a different account to perform agent assignment in the specified domain, and then select or create the account from the Select Run As Profile drop-down list.

      Note

      For more information about Run As Profiles and Run As Accounts, see the Operations Manager 2007 Security Guide.

  3. On the Inclusion Criteria page, either type the LDAP query for assigning computers to this management server in the text box and then click Next, or click Configure. If you click Configure, do the following:

    1. In the Find Computers dialog box, type the criteria that you want to use for assigning computers to this management server.

    2. Click OK, and then click Next.

    Note

    The following LDAP query returns computers whose name starts with MsgOps: (&(sAMAccountType=805306369)(objectCategory=computer)(cn=MsgOps*)). The sAMAccountType=805306369 clause (0x30000001, SAM_MACHINE_ACCOUNT) and the objectCategory=computer clause restrict the result to computer accounts; a query that consists of only (objectCategory=computer) assigns every computer in the domain to this management server, so check the number of objects a query returns before you create the rule. For more information about LDAP queries, see Creating a Query Filter available in the Microsoft Developer Network Library (https://go.microsoft.com/fwlink/?LinkId=73366).

  4. On the Exclusion Rule page, type the fully qualified domain name (FQDN) of computers that you explicitly want to prevent from being managed by this management server, and then click Next.

    Important

    You must separate the computer FQDNs that you type with a semicolon, colon, or a new line (CTRL+ENTER).

  5. On the Agent Failover page, either select Automatically manage failover and click Create or select Manually configure failover. If you select Manually configure failover, do the following:

    1. Clear the check boxes of the management servers to which you do not want the agents to fail over.

    2. Click Create.

      Note

      With the Manually configure failover option, you must run the wizard again if you subsequently add a management server to the management group and want the agents to fail over to the new management server.

  6. In the Management Server Properties dialog box, click OK.

    Note

    It can take up to one hour for the agent assignment setting to propagate in Active Directory Domain Services.
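Steps 3 and 4 of the wizard combine an LDAP inclusion filter with a list of excluded FQDNs. The following Python script is an added example, not Operations Manager code and not something the wizard runs: it evaluates such a rule offline against a constructed set of directory objects (the computer names, FQDNs and the decoy user account are made up), using a small parser for the filter syntax shown in the note above. It illustrates that the exclusion list only prunes computers the inclusion filter already matched, and that dropping the sAMAccountType and objectCategory clauses lets the cn=MsgOps* pattern match objects that are not computers. The parser handles only the &, |, !, equality, presence and substring forms and does no RFC 4515 escape processing, which is enough for the queries on this page.

```python
"""Offline evaluation of an Agent Assignment rule: an LDAP inclusion filter
plus an FQDN exclusion list, run against a constructed set of directory objects.
Added example; it is not Operations Manager code and talks to no directory."""
import re

# sAMAccountType of a computer (machine trust) account: 0x30000001.
SAM_MACHINE_ACCOUNT = 805306369
SAM_NORMAL_USER_ACCOUNT = 805306368  # 0x30000000, used for the decoy user below

# Constructed sample directory. Real AD stores objectCategory as a schema DN
# (CN=Computer,CN=Schema,...) and lets a filter match the short name through the
# objectCategory matching rule; the short form is stored here for brevity.
SAMPLE_DIRECTORY = [
    {"cn": "MsgOps01", "dNSHostName": "msgops01.corp.example",
     "objectCategory": "computer", "sAMAccountType": SAM_MACHINE_ACCOUNT},
    {"cn": "MsgOps02", "dNSHostName": "msgops02.corp.example",
     "objectCategory": "computer", "sAMAccountType": SAM_MACHINE_ACCOUNT},
    {"cn": "MsgOpsLab", "dNSHostName": "msgopslab.corp.example",
     "objectCategory": "computer", "sAMAccountType": SAM_MACHINE_ACCOUNT},
    {"cn": "FILE01", "dNSHostName": "file01.corp.example",
     "objectCategory": "computer", "sAMAccountType": SAM_MACHINE_ACCOUNT},
    # A user account whose name happens to start with MsgOps; no dNSHostName.
    {"cn": "MsgOpsSvc", "objectCategory": "person",
     "sAMAccountType": SAM_NORMAL_USER_ACCOUNT},
]


def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...), (attr=value),
    (attr=*) and substring patterns such as (cn=MsgOps*). Escaped characters
    and a ')' inside a value are not supported."""
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if i >= len(text):
            raise ValueError("unterminated filter")
        op = text[i]
        if op in "&|":
            children, i = [], i + 1
            while i < len(text) and text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if not children:
                raise ValueError("empty %s at offset %d" % (op, i))
            node = (op, children)
        elif op == "!":
            child, i = parse(i + 1)
            node = ("!", child)
        else:
            eq = text.index("=", i)          # raises ValueError if malformed
            close = text.index(")", eq)
            node = ("=", text[i:eq], text[eq + 1:close])
            i = close
        if i >= len(text) or text[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return node, i + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def get_attr(obj, name):
    """Attribute names are case-insensitive in LDAP; look them up that way."""
    for key, value in obj.items():
        if key.lower() == name.lower():
            return str(value)
    return None


def matches(node, obj):
    """Evaluate a parsed filter against one object (dict of attributes)."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, obj) for child in node[1])
    if kind == "|":
        return any(matches(child, obj) for child in node[1])
    if kind == "!":
        return not matches(node[1], obj)
    _, attr, pattern = node
    value = get_attr(obj, attr)
    if value is None:
        return False                     # an absent attribute never satisfies an assertion
    if pattern == "*":
        return True                      # presence filter
    if "*" in pattern:                   # substring filter: anchor the pieces around '*'
        regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        return re.match(regex, value, re.IGNORECASE) is not None
    return value.lower() == pattern.lower()   # caseIgnore equality


def parse_exclusions(text):
    """The Exclusion Rule page accepts FQDNs separated by ';', ':' or a new line."""
    return {n.strip().lower() for n in re.split(r"[;:\r\n]+", text) if n.strip()}


def evaluate_rule(directory, ldap_filter, exclusions=""):
    """Return (assigned, excluded): FQDNs the rule assigns, and matched FQDNs
    that the exclusion list removed again. Objects without dNSHostName fall
    back to cn so that non-computer matches remain visible in the output."""
    tree = parse_filter(ldap_filter)
    skip = parse_exclusions(exclusions)
    assigned, excluded = [], []
    for obj in directory:
        if not matches(tree, obj):
            continue
        fqdn = (get_attr(obj, "dNSHostName") or get_attr(obj, "cn")).lower()
        (excluded if fqdn in skip else assigned).append(fqdn)
    return assigned, excluded


if __name__ == "__main__":
    page_filter = "(&(sAMAccountType=805306369)(objectCategory=computer)(cn=MsgOps*))"
    print(evaluate_rule(SAMPLE_DIRECTORY, page_filter))
    print(evaluate_rule(SAMPLE_DIRECTORY, page_filter, "msgopslab.corp.example;FILE01.corp.example"))
    print(evaluate_rule(SAMPLE_DIRECTORY, "(objectCategory=computer)"))  # every computer
    print(evaluate_rule(SAMPLE_DIRECTORY, "(cn=MsgOps*)"))               # also the user
```

Note that FILE01 appears in neither list of the second call: the exclusion list cannot remove a computer the inclusion filter never selected, so it is not a way to "pin" a computer to another management server. Run the page's filter, then the two shortened ones, and compare the output before committing a rule to the wizard.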