Using Active Directory Domain Services to Assign Computers to Operations Manager Management Groups
Updated: May 13, 2016
Applies To: System Center 2012 R2 Operations Manager, System Center 2012 - Operations Manager, System Center 2012 SP1 - Operations Manager
System Center 2012 – Operations Manager allows you to take advantage of your investment in Active Directory Domain Services (AD DS) by enabling you to use it to assign agent-managed computers to management groups. This feature is commonly used in conjunction with the agent deployed as part of a server deployment build process. When the computer comes online for the first time, the Operations Manager agent queries Active Directory for its primary and failover management server assignment and automatically starts monitoring the computer.
To assign computers to management groups by using AD DS:
The functional level of AD DS domains must be Windows 2008 native or higher.
Agent-managed computers and all management servers in the AD Agent Assignment resource pool must be in the same domain or in two-way trusted domains.
Regardless of whether AD DS is used to assign computers to a management group, agent-managed computers and their primary management server and secondary management server must be in the same or two-way trusted domains or a gateway server must be used. For more information about gateway servers, see About Gateway Servers in Operations Manager.
Following are the phases for using AD DS to assign computers to Operations Manager management groups.
A domain administrator uses MOMADAdmin.exe to create an AD DS container for an Operations Manager management group in the domains of the computers it will manage. The AD DS security group that is specified when running MOMADAdmin.exe is granted Read and Delete Child permissions to the container. By creating a container this way, Operations Manager administrators are given the permission necessary to add management servers to the container and assign computers to them, without needing to be domain administrators.
An Operations Manager administrator uses the Agent Assignment and Failover Wizard to assign computers to a primary management server and secondary management server.
An agent that determines it is installed on a domain controller will not query Active Directory for configuration information. This is for security reasons: Active Directory Integration is disabled by default on domain controllers because the agent runs under the Local System account, and on a domain controller the Local System account effectively has domain administrator rights. Such an agent would detect every management server Service Connection Point registered in Active Directory, regardless of the security group membership the wizard uses to scope assignments, and would therefore try to connect to all management servers in all management groups. The results are unpredictable, which is itself a security risk, so agents on domain controllers must be given their management group settings manually.
The Operations Manager agent is deployed using MOMAgent.msi to the desired computers and configured to get its management group information from Active Directory.
Active Directory Integration is disabled for agents that were installed from the Operations console. By default, Active Directory Integration is enabled for agents installed manually using MOMAgent.msi. To disable Active Directory Integration for manual installs, use the command line parameter USE_SETTINGS_FROM_AD=0 as explained in Install Agent Using the Command Line.
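The three phases above as a single PowerShell script, added here as a worked example; it is not code from the article or from the product. The MOMADAdmin.exe argument order (management group, admin security group, Run As account, domain) and the MOMAgent.msi properties are the documented ones, but the domain, group and account names, the management server FQDN, the media paths and the location of MOMADAdmin.exe are placeholders. Phase 2 is a console wizard and cannot be scripted, so it appears only as a comment. The domain-controller branch reflects the note above: an agent on a domain controller must be given its settings manually.

```powershell
# Added example, not part of the original article. Every name, path and
# account below is a placeholder assumed for illustration.
$mgName     = 'MG1'                     # management group name (assumed)
$adminGroup = 'CORP\OpsMgrAdmins'       # AD security group of OpsMgr admins (assumed)
$runAs      = 'CORP\svc-opsmgr-ad'      # Run As account the management server uses for AD objects (assumed)
$domain     = 'corp.example.com'        # domain whose computers this MG will manage (assumed)
$msServer   = 'ms01.corp.example.com'   # a management server, used only for the manual (DC) branch (assumed)
$agentMsi   = '\\deploy\opsmgr\MOMAgent.msi'   # UNC path to the agent installer (assumed)

# Phase 1: run once per managed domain, as a domain administrator.
# MOMADAdmin.exe creates CN=OperationsManager and a child container for the
# management group, and grants $adminGroup Read and Delete Child on it.
# Location of the tool is assumed; it ships in the Operations Manager install directory.
$momAdAdmin = Join-Path $env:ProgramFiles 'Microsoft System Center 2012 R2\Operations Manager\Server\MOMADAdmin.exe'
& $momAdAdmin $mgName $adminGroup $runAs $domain
if ($LASTEXITCODE -ne 0) { throw "MOMADAdmin.exe failed with exit code $LASTEXITCODE" }

# Phase 2: an Operations Manager administrator (a member of $adminGroup, not a
# domain admin) runs the Agent Assignment and Failover Wizard in the Operations
# console to publish primary and failover management servers for $mgName.
# There is no command-line equivalent; this step is done in the console.

# Phase 3: install the agent on the target computer and let it read its
# management group from AD, except on domain controllers, where AD integration
# is never used and the settings must be supplied on the command line.
$domainRole = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
$isDomainController = $domainRole -ge 4     # 4 = backup DC, 5 = primary DC

$commonArgs = @('/i', $agentMsi, '/qn',
                '/l*v', (Join-Path $env:TEMP 'MOMAgent-install.log'),
                'ACTIONS_USE_COMPUTER_ACCOUNT=1',
                'AcceptEndUserLicenseAgreement=1')   # required by newer agent builds; harmless otherwise

if ($isDomainController) {
    $msiArgs = $commonArgs + @('USE_SETTINGS_FROM_AD=0',
                               'USE_MANUALLY_SPECIFIED_SETTINGS=1',
                               "MANAGEMENT_GROUP=$mgName",
                               "MANAGEMENT_SERVER_DNS=$msServer",
                               'SECURE_PORT=5723')
} else {
    $msiArgs = $commonArgs + @('USE_SETTINGS_FROM_AD=1',
                               'USE_MANUALLY_SPECIFIED_SETTINGS=0')
}

$proc = Start-Process -FilePath (Join-Path $env:WinDir 'System32\msiexec.exe') `
                      -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "MOMAgent.msi failed with exit code $($proc.ExitCode); see $env:TEMP\MOMAgent-install.log"
}
```

Phase 1 and phase 3 run on different machines (a domain-joined admin workstation or management server for the first, each target computer for the last), so in practice the two halves are separate scripts; they are shown together here only to keep the argument values in one place.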
Agent assignment is accomplished by using a Service Connection Point (SCP), an Active Directory object for publishing information that client applications use to bind to a service. The SCPs live in the AD DS container that the domain administrator created with MOMADAdmin.exe (see the first phase above); the security group specified when running MOMADAdmin.exe holds Read and Delete Child permissions on that container. Each SCP contains the connection information for one management server, including the server's FQDN and port number, and Operations Manager agents discover their management servers by querying for these SCPs.

Permission inheritance on the container is not disabled, and an agent can read whatever integration information it has permission to see. If you force inheritance of a rule that grants the Everyone group read access to all objects from the root of the directory, AD Integration will be severely affected and will essentially stop working as designed: every agent will be able to read every SCP, so you will no longer have reliable and consistent primary and failover assignment for deployed agents, and if you have more than one management group, agents in all of them will become multi-homed. If you do force such inheritance throughout the directory, you must block it at the top-level AD Integration container, named OperationsManager, and on all of its child objects.
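A check for the two points made above, added here as an example and not taken from the article or the product: it lists the SCPs the wizard published under the management group container, and it looks for an inherited Everyone allow ACE on the OperationsManager container and its children, blocking inheritance and removing that ACE when asked to. It assumes the ActiveDirectory PowerShell module (RSAT), a management group named MG1, and the container names CN=OperationsManager and CN=MG1 beneath it; the attributes selected on the SCP objects are the standard serviceConnectionPoint attributes and which of them the wizard fills in is an assumption.

```powershell
# Added example, not part of the original article.
Import-Module ActiveDirectory

$mgName   = 'MG1'                                      # assumed management group name
$domainDN = (Get-ADDomain).DistinguishedName
$rootDN   = "CN=OperationsManager,$domainDN"           # top-level AD Integration container
$mgDN     = "CN=$mgName,$rootDN"                       # container MOMADAdmin.exe created for the MG

# 1. What agents will find: every SCP published under the management group container.
function Get-OpsMgrScp {
    Get-ADObject -SearchBase $mgDN -SearchScope Subtree `
                 -LDAPFilter '(objectClass=serviceConnectionPoint)' `
                 -Properties serviceDNSName, serviceBindingInformation, keywords |
        Select-Object Name, DistinguishedName, serviceDNSName, serviceBindingInformation, keywords
}

# 2. Has a directory-wide "Everyone: Allow" rule been inherited onto the container
#    or any child object? Everyone is matched by its well-known SID (S-1-1-0).
function Test-OpsMgrInheritedEveryone {
    param([switch]$Fix)   # without -Fix the function only reports

    $targets = @($rootDN) + @(Get-ADObject -SearchBase $rootDN -SearchScope Subtree -Filter * |
                              Where-Object { $_.DistinguishedName -ne $rootDN } |
                              Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $targets) {
        $acl  = Get-Acl -Path "AD:\$dn"
        $leak = $acl.Access | Where-Object {
            $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
        }
        if (-not $leak) { continue }

        Write-Warning "$dn inherits $($leak.Count) Everyone allow ACE(s); AD Integration assignment is not reliable here."
        if (-not $Fix) { continue }

        # Stop inheriting but copy the inherited ACEs as explicit ones, so the
        # OpsMgr admin group and the wizard-created groups keep their access...
        $acl.SetAccessRuleProtection($true, $true)
        # ...then drop the copied Everyone entries, which are the ones that let any
        # agent read every SCP.
        $acl.Access |
            Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0' } |
            ForEach-Object { [void]$acl.RemoveAccessRule($_) }
        Set-Acl -Path "AD:\$dn" -AclObject $acl
        Write-Output "Blocked inheritance and removed Everyone ACEs on $dn"
    }
}

Get-OpsMgrScp | Format-Table -AutoSize
Test-OpsMgrInheritedEveryone          # report only; add -Fix to block inheritance and remove the ACEs
```

Run the ACL check as a member of the security group given to MOMADAdmin.exe or as a domain administrator; Set-Acl on the AD: drive needs write access to the object's security descriptor, which Read and Delete Child alone do not provide, so the repair step typically has to be done by the domain administrator who created the container.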
This feature works well for controlling agent assignment in a distributed management group deployment. It prevents agents from reporting to management servers that are dedicated to resource pools, and it keeps agents from failing over during normal operation to management servers in a secondary data center that is held in a warm-standby configuration.
Configuration of agent assignment is managed by an Operations Manager administrator using the Agent Assignment and Failover Wizard to assign computers to a primary management server and secondary management server.
Integrating Active Directory and Operations Manager
How to Create an Active Directory Domain Services Container for a Management Group
How to Use Active Directory Domain Services to Assign Computers to Management Servers
Changing the Active Directory Integration Setting for an Agent