SCOM 2007 and AD

Operations Manager 2007 uses AD a lot more than 2005. I have collected some links that may help. I have included the link to the AD MP as that is essential for setting up AD monitoring correctly but you need to know about overrides to configure the MP and if you have a large number of DCs then there is a PowerShell script that can switch the proxy setting off for all of them. In the GUI you would have to do each one separately.

SCOM 2007 uses Kerberos to do mutual authentication between the agent and the management server. Unlike MOM 2005, this cannot be switched off. To monitor systems that are not part of the domain, or that are in a forest without a two-way trust, you need to use certificates and perhaps the Gateway server. Although related to AD, I do not cover PKI, certificates or Gateway servers in this post.

Installing 2007 – AD Domain Prerequisites

In fact, before you can install 2007 you must have the domain level right. Operations Manager 2007 requires that the domain functional level be Windows 2000 native, Windows Server 2003 interim, or Windows Server 2003. For Operations Manager to function properly, you must check the domain functional level and raise it to at least Windows 2000 native. The lowest of the 4 levels is called Windows 2000 Mixed, and that is the only one of the 4 that OM 2007 cannot work in. Note – this is the default domain functional level for Windows Server 2003 domains. See http://technet2.microsoft.com/WindowsServer/en/library/da255f53-ae6c-4af8-80f1-9b3c046022311033.mspx?mfr=true

Note – there are no schema changes with OM 2007 that I have come across. Containers do get created though.

AD Integration with security and controlling access to the console

One thing I have not come across is any papers looking at the use of AD integration to help lock down the console. There is this mini video though.

Create User Roles
Presenters: Joseph Chan, Microsoft
This video demonstrates how to create user roles to control access to Operations Manager data and monitoring objects like tasks and views according to the user's business responsibilities and needs.
Running Time (minutes): 5:39
Date Posted: March 18, 2007

AD Management Pack

What’s new
• Domain discovery that enables Operations Manager 2007 to automatically discover domains in your Active Directory environment
• New performance and client monitoring views to provide more ways to view your monitoring data
• A new child domain topology view, allowing you to see subdomains of other domains
• New dashboard views that combine multiple views into one view to allow analysis of trends and similarities between related metrics

Caveats
• Neither of the Management Packs (the AD Client Monitoring is considered a separate pack and is to be deployed on Exchange servers that are clients to AD) supports agentless monitoring.
• The Active Directory Management Pack does not support monitoring across multiple forests. (This is strange as using the Gateway tool allows servers in multiple forests to be monitored by one OM management group.)
• You cannot monitor a domain controller running on the x64-bit version of Windows Server 2003 with Operations Manager 2007 and Microsoft Operations Manager 2005 simultaneously.
• If an Operations Manager 2007 64-bit agent is installed on a domain controller running in 64-bit mode, the existing 32-bit version of OOMADS remains and will not be upgraded. This means that the 2007 Active Directory Management Pack monitoring will not work. The Microsoft Operations Manager 2005 monitoring will continue to work.

Active Directory Management Pack Guide for Operations Manager 2007
March 27, 2007
This document includes a Management Pack overview, deployment procedures, and monitoring scenarios for the two Active Directory Domain Services (AD DS) Management Packs
Download the Guide

Enabling the Agent Proxy allows each domain controller to discover its connection object between other domain controllers. Connection objects are hosted by the forest, and the forest is discovered by the topology discovery, which is run on the Operations Manager 2007 principal Management Server. (I take it that they mean the Root Management Server.)

Agent “Act as a Proxy” Bulk Update  zip file from systemcenterforum.org
2007/04/12
A PowerShell script that will enable the ‘Act as a Proxy’ functionality on a group of agents. This is useful when an MP requires a large number of agents to have this functionality enabled.
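
A scoped variant of the bulk update, as an added example (it is not the systemcenterforum.org script and not taken from the Management Pack guide): it turns on 'Act as a Proxy' only for agents whose name matches a domain controller of the current domain, and reports domain controllers that have no agent. It assumes the Operations Manager Command Shell, where `Get-Agent` is available; `$apply` is a variable introduced here for a dry run.

```powershell
# Added example. Run inside the Operations Manager Command Shell, which loads
# the OpsMgr snap-in and connects to the management group.

# Domain controllers of the current domain, read from AD (DNS names).
$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcNames = @($domain.DomainControllers | ForEach-Object { $_.Name.ToLower() })

# All agents in the management group.
$agents = @(Get-Agent)

# Agents that are domain controllers and do not yet have proxying enabled.
# -match "False" compares the setting's string form, as bulk scripts for 2007 do.
$targets = @($agents | Where-Object {
    ($dcNames -contains $_.PrincipalName.ToLower()) -and
    ($_.ProxyingEnabled -match "False")
})

# Assumption for this example: leave $false to list changes without making them.
$apply = $false

foreach ($agent in $targets) {
    if ($apply) {
        $agent.ProxyingEnabled = $true
        $agent.ApplyChanges()
        Write-Host "Enabled proxy on $($agent.PrincipalName)"
    }
    else {
        Write-Host "Would enable proxy on $($agent.PrincipalName)"
    }
}

# Domain controllers without an agent: the AD MP does not support agentless
# monitoring, so these will not be monitored by it.
$agentNames = @($agents | ForEach-Object { $_.PrincipalName.ToLower() })
$dcNames |
    Where-Object { $agentNames -notcontains $_ } |
    ForEach-Object { Write-Host "No agent on domain controller: $_" }
```

Limiting the change to domain controllers keeps the proxy setting off on agents that no management pack requires it for.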

In order to make any changes to the AD MP, such as changing the value for the “Intersite Replication Latency Threshold Value” you will need to use overrides as the MP is sealed. Although this video is not covering AD overrides it is useful to see the process especially as the menu options in the GUI are not that intuitive.

Adjusting Monitors with Overrides

Presenters: Lorenzo Rizzi, Microsoft
This video provides an overview of the overrides feature in Operations Manager 2007.
Running Time (minutes): 5:37
Date Posted: March 18, 2007

AD Integration

AD integration is new to OM 2007. This allows the agent to be deployed in a server build or by SMS and use the AD to notify the agent where to go for the management group, management server and failover management server. As you can see there is a lot of information covering this.

Note: If you are not planning to deploy the agents within a server build, via a tool like SMS etc but instead are planning to push the agents out from the console you can ignore this section.

AD integration concept, see Using Active Directory Domain Services to Assign Computers to Operations Manager 2007 Management Groups. http://technet.microsoft.com/en-us/library/bb309470.aspx
 
How to Create an Active Directory Domain Services Container for an Operations Manager 2007 Management Group – http://technet.microsoft.com/en-us/library/bb309685.aspx
Provides the procedure to create in a domain an AD DS container for an Operations Manager 2007 Management Group.
 
How to Use Active Directory Domain Services to Assign Computers to an Operations Manager 2007 Management Group – http://technet.microsoft.com/en-us/library/bb381226.aspx
Provides the procedures to assign computers to Operations Manager 2007 Management Groups by using AD DS.

 Active Directory Integration
Presenters: Joseph Chan, Microsoft
This video demonstrates how to configure Active Directory integration to automatically assign agents to management servers.
Running Time (minutes): 6:03
Date Posted: March 18, 2007

Active Directory Integration in Ops Mgrs 2007 PDF from SystemCenterForum.org
(04/11/2007)
How to configure Active Directory integration for an Operations Manager 2007 management group.

Notes on AD Integration in Ops Mgr 2007 SystemCenterForum.org
Additional info.

InFront Consulting

Additional documentation (PDF) on how to Configure Active Directory integration in Ops Mgr 2007 RC2. (Some of the issues he saw when first doing the configuration)

Active Directory Integration in Operations Manager 2007
Posted by Rory on 2/17/2007
Learn how to configure Active Directory integration in Operations Manager 2007 using the new MOMADAdmin.exe utility. MOMADAdmin.exe is a new tool included in the Support Tools folder on the Operations Manager 2007 media that allows you to prepare the Act… (Registration Required)

12 Comments

  1. Hello,

    Your comment relates directly to our SCOM 2007 implementation. We have several forests and plan to implement a Gateway server…however, if ADMP cannot monitor multiple domain controllers across forests, I guess it will only benefit other management packs.

    Any updates to your comment:

    “The Active Directory Management Pack does not support monitoring across multiple forests. (This is strange as using the Gateway tool allows servers in multiple forests to be monitored by one OM management group.)”

    Thanks,
    Alison

    • Roberto

      You can monitor several servers in another forest/domains, but you cannot monitor the AD of these forest/domains.

  2. omkar umarani

    I am interested in working with SCOM. I have one problem regarding extending the schema of Active Directory. I am not able to extend the schema by using the exe.

  3. omkar umarani

    I am getting a warning while installing SCOM on an Active Directory integrated machine.
    “Don’t install it on primary and backup domain controller.”

    Please give me a reply.

  4. Nate

    Omkar, SCOM should not be extending your AD schema – it should only be creating containers. I think the error you are getting is because you are actually trying to install the RMS server on a DC…

    • omkar umarani

      Thanks for your reply. I am currently working on creating MP packs.

  5. omkar umarani

    Hi,

    As I understand it, in MOM 2005, to use the FRS Management Pack we have to install
    Ultrasound. Is it also needed for OpsMgr 2007? Is Ultrasound required to use
    the FRS management pack for OpsMgr 2007?

    Do you have any Gmail contact so we can talk on this subject? We want to upgrade our AD monitoring from MOM to SCOM, so we want some good info. This forum is really good but we want some extra info.

  6. David Ip

    I ran the check in SCOM 2007 R2 Prerequisite Viewer. I resolved all the errors but am down to one warning: “Installing on a primary or backup domain controller is not recommended.” I configured the Windows Server 2003 to be an AD domain controller; it is a new domain in a new forest (an isolated machine in the lab). Should I proceed with the installation? Please advise. Thanks.

  7. omkar umarani

    Hi, is Ultrasound required to monitor
    Active Directory with SCOM 2007 or R2? Hi David, what do you think?

  8. omkar umarani

    Hi
    You install it on a different machine because it is in your test lab then fine, but if it is in your production environment then you should install it on a different machine. Use different machines for everything: SQL, DC, and RMS. If you have only one machine in the test lab then fine, you can proceed. If you install on a different machine it is a good chance for you to check how SCOM SP1 or R2 monitors the DC, and there are some things related to them.

  9. omkar umarani

    Does Ultrasound work with SCOM 2007 SP1 or R2? Please, anyone reply.

    • Hi,

      It is not a good idea to ask technical questions on a blog post, especially on a post that is 2 years old. The fact that some people answered is quite lucky as most people do not track comments. I try and respond when I can but if I am busy or away on holiday then that is not possible. Repeatedly asking the same question does not help.

      Use the forums for technical questions as many people visit those and will respond to technical questions.

      Microsoft – http://social.technet.microsoft.com/Forums/en-US/category/systemcenteroperationsmanager

      SystemCenter Central – http://www.systemcentercentral.com/tabid/60/tag/Forums+Operations_Manager/Default.aspx

      The quick answer to the question is that the FRS MP for OpsMgr 2007 was a port of the 2005 MP and so will have all the same restrictions, i.e. that 90% of the rules depend on Ultrasound. FRS is being phased out and being replaced by DFS-Replication. If you install a new Windows 2008 domain you do not get FRS installed unless you request it for backward compatibility.
