Get more out of Active Directory forest and domain discovery
Posted by rburri on January, 15 2008
Update (Dec. 8, 2008)
After finding the time to investigate the new Microsoft managemement pack (6.0.6452.0) it was not too difficult to find a way to re-enable untrusted domain discovery. More information here:
How to make Active Directory MP discover untrusted domains
Update (Nov. 10, 2008)
Microsoft has just released Version 6.0.6452.0 of the AD management packs: See catalog. The discovery process has changed significantly so the workaround below does not work any longer.
The good news are that MS does now support discovery of TRUSTED domains and domain controllers in OUs. For UNTRUSTED domains, integrated using security gateways I will post an update soon.
As for now I am pulling the worrkaround below.
Using the currently available AD management packs it is only possible to discover AD forests, the root management server (RMS) has access to. When implementing gateway servers to extend OpsMgr’s management group to other forests (domains), only the remote domain controllers (DCs) but not their domains and forests are added to the repository.
Furthermore the discovery explicitly expects finding all DCs in the AD OU ‘Domain Controllers‘. If DCs’ computer objects are organized into sub OUs (in our installation this was required to make applying different IPSec policies possible), the AD topology discovery won’t be able to find them.
The actual monitoring will be active since most monitors and rules are targeted at DCs und underlying objects but the diagram views will only show the RMS’ forest. When DCs are placed in sub OUs the domain objects will be empty as well. As a side effect you’ll see event IDs 3333 (source DataAccessLayer) and 10801 (source Health Service Modules) logged to the Operations Manager event log. The DC discovery script attempts to add relationship instances to objects that do not exist in the database.
When taking a look at the MP Active Directory Server Common Library, one can see that the discovery rule AD Topology Discovery is targeted at the RMS only. The rule’s knowledge article states: “The version AD MP does not support multiple AD Forest topology discovery. This feature will be implemented in a future version of the AD MP.” All the forest and domain discovery is done by the script ADTopologyDiscovery.vbs. It looks for DCs with this LDAP query:strQuery = “<LDAP://” & sPDC & “/OU=Domain Controllers,” & sDNC & “>;(objectCategory=computer);cn,distinguishedName,dNSHostName,serverReferenceBL;onelevel“
The ‘onelevel’ switch makes it fail to enumerate DCs in sub OUs
Enabling full topology discovery
To enable discovery of AD forests joined in using gateways, I took the existing discovery rule and added it to a custom management pack, targeting it at OpsMgr security gateway servers located in domains as well as to the RMS. I also altered the above LDAP query to allow the script finding DCs in sub OUs. It is even possible to use an override should the DCs’ computer objects not be in an OU called ‘Domain Controllers‘.
The management pack consists of :
- AD Discovery Management Server Computer Group: RMS and gateways installed in domains
- Discovery of the AD Discovery Management Server Computer Group
- AD Topology Discovery (Custom script): targeted at all management servers - disabled by default
- Override to enable the discovery on members of above group
- Override to disable the original discovery
The additional computer group was required to make sure that the discovery is only active for gateways that are actually inside a domain in addition to the RMS. Note that the only changes to the discovery script required were adding references to Microsoft’s management pack, changing the LDAP query’s option switch and adding command line parameters to make overriding of the DC’s OU name possible. Other than that the script is the same as found in Active Directory Server Common Library, 6.0.5000.0
Download the management pack: (not compatible with Microsoft’s MP
Download Custom AD Topology Discovery MP (rename after downloading – it is a zip archive)
Note that this MP is thought to work with Operations Manager 2007 – RTM (AD Management Packs 6.0.5000.0). I have tested it with the RC of SP1 as well but if a newer AD management pack is delivered the above solution will likely have to be altered.
Update(March 11th, 2008): SP1 includes AD Management Packs version 6.0.6278.0. There are no changes to the discovery process. Hence the above solution works for SP1 installation as well.
Update(March 26th, 2008): Version 6.0.6278.10 works as well with this workaround.
The following screen-shot shows an AD topology with two forests. Both have only one domain. The left consists of two sites and a total of four DCs. The forest on the right only has one site and two DCs.
This entry was posted on January, 15 2008 at 16:21 and is filed under OpsMgr 2007. Tagged: Active Directory Management Pack, AD Topology Discovery, Operations Manager 2007, Security Gateway. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.