Raphael Burri’s blog

Mostly about System Center Operations Manager 2007

Posts Tagged ‘OpsMgr 2007’

AD Integration explained

Posted by rburri on December, 5 2008

Two weeks ago I had the opportunity of talking about the Active Directory integration feature in Operations Manager 2007 at the 3rd meeting of the System Center Virtual User Group. The presentation included details of how to implement AD integration in complex enterprise environments.

As a follow up to the meeting, Pete Zerger invited me to participate in updating the AD integration guide at the System Center Forum Community site.

The document contains in depth information about:

  • what AD Integration is
  • how it works
  • configuring for single as well as multiple domain sites
  • agent roll-out
  • troubleshooting
  • LDAP query examples

If you plan to roll out AD integration this should give you the answers to most of the questions you might have.

Links

Active Directory Integration Guide (System Center Forum)

Active Directory Integration slide deck (3rd SCVUG Meeting)

AD Integration (untrusted domain)

Posted in OpsMgr 2007

Untrusted AD integration – Suppress misleading RunAs Alerts

Posted by rburri on December, 3 2008

When using OpsMgr’s Active Directory integration for remote (untrusted) domains, you will receive alerts from two monitors complaining that the RunAs accounts used for the remote domain integration were not correctly configured. The monitors are defined in the Microsoft.SystemCenter.2007 MP:

  • RunAs Account Monitoring Check
  • RunAs Successful Logon Check

This is actually expected, since the Root Management Server cannot log on to its local domain using the remote user. In order to suppress these alerts you could disable the monitors (in the context of the RMS) using overrides. The downside is that you would then miss failures of any other locally defined RunAs accounts.

I chose an alternative approach: disabling the original monitors and replacing them with new ones that allow filtering on the RunAs account’s name. The replacement monitors are:

  • RunAs Successful Logon Check (Replaced)
  • RunAs Account Monitoring Check (Replaced)

In order to reuse these two in your own environment, edit the monitors above and replace the account names in the unhealthy event expression (FirstExpression) with the account names you want to exclude from the RMS monitors. Should one of your RunAs accounts in the untrusted domains become invalid, you will receive other alerts from the AD writer.

Download link for a sample MP containing the RunAs overrides and monitors:
Custom.AD.Integration.Untrusted.RunASMonitorsExtension.xml MP V 1.0.0.0 (rename after downloading – it is a zip file)

Posted in OpsMgr 2007

AD Integration based on OU membership

Posted by rburri on October, 27 2008

Introduction

Operations Manager 2007 integration into Active Directory can significantly reduce administration effort. Agents rolled out using software delivery, or even as part of the OS image, read their configuration information (management group membership, primary and fail-over server) from AD. The rules are maintained using the ‘Configure Active Directory (AD) Integration’ wizard inside OpsMgr’s Administration workspace. It allows grouping agent computers based on the values of attributes of their computer accounts. Attributes include:

  • name
  • description (in AD)
  • location (in AD)
  • operatingSystem
  • memberOf (Security Group Membership)

Assigning configuration to agents based on their computer accounts’ OU (Organizational Unit) membership is not directly possible.

Enable OU based rules (two options)

In order to group the computer accounts, extra steps are required. One approach has been described by Pete Zerger and Anders Bengtsson in the Active Directory Integration Walkthrough on SystemCenterForum. The paper explains how Security Groups can be created for each Organizational Unit container for which an integration rule should be created.

While this works very well, I did not like the idea of having to create extra security groups just to enable OU based rules. The reason why OU grouping does not work out of the box is that the LDAP provider does not accept wildcards on the ‘distinguishedName’ attribute, which contains the OU location information of the computer account. So I thought I was going to simply copy that information into an otherwise unused attribute field. Good candidates are ‘comment’ or ‘info’. Their syntax is Unicode string, so the LDAP provider does accept wildcards.

To make things work automatically I wrote a script and included it in a management pack. The rule is targeted at domain controllers. That way any newly added or moved computer automatically gets assigned to the correct management group. A sample LDAP query string then looks like this:

(&(sAMAccountType=805306369)(!(primaryGroupID=516))(info=*,OU=SubUnit,OU=OrgUnit,DC=Domain,DC=info))
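As an added example (not the management pack’s own Custom.Write.ComputerDN.to.Attribute.vbs script), the following PowerShell does the same job the rule’s script does: it copies every computer account’s distinguishedName into the ‘info’ attribute, skipping accounts that already carry the right value, and then runs the LDAP query above to confirm the rule would match. It assumes the ActiveDirectory PowerShell module (RSAT) is available and that it runs under an account allowed to write that attribute on computer objects; the attribute name, search base and the OU/DC components of the query are placeholders to replace with your own.

```powershell
<#
  Added example, not the MP's VBScript: write each computer's DN into a
  wildcard-searchable attribute so OU-based AD integration rules work,
  then verify with the OU filter from the post.
  Assumes the ActiveDirectory module and write permission on the attribute.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Attribute that receives the DN; 'info' as in the post, 'comment' works too
    [string]$TargetAttribute = 'info',
    # Optional search base (an OU DN); empty means the whole domain
    [string]$SearchBase = ''
)

Import-Module ActiveDirectory -ErrorAction Stop

# Real computer accounts only: sAMAccountType 805306369 is SAM_MACHINE_ACCOUNT.
# Domain controllers (primaryGroupID 516) are excluded, exactly as in the post's filter.
$baseFilter = '(&(sAMAccountType=805306369)(!(primaryGroupID=516)))'
$query = @{ LDAPFilter = $baseFilter; Properties = @('distinguishedName', $TargetAttribute) }
if ($SearchBase) { $query.SearchBase = $SearchBase }

$updated = 0
foreach ($computer in Get-ADComputer @query) {
    $dn      = $computer.DistinguishedName
    $current = $computer.$TargetAttribute

    # Idempotent: a computer that has not moved since the last run is left untouched,
    # so the MP rule can run on a short interval without needless directory writes.
    if ($current -eq $dn) { continue }

    if ($PSCmdlet.ShouldProcess($dn, "Set $TargetAttribute to the object's DN")) {
        $replace = @{}
        $replace[$TargetAttribute] = $dn
        Set-ADComputer -Identity $dn -Replace $replace
        $updated++
    }
}
Write-Verbose "Updated $updated computer object(s)."

# Verification, the scripted equivalent of looking at the attribute in ADSIEdit.msc:
# the OU-based integration rule filter from the post. Placeholder OU/DC components.
$ouFilter = "(&(sAMAccountType=805306369)(!(primaryGroupID=516))($TargetAttribute=*,OU=SubUnit,OU=OrgUnit,DC=Domain,DC=info))"
Get-ADComputer -LDAPFilter $ouFilter -Properties $TargetAttribute |
    Select-Object Name, DistinguishedName, @{ n = $TargetAttribute; e = { $_.$TargetAttribute } }
```

Run it once with -WhatIf to see which objects would change before letting it write. Because the MP rule runs this logic on every domain controller, the account it runs under only needs write access to this single attribute on computer objects; delegating exactly that, rather than running it under a broadly privileged action account, keeps the blast radius of the rule small.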

Management Pack Sample

The sample management pack can be downloaded here:

Custom.AD.Integration.OUExtension.xml MP V 1.0.0.0 (rename after downloading – it is a zip file)

I do not recommend using this MP in your production environment. Instead review its content, test it and reuse the bits you find usable in your own MP.

The sample contains the rule “Custom.Write.ComputerDN.to.Attribute.Rule”, which calls the script “Custom.Write.ComputerDN.to.Attribute.vbs”. Note that the attribute can easily be changed from ‘info’ to whatever you prefer. Using ADSIEdit.msc you can check whether the rule is working as expected.

Posted in OpsMgr 2007

Running Timed Script Discovery without getting warning event 21405

Posted by rburri on May, 13 2008

Post last updated on: January, 20 2008

When writing management packs, I do occasionally use timed script discovery providers (Microsoft.Windows.TimedScript.DiscoveryProvider). At times such a script may end without returning any discovery data. Consider the following example:

- A timed script discovery rule is looking for an element (e.g. Windows scheduled tasks)
- For each found, an object entity is created in OpsMgr’s DB
- If none exist on the computer, the script quits silently

It is expected that the script exits without returning any discovery data when the object does not exist on a computer. However, OpsMgr’s default setting will lead to the following event being written into the Operations Manager event log of the target computer:

Event Type: Warning
Event Source: Health Service Modules
Event ID: 21405
Description: The process started at ....... failed to create
System.Discovery.Data, no errors detected in the output.
The process exited with 0

Workaround

After having tried various approaches, it was this post on the Operations Manager Product Team Blog that got me onto the right path.

If you are writing a discovery (or property bag) provider that you expect not to return data at times:

  1. Make sure you end the script gracefully: WScript.Quit(0)
  2. At the end of the DataSource tag, add an EventPolicy tag:

<EventPolicy>
  <!-- Do not write Warning Event 21405 (no discovery data)
       when the script doesn't return any data
       (product not installed) -->
  <StdOutMatches></StdOutMatches>
  <!-- Standard Error Out Matches (leave default) -->
  <StdErrMatches>\a+</StdErrMatches>
  <!-- Exit Code matches (leave default) -->
  <ExitCodeMatches>[^0]+</ExitCodeMatches>
</EventPolicy>

By setting <StdOutMatches> to an empty value, you override the default setting, which creates an event whenever anything other than a valid OpsMgr DataItem is returned. Note that this only works on OpsMgr 2007 SP1 and later.

Disappearing objects that were once discovered

Depending on the logic of the discovery script, there is some danger that already discovered objects vanish from OpsMgr if the script fails to read data from the agent machine, for instance because of a temporary failure of a WMI object. Microsoft’s DNS management pack suffered from this until recently. Boris Yanushpolsky has an enlightening post on how to avoid this from happening. He makes use of the (so far undocumented) IsSnapshot property of the CreateDiscoveryData object.

Posted in OpsMgr 2007