How to make Active Directory MP discover untrusted domains

Update: May 19, 2010

The latest released Active Directory product Management Pack is 6.0.7065.0. I have verified the unstrusted domain discovery extension MP and updated it. Following the changes of the product MP, the discovery interval was increased to once every 24 hours. You can download the updated version at the end of this post.

The current Active Directory management pack by Microsoft does discover trusted domains out of the box. However; it still does not discover forests and domains to which no trust exists. But it can be done:  The trick simply is to run the ‘AD Topology Discovery’ on OpsMgr gateways located in domains and not just on the RMS.

The management pack below consists of :

  • AD Discovery Management Server Computer Group: Gateways installed in domains
  • Discovery of the AD Discovery Management Server Computer Group
  • AD Topology Discovery (Custom script): targeted at all management servers – disabled by default
  • Override to enable the discovery on members of above group

In order to successfully discover domain objects, the OpsMgr security gateways need to have the right to ‘act as a proxy and discover managed objects on other computers‘.

Download the management pack

Download Custom AD Topology Discovery MP V (unsealed & sealed) (rename after downloading – it is a zip archive)

It should be mentioned that there is some overhead since the discovery is run on all gateways in an untrusted domain. For that reason I set the execution interval of the discovery script to 24 hours.

Note on earlier versions

If you happen to have been using the workaround MP I posted earlier this year: The old version (V does not work with Microsoft’s management pack  6.0.6452.0 and above.  Please replace it with the current MP.


AD Integration explained

Two weeks ago I had the opportunity of talking about the Active Directory integration feature in Operations Manager 2007 at the 3rd meeting of the System Center Virtual User Group. The presentation included details of how to implement AD integration in complex enterprise environments.

As a follow up to the meeting, Pete Zerger invited me to participate in updating the AD integration guide at the System Center Forum Community site.

The document contains in depth information about:

  • what AD Integration is
  • how it works
  • configuring for single as well as multiple domain sites
  • agent roll-out
  • troubleshooting
  • LDAP query examples

If you plan to roll out AD integration this should give you the answers to most of the questions you might have.


Active Directory Integration Guide (System Center Forum)

Active Directory Integration slide deck (3rd SCVUG Meeting)

AD Integration (untrusted domain)

AD Integration (untrusted domain)

Untrusted AD integration – Suppress misleading RunAs Alerts

When using OpsMgr’s Active Directory integration for remote (untrusted) domains, you will receive alerts by two monitors, complaining that the RunAs accounts used for the remote domain integration were not correctly configured. The monitors are defined in Microsoft.SystemCenter.2007 MP:

  •   RunAs Account Monitoring Check
  •   RunAs Successful Logon Check                                             

This is actually expected since the Root Management Server can not log on in its local domain using the remote user. In order to suppress these alerts you could disable the monitors (in the context of the RMS), using overrides. The downside of this is that you would miss out on any other locally defined RunAs accounts’ failures.

I chose an alternate approach by disabling the original monitors and replacing them with new ones, which allow filtering on the RunAs user account’s name.  The replacement monitors are:

  • RunAs Successful Logon Check (Replaced)
  • RunAs Account Monitoring Check (Replaced)

In order to reuse these two in your own environment, edit above monitors and replace the account names in the unhealthy event expression (FirstExpression) with the account names you would like to exclude from the RMS monitors. Should one of your RunAs accounts in the untrusted domains become invalid, you will receive other alerts from the AD writer.

Download link for a sample MP containing the RunAs overrides and monitors:
Custom.AD.Integration.Untrusted.RunASMonitorsExtension.xml MP V (rename after downloading – it is a zip file)