Ian Blyth Deployment link http://ianblythmanagement.wordpress.com/2007/04/18/scom-2007-and-ad/ it looks good to me… read above more …
SCOM 2007 and AD
Operations Manager 2007 uses AD a lot more than 2005. I have collected some links that may help. I have included the link to the AD MP as that is essential for setting up AD monitoring correctly, but you need to know about overrides to configure the MP, and if you have a large number of DCs then there is a PowerShell script that can switch the proxy setting off for all of them. In the GUI you would have to do each one separately.

SCOM 2007 uses Kerberos to do mutual authentication between the agent and the management server. Unlike MOM 2005 this cannot be switched off. In order to monitor systems that are not part of the domain or forest that do not have a two-way trust you need to use certificates and perhaps the Gateway server. Although related to AD, I do not cover PKI, certificates or Gateway servers in this post.

Installing 2007 – AD Domain Prerequisites

In fact, before you can install 2007 you must have the domain level right. Operations Manager 2007 requires that the domain functional level be Windows 2000 native, Windows Server 2003 interim, or Windows Server 2003. For Operations Manager to function properly, you must check the domain functional level and raise it to at least Windows 2000 native. The lowest level of the 4 levels is called Windows 2000 Mixed and that is the only one of the 4 that OM 2007 cannot work in. Note – this is the default domain functional level for Windows Server 2003 domains. See http://technet2.microsoft.com/WindowsServer/en/library/da255f53-ae6c-4af8-80f1-9b3c046022311033.mspx?mfr=true

Note – there are no schema changes with OM 2007 that I have come across. Containers do get created though.

AD Integration with security and controlling access to the console

One thing I have not come across is any papers looking at the use of AD integration to help lock down the console. There is this mini video though.

Create User Roles
Presenters: Joseph Chan, Microsoft
This video demonstrates how to create user roles to control access to Operations Manager data and monitoring objects like tasks and views according to the user's business responsibilities and needs.
Running Time (minutes): 5:39
Date Posted: March 18, 2007

AD Management Pack

What’s new
• Domain discovery that enables Operations Manager 2007 to automatically discover domains in your Active Directory environment
• New performance and client monitoring views to provide more ways to view your monitoring data
• A new child domain topology view, allowing you to see subdomains of other domains
• New dashboard views that combine multiple views into one view to allow analysis of trends and similarities between related metrics

Caveats
• Neither of the Management Packs (the AD Client Monitoring is considered a separate pack and is to be deployed on Exchange servers that are clients to AD) supports agentless monitoring.
• The Active Directory Management Pack does not support monitoring across multiple forests. (This is strange as using the Gateway tool allows servers in multiple forests to be monitored by one OM management group.)
• You cannot monitor a domain controller running on the x64-bit version of Windows Server 2003 with Operations Manager 2007 and Microsoft Operations Manager 2005 simultaneously.
• If an Operations Manager 2007 64-bit agent is installed on a domain controller running in 64-bit mode, the existing 32-bit version of OOMADS remains and will not be upgraded. This means that the 2007 Active Directory Management Pack monitoring will not work. The Microsoft Operations Manager 2005 monitoring will continue to work.

Active Directory Management Pack Guide for Operations Manager 2007
March 27, 2007
This document includes a Management Pack overview, deployment procedures, and monitoring scenarios for the two Active Directory Domain Services (AD DS) Management Packs
Download the Guide

Enabling the Agent Proxy allows each domain controller to discover its connection object between other domain controllers. Connection objects are hosted by the forest, and the forest is discovered by the topology discovery, which is run on the Operations Manager 2007 principal Management Server. (I take it that they mean Root Management Server).

Agent “Act as a Proxy” Bulk Update zip file from systemcenterforum.org
A PowerShell script that will enable the ‘Act as a Proxy’ functionality on a group of agents. This is useful when an MP requires a large number of agents to have this functionality enabled.

In order to make any changes to the AD MP, such as changing the value for the “Intersite Replication Latency Threshold Value”, you will need to use overrides as the MP is sealed. Although this video does not cover AD overrides, it is useful to see the process, especially as the menu options in the GUI are not that intuitive.
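For the ‘Act as a Proxy’ bulk update described above, the following script is an added example (not the systemcenterforum.org script and not part of the original post) that limits the change to domain controllers and reports anything outside that scope. It assumes the Operations Manager 2007 Command Shell (`Get-Agent`, `ProxyingEnabled`, `ApplyChanges()`), that agent and DC names are both FQDNs, and a hypothetical `-Apply` switch defined by the script itself.

```powershell
# Added example: run from the Operations Manager 2007 Command Shell on a
# domain-joined machine. Reports by default; pass -Apply to change settings.
param([switch]$Apply)

# Assumption: the agents that need proxying for the AD MP are exactly the
# domain controllers of the current domain, listed here by FQDN.
$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcNames = @($domain.DomainControllers | ForEach-Object { $_.Name })

# Assumption: the agent's Name property is its FQDN, matching the DC names.
$agents     = @(Get-Agent)
$agentNames = @($agents | ForEach-Object { $_.Name })

foreach ($agent in $agents) {
    $isDc    = $dcNames -contains $agent.Name
    # ProxyingEnabled is compared as text, the form commonly used in 2007-era scripts.
    $proxyOn = "$($agent.ProxyingEnabled)" -match 'True'

    if ($isDc -and -not $proxyOn) {
        if ($Apply) {
            $agent.ProxyingEnabled = $true
            $agent.ApplyChanges()
            Write-Host "ENABLED  $($agent.Name)"
        } else {
            Write-Host "WOULD ENABLE  $($agent.Name)"
        }
    } elseif (-not $isDc -and $proxyOn) {
        # Proxying lets an agent submit data about objects other than itself,
        # so any non-DC agent with it enabled should have a known reason.
        Write-Host "REVIEW   $($agent.Name) has proxying enabled but is not a DC"
    }
}

# Domain controllers with no agent at all are not monitored by the AD MP.
foreach ($dc in $dcNames) {
    if ($agentNames -notcontains $dc) {
        Write-Host "NO AGENT $dc"
    }
}
```

Run it once without `-Apply` and check the WOULD ENABLE and REVIEW lines before making the change.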
Adjusting Monitors with Overrides
Presenters: Lorenzo Rizzi, Microsoft
This video provides an overview of the overrides feature in Operations Manager 2007.
Running Time (minutes): 5:37
Date Posted: March 18, 2007

AD Integration

AD integration is new to OM 2007. This allows the agent to be deployed in a server build or by SMS and use the AD to notify the agent where to go for the management group, management server and failover management server. As you can see there is a lot of information covering this.

Note: If you are not planning to deploy the agents within a server build, via a tool like SMS etc., but instead are planning to push the agents out from the console, you can ignore this section.

AD integration concept, see Using Active Directory Domain Services to Assign Computers to Operations Manager 2007 Management Groups. http://technet.microsoft.com/en-us/library/bb309470.aspx

How to Create an Active Directory Domain Services Container for an Operations Manager 2007 Management Group – http://technet.microsoft.com/en-us/library/bb309685.aspx
Provides the procedure to create in a domain an AD DS container for an Operations Manager 2007 Management Group.
How to Use Active Directory Domain Services to Assign Computers to an Operations Manager 2007 Management Group – http://technet.microsoft.com/en-us/library/bb381226.aspx
Provides the procedures to assign computers to Operations Manager 2007 Management Groups by using AD DS.

Active Directory Integration
Presenters: Joseph Chan, Microsoft
This video demonstrates how to configure Active Directory integration to automatically assign agents to management servers.
Running Time (minutes): 6:03
Date Posted: March 18, 2007

Active Directory Integration in Ops Mgrs 2007 PDF from SystemCenterForum.org
How to configure Active Directory integration for an Operations Manager 2007 management group.

Notes on AD Integration in Ops Mgr 2007 SystemCenterForum.org
Additional info.

InFront Consulting
Additional documentation (PDF) on how to Configure Active Directory integration in Ops Mgr 2007 RC2. (Some of the issues he saw when first doing the configuration)

Active Directory Integration in Operations Manager 2007
Posted by Rory on 2/17/2007
Learn how to configure Active Directory integration in Operations Manager 2007 using the new MOMADAdmin.exe utility. MOMADAdmin.exe is a new tool included in the Support Tools folder on the Operations Manager 2007 media that allows you to prepare the Act… (Registration Required)