System Center Operations Manager 2007 R2

In an earlier post I wrote about a repeating Ops Mgr event on our RMS: Event ID 1106.

I’m adding to that post with an update for Ops Mgr 2007 R2.

Like most shops, we integrated Active Directory into our Ops Mgr 2007 SP1 environment.

We accomplished this by following the Active Directory Integration documentation produced by Rory McCaw with Infront Consulting.

Fast forward to our upgrading to Ops Mgr 2007 R2 (July 2009)…

About one month after we upgraded we started to receive the Event ID: 1106 (again).

This time I took a deeper look into what was really going on and into resolving the issue.

When you originally perform the steps outlined above for Active Directory Integration, you only create a rule that is used solely during the setup of Active Directory Integration.

Wha?

Yep – you need to go into the Active Directory Based Agent Assignment Account (Profiles) and change the Run As Account from Local System Windows Account to an Active Directory domain account that has Read / Write permissions to the Operations Manager management container in Active Directory.


This leads me to wonder how many other Ops Mgr instances out there are still set up in this manner (?).

Actually, it will continue to work until either an upgrade to Ops Mgr 2007 R2 is performed or, one day, it just stops working and starts spewing out Event ID: 1106 events in the RMS Ops Mgr Event Log.

This is what our issue / problem was, and once we assigned the correct domain account (with perms) and restarted the Health Service on the RMS, all was well…

Below is a more detailed outline of the steps to take:

We deleted the Local System Windows Account and then created a new Run As Account (Ops Mgr 2007 R2 allows you to create the account within the Run As Profile; Ops Mgr 2007 SP1 didn’t allow that and you had to close the wizard, create the account and then go back in):

General Properties: Select the Run As Account Type.

Enter the Display Name and Description (optional).

Credentials: Enter the User Name (of the Active Directory account), Password and Domain.

Distribution Security: Remember this should be a domain account with perms to Read / Write to the Operations Manager management container in Active Directory.

This is where you would choose to Automatically allow agents to be managed or if you want to Manually approve them. Since we want a little more control on which servers will be approved to be monitored, we’ll select More Secure. Your environment might be different.

Wizard completed successfully – now we need to associate our newly created Run As Account with an appropriate Run As Profile. Since we created this within the Active Directory Based Agent Assignment Account, it is pretty simple…

Back at the original screen, the newly created Run As Account is now listed.
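
One way to confirm the fix from Windows PowerShell on the RMS once the Health Service has been restarted. This is an added example, not part of the original post or of Ops Mgr itself; the container DN and the account name are placeholders to replace with your own.

```powershell
# Added example. Run after: Restart-Service HealthService
param(
    # Assumed DN of the Operations Manager container; substitute your own.
    [string]$ContainerDN = 'CN=OperationsManager,DC=example,DC=com',
    # Constructed names: the Run As Account plus any group that grants it rights.
    # Group membership is not resolved here, so list those groups explicitly.
    [string[]]$Identities = @('EXAMPLE\svc-opsmgr-adint'),
    # Count only events logged after the Health Service restart.
    [datetime]$Since = (Get-Date).AddHours(-1)
)

$adr = [System.DirectoryServices.ActiveDirectoryRights]

# Read the container's ACL (explicit and inherited ACEs) and keep the
# entries whose trustee is one of the identities we care about.
$entry = [ADSI]"LDAP://$ContainerDN"
$rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$aces  = @($rules | Where-Object { $Identities -contains $_.IdentityReference.Value })

# Union of everything granted by Allow ACEs; Deny ACEs still show in the table.
$allowed = 0
foreach ($ace in $aces) {
    if ($ace.AccessControlType -eq 'Allow') {
        $allowed = $allowed -bor [int]$ace.ActiveDirectoryRights
    }
}
$canRead  = ($allowed -band [int]$adr::ReadProperty)  -ne 0
$canWrite = ($allowed -band [int]$adr::WriteProperty) -ne 0
$fullCtl  = ($allowed -band [int]$adr::GenericAll) -eq [int]$adr::GenericAll

$aces | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited
"Read: $canRead  Write: $canWrite  Full control (wider than Read / Write): $fullCtl"

# Any Event ID 1106 logged since the restart means the problem persists.
$hits = @(Get-EventLog -LogName 'Operations Manager' -After $Since -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 1106 })
"Event ID 1106 since ${Since}: $($hits.Count)"
```

An empty ACE table means the account gets its rights, if any, through a group that was not listed in `$Identities`.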

So where does the AD Integration improvement come in?

Before we get to the improvements, let’s have a brief explanation of both the Run As Account and Run As Profile (taken from System Center Operations Manager 2007 Unleashed):

The Run As Account represents an identity that can be associated with a Run As Profile.
The profile maps the Run As Account to a specific computer.
Rather than assigning additional rights to the Action Account, using Run As Accounts and Run As Profiles provide the ability to run a task, rule or monitor with an account that has the necessary rights. – System Center Ops Mgr 2007 Unleashed

We know Ops Mgr 2007 R2 can now monitor Unix / Linux nodes, but most people are not aware that the Ops Mgr Product team had to make some modifications to some of the Default Profiles because of this inclusion.

Let’s take a look at the Active Directory Based Agent Assignment Account Profile as an example.

Our newly created Run As Account – Active Directory SLP Publisher Account could easily have targeted a specific class, group or object (RMS).

I like the option to choose All targeted objects or A selected class, group or object, but keep in mind the more specific or granular you get, the more difficult it might be to troubleshoot.

In Ops Mgr 2007 SP1 this was not an option; it was ‘All targeted objects’ or nothing…

I would like to thank Tim Helton of Microsoft who provided some background on how the Run As Account and Run As Profile accounts have changed in Ops Mgr 2007 R2.