Windows LiveWindows Live
 
 
Stuart's profileStuart Renes: The BlogPhotosBlogListsMore Tools Help

Blog
    August 21

    Deploying MOM 2005 agents on Windows Server 2008 Domain Controllers

    Here's a tip to help you avoid the pitfall of the AD MP scripts not working after agent deployment on Windows Server 2008 DC's. Turns out that you may need to use LocalSystem as the Agent Action account for all of this to work properly. I had been using a Domain Administrator account as my Agent Action account for years until Server 2008 came along. Until I switched my x64-based W2K8 DC's to a LocalSystem agent action account, the agents couldn't create their MOM Latency containers and most of the AD-based script tests would fail with "Access Denied" errors.

    Here's some background on this account. It exists on every Windows computer -- whether it is a client workstation, domain controller or server and it has total control over the computer and cannot be locked out or denied any privilege.

    The characteristics of this account include:

    • Access to all processes, including system processes
    • Full access to local resources
    • Applications that may run in the context of the LocalSystem account
    • Pre-defined account in Windows
    • Use of the computer account's privileges to access network resources

    On a domain controller, the LocalSystem account has full access to Active Directory because a replica exists on the local computer's file system and is, therefore, considered a local resource.

    I haven't yet figured out what has changed in Server 2008 to require the use of this all too powerful account as an agent action account but when I do I'll post details here.

    4:22 PM | Add a comment | Permalink | Blog it
    August 11

    .NET 2.0 causes MOM 2005 Computer Discovery Problems

    If you're planning on managing any Windows Server 2008 machines with MOM 2005, you'll no doubt want to apply the following new MOM 2005 SP1 hotfix:

    The MOM service does not start and event 9014 is logged when you deploy a Microsoft Operations Manager 2005 agent to a domain controller that is running Windows Server 2008

    http://support.microsoft.com/default.aspx/kb/919154

    You'll note that the deployment of this hotfix on your MOM DAS server requires .NET 2.0 as a prerequisite! Not good. This is where the problem occurs because adding .NET 2.0 to a MOM 2005 DAS server causes MOM 2005 computer discovery to break.

    Never fear, this was fixed earlier this year by a little known hotfix:

    After you install version 2.0 of the .NET Framework on a server that is running Microsoft Operations Manager 2005 with SP1, you can no longer discover computers in Active Directory

    http://support.microsoft.com/kb/913812/en-us

    4:13 PM | Add a comment | Permalink | Blog it