Configuration and Deployment of MOM Agents

When planning to configure and deploy MOM agents, the first step in the deployment process is to identify and make a record of the computers that you want to manage by using MOM. All of these computers must meet the requirements listed in the Microsoft Operations Manager 2005 Supported Configurations documentation. To install agents, an administrator has several options. There is a wizard supporting the installation process along with command line support. Let's look at the steps involved in using the Install/Uninstall Agents Wizard, shown in Figure 7-1, to install agents on computers in your Management Group. You can add computers to any Management Server in the Management Group by running the Install/Uninstall Agents Wizard. The Management Server that you select will be the primary Management Server for the managed computers on which you install agents. To install an agent, you need to perform the following steps:
With MOM agent installations, you need to consider the security aspects of agent deployment. Agent installation, or deployment, involves a few security requirements and some security considerations. You can choose the security context that the agent runs under. You can deploy agents automatically by creating computer discovery rules, or manually by using the Agent Installation Wizard on the remote computer. When you use the Install/Uninstall Agents Wizard, MOM searches for and installs agents on computers on your network. The MOM Management Server performs a computer discovery based upon the criteria that you specify in the wizard and always installs (or uninstalls) the agents regardless of the setting on the Automatic Management tab of the Management Server properties. When the Management Server discovers new computers, it either installs agents or puts the computers in the Pending Actions folder, depending upon the setting on the Automatic Management tab of the Management Server properties. If you are using discovery-based agent deployment, you can either provide credentials for an account, or you can use the Management Server's action account. The account you use must be a local administrator on all of the computers to which you are deploying agents. The credential information that is used to install agents is encrypted before being communicated and then discarded after use. The Management Server's action account can be used for installing or uninstalling agents on remote computers and updating settings on agents. If you choose to use the account for this purpose, the account must be a domain account with administrator privileges on all target computers to which it is to install agents. An alternative to using this highly privileged account is to configure the Management Server's action account to be a low-privileged account and to either specify credentials for installing agents when you use the Install/Uninstall Agents Wizard, or manually install agents. 
The Management Server uses the following to deliver the files needed for agent installation on remote computers and for updating agent settings after installation:
If these ports are disabled on the Management Server or any of the target computers, or the target computer and Management Server are separated by a firewall, you cannot use discovery-based deployment to install agents. You must either enable these ports or install the agents manually. Manual installation does not require these ports. If you disable the File and Printer Sharing for Microsoft Networks and the Client for Microsoft Networks services, the SMB ports are disabled as well. Because of these security implications related to MOM agent deployment, MOM agents must be manually installed or updated under the following circumstances:
In some cases, you may find it necessary to manage a computer outside of a firewall. You can have normal communications between managed computers that are beyond a firewall from the Management Server if you open the TCP/UDP port 1270. However, you must manually install and update these agents. Mutual authentication and the signed and encrypted communications are still available if a full Active Directory trust relationship exists between the Management Server domain and the agent domain. Otherwise only signed and encrypted communications are available. You can also have agents in non-trusted domains or workgroups; however, mutual authentication is not available because, by definition, no two-way trust relationship exists between the Management Server domain and the agent domain. The secure channel is still available, however. You must install and update the agents manually. If the Management Server is configured to require mutual authentication, these agents will not be able to communicate with it. By default, MOM does not secure the files and other data that are used to deploy agents. The deployment process uses both the SMB ports and the RPC/DCOM port range. You can use either SMB packet signing or IPSec to secure the agent deployment. In the case of a manual agent deployment, there are command-line options available when installing a MOM agent by using the Agent Setup Wizard (MOMAgent.msi). The command-line options are shown in the following table.
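The port rules above decide, per target, whether discovery-based deployment can work from the Management Server or whether a manual MOMAgent.msi install is required. The following PowerShell script is an added example, not code from the book or from MOM itself; the function names and the target host names are assumptions, and it probes the standard SMB (TCP 445) and RPC endpoint mapper (TCP 135) ports, which the text names only generically, plus the MOM agent port 1270.

```powershell
# Added example: classify each inventoried computer by which ports the
# Management Server can reach. Port 445 and 135 are the standard SMB and RPC
# endpoint mapper ports (assumed here); 1270 is the MOM agent port from the
# text. The dynamic RPC/DCOM range is not probed, so a "possible" verdict
# still assumes that range is open between the two hosts.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A filtered port never answers; bound the wait so the scan finishes.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-MomDeploymentMode {
    param([string]$ComputerName)
    $smb = Test-TcpPort -ComputerName $ComputerName -Port 445
    $rpc = Test-TcpPort -ComputerName $ComputerName -Port 135
    $mom = Test-TcpPort -ComputerName $ComputerName -Port 1270
    # Discovery-based install needs SMB and RPC/DCOM; a host behind a firewall
    # with only 1270 open must be installed and updated manually but can still
    # report to the Management Server; with 1270 closed it cannot report at all.
    $mode = if ($smb -and $rpc) { 'Discovery-based install possible' }
            elseif ($mom)       { 'Manual install required (only 1270 reachable)' }
            else                { 'Manual install required; 1270 blocked, agent cannot report' }
    New-Object PSObject -Property @{
        Computer = $ComputerName; SMB445 = $smb; RPC135 = $rpc; MOM1270 = $mom; Mode = $mode
    }
}

# Constructed sample inventory; replace with the list recorded in the planning step.
$targets = @('srv-app01.corp.example', 'srv-db01.corp.example')
$targets | ForEach-Object { Get-MomDeploymentMode -ComputerName $_ } |
    Format-Table Computer, SMB445, RPC135, MOM1270, Mode -AutoSize
```

Run it from the Management Server itself, since that is the host whose reachability the deployment depends on.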
Here's an example of an agent with control level of None installed in the default location using a domain account for the MOM Agent Action Account.

msiexec /qn /I \\[location of setup program]\MOMAgent.msi CONFIG_GROUP="group_name" MANAGEMENT_SERVER="server_name" AM_CONTROL="None" ACTIONSUSER="account_name" ACTIONSPASSWORD="account_password" ACTIONSDOMAIN="domain_name"

While agents are important in the MOM architecture, it is possible to perform some of the monitoring functions without the use of an agent. This is called agentless monitoring, and it describes the ability to monitor remote resources in a manner that is similar to how local resources are monitored through providers and responses in the local agent scenario. If providers that support remote access to resources are used and the responses can execute their logic remotely using tools such as RPC or DCOM, then those sets of rules work the same way on both agentless and agent-managed computers. Once a computer is identified, MOM starts monitoring the agentless computer as though there were an agent installed on the computer. You need to think about a few things before opting for agentless monitoring. First, the MOM Action Account must have administrative user rights on the computers you want to manage without an agent. So while there is less intrusion because there is no installed agent, the privileges required could be considered intrusive from a security perspective. As discussed in Chapter 2, administrators can achieve the following with agentless monitoring:
However, agentless monitoring has the following limitations:
Because agents are core to the MOM architecture and in general provide more functionality, it probably makes sense to use them whenever possible. However, for those cases where an agent cannot be deployed to the remote system, agentless monitoring remains an option.