Hi, in this post I will try and clarify some of the issues surrounding agent deployment with OpsManager, plus how your agent deployment method is related to AD integration.
Firstly, lets look at how we can deploy the agent. This is one of the decisions that must be made at the design stage, you don’t want to be deciding this during the implementation phase!
So here they are:
- ‘Push’ using the discovery wizard in the Operations Console
- Manually, by running MOMAgent.msi
- Using a software delivery mechanism such as Configuration Manager
(there are others, but you get the idea)
Next, lets talk about AD integration…
AD integration is a method of storing agent configuration in the Active Directory. This means that agents will know which management groups to talk to, and also know their primary and failover management servers. The configuration is updated regularly, so using AD integration means that you have a central place to manage (nearly) all your agent configuraiton.
A few points though:
- AD integration does not install the agent. You must do this another way.
- AD integration does not work on Domain Controllers, agents in a DMZ or those behind a gateway server. We must resort to PowerShell again here.
- You should implement AD integration in every domain in the forest and every domain in a trusted forest.
So now that we’ve established the basics, lets look at the agent deployment methods:
Push – Discovery Wizard
This option is the often perceived as the simplest way of getting the client out there. There are, however, some things that must be considered:
Firstly, firewall ports must be open on the agent managed machines to allow RPC and WMI access. This makes push a less attractive option when dealing with DMZ machines or those behind network firewalls.
Secondly, you must have an account with which to install the agent. This must be a local admin on the computers that you wish to manage,
Thirdly – and this is the biggest problem for me…
Deploying the agent using the discovery wizard will disable AD integration for that agent (for that particular management group)
This means that agent failover for agents deployed using the discovery wizard must be managed using PowerShell. To prevent the configuration drifting, I recommend scheduling a suitable PowerShell script to run on a regular basis.
Why MS chose to do things this was is baffling to me. It’s also not talked about that much in the docs, therefore it can be confusing.
This has obvious scale limitations but may be your only option. AD integration is possible.
Deployment using Configuration Manager
I prefer this method. Of course you do have to have ConfigMgr installed :) It’s a great way of getting the agent out there and then having a reliable method of patching and maintaining the agents. It’s easy to set up a query based collection to automatically deploy the agent to the correct computers. There is no further configuration required because this would typically be combined with AD integration.
As you may have gathered, I like AD integration. It’s such a shame that Microsoft make it incompatible with the discovery wizard.
Here is a list of MSI parameters to use when you want to silently install the agent: