purpose of enabling agent proxy

  • Question

  • I read in the Active Directory management pack that I have to enable the agent proxy setting, as this setting allows a domain controller to discover connection objects in other domain controllers.

    First question: what is the necessity to discover connection objects on other domain controllers, and what is the purpose?

    Then in the same document it says you could make an override to disable AD Remote Topology Discovery, then click "allow this agent to act as a proxy and discover managed object on other computer".

    How come I disable AD Remote Topology Discovery and meanwhile allow the agent to do the same thing? I feel that I have a misunderstanding.

    Attached is the paragraph on enabling the agent proxy:

    ######################################################################

    Enable the AgentProxySetting on All Domain Controllers

    Enabling the Agent Proxy makes it possible for each domain controller to discover the connection object to other domain controllers. Connection objects are hosted by the forest, and the forest is discovered by the topology discovery, which is run on the Operations Manager 2007 root management server.

    To perform the procedures in this section, you must be a member of the Operations Manager Administrators group in the Operations console. For more information, see Account Information for Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=165736).

    To discover domain controllers

    1.    In the Operations console, click Administration.
    2.    In the navigation pane, right-click Agent Managed, and then click Discovery Wizard.
    3.    In the Computer and Device Management Wizard, on the What would you like to manage? page, ensure that Windows computers is selected, and then click Next.
    4.    On the Auto or Advanced? page, select the type of discovery and the type of computers that you want the management server to use. Any discovery method should be able to locate the domain controllers. Click Next.
    5.    On the Discovery Method page, select one of the following options: Scan Active Directory or Browse for, or type-in computer names.

    If you select Scan Active Directory, you click the Configure button, and then you use the Find Computers dialog box to search for the computers that you want to be discovered.

    If you select Browse for, or type in computer names, you click the Browse button, and then you use the Select Computers dialog box to locate specific computers.

    You can use both methods to produce a list of computers to be discovered. Select the method that you want to use, and then click Next.

    Important

    The account that you select to use for browsing will also be used for installing the agent on the discovered computers. Therefore, ensure that you use an account that has permissions to install software on the domain controllers that you want to discover.

    1.    On the Administrator Account page, you can determine which account you want to use to discover the client computers. After you select the account that you want to use, click Discover.
    2.    On the Select Objects to Manage page, the discovery results are displayed. Use the check boxes to select the computer or computers that you want to configure for management, and then click Next.
    3.    On the Summary page, you can set the agent installation directory or you can accept the default. Also, you can determine the credentials that you want to use on the computer to run the management agent, or you can accept the Local System account as the default. When you are ready to install the agent on the selected computer, click Finish.
    4.    After the installation is complete, you see the Agent Management Task Status dialog box, which indicates the success of installation. If there are any problems with the installation, you can use the information in the dialog box to help resolve the problems. Click Close.

    To enable the Agent Proxy setting on all domain controllers

    1.    In the Operations Console, click Administration.
    2.    In the navigation pane, click Agent Managed.
    3.    Double-click a domain controller in the list.
    4.    Click the Security tab.

    Notes

    If you do not want to change this security setting or if you do not need to discover connection objects, disable AD Remote Topology Discovery by using an override:

    1.    In the Operations Console, click Authoring, and then click Object Discoveries.
    2.    In the Operations Console toolbar, click Scope.
    3.    In the Scope Management Pack Objects dialog box, click View all targets.
    4.    Click Active Directory Connection Object, and then click OK.
    5.    The AD Remote Topology Discovery object is in the Object Discoveries pane. Right-click the object, click Overrides, and then click the override option that you want to implement.
      1.    Click Allow this agent to act as a proxy and discover managed objects on other computers.
      2.    Repeat steps 3 through 5 for each domain controller.

    Thursday, October 18, 2018 10:47 AM

Answers

  • Hi,

    I will try to explain this:

    Enabling the agent to act as a proxy (as you already know) gives you the possibility to gain information regarding objects in your Active Directory which are not directly monitored (don't have agents or are of a type that does not allow monitoring them directly) or are, let's say, on another hierarchy level (typically higher) than the agent computer itself. This is very often the case with AD objects, which are above the computer agent in the class hierarchy, so the only way to discover them would be to enable the proxy option on the computer which is able to discover them (the domain controller).

    I am not sure which MP version you are using, but I can tell for sure that you need to enable the Topology Discovery workflow in the newest version of the AD Management Pack, because otherwise you won't be able to discover your Active Directory connection objects.

    From the guide:

    "The major task of the Microsoft.AD.Remote.Topology.Discovery workflow is to discover connection objects. Also in this workflow, the proxy must be enabled (as described in Enable the AgentProxySetting on All Domain Controllers) at each of the agents to complete discovery data submission."

    In my opinion AD connection objects are pretty important to monitor, so disabling the workflow is a "no go" for me.

    My suggestion: enable all DCs to act as proxy. This is just fine (read the blog post of Kevin Holman here). Make sure your Topology Discovery workflow is enabled and forget about it.

    P.S. I think the guide states that it does not make sense to have the AD Topology Discovery workflow enabled if proxying is not enabled for the domain controllers. This is the case because in this case it (the workflow) won't work. The reason for this: the workflow will still be executed and will fail, will most probably generate events, even alerts, and will cost you resources on the targeted systems. I think this is the particular answer you were looking for :)

    I hope I could help you out with this. 

    Regards,



    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov




    • Proposed as answer by CyrAz Thursday, October 18, 2018 11:37 AM
    • Edited by Stoyan ChalakovMVP Thursday, October 18, 2018 12:11 PM
    • Marked as answer by om zeyad Friday, October 19, 2018 8:46 AM
    Thursday, October 18, 2018 11:29 AM
  • Agree with Stoyan, and I'll suggest to enable proxy not only on the DCs but all your agents.

    Cheers



    Sam (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" wherever applicable. Thanks!) Blog:AnalyticOps Insights Twitter:Sameer Mhaisekar

    • Marked as answer by om zeyad Friday, October 19, 2018 8:47 AM
    Thursday, October 18, 2018 1:09 PM
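
Added example (not part of the thread or of the management pack guide): the "repeat for each domain controller" step from the quoted guide, done as a scripted audit that reports the proxy state of every domain controller's agent and then enables proxying only where it is still off. It assumes Operations Manager 2012 or later with the OperationsManager module, the ActiveDirectory module, and an existing management group connection; `Get-DcProxyState` is a hypothetical helper name.

```powershell
# Added example: audit and enable the Agent Proxy setting on domain controllers only.
# Assumption: run on a management server or after New-SCOMManagementGroupConnection.
Import-Module OperationsManager
Import-Module ActiveDirectory

function Get-DcProxyState {
    param(
        [Parameter(Mandatory)] [string[]] $DomainControllerFqdn,
        [Parameter(Mandatory)] [object[]] $Agent
    )
    # Index agents by display name (normally the FQDN).
    # PowerShell hashtable keys are case-insensitive, so DC01 matches dc01.
    $byName = @{}
    foreach ($a in $Agent) { $byName[$a.DisplayName] = $a }

    foreach ($dc in $DomainControllerFqdn) {
        $a = $byName[$dc]
        [pscustomobject]@{
            DomainController = $dc
            HasAgent         = [bool]$a
            ProxyEnabled     = if ($a) { [bool]$a.ProxyingEnabled.Value } else { $false }
            AgentObject      = $a
        }
    }
}

# Every domain controller in the current domain, by FQDN.
$dcs   = (Get-ADDomainController -Filter *).HostName
$state = Get-DcProxyState -DomainControllerFqdn $dcs -Agent (Get-SCOMAgent)

# Report: DCs without an agent cannot submit connection-object discovery data at all.
$state | Format-Table DomainController, HasAgent, ProxyEnabled -AutoSize

# Enable proxying only on DC agents that still have it disabled.
$state |
    Where-Object { $_.HasAgent -and -not $_.ProxyEnabled } |
    ForEach-Object { Enable-SCOMAgentProxy -Agent $_.AgentObject -PassThru }
```

Re-running the script after the change should show `ProxyEnabled` as `True` for every domain controller that has an agent.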

All replies

  • thanks

    I really appreciate your support

    Friday, October 19, 2018 8:47 AM