Remove Active Directory integration

    Question

  • Hi,

    I've configured my OpsMgr environment with Active Directory integration. But we want to remove this to configure it with a PowerShell script.

    Through the console I removed the auto assignment, but my script still fails; telling me the agent is configured for Active Directory.

    Looking in AD I still see the OperationsManager container with sub-containers and filled groups, can I just remove those?

    I already restarted the Config and SDK services and the healthservice on the managed server.

    Thanks!
    • Moved by Rob Kuehfus (Owner) Wednesday, June 03, 2009 7:49 PM AD Integration is a deployment question. You may get better results over there. (From:General)
    Tuesday, June 02, 2009 10:30 AM

All replies

  • If you remove the LDAP query in the console, and remove the container in AD manually, the AD integration feature should be removed.
    Anders Bengtsson | Microsoft MVP - Operations Manager | http://www.contoso.se
    Tuesday, June 02, 2009 11:28 AM
    Moderator
  • I saw something like this about a week ago, turns out the AD Integration rule stuck around even after it was deleted from the console.  You can try running a couple of PowerShell queries which should reveal if your rule is still there.  Post the results if you can.

    # This will get all AD integration rules, assuming nothing was renamed
    Get-Rule | where { $_.DisplayName -match 'AD rule for domain' } | select Name, @{N='MP'; E={ $_.GetManagementPack().Name }} | Format-List

    # Results from this should match up with the AD integration rules from the previous query. If not, there is some problem.
    Get-ManagementServer | foreach { $_.Name; $_.GetAgentAssignments() }

    Thanks,
    -Lincoln

    Tuesday, June 02, 2009 5:56 PM
  • You should also be able to export your default MP and examine it - that is where the AD assignment rule is stored.  It could potentially be cleaned manually if it is still present with everything else removed.

    Remember - your AD integrated agents will need to be reset to not use AD integration.  You could potentially do this with a repair... or hotfix... or by modifying the appropriate registry entry and restarting the healthservice.
    Wednesday, June 03, 2009 6:04 AM
    Moderator
  • Thanks for the replies. I deleted the container but for one agent I still get the message that the Agent assignment cannot be updated because it is managed through AD.

    I tried a repair with same results.

    Kevin: which hotfix should I apply, or which registry can I modify?

    Thanks
    Wednesday, June 03, 2009 9:40 AM
  • Hi Mark,

    For just one agent you might want to change the registry key. In a blog post from Steve Rachui on
    http://blogs.msdn.com/steverac/archive/2008/03/20/opsmgr-ad-integration-how-it-works.aspx
    at the end it mentions the registry key. Change that one and restart the healthservice on the agent.

    HTH
    Greetz,

    Arie de Haan
    MVP SCOM
    This posting is provided "AS IS" with no guarantees, warranties, rights etc.
    Wednesday, June 03, 2009 10:26 AM
    Moderator
  • Hmm, I would have thought between removing the AD Integration rule and running agent repair this would have changed the agent back to a push install behavior.  What are you seeing in the event log after you restart the agent's health service?


    Rob Kuehfus | System Center Operations Manager | Setup and Deployment Program Manager
    Wednesday, June 03, 2009 7:47 PM
    Owner
  • I assume you installed this agent using manual install (MOMAGENT.msi)
    If so and if you are short on time and you don't mind removing the agent - the cleanest way to deal with this is to reinstall the agent with the issue. During the reinstall, be sure to specify a specific management group + management server, instead of looking up AD.

    Alternatively, you can also try, under Add/Remove Programs, selecting the OpsMgr agent and clicking "Change"... then remove the option to check Active Directory and specifically specify a Management Group + Management Server... not sure how effective this is... but you can try.

    Joseph Chan [MSFT]
    -------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples is subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
    Wednesday, June 03, 2009 8:12 PM
  • I believe Rob Kuehfus published a document and PowerShell script that could be modified to manipulate the registry key that controls the AD Integration setting. Seems to me that would be appropriate in this case to revert agent configuration to the desired setting.


    Pete Zerger, MVP-MOM | http://www.systemcenterforum.org
    Thursday, June 04, 2009 6:11 AM
    Moderator
  • Hi all,

    Update on this is that I managed to get it to work with the agent. I repaired the agent again and verified that the registry key was set to 0. After that I managed to apply the script.

    But we actually have the same problem for our gateway server. For this one I used this script:

    # Look up the three management servers by FQDN, then point the gateway at its primary and failover
    $primaryMS  = Get-ManagementServer | where { $_.Name -eq 'server001.contoso.local' }
    $failoverMS = Get-ManagementServer | where { $_.Name -eq 'server002.contoso.local' }
    $gatewayMS  = Get-ManagementServer | where { $_.Name -eq 'gateway.contoso.local' }
    Set-ManagementServer -GatewayManagementServer: $gatewayMS -PrimaryManagementServer: $primaryMS -FailoverServer: $failoverMS


    We receive a similar error as with the agent:

    ServersImmutableException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Microsoft.EnterpriseManagement.Common.ManagementServersImmutableException: Agent gateway.contoso.local is currently managed through
    Active Directory. To change the agent assignment, please update the Active Directory integration configuration.).

    Here I also verified the reg key:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager]
    "EnableADIntegration"=dword:00000000

    Please help.
    Thursday, June 04, 2009 2:02 PM
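    The registry check above, together with the "change the key and restart the healthservice" step Arie and Pete describe, as an added PowerShell example that is not from this thread or from the product group. It assumes the OpsMgr 2007 agent key layout quoted above (EnableADIntegration under ConnectorManager) and that it is run on the agent, or through Invoke-Command, with local administrator rights; without -Fix it only reports.

```powershell
# Report, and optionally clear, the agent-side AD Integration flag, then restart HealthService.
# Example code, not the thread's or Microsoft's. Assumes the key/value quoted in this thread.
param(
    [switch]$Fix   # without -Fix the script only reports the current state
)

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager'
$valName = 'EnableADIntegration'

if (-not (Test-Path $keyPath)) {
    Write-Warning "Key $keyPath not found; is the OpsMgr agent installed on this host?"
    return
}

# Read the value without throwing if it is absent (older agents may not have it at all)
$props = Get-ItemProperty -Path $keyPath
if ($null -eq $props.PSObject.Properties[$valName]) {
    $current = $null
    Write-Host "$valName is not present under $keyPath"
} else {
    $current = [int]$props.$valName
    Write-Host "$valName = $current"
}

if ($current -eq 1) {
    if ($Fix) {
        # Match the value Mark verified above (0 = not managed through AD), then bounce the agent
        Set-ItemProperty -Path $keyPath -Name $valName -Value 0 -Type DWord
        Restart-Service -Name HealthService -Force
        Write-Host "Set $valName to 0 and restarted HealthService; re-run Set-ManagementServer now."
    } else {
        Write-Host "Agent is still flagged for AD Integration; re-run with -Fix to clear it."
    }
}
elseif ($current -eq 0) {
    # Flag already clear: if Set-ManagementServer still raises ManagementServersImmutableException,
    # the leftover is on the management group side (default MP assignment rule or AD container).
    Write-Host "Registry flag is already 0; check the AD assignment rule in the default MP and the AD container next."
}
```

    Run it first without -Fix on the failing agent or gateway; if it already reports 0, as in Mark's case, the registry is not the blocker and the remaining checks are the Get-Rule / GetAgentAssignments queries Lincoln posted above.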
  • I wonder if you got into this state with the gateway by installing the gateway server role first and then running the gateway approval tool.  Can you confirm this?

    Rob Kuehfus | System Center Operations Manager | Setup and Deployment Program Manager
    • Marked as answer by Rob Kuehfus (Owner) Thursday, June 11, 2009 6:03 PM
    • Unmarked as answer by Mark009 Tuesday, June 16, 2009 2:16 PM
    Friday, June 05, 2009 10:18 PM
    Owner
  • Hi all,

    Sorry for the late reply but I was on a holiday. I checked and we are not sure if we ran the tool after or before the deployment of the gateway. If we did it afterwards what is the procedure to get this fixed?

    Thanks.
    Tuesday, June 16, 2009 2:18 PM
  • No workaround that I know of.  Uninstall and reinstall gateway.


    Rob Kuehfus | System Center Operations Manager | Setup and Deployment Program Manager
    Tuesday, June 16, 2009 11:19 PM
    Owner
  • I came across this thread today

    http://www.eggheadcafe.com/software/aspnet/33767070/gateway-server-cannot-set.aspx

    You can give it a try and see if it clears things up.  This has not been tested by the product group. 

    Use at your own risk.  :)

    I am closing this thread at this point.
    Rob Kuehfus | System Center Operations Manager | Setup and Deployment Program Manager
    Friday, June 19, 2009 4:33 AM
    Owner