
To enable or disable Mutual Authentication

  1. In the MOM 2005 Administrator console, navigate to Administration / Global Settings.

  2. Open the Security Properties.

  3. On the Security tab of the Security Properties dialog box, clear the Mutual Authentication required check box. [Alternatively, select the checkbox to require mutual authentication.]

  4. Right-click the Management Pack folder and click Commit Configuration Change.

  5. Restart the MOM Service on all of the Management Servers in the management group.

  6. Change this setting on all affected agents. See the procedures below. The first two procedures require that the agent's Control Level is Full.

To change the settings on agents that all use the same Action Account

  1. In the Administrator console, navigate to Administration / Computers and select Agent-managed Computers.

  2. Multi-select all the agents that use the same Action Account, right-click them, and click Update Agent Settings.

  3. In the Update Agent Settings Task dialog, enter the agent Action Account credentials and click OK. This will update the settings you made to the Management Server on all of these agents. If you do not specify the Action Account credentials, the Action Account on all of these agents will be set to Local System.

To change the setting on each agent when the agents use different Action Accounts

  1. In the Administrator console, navigate to Administration / Computers and select Agent-managed Computers.

  2. Select the agent, right-click it and click Update Agent Settings.

  3. In the Update Agent Settings Task dialog, enter the agent Action Account credentials and click OK. This will update the settings you made to the Management Server on only this agent. If you do not specify the Action Account credentials, the Action Account on this agent will be set to Local System.

To change the setting on agents where the Control Level = None

  1. On the managed computer, log on with administrator-level privileges.

  2. In Add or Remove Computers, select Microsoft Operations Manager 2005 Agent and click Change.

  3. Select the Modify option and click Next.

  4. Select the Modify Management Group option, select the management group from the drop-down list, and click Next.

  5. On the Active Directory Configuration page, select the option that matches the change you made on the Management Server and finish the wizard.

To enable or disable Block legacy agents setting

  1. In the MOM 2005 Administrator console, navigate to Administration / Global Settings.

  2. Open the Security Properties.

  3. On the Security tab of the Security Properties dialog box, clear the Mutual Authentication required check box.

  4. Clear the Block legacy agents check box. [To block legacy agents, select the check box.]

  5. Right-click the Management Pack folder in the Administrator console and click Commit Configuration Change.

  6. Restart the MOM Service on the Management Server.

To enable or disable the Reject new manually installed agents setting

  1. In the MOM 2005 Administrator console, navigate to Administration / Global Settings.

  2. Open the Management Server Properties.

  3. On the Agent Install tab, clear the Reject new manual agent installations check box. (To reject new manually installed agents, select the check box.)

  4. Right-click the Management Pack folder in the Administrator console and click Commit Configuration Change.

    Note

    Before you restart the MOM Service on the Management Server in the next step, use the Event Viewer under the Application Log on the Management Server to verify that Event ID 21241 appears. The description of Event ID 21241 is as follows: The MOM Server detected a change to the rules for one or more computers, and will begin downloading the new rules and configuration settings to the affected computers.

  5. After Event ID 21241 appears on the Management Server, restart the MOM Service on the Management Server.

To enable or disable agent proxying in Global Agent Settings

  1. In the MOM 2005 Administrator console, navigate to Administration / Global Settings.

  2. Open the Agent Properties.

  3. On the Security tab of the Agent Properties dialog box, select the Prevent agents from proxying for other computers or network devices check box. [To enable agent proxying, clear the check box.]

To enable or disable Server-Side Responses

  1. In the MOM 2005 Administrator console, navigate to Administration / Global Settings.

  2. Open the Security Properties.

  3. On the Security tab, clear the Disable execution of custom responses on Management Servers option. [To disable Server-Side Responses, select the check box.]

  4. Click OK.

To enable or disable Read-Only access for the Web Console

  1. On the server hosting the Microsoft Operations Manager 2005 Web Console application, open the %INSTALLDRIVE%\Program Files\Microsoft Operations Manager 2005\WebConsole\web.config file in a text editor.

  2. In the <appSettings> node change the node "<!--add key="Readonly" value="true"/-->" to "<add key="Readonly" value="true"/>".

  3. Stop and restart the Microsoft Operations Manager 2005 Web Console application in the Internet Information Services snap-in.

To update agent settings for a specific MOM 2005 agent (inside a firewall)

  1. In the MOM Administrator console, expand the Administration node.

  2. Expand the Computers node and click Agent-Managed Computers.

  3. In the results pane, right-click the agent-managed computer and select Synchronize Communication Settings.

    Note

        You can use multi-select to select all the agents you want to update and then use the dialog to change all these agents.

  4. In the Update Agent Settings Task dialog box, under Which account do you want to use to update the agent settings, either select the Management Server Action Account option, or select the Other option and supply credentials that have administrator rights on the agents.

    Note

        If you have selected multiple agents, the credentials you supply for the account to update the agent settings must be a local administrator on all the agents.

  5. Under Which account do you want to use for the Agent Action Account, either select the Local System option, or select the Other option and supply credentials for an account that has the "Log on as a batch job" privileges on the agent.

    Note

        If you have selected multiple agents, you must either supply credentials for a domain account for the Action Account on all agents, that is, all agents will use the same account, or use the local system account on each agent. If you do not specify an account, the local system is used by default. This setting overwrites the current setting.

  6. Click OK.

To change the Identity of the DAS COM+ application

  1. On the Management Server, open the Component Services snap-in.

  2. Navigate to the Microsoft Operations Manager Data Access Server application and open its Properties dialog.

  3. On the Identity tab, enter the account in the form <domain\user name> in the User text box.

  4. Enter the password in the Password and Confirm password textboxes.

  5. Click OK.

  6. Right-click the application and click Shut down.

  7. When the application has completed shutting down, right-click it and click Start.

To use Network Service for DAS where the Management Server and MOM Database are on separate computers

This process requires steps on the MOM Database Server first, and then on the MOM Management Server.

Important

    You can only do this if the Management Server is running on Windows Server 2003. Windows 2000 does not support the Network Service account.

On the MOM Database Server:

  1. On the MOM Database Server, verify that the MSSQLSvc Service Principal Name is registered by running "setspn.exe -L <SQL Server FQDN>" at the command line, where <SQL Server FQDN> is the fully qualified domain name of the MOM Database Server instance.

  2. In SQL Server Enterprise Manager, expand the OnePoint folder.

  3. Add a new database user by right-clicking on the Users sub-node of the OnePoint database folder and selecting New Database User.

  4. In the Database Users - New User dialog, enter the computer name in the Login name text box. Computer names follow the format domain\computername$. Do not forget the trailing "$".

  5. Grant this computer account user membership in the db_owner database role and click OK.

  6. Navigate to the Security folder for the SQL Server instance.

  7. Add a new SQL Server Login by right-clicking on the Logins folder and selecting New Login.

  8. On the General tab of the SQL Server Properties - New Login dialog, enter the computer name in the Name textbox. Computer names follow the format domain\computername$. Do not forget the trailing "$".

  9. On the Database Access tab, grant this computer account db_owner access to the OnePoint database by selecting the Permit checkbox next to the OnePoint database and then the db_owner checkbox below.

  10. Click OK.

On the Management Server:

  1. On the Management Server, stop the MOM Service.

  2. In the Component Services snap-in, expand Component Services / Computers / My Computer / COM+ Applications.

  3. Right-click the Microsoft Operations Manager Data Access Server node and click Shut down.

  4. After the application has stopped, open its properties.

  5. On the Identity tab, select the System Account and the Network Service options, and then click OK.

  6. Start the MOM Service.

  7. After the MOM Service has started, open the MOM Administrator console and confirm that you do not see any DAS errors.

To use Local Service for DAS where the Management Server and MOM Database are on the same computer

Follow this process to use the lower-privileged Local Service account for the DAS component when the MOM Management Server and MOM Database are installed on the same computer.

Important

    You can only do this if the Management Server is running on Windows Server 2003. Windows 2000 does not support the Local Service account.

  1. In the Microsoft SQL Server Enterprise Manager, navigate to the Security folder for the SQL Server instance.

  2. Add a new SQL Server Login by right-clicking on the Logins folder and selecting New Login.

  3. On the General tab of the SQL Server Properties - New Login dialog, enter "NT AUTHORITY\Local Service" in the Name text box.

  4. On the Database Access tab, grant the "NT AUTHORITY\Local Service" account db_owner access to the OnePoint database by selecting the Permit checkbox next to the OnePoint database and then the db_owner checkbox below.

  5. Click OK.

  6. In SQL Server Enterprise Manager, expand the OnePoint folder.

  7. Add a new database user by right-clicking on the Users sub-node of the OnePoint database folder and selecting New Database User.

  8. In the Database Users - New User dialog, select the account "NT AUTHORITY\Local Service" from the Login name combo box.

  9. Grant the Local Service account user membership in the db_owner database role and click OK.
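The Enterprise Manager clicks in steps 1 to 9 of this procedure, and in steps 2 to 10 of the preceding Network Service procedure, have a scripted equivalent. The following T-SQL is an added example, not part of the MOM 2005 documentation; it assumes SQL Server 2000 system procedures (the version MOM 2005 ships with), is run in Query Analyzer on the MOM Database Server, and uses a placeholder principal that you replace with either the Management Server computer account or NT AUTHORITY\Local Service.

```sql
-- Added example, not from the MOM 2005 documentation.
-- Replace the placeholder with the real Windows principal:
--   Management Server and database on separate computers: 'DOMAIN\MOMSERVER$'
--     (the Management Server computer account; keep the trailing "$")
--   Management Server and database on the same computer:  'NT AUTHORITY\Local Service'
DECLARE @principal sysname
SET @principal = N'DOMAIN\MOMSERVER$'   -- placeholder, constructed for this example

-- 1. Server-level login for the Windows principal (Security / Logins / New Login).
--    Guarded so the script can be re-run without an "already exists" error.
IF NOT EXISTS (SELECT 1 FROM master..syslogins WHERE loginname = @principal)
    EXEC sp_grantlogin @principal

-- 2. Database user in OnePoint mapped to that login (OnePoint / Users / New Database User).
USE OnePoint
IF NOT EXISTS (SELECT 1 FROM sysusers WHERE name = @principal)
    EXEC sp_grantdbaccess @principal

-- 3. db_owner role membership, which is what the DAS procedure requires.
EXEC sp_addrolemember 'db_owner', @principal

-- Verification: the principal must be listed exactly once, with db_owner among its roles.
EXEC sp_helpuser @principal
```

Run it before stopping the MOM Service and changing the DAS identity on the Management Server, in the same order the procedure gives; the final sp_helpuser output is the check that the mapping and role membership took effect.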

  10. Stop the MOM Service.

  11. In the Component Services snap-in, expand Component Services / Computers / My Computer / COM+ Applications.

  12. Right-click the Microsoft Operations Manager Data Access Server node and click Shut down.

  13. After the application has stopped, open its properties.

  14. On the Identity tab, select the System Account and the Local Service options, and then click OK.

  15. Start the MOM Service.

  16. After the MOM Service has started, open the MOM Administrator console and confirm that you do not see any DAS errors.

To use client certificates and SSL with MCF or MMPC

On the source management group's Management Server:

  1. Run the utility runas.exe /user:<mmpc_service_account> mmc.exe.

  2. On the File menu, select Add/Remove Snap-in.

  3. On the Standalone tab, click Add.

  4. Double-click on Certificates, click Finish, and then click Close.

  5. Click OK to close the Add/Remove Snap-in dialog.

  6. In the console, expand Console Root/Certificates - Current User/Personal/Certificates. If Certificates does not exist, select Personal.

  7. Right-click and select All Tasks/Request New Certificate.

  8. Click Next and select User certificate type from the list, or select any other certificate type that has client authentication as the certificate purpose.

  9. Click Next and enter a friendly name and description. Click Next.

  10. Verify the settings you entered are correct, and click Finish.

    Note

        On Windows 2000, the wizard requests that you install the certificate. Click Install Certificate to continue.

  11. Verify that the client certificate is present in the Personal Certificates folder of the MMPC service account.

  12. Right-click on the client certificate and select All Tasks/Export.

  13. Click Next and select No, do not export the private key.

  14. Click Next and select DER encoded binary X.509 (.CER).

  15. Click Next, save the file, and then click Next.

  16. Verify that the information you exported is correct, and then click Finish.

  17. Create a directory under the DATADIR directory called "ConnectorService" if one does not already exist. The DATADIR is specified in the HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint registry key and is %Installation Root%\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Operations Manager\ by default.

  18. Rename the certificate file to "ClientCertificate.cer" and put a copy of it on the source Management Server in the ConnectorService directory.

  19. Restart momconn.exe on the source Management Server.

On the destination management group's Management Server:

  1. Obtain a server certificate in Base-64 encoding format. Install the certificate on the destination Management Server. For more information about obtaining server certificates, see the Internet Information Services (IIS) help.

    Note

        If you already have a server certificate, this step is not necessary.

  2. In the IIS Manager, right-click the Microsoft Operations Manager 2005 Connector Framework Web site and click Properties.

  3. On the Directory Security tab, under Secure communications, click Edit. If the Edit button is not enabled, you must install a server certificate.

  4. In the Secure Communications dialog, select the Require secure channel (SSL) checkbox.

  5. Under Client certificates, select the Require client certificates option.

  6. Select the Enable client certificate mapping checkbox.

  7. Click Edit to configure the client certificate mapping. Map the certificate to the DAS account (or to the account used for the MOM to MOM Connector service, if it is different). For more information about completing the mapping, see the Internet Information Services (IIS) help.