Enable Application Partition Discovery

Applies To: Operations Manager 2007

The AD LDS Management Pack requires access to an account in order to discover the AD LDS application partition information on each AD LDS server. To enable application partition discovery, you must perform the following procedures:

  1. Enable configuration container permissions for the AD LDS monitoring account

    Note

    The Other Requirements section specified the need for a user account for the AD LDS Management Pack to discover application partitions and to monitor replication. This account is referred to as the AD LDS monitoring account in this guide.

  2. Create a Run As Account to utilize the AD LDS monitoring account

  3. Add the Run As Account to the Lightweight Directory Service LDAP Reader/Writer Account profile.

Enabling Permissions for the AD LDS Monitoring Account

For the AD LDS monitoring account to discover application partitions and monitor replication between them, the account must be configured as an administrator in the AD LDS instance’s configuration container. To do this, you can use any LDAP editing tool. The following directions describe how to use ADSI Edit to grant the appropriate permissions to the AD LDS monitoring account.

Warning

If the password of the AD LDS monitoring account expires or is changed, AD LDS application partition discovery and replication monitoring will stop until the Run As account credentials are updated in the Operations console.

To perform the following procedure, you must be a member of the Administrators role of each AD LDS instance that you want to configure.

Granting configuration container permissions to the AD LDS monitoring account

  1. Open ADSI Edit on any Windows Server 2008 or Windows Server 2008 R2 computer, on a Windows Vista® computer with the Remote Server Administration Tools for Windows Vista (https://go.microsoft.com/fwlink/?LinkId=89361), or on a Windows® 7 computer with the Remote Server Administration Tools for Windows 7 (https://go.microsoft.com/fwlink/?LinkId=167131). To open ADSI Edit, click Start, type adsiedit.msc, and then press ENTER.

    Note

    To use ADSI Edit, you may have to enable the Active Directory Domain Controller Tools as discussed in the article Installing Remote Server Administration Tools (https://go.microsoft.com/fwlink/?LinkId=153624).

  2. In the ADSI Edit console, right-click ADSI Edit in the navigation pane, and then click Connect to.

  3. In the Connection Settings dialog box, under Connection Point, ensure that Select a well known Naming Context is selected, and then select Configuration from the drop-down menu. Under Computer, select Select or type a domain or server: (Server | Domain [:port]), and then enter the FQDN of the LDAP server hosting the instance that you want to configure, followed by a colon and the port number. For example, to connect to a server named ADLDS1.humongousinsurance.com hosting an AD LDS instance on LDAP port 50000, you would enter ADLDS1.humongousinsurance.com:50000. Click OK.

  4. In the navigation pane of the ADSI Edit console, expand the Configuration container and then expand CN=Configuration,CN={GUID}, where GUID represents the actual globally unique identifier of your AD LDS instance.

  5. In the ADSI Edit console navigation pane, click CN=Roles. In the details pane, double-click Administrators.

  6. In the CN=Administrators Properties dialog box under Attributes, double-click the member attribute.

  7. In the Multi-valued Distinguished Name with Security principal Editor dialog box, click Add Windows Account.

  8. Use the Select Users, Computers, or Groups dialog box to locate the AD LDS monitoring account. Click OK on the three open dialog boxes from the ADSI Edit console and then close the console.
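The same role membership change can be scripted instead of clicked through. The following PowerShell script is an added example, not part of the original guide, and uses System.DirectoryServices to do what steps 2 through 8 do in ADSI Edit: it reads the configuration naming context from RootDSE (so the instance GUID is not typed by hand), and then adds the monitoring account to CN=Administrators,CN=Roles in that container as a <SID=...> reference, which is how AD LDS records a Windows account in a role. The server name, port, and account name are assumptions; run it as an administrator of the instance, on a computer that can resolve the monitoring account to its SID.

```powershell
# Added example (not part of the original guide): grant the AD LDS monitoring
# account membership in the Administrators role of an instance's configuration
# container. Equivalent to the ADSI Edit steps above.
#
# Assumptions (replace with your values):
$server  = 'ADLDS1.humongousinsurance.com'   # AD LDS server FQDN
$port    = 50000                              # LDAP port of the instance
$account = 'HUMONGOUS\svc-adldsmon'           # AD LDS monitoring account

# Resolve the Windows account to its SID. AD LDS stores Windows principals in
# role membership as <SID=...> references, which is what "Add Windows Account"
# in ADSI Edit writes behind the scenes.
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate([System.Security.Principal.SecurityIdentifier]).Value

# Ask RootDSE for the configuration naming context (CN=Configuration,CN={GUID}).
$rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${server}:${port}/RootDSE")
$configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
if (-not $configNc) { throw "Could not read configurationNamingContext from ${server}:${port}" }

# Bind to the Administrators role object in that container.
$roleDn = "CN=Administrators,CN=Roles,$configNc"
$role   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${server}:${port}/$roleDn")

# AD LDS returns existing Windows members as foreign security principal DNs
# (CN=<SID>,CN=ForeignSecurityPrincipals,...), so match on the SID string.
$members  = @($role.Properties['member'] | ForEach-Object { [string]$_ })
$existing = $members | Where-Object { $_ -like "*$sid*" }

if ($existing) {
    Write-Host "$account ($sid) is already a member of $roleDn"
} else {
    $null = $role.Properties['member'].Add("<SID=$sid>")
    $role.CommitChanges()
    Write-Host "Added $account ($sid) to $roleDn"
}

# Read the membership back from the server as a check.
$role.RefreshCache()
Write-Host "Current members of ${roleDn}:"
$role.Properties['member'] | ForEach-Object { Write-Host "  $_" }
```

Repeat for every AD LDS instance you intend to monitor; each instance has its own configuration container and its own Administrators role, so membership granted on one instance does not carry over to another.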

Creating a Run As Account

Creating a Run As Account allows Operations Manager 2007 to use the user account created for application partition monitoring.

To perform the procedures in this section, you must be a member of the Operations Manager Administrators group in the Operations console. For more information, see Account Information for Operations Manager 2007(https://go.microsoft.com/fwlink/?LinkId=165736).

To create a Run As Account

  1. On your management server, open the Operations Console, and then click Administration.

  2. In the navigation pane, right-click Security, and then click Create Run As Account.

  3. If the Introduction page of the Create Run As Account Wizard appears, click Next.

  4. On the General Properties page, ensure that Windows is selected for Run As Account type and for Display Name type AD LDS MP. You can optionally type additional information in Description.

    Note

    You may type any name that you like for the Run As Account to use, the name AD LDS MP is a suggested name and is used to make writing these directions more concise. If you type a different name, substitute that name for AD LDS MP in any steps which make reference to the AD LDS Run As Account.

    Important

    For monitoring to work successfully in a workgroup environment, you must specify a “Windows” type Run As account that uses the <machine>\<account> format, so that the discovery workflow can run. If you specify a “Basic authentication” or “Simple authentication” type Run As account, which uses the account name only, the workflow will not be initialized and loaded.

  5. On the Credentials page, enter the user name of the account you designated for monitoring replication. Then, enter and confirm the password you set for the account. Click Next.

  6. On the Distribution Security page, ensure that More secure is selected and then click Create.

  7. Once the Run As account is created, click Close.

Add the Run As Account to the Lightweight Directory Service LDAP Reader/Writer Account Profile

The last major task in enabling application partition discovery is to add the Run As account to the Lightweight Directory Service LDAP Reader/Writer Account profile.

Adding the Run As Account to the Run As Profile

  1. In the Administration navigation pane of the Operations Console, click Profiles.

  2. In the Profiles pane, double-click Lightweight Directory Service LDAP Reader/Writer Account.

  3. If the Introduction page of the Run As Profile Wizard appears, click Next.

  4. In Display name, confirm that Lightweight Directory Service LDAP Reader/Writer Account appears as the name of the profile and then click Next.

  5. On the Run As Accounts page, click Add.

  6. In the Add a Run As Account dialog box, under Run As account, use the drop-down menu to select the Run As account.

  7. In This Run As Account will be used to manage the following objects, select A selected class, group, or object.

    Tip

    If you have created a group for all your AD LDS servers, then you may want to select that in the next step rather than following the steps to select AD LDS servers individually. See How to Create Groups in Operations Manager 2007 (https://go.microsoft.com/fwlink/?LinkId=165736) for more information.

  8. Click Select and then click Object.

  9. Use the Object Search dialog box to locate the AD LDS servers you want to monitor, select one, and then click OK.

    Tip

    In the Object Search dialog box, you can set Look for to Windows Server to reduce the number of objects returned.

    Repeat this step as needed until you have all the AD LDS server computer accounts you want to monitor in the Run As accounts list, and then click Save.

  10. If on the Completion page, under More-secure Run As accounts, you see AD LDS MP then click AD LDS MP. Otherwise, click Close.

  11. If you clicked AD LDS MP, then in the Run As Account Properties, in the Distribution tab, with More secure selected, click Add. Use the Computer Search dialog box to locate the AD LDS servers to which you want to distribute these credentials. When you locate the computers you want, click Add, then click OK twice and then click Close.
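Once the Run As account has been distributed, it is worth confirming that the credentials it carries actually work against every AD LDS server before waiting for discovery to run. The following PowerShell script is an added example, not part of the original guide or the management pack: it binds to each listed server with the monitoring account's credentials (a Windows bind, the same kind a “Windows” type Run As account performs) and lists the application partitions that discovery should find, which are every naming context except the schema and configuration partitions. The server list is an assumption; the credential is prompted for at run time.

```powershell
# Added example (not part of the original guide): verify that the AD LDS
# monitoring account can bind to each AD LDS server and read its application
# partitions, using the same credentials given to the Run As account.
#
# Assumptions (replace with your values):
$targets = @(
    @{ Server = 'ADLDS1.humongousinsurance.com'; Port = 50000 },
    @{ Server = 'ADLDS2.humongousinsurance.com'; Port = 50000 }
)

# Prompt for the monitoring account, e.g. HUMONGOUS\svc-adldsmon or
# <machine>\<account> in a workgroup. Never hard-code the password in a script.
$cred = Get-Credential
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

foreach ($t in $targets) {
    $endpoint = "$($t.Server):$($t.Port)"
    try {
        # A Secure (Negotiate) bind with explicit credentials; a wrong password
        # or a disabled/expired account fails here with a logon error.
        $root = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$endpoint/RootDSE", $user, $pass,
            [System.DirectoryServices.AuthenticationTypes]::Secure)

        $all    = @($root.Properties['namingContexts'] | ForEach-Object { [string]$_ })
        $config = [string]$root.Properties['configurationNamingContext'].Value
        $schema = [string]$root.Properties['schemaNamingContext'].Value

        # Application partitions are the naming contexts that are neither the
        # schema nor the configuration partition of the instance.
        $appPartitions = @($all | Where-Object { $_ -ne $config -and $_ -ne $schema })

        Write-Host "[OK]   $endpoint bound as $user"
        if ($appPartitions.Count -eq 0) {
            Write-Warning "       no application partitions found on $endpoint"
        } else {
            $appPartitions | ForEach-Object { Write-Host "       application partition: $_" }
        }
    } catch {
        # Typical causes: wrong password, account not yet granted access,
        # wrong port, or the instance is not listening.
        Write-Host "[FAIL] ${endpoint}: $($_.Exception.Message)"
    }
}
```

A [FAIL] line for a server means the Run As account will fail in the same way on that server, so fix the bind (port, credentials, or the account's role membership from the first procedure) before troubleshooting the management pack itself.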