Getting and keeping the SCOM agent on a Domain Controller – how do YOU do it?


Comments

  • Anonymous
    January 01, 2003
    Hi Kevin, In my opinion we only need a domain policy, 'Allow logon locally'. Then the issue is solved and now domain admin rights needed. Kind regards, André Borgeld

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    @Brumsky - Never heard of that issue.

  • Anonymous
    January 01, 2003
    @Sam - I don't have any details - it was just a plausible idea. :-)

  • Anonymous
    March 05, 2009
    The comment has been removed

  • Anonymous
    March 24, 2009
    Yes, I tried manual installation. But there is still some sort of validation problem. Now I get a lot of these "Object enumeration failed" errors. Here are 2 of them.

    Object enumeration failed
    Query: 'SELECT NumberOfProcessors FROM Win32_ComputerSystem WHERE DomainRole >3'
    HRESULT: 0x80041003
    Details: Access denied
    One or more workflows were affected by this.
    Workflow name: Microsoft.SystemCenter.DiscoverWindowsServerDCComputer

    Object enumeration failed
    Query: 'SELECT * FROM Win32_Service WHERE Name="ClusSvc" and State="Running"'
    HRESULT: 0x80041003
    Details: Access denied
    One or more workflows were affected by this.
    Workflow name: Microsoft.Windows.Cluster.Service.Discovery

    The action account I'm using is a domain administrator. Any idea?

  • Anonymous
    May 19, 2009
    I am looking at maybe a web front end that allows a domain admin to enter their credentials to deploy an agent. I got it to deploy an agent so far but the agent never comes out of pending. That's just me though

  • Anonymous
    October 31, 2009
    Although this is unlikely to solve all the issues described here, it looks like enabling Automatic Updates is part of the story. http://support.microsoft.com/kb/938993

  • Anonymous
    November 30, 2010
    Kevin - We are planning to use option 7 in our environment. Can you please give us more details on part b? Thx

  • Anonymous
    May 31, 2011
    The comment has been removed

  • Anonymous
    July 07, 2011
    Make sure your Domain Admin account has "Log on Locally" rights or you will not be able to install the Agent! We have several Domain Admin rights which do not have this permission and the installation will fail: "Access is denied".

  • Anonymous
    September 08, 2016
    The comment has been removed

    • Anonymous
      September 08, 2016
      Tony - in MOST correctly configured environments, the SCOM management server action account will NOT have rights on agents, and we would always expect someone to input credentials to push agents. Once an agent is pushed, the management server action account does not need any rights to the agent managed machine. This defaults to the MSAA only for convenience, if customers wanted to grant rights to the MSAA to be able to manage agent push installs, updates, etc. I'd call that a non-issue.
  • Anonymous
    April 26, 2017
    I am using the SCOM 2016 Console Discovery wizard to install agents. I have admin rights and use my account in the Administrator account to discover and then push the agents. I was able to do this for all our servers. Now that all servers were done, I started the discovery wizard and chose the domain controllers. This time I used my domain admin account as the Administrator account; however, it is not able to discover the DCs. Yes, I am using the domain admin account and I can log in to the DCs with that account interactively. What am I missing - any idea? Thank you Kevin :)

  • Anonymous
    February 01, 2018
    Hi Kevin, In our environment the Management Server Account is a member of the Domain Admin Group in AD. We used the same account in the SCOM 2007 R2 infrastructure, and when the environment migrated to SCOM 2012 R2 we used the same account with the same level of permission. As per your above statement, the Management Server action account needs to have Domain Admin rights only if we need to push the agent to the DC servers using the SCOM console. Can we remove the Domain Admin rights for the Management Server action account now? If yes, is there any challenge we will face after the Domain Admin access removal? Note - This account will still have Local Administrator rights on all managed agents. Bijesh

    • Anonymous
      February 05, 2018
      Hi Kevin, it will be great if you can help me on my query posted below. Bijesh
    • Anonymous
      February 05, 2018
      There is NO requirement for Domain Admin rights in SCOM. Management Server Action account should not have domain admin rights generally. It should be safe to remove Domain Admin group membership from your Management Server Action account. However, I cannot tell you for certain because it will depend on custom workflows you have written, database configurations and security settings, etc. The best way to tell is to remove it and see what happens by watching the event logs. If you have other security misconfigurations, there might be some impact on the way to cleaning it up.
      • Anonymous
        February 06, 2018
        Hi Kevin, Thanks for your valuable feedback. Bijesh