Configuring Connected Management Groups in OpsMgr 2007
I've set this up a couple of times - but it's been a while. I had an occasion to set this up again just the other day and thought it would be worth a brief discussion.
Connected management groups are the mechanism OpsMgr provides for a 'single pane of glass' view of an OpsMgr environment with more than one management group. This is the OpsMgr answer to the MOM-to-MOM connector available in MOM 2005.
Configuring connected management groups is straightforward. For the sake of discussion, let's define a couple of terms. The local management group is the one where you want to establish this 'single pane of glass' view. The connected management group is the one that you are connecting to from the top level.
Configure Connected Management Groups
To start configuration, connect to the OpsMgr console of the top-level management group and navigate to the administration node. On the administration node, click 'Connected Management Groups'. In the detail pane, right-click an open area and select 'Add Management Group'.
In the 'Add Management Group' box enter the name of the second tier management group and the name of the RMS server for the second tier management group in FQDN format. If the local management group and the connected management group are not using the same SDK and Config service account, select 'Other user account' and complete the User name, Password and Domain fields with the SDK account of the connected management group.
Note: Don't let the name of my connected management group fool you! It's listed as primaryMG but for this example the primaryMG management group is truly the connected management group.
There can be problems at this stage, but most of the time all goes smoothly. If all goes well, you have now connected your management groups.
Configuring Permissions
Users of the local management group will now be able to view alerts, set overrides and monitor objects in the connected management groups if they have permissions in the connected management group.
Note: If your management groups are not in the same domain and don't share a trust, you will have to create pass through accounts in the connected management group domain to allow authentication to work properly.
Connected Management Group
To grant users from the local management group permissions to the connected management group, add them to the appropriate user role in the connected management group.
In my example I have created a custom operator user role called 'OpsMgr Operators from Local Management Group' and have added my testuser account to the role.
Note: To avoid confusion it might be easier to have a User Role specifically to assign rights to users from the local management group.
Use the Group Scope, Tasks and View tabs to configure the permissions that testuser will have to the connected management group. By default, full permission is allowed.
Local Management Group
To grant users in the local management group rights to view data from the connected management group, open the OpsMgr console of the local management group, go to the administration node, expand Security and click User Roles. In the detail pane, right-click the user role you want to grant connected management group access to and select Properties.
In my example I have created a custom operator user role called 'Opsmgr Operators Scope - Custom' and have added the testuser account to it.
On the 'group scope' tab, select the management group you want the role to be able to access. In my case, there is only a single connected management group but there could be multiple.
Note: To avoid confusion it might be easier to have a User Role specifically to assign rights to connected management groups.
Verifying Operation
Now that everything is configured, let's switch to the monitoring node in the OpsMgr console of the local management group to take a look at all of the new alerts that are visible from our connected management group.
All of the systems shown are actually agents of my connected management group - so everything is working. Note, however, that you won't see connected alerts until you select the option 'show connected alerts' which is highlighted above.
Conclusion
A couple of things to note about connected management groups.
1. You can't see them in the Web Console - and there are no plans for this to change in R2.
2. Every time you launch the OpsMgr console you will need to supply credentials if you want to see alert data from a connected management group.
Comments
Anonymous
February 09, 2009
PingBack from http://blog.a-foton.ru/index.php/2009/02/10/configuring-connected-management-groups-in-opsmgr-2007/
Anonymous
February 11, 2009
Feed: The Operations Manager Support Team Blog Posted on: Tuesday, February 10, 2009 11:45 AM Author
Anonymous
February 17, 2009
Feed: The Operations Manager Support Team Blog Our very own Steve Rachui just posted a cool how-to on
Anonymous
February 28, 2010
How many connected management groups can be connected to a local management group? Is there any limit?
Anonymous
March 08, 2010
I don't know of any hard coded limit but there are practical limitations. What specifically are you considering?
Anonymous
August 09, 2010
Can you explain how to create AD pass-through accounts in case the domains do not share a trust relationship? Thanks, Y.
Anonymous
August 10, 2010
Pass through auth simply means that you have an account with the same name and password in both domains that have no trust relationship - then when you try to access the untrusted domain it should let you through since the passwords match. I haven't tested if this works with Kerberos, but with NTLM it should, so if NTLM auth is available as fallback you should be able to make the connection.