Friday 20 April 2012

Migrate agents to new SCOM gateway with Operations Manager Shell

We use SCOM to monitor our customers' infrastructure, so we need to deploy SCOM gateways in the untrusted domains of the customers.

A gateway is used to monitor devices that are not in the same Active Directory forest as the management server. It uses certificates on the gateway and on the management server to provide mutual authentication between the two. The devices in the Active Directory domain of the gateway server communicate with the gateway by using Kerberos.

From time to time gateways need to be replaced, moved or added.

In this blog I will explain how to replace a gateway server with a new one without having to reconfigure the agents manually. To do this we use the SCOM PowerShell cmdlets to set the failover management server option.

It is important to understand that you can easily orphan an agent, leaving it unable to communicate with ANY management server.

If you change the primary management server (PMS) in the console or via PowerShell, the management server (MS) receives a configuration update telling it to stop accepting communication from the old gateway (GW).
This happens before the old GW receives its own configuration update, so the old GW does not know about the new configuration and keeps trying to communicate with the MS, which now denies it.
In short, you have just cut off communication with that gateway and every agent behind it.

To prevent this from happening, I use the Failover Management Server (FMS) option in SCOM.

To create a new gateway server:

  • Run Gateway Approval Tool
  • Install new Operations Manager Gateway Server
  • Deploy and Import certificates on the Gateway Server

Documentation on the above steps can be found here:

The steps below are addressed in this post.

  • Configure the new GW as PMS and the old GW as FMS
  • Confirm the PMS and FMS configuration
  • Replace the old GW as failover server with the real failover server

Step one is to configure a Failover Management Server (FMS).
Connect to your MS with Remote Desktop.
Open "Operations Manager Shell" from the Start menu.
Execute the script below, replacing the PMS name with the new GW name and the FMS name with the old GW name.

# New gateway becomes the primary, old gateway becomes the failover
$primaryMS = Get-ManagementServer | where {$_.Name -eq 'NewGW.domain.local'}
$failoverMS = Get-ManagementServer | where {$_.Name -eq 'OldGW.domain.local'}
# All agents that currently report to the old gateway
$agent = Get-Agent | where {$_.PrimaryManagementServerName -eq 'OldGW.domain.local'}
Set-ManagementServer -AgentManagedComputer $agent -PrimaryManagementServer $primaryMS -FailoverServer $failoverMS

What happens is that we keep the OldGW configured as a failover server.
Because of this, the MS is not told to deny communication from the OldGW, so it can still deliver the configuration updates to the OldGW and to its agents.

To confirm the configuration change on an agent, navigate to "C:\Program Files\System Center Operations Manager 2007\Health Service State\Connector Configuration Cache\<Management group name>" and open OpsMgrConnector.config.xml with Notepad.

Look for the OldGW name and the NewGW name.
You should see the NewGW entry with IsPrimary = True and the OldGW entry with IsPrimary = False.


Event 1210 will also be logged on the agent, saying that the new configuration became active.

When all agents have the new configuration (I suggest you wait at least 30 minutes), it is safe to change the failover server from the OldGW to the real failover server you want to configure.

# Replace the old gateway with the intended failover server
$failoverMS = Get-ManagementServer | where {$_.Name -eq 'NewFailoverGW.domain.local'}
# The agents now report to the new gateway as their primary
$agent = Get-Agent | where {$_.PrimaryManagementServerName -eq 'NewGW.domain.local'}
Set-ManagementServer -AgentManagedComputer $agent -FailoverServer $failoverMS
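The two snippets above are the whole procedure, but run by hand they will happily pass an empty $primaryMS or $failoverMS to Set-ManagementServer when a name is mistyped, which is the orphaning scenario described earlier. The script below is an added example (not code from the original post) that wraps both phases in functions that refuse to run with an unresolved server, report the per-agent assignment and check for Event 1210 before the old gateway is dropped. It assumes the SCOM 2007 R2 Operations Manager Shell with the Get-ManagementServer, Get-Agent and Set-ManagementServer cmdlets already connected to the management group, that the AgentManagedComputer object exposes a GetFailoverManagementServers() method, and that the account can read the Operations Manager event log of the agents remotely; all server names are constructed placeholders.

```powershell
# Added example, not part of the original post. Assumes the SCOM 2007 R2
# Operations Manager Shell (Get-ManagementServer, Get-Agent, Set-ManagementServer).
# Server names below are constructed placeholders.

function Get-ManagementServerOrFail {
    param([string]$Name)
    $ms = Get-ManagementServer | Where-Object { $_.Name -eq $Name }
    # Never continue with a $null server: handing $null to Set-ManagementServer
    # as primary or failover is how an agent ends up unable to reach any MS.
    if (-not $ms) { throw "Management server or gateway '$Name' not found" }
    return $ms
}

# Phase 1: new gateway becomes primary, old gateway stays reachable as
# failover so the agents still receive the configuration update through it.
function Start-GatewayMigration {
    param([string]$OldGateway, [string]$NewGateway)
    $primaryMS  = Get-ManagementServerOrFail -Name $NewGateway
    $failoverMS = Get-ManagementServerOrFail -Name $OldGateway

    $agents = Get-Agent | Where-Object { $_.PrimaryManagementServerName -eq $OldGateway }
    if (-not $agents) { Write-Warning "No agents report $OldGateway as primary"; return }

    Write-Host ("Migrating {0} agent(s) from {1} to {2}" -f @($agents).Count, $OldGateway, $NewGateway)
    Set-ManagementServer -AgentManagedComputer $agents -PrimaryManagementServer $primaryMS -FailoverServer $failoverMS
}

# Shows primary and failover per agent. Assumption: the AgentManagedComputer
# object has a GetFailoverManagementServers() method returning ManagementServer objects.
function Show-AgentAssignment {
    param([string]$Gateway)
    Get-Agent | Where-Object { $_.PrimaryManagementServerName -eq $Gateway } | ForEach-Object {
        $failovers = ($_.GetFailoverManagementServers() | ForEach-Object { $_.Name }) -join ', '
        New-Object PSObject -Property @{
            Agent    = $_.Name
            Primary  = $_.PrimaryManagementServerName
            Failover = $failovers
        }
    }
}

# True when the agent has logged Event 1210 ("New Configuration Became Active")
# since $Since. Assumption: remote read access to the agent's Operations Manager log.
function Test-AgentConfigActive {
    param([string]$AgentName, [datetime]$Since)
    $ev = Get-EventLog -ComputerName $AgentName -LogName 'Operations Manager' `
                       -InstanceId 1210 -After $Since -Newest 1 -ErrorAction SilentlyContinue
    return [bool]$ev
}

# Phase 2: only after every agent has activated the new configuration,
# swap the old gateway for the failover server you really want.
function Complete-GatewayMigration {
    param([string]$NewGateway, [string]$FinalFailover, [datetime]$Since)
    $failoverMS = Get-ManagementServerOrFail -Name $FinalFailover
    $agents = @(Get-Agent | Where-Object { $_.PrimaryManagementServerName -eq $NewGateway })

    $pending = @($agents | Where-Object { -not (Test-AgentConfigActive -AgentName $_.Name -Since $Since) })
    if ($pending.Count -gt 0) {
        throw ("{0} agent(s) have not logged Event 1210 yet: {1}" -f $pending.Count, (($pending | ForEach-Object { $_.Name }) -join ', '))
    }
    Set-ManagementServer -AgentManagedComputer $agents -FailoverServer $failoverMS
}

# Usage (placeholders):
#   $started = Get-Date
#   Start-GatewayMigration -OldGateway 'OldGW.domain.local' -NewGateway 'NewGW.domain.local'
#   ... wait at least 30 minutes ...
#   Show-AgentAssignment -Gateway 'NewGW.domain.local' | Format-Table -AutoSize
#   Complete-GatewayMigration -NewGateway 'NewGW.domain.local' -FinalFailover 'NewFailoverGW.domain.local' -Since $started
```

The important design point is the order of the two phases and the guard between them: phase 2 refuses to remove the old gateway from the failover list while any agent has not yet logged Event 1210, which is the condition under which cutting the old gateway would strand that agent.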

Agent failover to multiple gateways, and gateway failover to multiple management servers, can be configured with the same method.
Documentation on this can be found here:

Source: http://technet.microsoft.com/en-us/library/cc540382.aspx
