If you are monitoring Active Directory in a multi-domain environment you might only want to monitor certain domain controller because you don’t have the administrative sovereignty nor any permission to access the other systems.
In that case you probably installed the SCOM agents to your domain controllers and imported the Active Directory management pack. If so SCOM will discover all other domain controller in the entire forest which don’t belong to you. They will appear under Windows Computers in the SCOM console as not monitored.
If you are aware of this BEFORE you deploy the agents to the domain controller you could enable DiscoverAgentOnly according to this article http://technet.microsoft.com/en-us/library/dd262020.aspx after the sealed Active Directory MP import and before deploying any SCOM agent to the domain controller. But what happen AFTER you installed agents, management pack and set your overrides? The only (fast) way to get rid of these not monitored domain controller objects was the following:
- uninstall the agents from the domain controllers
- export and delete the unsealed Active Directory override management pack
- delete all sealed Active Directory management pack
- get a coffee
- import the sealed Active Directory management packs from Microsoft
- import the unsealed Active Directory override management pack
- enable DiscoverAgentOnly discovery
- override the AD topology discovery for your RMS from 86400 seconds to 60 seconds
- deploy the agents to the domain controllers
- get another coffee
- Check back and you just will see only your monitored domain controllers under windows computer and also the Active Directory DA as well
- Make sure you set the AD topology discovery for your RMS back to 86400 seconds otherwise the discovery will run every minute
Cool 8)
Update Note 19.12.2011: Here a very nice tutorial how to implement DiscoverAgentOnly. Please note that the SCOM Action Account needs Operations Manager Administration permission.
What has your experience with Agent Only Discovery been like since you wrote this? I have it setup, (changed the OpsMgr Install path to match 2012 R2) and turned on verbose logging. I can see that its running and discovering objects with agents installed, but overnight another 500 domain controllers showed up. I’m open to the possibility that I’ve done something wrong, but I’m also suspicious that this doesn’t work as advertised. Appreciate your feedback.
Hi Blake
The discovery runs every 24h as far I remember. Last time I had to use this setting was about 2 years ago and since then there was no need. Important is, that the account permissions are set properly and also the path to PowerShell (Discovery). I currently don’t have a proper setup to test it any deeper with current versions of SCOM and AD MP.
Sorry, that I cannot give you any more input at the moment.
Best regards,
Stefan