There are a lot of articles on the Internet about how to enable AD Integration for SCOM 2007 R2, but so far I haven't found any on how to disable it. For the last couple of weeks I was faced with such a task, and it is not so easy, as certain steps have to be followed in order.
The reason we had to disable AD Integration is that it was not working. Probably some permissions were inherited from the root of the domain down to the OperationsManager OU, which left the agents confused about which management server they had to connect to. Because of this and various other reasons, it was decided that AD Integration should be disabled.
With the introduction of SCOM 2012, where the RMS role is removed, AD Integration becomes less relevant, because agents can leverage the high availability of the SCOM 2012 environment. It is also much easier to manage your agents through SCOM directly. For these reasons I think it is a good idea to disable AD Integration, if you have it enabled in your SCOM environment, before migrating to SCOM 2012.
The steps below apply to SCOM 2007 R2, but as they are general steps they also apply to 2012:
1. As all agents were installed with the AD Integration configuration, they have to be reinstalled. It is best to first run the uninstall command and completely remove the agent (uninstallation commands here). After complete removal, the agent can be installed with the new configuration (installation commands here). Do not forget to apply the agent CU matching the version of your SCOM environment. You can execute these tasks on all servers manually or create a task sequence in SCCM and advertise it. If you have servers with System Center Service Manager roles in your environment, it is best to exclude them from the collection to which you advertise the task sequence, because, as you know, SCOM and SCSM share the same architecture. Agents on SCSM servers can be reinstalled manually. Because the SCSM service is present on these servers, not all registry keys related to the SCOM agent are removed by the uninstall. Therefore, before reinstalling the agent you have to change the REG_DWORD value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager\EnableADIntegration from 1 to 0:
After you change that value you can reinstall the SCOM agent on the server.
2. When all your agents have the new configuration, the objects in the OperationsManager OU can be removed by executing the following command: “MoMADAdmin.exe -d MANAGEMENT_GROUP_NAME DOMAIN_NAME”. This deletes all objects under the OperationsManager OU; the OU itself has to be deleted manually.
3. When there is no OU any more, the LDAP agent assignment rules for AD Integration can also be deleted in the SCOM console.
Note: If any agents are left with the old AD Integration configuration, you will probably receive health service errors from them.
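The per-server part of step 1, including the SCSM case and the check behind the note above, as an added PowerShell example. This is my own script, not the uninstall/install commands the post links to. It assumes PowerShell remoting to the targets, a MOMAgent.msi on a share readable by the caller, the documented MOMAgent.msi install properties (USE_SETTINGS_FROM_AD, USE_MANUALLY_SPECIFIED_SETTINGS, MANAGEMENT_GROUP, MANAGEMENT_SERVER_DNS, SECURE_PORT, ACTIONS_USE_COMPUTER_ACCOUNT); the server, share and management group names are placeholders.

```powershell
# Added example, not code from the original post. Reinstalls the SCOM agent on
# each listed server with AD Integration turned off, and covers the SCSM case
# where the uninstall leaves EnableADIntegration=1 behind in the registry.
# Assumptions (not on the page): PowerShell remoting to the targets, a readable
# MOMAgent.msi share, and the documented MOMAgent.msi property names used below.
# Server, share and management group names are placeholders.
param(
    [Parameter(Mandatory = $true)] [string[]] $ComputerName,
    [string] $ManagementGroup  = 'CONTOSO_MG',
    [string] $ManagementServer = 'scom-ms01.contoso.local',
    [string] $AgentMsi         = '\\fileserver\scom\MOMAgent.msi',
    [switch] $Audit            # only report the current registry value, change nothing
)

$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager'
$LocalMsi = 'C:\Windows\Temp\MOMAgent.msi'

$remediate = {
    param($KeyPath, $LocalMsi, $ManagementGroup, $ManagementServer, $Audit)

    function Get-ADIntegrationValue {
        $p = Get-ItemProperty -Path $KeyPath -Name EnableADIntegration -ErrorAction SilentlyContinue
        if ($null -ne $p) { [int]$p.EnableADIntegration } else { $null }
    }

    $log = [ordered]@{ Computer = $env:COMPUTERNAME; Before = Get-ADIntegrationValue; ForcedToZero = $false }

    if (-not $Audit) {
        # 1. Remove the existing agent completely (same MSI, so /x works without the product code).
        Start-Process msiexec.exe -ArgumentList "/x `"$LocalMsi`" /qn /norestart" -Wait -NoNewWindow

        # 2. On SCSM servers the ConnectorManager key survives the uninstall: force it to 0,
        #    otherwise the new agent starts up still reading its configuration from AD.
        if ((Get-ADIntegrationValue) -eq 1) {
            Set-ItemProperty -Path $KeyPath -Name EnableADIntegration -Value 0 -Type DWord
            $log.ForcedToZero = $true
        }

        # 3. Reinstall with manually specified settings instead of AD-published ones.
        $props = @(
            'USE_SETTINGS_FROM_AD=0',
            'USE_MANUALLY_SPECIFIED_SETTINGS=1',
            "MANAGEMENT_GROUP=$ManagementGroup",
            "MANAGEMENT_SERVER_DNS=$ManagementServer",
            'SECURE_PORT=5723',
            'ACTIONS_USE_COMPUTER_ACCOUNT=1'
        ) -join ' '
        Start-Process msiexec.exe -ArgumentList "/i `"$LocalMsi`" /qn /norestart $props" -Wait -NoNewWindow
    }

    $log.After = Get-ADIntegrationValue
    [pscustomobject]$log
}

$results = foreach ($computer in $ComputerName) {
    if (-not $Audit) {
        # Copy the MSI to the target first: the remote session cannot open the share
        # with the caller's credentials (no second Kerberos hop).
        Copy-Item -Path $AgentMsi -Destination "\\$computer\C$\Windows\Temp\MOMAgent.msi" -Force
    }
    Invoke-Command -ComputerName $computer -ScriptBlock $remediate `
        -ArgumentList $KeyPath, $LocalMsi, $ManagementGroup, $ManagementServer, $Audit.IsPresent
}

$results | Format-Table Computer, Before, ForcedToZero, After -AutoSize
# Anything still at 1 will keep looking for the OU and raise health service errors.
$leftovers = @($results | Where-Object { $_.After -eq 1 })
if ($leftovers.Count -gt 0) {
    Write-Warning "AD Integration still enabled on: $($leftovers.Computer -join ', ')"
}
```

Run it first with `-Audit` against the full server list to see which agents still report `EnableADIntegration = 1`; that is the same population the note above warns about. The agent CU still has to be applied after the reinstall, as the post says, and the RMS itself is not a target of this script.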
Now that you are managing agents manually, you can take some steps to make the distribution of agents among the management servers (if you have more than one) more automatic:
- First you need to make all agents remotely manageable (if they are all in the same domain as SCOM). You can find how, and more about this approach, here.
- After all, or almost all, of your agents are remotely manageable, you can distribute them equally between two or more management servers with a PowerShell script. You can find such a script here.
- Finally, if you want to make points 1 and 2 automatic so that they also apply to new agents, you can create a scheduled job in SQL Server Management Studio (a SQL Server Agent job) to run the query every day, and a Windows scheduled task on the RMS server to run the script every day.
Note: Keep in mind that the solution provided for SCOM agent load balancing does not apply to all environments.
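The three points above as one added PowerShell example. This is my own script, not the query or the script the post links to. It assumes the SCOM 2012 OperationsManager module (the 2007 R2 snap-in uses different cmdlet names), the `Invoke-Sqlcmd` cmdlet from the SQL Server tools, and that "the query" is the commonly used update of `MT_HealthService.IsManuallyInstalled` in the OperationsManager database; server and instance names are placeholders.

```powershell
# Added example, not the query or script the original post links to.
# Makes agents remotely manageable and then spreads them evenly over the
# management servers, with the next server in the list as failover.
# Assumptions (not on the page): SCOM 2012 OperationsManager module,
# Invoke-Sqlcmd available, and the MT_HealthService.IsManuallyInstalled
# update being what the post calls "the query". Names are placeholders.
param(
    [string]   $ManagementServerName = 'scom-ms01.contoso.local',
    [string]   $SqlInstance          = 'scom-sql01.contoso.local',
    [string]   $Database             = 'OperationsManager',
    [string[]] $ExcludeServer        = @(),   # e.g. servers reserved for gateways or network devices
    [switch]   $Apply                          # without it the script only prints the plan
)

Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName $ManagementServerName | Out-Null

# Point 1: flag manually installed agents as remotely manageable. Only meaningful
# for agents in the same domain as SCOM, as the post notes; takes effect for the
# cmdlets on the next run, which is why the post schedules both parts daily.
if ($Apply) {
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query @'
UPDATE MT_HealthService
SET    IsManuallyInstalled = 0
WHERE  IsManuallyInstalled = 1
'@
}

# Point 2: round-robin the remotely manageable agents over the non-gateway
# management servers. Sorting makes the assignment stable between runs.
$servers = @(Get-SCOMManagementServer |
    Where-Object { -not $_.IsGateway -and $ExcludeServer -notcontains $_.Name } |
    Sort-Object Name)
if ($servers.Count -lt 2) { throw 'Need at least two management servers to balance.' }

# Manually installed agents cannot be re-parented from the SDK, so skip them.
$agents = @(Get-SCOMAgent | Where-Object { -not $_.ManuallyInstalled } | Sort-Object DisplayName)

$plan = for ($i = 0; $i -lt $agents.Count; $i++) {
    [pscustomobject]@{
        Agent    = $agents[$i]
        Current  = $agents[$i].PrimaryManagementServerName
        Primary  = $servers[$i % $servers.Count]
        Failover = $servers[($i + 1) % $servers.Count]
    }
}

$plan | Group-Object { $_.Primary.Name } | Select-Object Name, Count | Format-Table -AutoSize
$changes = @($plan | Where-Object { $_.Current -ne $_.Primary.Name })
Write-Host ("{0} of {1} agents would change primary server" -f $changes.Count, $plan.Count)

if ($Apply) {
    foreach ($c in $changes) {
        # A server cannot be primary and failover for the same agent at once, so order
        # the two calls according to whether the current primary becomes the new failover.
        if ($c.Current -eq $c.Failover.Name) {
            Set-SCOMParentManagementServer -Agent $c.Agent -PrimaryServer  $c.Primary
            Set-SCOMParentManagementServer -Agent $c.Agent -FailoverServer $c.Failover
        } else {
            Set-SCOMParentManagementServer -Agent $c.Agent -FailoverServer $c.Failover
            Set-SCOMParentManagementServer -Agent $c.Agent -PrimaryServer  $c.Primary
        }
    }
}
```

Without `-Apply` the script only prints how many agents each management server would end up with and how many would move, which is the check to run before scheduling it (point 3). Pure round-robin is what the note above is about: it ignores agent weight and site topology, so environments with a management server dedicated to gateways or network devices should list it in `-ExcludeServer`, and agents whose existing failover list already contains their new primary may need that failover cleared first.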