The Operations Manager agent runs on each computer that Operations Manager monitors. To view the computer groups that the SMS 2003 Management Pack monitors, see the Computer Groups for SMS 2003 section in this guide. The Operations Manager 2007 agent collects monitoring data on the managed computer, applies rules to the collected data, and then sends the resulting data to the Data Consolidator Agent Manager (DCAM). Monitoring functionality on an agent computer is provided by the Operations Manager 2007 Service (HealthService.exe), Operations Manager 2007 Host (MonitoringHost.exe) and the Agent Action Account.

To deploy the Operations Manager 2007 agent, you can use the Operations Manager 2007 installation wizard or SMS software distribution. For details on deploying the Operations Manager 2007 agent and using the Operations Manager 2007 installation wizard, see “Discovering Computers and Deploying MOM Agents” in the Microsoft Operations Manager 2007 Deployment Guide. For more information, see the Operations Manager 2007 web page (http://go.microsoft.com/fwlink/?LinkID=83259).

Note
It is recommended that you run the Operations Manager 2007 agent on the SMS Provider computers by using the LocalSystem account or an account with sufficient rights to access the SMS 2003 WMI namespaces root, root\cimv2, root\sms, and the SMS registry key and subkeys.

To determine whether agentless monitoring can be used in your environment, see Agentless Monitoring Support in Management Pack Monitoring Scenarios.

Defining the SMS Environment Variable to Support Log-Based Rules

A number of rules in the SMS 2003 SP3 management pack read SMS-based log files to check for errors. This task requires that the path to the SMS installation folder be defined on the SMS Site Server.

The following rules under SMS Site Servers - Common are based on the sender.log and distmgr.log files respectively:

  • SMS 2003 Component: The sender cannot connect to remote site over the LAN (Standard Security)

  • SMS 2003 Component: The sender cannot connect to remote site over the RAS connection

  • SMS 2003 Component: The sender cannot connect to remote site over the LAN (Advanced Security)

  • SMS 2003 Component: Distribution Manager failed to process a package

To specify the location of the SMS installation folder, the script uses a system environment variable on the SMS site server. The administrator must create the %SMS_INSTALL_DIR_PATH% environment variable as a system environment variable so that the MOM Agent running under any user context has access to the log files. The script then looks in the %SMS_INSTALL_DIR_PATH%\Logs directory for the sender.log and distmgr.log files. For more information about setting system environment variables, see the system environment variable web page (http://go.microsoft.com/fwlink/?LinkId=92316).

For the MOM Health Agent to use this system environment variable, the SMS Site Server may need to be restarted.
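The following PowerShell sketch is an added example, not part of the original guide. It defines the variable at system (machine) scope if it is missing, then confirms that the two log files the rules read are where the script will look. It assumes Windows PowerShell is installed on the site server and uses `D:\SMS` as a placeholder for the real installation folder.

```powershell
# Added example, not part of the guide. Run in an elevated session on the SMS site server.
$Name       = 'SMS_INSTALL_DIR_PATH'
$InstallDir = 'D:\SMS'   # assumption: placeholder for the real SMS installation folder

function Test-SmsLogVariable {
    param([string]$Name)
    # Read the stored machine and user values, not this process's inherited copy.
    $machine = [Environment]::GetEnvironmentVariable($Name, 'Machine')
    $user    = [Environment]::GetEnvironmentVariable($Name, 'User')
    if (-not $machine) {
        if ($user) { Write-Warning "$Name exists only as a user variable; define it as a system variable." }
        else       { Write-Warning "$Name is not defined." }
        return $false
    }
    $ok = $true
    foreach ($log in 'sender.log', 'distmgr.log') {
        # The log-based rules look in %SMS_INSTALL_DIR_PATH%\Logs.
        $path = Join-Path (Join-Path $machine 'Logs') $log
        if (-not (Test-Path -Path $path)) {
            Write-Warning "Missing log file: $path"
            $ok = $false
        }
    }
    return $ok
}

# Create the variable only when no machine-scope value exists; never overwrite one.
if (-not [Environment]::GetEnvironmentVariable($Name, 'Machine')) {
    [Environment]::SetEnvironmentVariable($Name, $InstallDir, 'Machine')
}

if (Test-SmsLogVariable -Name $Name) {
    Write-Host "$Name is set at machine scope and both log files were found."
}
```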

Configuring Agent Computers to Run in Low Privilege Scenarios

Monitoring functionality on an agent computer is provided by the Operations Manager 2007 Service (HealthService.exe), Operations Manager 2007 Host (MonitoringHost.exe) and the Agent Action Account. On Microsoft Windows® 2000, the Action Account must be a member of the local administrators group. On Microsoft Windows™ 2003, you can use a low-privileged account for the agent’s Agent Action Account under certain circumstances. However, configuring the Action Account and the user context that the Operations Manager 2007 Service and Operations Manager 2007 Host process run under with the necessary rights and permissions to run the SMS 2003 Management Pack features requires significant manual configuration on the agent computer. On Microsoft Windows Server™ 2003, the Agent Action Account must have the following minimum user rights and permissions:

  • Member of the Local Users group

  • Access to Windows Event Logs

  • Manage auditing and security log permission (SeSecurityPrivilege)

  • Generate security audits permission (SeAuditPrivilege)

  • Allow log on locally permission (SeInteractiveLogonRight)

In a low-privileged scenario, the SMS 2003 Management Pack requires that the account used for the Agent Action Account have additional rights and permissions. The following table details the access rights that must be configured manually.

Access Types Required By the SMS 2003 Management Pack

| Resource | Access Type | Instructions |
| --- | --- | --- |
| Windows Event Log | Read | The Action Account must be given the Manage auditing and security log privilege using Local or Global Policy. |
| SMS registry keys | Read | HKLM\Software\Microsoft\SMS. Add the Action Account to the registry properties and provide read access that is inherited by all subkeys. |
| Win32 Services registry keys | Read | HKLM\System\CurrentControlSet\Services. Add Action Account to the local users group. |
| Script generated temp files | Read and Write | %Windir%\Temp. Add Action Account to the local users group. |
| Script generated log files | Read and Write | %Windir%\Microsoft Operations Manager. Add the Action Account to the folder properties. |
| SMS log files | Read | \SMS\Logs. Add the Action Account to the folder properties. |
| WMI namespaces | Read | root and root\cimv2. No action should be required. |
| SMS WMI namespaces | Read | No action should be required. |
| SMS WMI classes | Read | SMS_Site, SMS_R_System, SMS_SystemResourceList, SMS_SiteSystemSummarizer. Add the Action Account to the class for all instances. |
| Security login rights to the default instance | Grant access | For the default instance on a managed SQL Server computer, the Action Account must be given Grant access rights for security logins. In SQL Server Enterprise Manager, add the Action Account to the following node: instancename\Security\Logins. |
| Access to the Master database on the default instance (required to identify the SMS Site database) | Permit | For the default instance on a managed SQL Server computer, the Action Account must be given permit access to the Master database. In SQL Server Enterprise Manager, add the Action Account to the following node: instancename\Databases\Master\Users. Keep all default permissions associated with this new user. |
| Access to the SMS Site database on the default instance | Permit | For the default instance on a managed SQL Server computer, the Action Account must be given permit access to the SMS Site database. In SQL Server Enterprise Manager, add the Action Account to the following node: instancename\Databases\<SMS site>\Users. Keep all default permissions associated with this new user. |
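The following PowerShell check is an added example, not part of the original guide. It confirms that the explicit entries the table tells you to add for the Action Account are present on the SMS registry key, the script log folder and the SMS log folder. It assumes Windows PowerShell is installed on the agent computer; the account name `CONTOSO\svc-momaction` is a hypothetical placeholder. Only entries that name the account directly are inspected, so access derived from group membership is not evaluated.

```powershell
# Added example, not part of the guide. Replace the placeholder account before running;
# an account name that cannot be resolved makes the SID lookup below fail.
$Account = 'CONTOSO\svc-momaction'   # hypothetical Action Account
$smsDir  = [Environment]::GetEnvironmentVariable('SMS_INSTALL_DIR_PATH', 'Machine')

# Each entry: resource path, rights property of its ACE type, access the table requires.
$checks = @(
    @{ Path = 'HKLM:\Software\Microsoft\SMS'; Prop = 'RegistryRights';
       Need = [System.Security.AccessControl.RegistryRights]::ReadKey },
    @{ Path = (Join-Path $env:windir 'Microsoft Operations Manager'); Prop = 'FileSystemRights';
       Need = [System.Security.AccessControl.FileSystemRights]'Read, Write' }
)
if ($smsDir) {
    $checks += @{ Path = (Join-Path $smsDir 'Logs'); Prop = 'FileSystemRights';
                  Need = [System.Security.AccessControl.FileSystemRights]::Read }
} else {
    Write-Warning 'SMS_INSTALL_DIR_PATH is not set at machine scope; SMS log folder not checked.'
}

# Compare by SID so that differently formatted account names still match.
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate($sidType).Value

foreach ($c in $checks) {
    if (-not (Test-Path -Path $c.Path)) {
        Write-Warning "$($c.Path): not found"
        continue
    }
    $prop  = $c.Prop
    $need  = [int]$c.Need
    $rules = (Get-Acl -Path $c.Path).GetAccessRules($true, $true, $sidType)

    # Allow entries for the account whose rights mask covers every required bit.
    $match = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.$prop) -band $need) -eq $need
    })
    # The SMS registry key entry must also propagate to subkeys.
    $inherit = @($match | Where-Object { $_.InheritanceFlags -match 'ContainerInherit' })

    if ($match.Count -eq 0) {
        Write-Warning "$($c.Path): no entry grants '$($c.Need)' to $Account"
    } else {
        Write-Host ("{0}: '{1}' granted; propagates to children: {2}" -f
            $c.Path, $c.Need, ($inherit.Count -gt 0))
    }
}
```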
