Operations Manager agents

Important

This version of Operations Manager has reached the end of support; we recommend that you upgrade to Operations Manager 2019.

In System Center Operations Manager, an agent is a service installed on a computer that looks for configuration data and proactively collects information for analysis and reporting, measures the health state of monitored objects such as a SQL database or a logical disk, and executes tasks on demand by an operator or in response to a condition. It allows Operations Manager to monitor Windows, Linux, and UNIX operating systems and the components of an IT service installed on them, such as a website or an Active Directory domain controller.

Windows agent

On a monitored Windows computer, the Operations Manager agent is listed as the Microsoft Monitoring Agent service. The Microsoft Monitoring Agent service collects event and performance data, executes tasks, and runs the other workflows defined in a management pack. Even when the service is unable to communicate with the management server it reports to, it continues to run and queues the collected data and events on the disk of the monitored computer. When the connection is restored, the Microsoft Monitoring Agent service sends the collected data and events to the management server.

Note

The Microsoft Monitoring Agent service is sometimes referred to as the health service.

The Microsoft Monitoring Agent service also runs on management servers. On a management server, the service runs monitoring workflows and manages credentials. To run workflows, the service starts MonitoringHost.exe processes using the specified credentials. These processes monitor and collect event log data, performance counter data, and Windows Management Instrumentation (WMI) data, and run actions such as scripts.

Communication between agents and management servers

The Operations Manager agent sends alert and discovery data to its assigned primary management server, which writes the data to the operational database. The agent also sends event, performance, and state data to its primary management server, which writes the data to the operational and data warehouse databases simultaneously.

The agent sends data according to the schedule parameters of each rule and monitor. For optimized collection rules, data is transmitted only if a sample of a counter differs from the previous sample by a specified tolerance, such as 10%. This helps reduce network traffic and the volume of data stored in the operational database.

Additionally, all agents send a packet of data, called a heartbeat, to the management server on a regular schedule, by default every 60 seconds. The purpose of the heartbeat is to validate the availability of the agent and of the communication between the agent and the management server. For more information on heartbeats, see How Heartbeats Work in Operations Manager.

For each agent, Operations Manager runs a health service watcher, which monitors the state of the remote Health Service from the perspective of the management server. The agent communicates with a management server over TCP port 5723.

(Diagram: Agent to management server communication)

Linux/UNIX agent

The architecture of the UNIX and Linux agent differs significantly from that of the Windows agent. The Windows agent has a Health Service responsible for evaluating the health of the monitored computer. The UNIX and Linux agent does not run a health service; instead, it passes information to the Health Service on a management server to be evaluated. The management server runs all of the workflows that monitor operating system health, as defined in the UNIX and Linux management packs:

  • Disk
  • Processor
  • Memory
  • Network adapters
  • Operating system
  • Processes
  • Log files

The UNIX and Linux agents for Operations Manager consist of a CIM Object Manager (that is, a CIM server) and a set of CIM providers. The CIM Object Manager is the "server" component that implements the WS-Management communication, authentication, authorization, and dispatch of requests to the providers. The providers are the key to the CIM implementation in the agent: they define the CIM classes and properties, interface with the kernel APIs to retrieve raw data, format the data (for example, calculating deltas and averages), and service the requests dispatched from the CIM Object Manager. From System Center Operations Manager 2007 R2 through System Center 2012 SP1, the CIM Object Manager used in the Operations Manager UNIX and Linux agents was the OpenPegasus server. The providers used to collect and report monitoring data were developed by Microsoft and open-sourced at CodePlex.com.

(Diagram: Software architecture of the Operations Manager UNIX/Linux agent)

This changed in System Center 2012 R2 Operations Manager, where the UNIX and Linux agents are based on a fully consistent implementation of Open Management Infrastructure (OMI) as their CIM Object Manager. In the Operations Manager UNIX/Linux agents, OMI replaces OpenPegasus. Like OpenPegasus, OMI is an open-source, lightweight, and portable CIM Object Manager implementation, though it is lighter in weight and more portable than OpenPegasus. This implementation continues to be used in System Center 2016 - Operations Manager and later.

(Diagram: Updated software architecture of the Operations Manager UNIX/Linux agent)

Communication between the management server and the UNIX and Linux agent falls into two categories: agent maintenance and health monitoring. The management server uses two protocols to communicate with the UNIX or Linux computer:

  • Secure Shell (SSH) and Secure Shell File Transfer Protocol (SFTP)

    Used for agent maintenance tasks such as installing, upgrading, and removing agents.

  • Web Services for Management (WS-Management)

    Used for all monitoring operations, including the discovery of agents that are already installed.

Communication between the Operations Manager management server and the UNIX and Linux agent uses WS-Man over HTTPS and the WinRM interface. All agent maintenance tasks are performed over SSH on port 22. All health monitoring is performed over WS-Man on port 1270. The management server requests performance and configuration data via WS-Man before evaluating the data to provide a health status. All actions, such as agent maintenance, monitors, rules, tasks, and recoveries, are configured to use predefined profiles according to whether they require an unprivileged or a privileged account.

Note

All credentials referred to in this article pertain to accounts that have been established on the UNIX or Linux computer, not to the Operations Manager accounts that are configured during the installation of Operations Manager. Contact your system administrator for credentials and authentication information.

To support the improved scalability in the number of UNIX and Linux systems that System Center 2016 - Operations Manager and later can monitor per management server, the new asynchronous Windows Management Infrastructure (MI) APIs are available as an alternative to the synchronous WSMAN APIs, which are used by default. To enable this change, create the registry key UseMIAPI on the management servers that monitor Linux/UNIX systems; Operations Manager then uses the new async MI APIs.

  1. Open the Registry Editor from an elevated command prompt.
  2. Create the registry key UseMIAPI under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup.

If you need to restore the original configuration that uses the synchronous WSMAN APIs, delete the UseMIAPI registry key.
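The procedure above can be scripted so that the switch is applied consistently across management servers and can be audited. The following PowerShell is an added example, not code from the Operations Manager documentation; it uses only the registry path and key name stated above, and it must run in an elevated session on a management server. The function names are my own.

```powershell
# Added example (not from the Operations Manager documentation): create, check,
# or remove the UseMIAPI key that switches a management server from the
# synchronous WSMAN APIs (default) to the asynchronous MI APIs for
# UNIX/Linux monitoring. Run in an elevated PowerShell session.
$setupPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup'
$keyPath   = Join-Path $setupPath 'UseMIAPI'

function Get-UseMIAPIState {
    # The documented switch is the presence of the key itself; no value is required.
    if (Test-Path -Path $keyPath) { 'MI-Async' } else { 'WSMAN-Sync' }
}

function Enable-UseMIAPI {
    if (-not (Test-Path -Path $setupPath)) {
        throw "Operations Manager setup key not found at $setupPath; is this a management server?"
    }
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath | Out-Null
    }
    Get-UseMIAPIState
}

function Disable-UseMIAPI {
    # Deleting the key restores the default synchronous WSMAN API behaviour.
    if (Test-Path -Path $keyPath) {
        Remove-Item -Path $keyPath -Recurse
    }
    Get-UseMIAPIState
}

# Example session on one management server:
Write-Host "Before:         $(Get-UseMIAPIState)"
Write-Host "After enabling: $(Enable-UseMIAPI)"
# To revert: Disable-UseMIAPI
```

Running `Get-UseMIAPIState` across all management servers (for example through `Invoke-Command`) is a quick way to confirm that every server monitoring UNIX/Linux systems is using the same API mode.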

Agent security

Authentication on UNIX/Linux computers

In Operations Manager, the system administrator is no longer required to provide the root password of the UNIX or Linux computer to the management server. Instead, through elevation, an unprivileged account can assume the identity of a privileged account on the UNIX or Linux computer. The elevation is performed by the UNIX su (superuser) and sudo programs using the credentials that the management server supplies. For privileged agent maintenance operations that use SSH (such as discovery, deployment, upgrades, uninstallation, and agent recovery), su, sudo elevation, and SSH key authentication (with or without a passphrase) are supported. For privileged WS-Management operations (such as viewing secure log files), sudo elevation (without a password) is supported.

For detailed instructions on specifying credentials and configuring accounts, see How to Set Credentials for Accessing UNIX and Linux Computers.

Authentication with gateway servers

Gateway servers enable agent management of computers that are outside the Kerberos trust boundary of a management group. Because the gateway server resides in a domain that is not trusted by the domain the management group is in, certificates must be used to establish the identity of each computer: agent, gateway server, and management server. This arrangement satisfies the Operations Manager requirement for mutual authentication.

This requires you to request a certificate for each agent that will report to a gateway server and import those certificates into the target computers by using the MOMCertImport.exe tool, which is located in the SupportTools\ (amd64 or x86) directory on the installation media. You need access to a certification authority (CA), which can be a public CA such as VeriSign, or you can use Microsoft Certificate Services.

Agent deployment

System Center Operations Manager agents can be installed by using one of the following three methods. Most installations use a combination of these methods to install different sets of computers, as appropriate.

  • Discovery and installation of one or more agents from the Operations console. This is the most common form of installation. A management server must be able to connect to the computer with RPC, and either the management server Action Account or other provided credentials must have administrative access to the target computer.
  • Inclusion in the installation image. This is a manual installation into a base image that is used to prepare other computers. In this case, Active Directory integration can be used to assign the computer to a management server automatically at first startup.
  • Manual installation. This method is used when the agent cannot be installed by one of the other methods, for example when remote procedure call (RPC) is unavailable because of a firewall. Setup is run manually on the agent computer or deployed through an existing software distribution tool.

Agents installed by using the Discovery Wizard can be managed from the Operations console, for example to update agent versions, apply patches, and configure the management server that the agent reports to.

When you install the agent by a manual method, updates to the agent must also be performed manually. You can use Active Directory integration to assign agents to management groups. For more information, see Integrating Active Directory and Operations Manager.

Agent deployment to Windows systems

Discovery of a Windows system requires that TCP port 135 (RPC), the RPC port range, and TCP port 445 (SMB) remain open, and that the SMB service is enabled on the agent computer.

After a target device has been discovered, an agent can be deployed to it. Agent installation requires:

  • Opening the RPC ports, beginning with the endpoint mapper on TCP 135, and the Server Message Block (SMB) port TCP/UDP 445.
  • Enabling the File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks services. (This ensures that the SMB port is active.)
  • If enabled, the Windows Firewall Group Policy settings Allow remote administration exception and Allow file and printer sharing exception must have Allow unsolicited incoming messages from set to the IP addresses and subnets of the agent's primary and secondary management servers.
  • An account that has local administrator rights on the target computer.
  • Windows Installer 3.1. To install it, see article 893803 in the Microsoft Knowledge Base: https://go.microsoft.com/fwlink/?LinkId=86322
  • Microsoft Core XML Services (MSXML) 6, found in the \msxml subdirectory of the Operations Manager product installation media. Push agent installation installs MSXML 6 on the target device if it is not already installed.
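Before pushing agents, it is worth checking from the management server that the ports and services listed in this section (and, for UNIX/Linux targets, SSH on port 22 and WS-Man on port 1270 from the communication section above) are actually reachable, rather than discovering a blocked port from a failed deployment. The following PowerShell is an added example, not code from the Operations Manager documentation. It assumes the host names are placeholders, that the management server has the NetTCPIP module (Windows Server 2012 and later), and that WinRM is available for the remote service check; the mapping of "File and Printer Sharing for Microsoft Networks" to the Server service (LanmanServer) and "Client for Microsoft Networks" to the Workstation service (LanmanWorkstation) is my own.

```powershell
# Added example, not part of the Operations Manager documentation. Run on a
# management server to verify the network prerequisites this article lists.
# Host names below are constructed placeholders.
$checks = @(
    # Windows push install: RPC endpoint mapper and SMB. The dynamic RPC port
    # range cannot be probed with a fixed port list, so it is not covered here.
    @{ Computer = 'winsrv01.example.local'; Platform = 'Windows';    Ports = @(135, 445) },
    # UNIX/Linux: SSH for agent maintenance, WS-Man for health monitoring.
    @{ Computer = 'rhel01.example.local';   Platform = 'UNIX/Linux'; Ports = @(22, 1270) }
)

function Test-AgentPorts {
    param([hashtable]$Target)
    foreach ($port in $Target.Ports) {
        # Test-NetConnection performs a TCP connect; TcpTestSucceeded is $false
        # when a host firewall or an intermediate firewall drops the port.
        $r = Test-NetConnection -ComputerName $Target.Computer -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Computer = $Target.Computer
            Platform = $Target.Platform
            Port     = $port
            Open     = $r.TcpTestSucceeded
        }
    }
}

function Test-SmbServices {
    # Windows targets also need the SMB-related services running. This check
    # runs on the target through WinRM; service names are the standard ones
    # for "Server" and "Workstation" (my mapping of the two items above).
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
            $s = Get-Service -Name $svc
            [pscustomobject]@{ Service = $s.DisplayName; Status = $s.Status }
        }
    }
}

$results = $checks | ForEach-Object { Test-AgentPorts -Target $_ }
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning 'Closed ports found; review host firewalls and the Group Policy exceptions listed above.'
    $blocked | Format-Table -AutoSize
}

# Service state on the Windows target (requires WinRM on that host):
Test-SmbServices -ComputerName 'winsrv01.example.local' | Format-Table -AutoSize
```

A closed port 445 with an open 135 usually points at the file and printer sharing exception rather than at RPC; a closed 1270 on a UNIX/Linux host means monitoring will fail even though SSH-based agent installation succeeded.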

Agent deployment to UNIX and Linux systems

In System Center Operations Manager, the management server uses two protocols to communicate with the UNIX or Linux computer:

  • Secure Shell (SSH), for installing, upgrading, and removing agents.
  • Web Services for Management (WS-Management), for all monitoring operations, including the discovery of agents that are already installed.

The protocol used depends on the action or information requested on the management server. All actions, such as agent maintenance, monitors, rules, tasks, and recoveries, are configured to use predefined profiles according to whether they require an unprivileged or a privileged account.

Note

All credentials referred to in this section pertain to accounts that have been established on the UNIX or Linux computer, not to the Operations Manager accounts that are configured during the installation of Operations Manager. Contact your system administrator for credentials and authentication information.

Through elevation, an unprivileged account can assume the identity of a privileged account on the UNIX or Linux computer. The elevation is performed by the UNIX su (superuser) and sudo programs using the credentials that the management server supplies. For privileged agent maintenance operations that use SSH (such as discovery, deployment, upgrades, uninstallation, and agent recovery), su, sudo elevation, and SSH key authentication (with or without a passphrase) are supported. For privileged WS-Management operations (such as viewing secure log files), sudo elevation (without a password) is supported.

Active Directory agent assignment

System Center Operations Manager lets you take advantage of your investment in Active Directory Domain Services (AD DS) by using it to assign agent-managed computers to management groups. This feature is commonly used together with an agent deployed as part of a server build process. When the computer comes online for the first time, the Operations Manager agent queries Active Directory for its primary and failover management server assignment and automatically starts monitoring the computer.

To assign computers to management groups by using AD DS:

  • The functional level of the AD DS domains must be Windows 2008 native or higher.
  • Agent-managed computers and all management servers must be in the same domain or in two-way trusted domains.

Note

An agent that determines it is installed on a domain controller will not query Active Directory for configuration information. This is for security reasons. Active Directory integration is disabled by default on domain controllers because the agent runs under the Local System account. The Local System account on a domain controller has domain administrator rights; therefore, it would detect all management server Service Connection Points registered in Active Directory, regardless of the domain controller's security group membership. As a result, the agent would try to connect to all management servers in all management groups. The results can be unpredictable, thus presenting a security risk.

Agent assignment is accomplished by using a Service Connection Point (SCP), an Active Directory object for publishing information that client applications can use to bind to a service. The SCP is created by a domain administrator running the MOMADAdmin.exe command-line tool, which creates an AD DS container for an Operations Manager management group in the domains of the computers it manages. The AD DS security group specified when running MOMADAdmin.exe is granted Read and Delete Child permissions on the container. The SCP contains connection information for the management server, including the server's FQDN and port number. Operations Manager agents can automatically discover management servers by querying for SCPs.

Inheritance is not disabled on these objects, and because an agent can read the integration information registered in AD, forcing inheritance so that the Everyone group can read all objects from the root of Active Directory will severely affect and essentially break AD integration. If you explicitly force inheritance throughout the entire directory by granting the Everyone group read permissions, you must block that inheritance at the top-level AD integration container, named OperationsManager, and all of its child objects. If you fail to do this, AD integration will not work as designed, and you will not have reliable and consistent primary and failover assignment for deployed agents. Additionally, if you have more than one management group, all agents in those management groups will be multi-homed as well.
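Two things an administrator will want to verify on the OperationsManager container are what SCPs an agent would actually discover and whether an inherited Everyone read ACE, the condition the paragraph above warns about, has reached the container. The following PowerShell is an added example, not code from the Operations Manager documentation or the MOMADAdmin.exe tool. It assumes the container sits directly under the domain root, that each SCP's parent container is named after its management group, and that the FQDN and port are published in the standard serviceBindingInformation attribute; the domain DN is a placeholder, and the function names are my own.

```powershell
# Added example, not part of the Operations Manager documentation. Enumerates
# the management server SCPs under the OperationsManager AD integration
# container and flags inherited Everyone read access on that container.
# Assumed layout: CN=OperationsManager,<domain DN> / CN=<management group> / SCPs.
Add-Type -AssemblyName System.DirectoryServices

function Get-OpsMgrScp {
    param(
        # Domain DN, e.g. 'DC=example,DC=local' (placeholder, not from the article).
        [Parameter(Mandatory)][string]$DomainDn
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=OperationsManager,$DomainDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(objectClass=serviceConnectionPoint)'
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'serviceBindingInformation'))

    foreach ($result in $searcher.FindAll()) {
        $props = $result.Properties
        # Parent container name is taken as the management group (assumed layout).
        $parent = $result.GetDirectoryEntry().Parent
        $managementGroup = $parent.Name -replace '^CN=', ''
        foreach ($binding in $props['servicebindinginformation']) {
            [pscustomobject]@{
                ManagementGroup = $managementGroup
                Name            = [string]$props['name'][0]
                Binding         = [string]$binding   # expected form: <management server FQDN>:<port>
            }
        }
    }
}

function Test-EveryoneInheritedRead {
    # Returns the inherited ACEs granting Everyone read on the container; a
    # non-empty result means inheritance was forced and should be blocked here.
    param([Parameter(Mandatory)][string]$DomainDn)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=OperationsManager,$DomainDn")
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $rules | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead)
    }
}

# Runs under the caller's credentials against the placeholder domain.
Get-OpsMgrScp -DomainDn 'DC=example,DC=local' | Format-Table -AutoSize

$everyone = Test-EveryoneInheritedRead -DomainDn 'DC=example,DC=local'
if ($everyone) {
    Write-Warning 'Inherited Everyone read ACE found on CN=OperationsManager; block inheritance on this container and its children.'
    $everyone | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited | Format-Table -AutoSize
}
```

The SCP listing shows exactly the primary and failover servers an agent would bind to after the Agent Assignment and Failover Wizard has been run; the ACL check is the quickest way to confirm that a directory-wide inheritance change has not silently reached the integration container.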

This feature works well for controlling agent assignment in a distributed management group deployment: it prevents agents from reporting to management servers that are dedicated to resource pools, or to management servers in a secondary data center in a warm-standby configuration, so that agents do not fail over during normal operation.

Configuration of agent assignment is managed by an Operations Manager administrator using the Agent Assignment and Failover Wizard to assign computers to a primary management server and a secondary management server.

Note

Active Directory integration is disabled for agents that were installed from the Operations console. By default, Active Directory integration is enabled for agents installed manually using MOMAgent.msi.

Next steps