Forefront Client Security Support Blog

A place for CSS to share experiences supporting Forefront Client Security

Changing the management group to which an FCS client reports


During the course of your FCS deployment it may be necessary to redirect an FCS client from one FCS collection server to another.  Common reasons include moving machines from a test server to a production server, or load balancing machines across down-level installations of an Enterprise Manager deployment.  Note: if you are migrating FCS topologies in a way that involves changing the collection server name, you should follow the steps in the collection server topology migration guide.

 

After reading the FCS deployment guide, it is easy to fall into the misconception that you can simply deploy new policy to that computer and it will automatically see the server name change and begin reporting to the new server.  Unfortunately this is not the case.  As summarized here:

 

In standard Client Security deployment, Client Security agents are deployed to target managed computers by creating and deploying a Client Security policy. This policy writes the names of the Client Security collection server and the Client Security Management group to the target computers. The computers then download the Client Security agent from the distribution server, and they install it with the configuration information from the Client Security policy. This results in the target computers reporting to the Client Security Management group that created the Client Security policy.

 

The key aspect of this is that the management group and collection server names are read only at installation time.  Deploying new policy will change these registry keys, but it will not change the configuration of the MOM agent, which is responsible for sending data to the collection server.  Therefore, to redirect the FCS client we must modify the configuration of the MOM agent.

 

There are several ways to do this, each with its own advantages and disadvantages.  Your choice will likely depend on the number of clients being redirected and the configuration of those clients.  Note that special care should be taken on an FCS collection server or a MOM 2005 management server: in most cases it is inappropriate to script the MOM agent on those machines, and one should manually run clientsetup.exe instead.  Additionally, reconfiguring the MOM agent requires administrative rights, so the scripts shown below require an elevated command prompt.

 

Add/Remove Programs (Uninstall or change a program)

Perhaps the most straightforward way to modify the MOM agent configuration is to go into Add/Remove Programs, locate Microsoft Operations Manager 2005 Agent, and choose Change.  Click Next on the welcome screen and then choose the Modify option.  What you do next depends on the nature of the redirection.  Specifically, the question you should be asking is “Does the name of the management group differ between these installations?”

 

If the group name will be the same, choose the “Modify Management Group” option and then change the Management server name field to the new FCS collection server (yes, this is a mix of FCS and MOM terminology).

 

If you are load balancing across down-level installations or moving from test to production, it is possible that the management group names will differ.  In this case, you will want to run the installation wizard twice.  The first time, choose “Add a new management group” and enter the new management group name and the new collection server name.  The second time, choose the “Remove management group” option and ensure that the old management group is chosen in the dropdown list.  In effect, you are momentarily reporting to both installations.  This is the basic guidance presented in the MOM 2005 documentation.

 

In all the installation options during the wizard you should choose a port of 1270, an Agent Control Level of Full, and a MOM agent action account of LocalSystem.  These settings are what FCS clientsetup.exe uses.

 

Because this activity modifies/reinstalls the MOM agent on the client, a service dependency on WMI must be recreated after the agent has been redirected to ensure proper functioning of the MOM agent.  To recreate this service dependency, enter the following from a command prompt, which sets it and then restarts the MOM service (note that the space after the equal sign is necessary):

sc config mom depend= rpcSs/eventLog/winmgmt & net stop mom & net start mom

 

Advantages

·         Changes made through UI wizards; no scripting required

·         No gap in data reporting

·         Does not require access to FCS CD media

·         Works with multi-homed agents

Disadvantages

·         Extremely time consuming and prone to error for a large number of clients

·         Requires familiarity with the previous and new management server and group names

 

 

Command line invocation of the MOM agent

As mentioned above, using Add/Remove Programs can be cumbersome if you have a large number of clients.  Luckily, the MOMAgent.msi file has documented command line parameters.  You can use the command line installation options in exactly the same way that you would use the wizards.  Additionally, since the MOM agent is already on the machine, we can invoke it using its local MSI package without requiring a copy of the FCS CD media.  This is done using a GUID passed to MsiExec.exe.

 

If the management group will remain the same and only the server name is different, you would use the ModifyConfigGroup operation as follows (the CONFIG_GROUP and MANAGEMENT_SERVER values should be changed to match your environment):

 

MsiExec.exe /I{F692770D-0E27-4D3F-8386-F04C6F434040} /norestart /qn /l*v "C:\MOMReinstall.log" CONFIG_GROUP="SameManagementGroup" CONFIG_GROUP_OPERATION="ModifyConfigGroup" MANAGEMENT_SERVER="newserver.corp.com" AM_CONTROL="Full" REQUIRE_AUTH_COMMN=1 REINSTALL="ALL"

 

 

If the new server the client will report to has a different management group name you would use an AddConfigGroup operation and then a RemoveConfigGroup operation:

 

MsiExec.exe /I{F692770D-0E27-4D3F-8386-F04C6F434040} /norestart /qn /l*v "C:\MOMAdd.log" CONFIG_GROUP="NewManagementGroup" CONFIG_GROUP_OPERATION="AddConfigGroup" MANAGEMENT_SERVER="newserver.corp.com" AM_CONTROL="Full" REQUIRE_AUTH_COMMN=1 REINSTALL="ALL"

  

MsiExec.exe /I{F692770D-0E27-4D3F-8386-F04C6F434040} /norestart /qn /l*v "C:\MOMRemove.log" CONFIG_GROUP="OldManagementGroup" CONFIG_GROUP_OPERATION="RemoveConfigGroup" MANAGEMENT_SERVER="oldserver.corp.com" AM_CONTROL="Full" REQUIRE_AUTH_COMMN=1 REINSTALL="ALL"

 

Because this activity modifies/reinstalls the MOM agent on the client, a service dependency on WMI must be recreated after the change has been made to ensure proper functioning of the MOM agent.  To recreate this service dependency, use the following from a command prompt, which sets it and then restarts the MOM service (note that the space after the equal sign is necessary):

sc config mom depend= rpcSs/eventLog/winmgmt & net stop mom & net start mom
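
The add-then-remove sequence and the dependency repair described above, combined into one batch file that removes the old group only if the add succeeded.  This is an added example, not part of the original post; the group and server names are the article's sample values, and the log directory, the elevation check and the script's own exit codes 1-5 are assumptions.

```batch
@echo off
rem Added example, not from the original post. Group and server names are the
rem article's sample values and LOGDIR is an assumed path; adjust all of them.
setlocal
set "MOM_GUID={F692770D-0E27-4D3F-8386-F04C6F434040}"
set "NEW_GROUP=NewManagementGroup"
set "NEW_SERVER=newserver.corp.com"
set "OLD_GROUP=OldManagementGroup"
set "OLD_SERVER=oldserver.corp.com"
set "LOGDIR=C:"

rem Elevation check: net session fails for non-administrators
rem (it also needs the Server service to be running).
net session >nul 2>&1
if errorlevel 1 (
  echo Run this script from an elevated command prompt.
  exit /b 1
)

rem Step 1: add the new group first so the client is briefly multi-homed.
start "" /wait MsiExec.exe /I%MOM_GUID% /norestart /qn /l*v "%LOGDIR%\MOMAdd.log" CONFIG_GROUP="%NEW_GROUP%" CONFIG_GROUP_OPERATION="AddConfigGroup" MANAGEMENT_SERVER="%NEW_SERVER%" AM_CONTROL="Full" REQUIRE_AUTH_COMMN=1 REINSTALL="ALL"
set "RC=%ERRORLEVEL%"
rem 0 = success, 3010 = success with reboot pending; anything else is a failure.
if not "%RC%"=="0" if not "%RC%"=="3010" (
  echo AddConfigGroup failed with exit code %RC%. Old group left untouched.
  exit /b 2
)

rem Step 2: remove the old group only after the add succeeded.
start "" /wait MsiExec.exe /I%MOM_GUID% /norestart /qn /l*v "%LOGDIR%\MOMRemove.log" CONFIG_GROUP="%OLD_GROUP%" CONFIG_GROUP_OPERATION="RemoveConfigGroup" MANAGEMENT_SERVER="%OLD_SERVER%" AM_CONTROL="Full" REQUIRE_AUTH_COMMN=1 REINSTALL="ALL"
set "RC=%ERRORLEVEL%"
if not "%RC%"=="0" if not "%RC%"=="3010" (
  echo RemoveConfigGroup failed with exit code %RC%. Client still reports to both groups.
  exit /b 3
)

rem Step 3: recreate the WMI service dependency, then restart the MOM service.
sc config mom depend= rpcSs/eventLog/winmgmt
net stop mom
net start mom

rem Step 4: confirm the dependency is registered and the service is running.
sc qc mom | find /i "winmgmt" >nul || (echo WMI dependency missing on MOM service. & exit /b 4)
sc query mom | find "RUNNING" >nul || (echo MOM service is not running. & exit /b 5)
echo MOM agent now reports to %NEW_GROUP% on %NEW_SERVER%.
exit /b 0
```

A non-zero exit code tells the deployment tool which step failed, and the verbose MSI logs under LOGDIR hold the detail.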

 

Advantages

·         Can be automated and widely deployed to change a large number of clients

·         No gap in data reporting

·         Does not require access to FCS CD media

·         Works with multi-homed agents

Disadvantages

·         Requires some scripting or batch file creation

·         Requires a method of deploying the command line invocations

·         Requires familiarity with the previous and new management server and group names

 

 

Removing the FCS MOM agent and rerunning clientsetup.exe

As you may have seen from the first option, you can remove the MOM agent by going into Add/Remove Programs, locating Microsoft Operations Manager 2005 Agent, and choosing Change.  Click Next on the welcome screen, then choose the “Remove management group” option and ensure that the old management group is chosen in the dropdown list.  The machine now has no agent.  Then you can use the FCS CD media and run \client\clientsetup.exe (or \client\x64\clientsetup.exe on an x64 platform).  Rerunning clientsetup.exe causes it to read the new policy settings, which contain the new MOM server and group name, and to install a new MOM agent accordingly.  If you do not have FCS policy deployed, you can call: clientsetup.exe /MS newserver.corp.com /CG NewManagementGroup

 

Since clientsetup.exe is used to install the MOM agent it will properly set a service dependency on WMI without additional steps.

 

Advantages

·         Changes made through UI wizards and commands; no scripting required

·         Typically does not require familiarity with the previous and new management server and group names

·         Works with multi-homed agents

Disadvantages

·         Requires access to FCS CD media

·         Gap in reporting between uninstallation and reinstallation

·         May be time consuming for a large number of clients

 

 

Removing the entire MOM agent and rerunning WSUS deployment

This is similar to the method above, in that the MOM agent is removed.  If you are looking to push this out, you can combine it with the command line option like this:

 

MsiExec.exe /qn /x{F692770D-0E27-4D3F-8386-F04C6F434040}

 

Then, instead of manually installing the FCS agent from the media, you can approve it on your WSUS/Distribution server and allow it to be redeployed automatically.  The detection logic of the FCS deployment package checks for the presence of all three client components (antimalware, security assessment, and MOM agents).  Since the MOM agent will be missing, it will redeploy the package and reinstall only the MOM agent using the new settings deployed via policy.  For more information on how to configure WSUS client deployment, see the FCS deployment guide.

 

Note that you can force automatic detection and installation by configuring the FCS client installation package with a WSUS deadline for a date in the past and then, after uninstalling the MOM agent, running “wuauclt /detectnow” from the command line.  This should force a detection cycle, and the deadline should cause the package to be installed immediately.

 

Since clientsetup.exe is used to install the MOM agent it will properly set a service dependency on WMI without additional steps.

 

This technique should not be used with a multi-homed MOM agent (an agent also reporting to a traditional MOM 2005 infrastructure).  As described above, it requires that the MOM agent be completely removed to meet the WSUS deployment logic.  After the command above uninstalls the entire MOM agent, the FCS client is reinstalled but the traditional MOM configuration is not.

 

Advantages

·         Typically does not require familiarity with the previous and new management server and group names

·         Can be automated and widely deployed to change a large number of clients

·         Does not require access to FCS CD media

Disadvantages

·         Should not be used with multi-homed agents

·         Gap in reporting between uninstallation and reinstallation

·         Requires some scripting or batch file creation

·         Requires a method of deploying the command line invocations

 

 

Multi-homing via MOM Administration console Install/Uninstall Agent Wizard

Built into MOM 2005 is an Install/Uninstall Agent Wizard.  This wizard can be invoked as either the server action account or a user account, and it will try to remotely install or uninstall a MOM agent for the management group and server from which the wizard is run.  The wizard and steps are documented in the MOM Deployment Guide.  The steps are:

1.    From a MOM admin console in the new deployment, run the Install Agent Wizard to add the new client machine(s).  Upon success the machine will be multi-homed to both installations.

2.    From a MOM admin console in the old deployment, run the Uninstall Agent Wizard to remove the client machine(s). 

 

On the surface this looks like the easiest and most desirable method, but in reality it probably has the highest failure rate.  Reasons for this include:

·         The installation wizard is server->client, so if any firewalls exist over the MOM/SMB/RPC ports this will fail.  The required firewall configuration to enable this is described in:

The Microsoft Operations Manager 2005 agent does not install on computers that are running Windows XP with Service Pack 2 (SP2) and Windows Server 2003 with Service Pack 1 (SP1)

http://support.microsoft.com/default.aspx?scid=kb;EN-US;885726

 

·         Using the wizards requires that the machines be online at the time the wizard (or the resulting computer discovery action) is run to use a specified account

·         An account with admin permissions on the client must be used in both wizards; usually this means all domains are trusted

 

 

Advantages

·         Typically does not require familiarity with the previous and new management server and group names

·         Can be automated and widely deployed to change a large number of clients

·         Does not require access to FCS CD media

·         No gap in data reporting

·         No scripting required

Disadvantages

·         Error prone and potentially problematic to implement

·         May require changes to the firewall configuration of the client machines

 

 

Because this activity modifies/reinstalls the MOM agent on the client, a service dependency on WMI must be recreated after the change has been made to ensure proper functioning of the MOM agent.  To recreate this service dependency, use the following from a command prompt, which sets it and then restarts the MOM service (note that the space after the equal sign is necessary):

sc config mom depend= rpcSs/eventLog/winmgmt & net stop mom & net start mom

 

 

Thanks,
Craig Wiand
Forefront Client Security Escalation Engineer

 

Comments
  • The FCS Nerds have a great blog post describing how to relocate an FCS client to a new management group,
