Brian McDermott | Escalation Engineer | Microsoft CTS Management and Security Division
Hi everyone, Brian McDermott here with some info on how to change the Management Server Run As account on a clustered RMS in System Center Operations Manager 2007.
In a way, yes it is. You simply find the account whose password has changed in the console and then update it.
When you do this, you are updating the account information that is stored in the DB and this now needs to be distributed as a configuration update to all the machines that use this account. Once the machines receive the updated credentials they will log on with the updated credentials and all should be good.
With a clustered RMS, on failover to the passive node you will find things are not so good after all.
You will see that the Management Server Run As Account fails to be authenticated.
In a way you might expect this, as the other node does not yet know that the password has been changed on this account (credential information is securely stored locally on each server/agent in a similar way to how service account information is stored).
So you wait for the new configuration to be downloaded but you still receive an error in the Operations Manager event log similar to the one below.
Source: HealthService Date: Event ID: 7000 Task Category: Health Service Level: Error Keywords: Classic User: N/A Computer: RMSClusterNode1 Description: The Health Service could not log on the RunAs account DOMAIN\MSActionAccount for management group ManagementGroupName. The error is Logon failure: unknown user name or bad password. (1326L). This will prevent the health service from monitoring or performing actions using this RunAs account
If you check the account settings for the default Run As Account Profile for your clustered RMS you will see something very unusual. It is now associated with a new Run As account named the same as your original account but with (Alternate Account) pegged onto the end.
On failover, the passive node attempted to update the account and discovered there was one in there already with the same name but a different password, so it ended up creating this alternate account and associating it with the Default Run As Account profile.
So even though a new configuration has now arrived with the new password, this node is attempting to log on with the old password associated with the newly created (Alternate Account), and this is failing.
First you need to reset the association between the default Run As account profile and the original Action account.
Then, wait for the configuration containing this association to arrive. Once the next configuration is downloaded to the node all will be well again.
NOTE: In some larger Operations Manager environments you may have made a change to the following registry key in order to improve performance.
HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Config Service\Polling Interval Seconds
By default, this key does not exist and the Polling Interval is set to 30 seconds. If you have changed this to increase the polling interval, before you begin your password change and failover procedure, you should ensure it is set back to avoid any additional delay whilst waiting for the changed passwords/account associations to be delivered.
More details on that key (and some other useful ones) can be found here:
Get the latest System Center news on Facebook and Twitter:
System Center All Up: http://blogs.technet.com/b/systemcenter/ System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/ System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/ System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/ System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm
Windows Intune: http://blogs.technet.com/b/windowsintune/ WSUS Support Team blog: http://blogs.technet.com/sus/ The AD RMS blog: http://blogs.technet.com/b/rmssupp/
The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/ The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/ The Forefront TMG blog: http://blogs.technet.com/b/isablog/ The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/