Brian McDermott | Escalation Engineer | Microsoft CTS Management and Security Division

Hi everyone, Brian McDermott here with some info on how to change the Management Server Run As account on a clustered RMS in System Center Operations Manager 2007.

Isn’t that just the same as changing the Run As Account on any management server?

In a way, yes it is. You simply find the account whose password has changed in the console and then update it.


When you do this, you are updating the account information that is stored in the DB and this now needs to be distributed as a configuration update to all the machines that use this account. Once the machines receive the updated credentials they will log on with the updated credentials and all should be good.

So why are you writing a blog on this…and why on earth am I reading it?

With a clustered RMS, on failover to the passive node you will find things are not so good after all.

You will see that the Management Server Run As Account fails to be authenticated.

In a way you might expect this, as the other node does not yet know that the password has been changed on this account (credential information is securely stored locally on each server/agent in a similar way to how service account information is stored).

So you wait for the new configuration to be downloaded but you still receive an error in the Operations Manager event log similar to the one below.

Source: HealthService
Date:
Event ID: 7000
Task Category: Health Service
Level: Error
Keywords: Classic
User: N/A
Computer: RMSClusterNode1
Description:
The Health Service could not log on the RunAs account DOMAIN\MSActionAccount for management group ManagementGroupName. The error is Logon failure: unknown user name or bad password. (1326L). This will prevent the health service from monitoring or performing actions using this RunAs account

If you check the account settings for the default Run As Account Profile for your clustered RMS, you will see something very unusual. It is now associated with a new Run As account that has the same name as your original account, but with (Alternate Account) appended to the end.


On failover, the passive node attempted to update the account and discovered there was one in there already with the same name but a different password, so it ended up creating this alternate account and associating it with the Default Run As Account profile.

So even though a new configuration has now arrived with the new password, this node is attempting to log on with the old password associated with the newly created (Alternate Account), and this is failing.

How Can I Recover?

First you need to reset the association between the default Run As account profile and the original Action account.


Then, wait for the configuration containing this association to arrive. Once the next configuration is downloaded to the node all will be well again.

NOTE: In some larger Operations Manager environments you may have made a change to the following registry key in order to improve performance.

HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Config Service\Polling Interval Seconds

By default, this key does not exist and the Polling Interval is set to 30 seconds. If you have changed this to increase the polling interval, you should ensure it is set back before you begin your password change and failover procedure. This avoids any additional delay whilst waiting for the changed passwords/account associations to be delivered.

More details on that key (and some other useful ones) can be found here:

http://blogs.technet.com/b/mgoedtel/archive/2010/08/24/performance-optimizations-for-operations-manager-2007-r2.aspx
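The following PowerShell check is an added example, not part of the original post: run before the password change and again after failover, it reports for each cluster node whether the polling interval has been overridden and whether the event 7000 / error 1326 logon failure shown above has been logged recently. It assumes that Polling Interval Seconds is a value under the Config Service key, that the Remote Registry service and remote event log access are available on the nodes, and that RMSClusterNode2 and the four-hour lookback window are hypothetical placeholders.

```powershell
# Added example; run from an admin workstation with rights on both nodes.
param(
    [string[]]$Nodes = @('RMSClusterNode1', 'RMSClusterNode2'),  # 2nd name is hypothetical
    [int]$LookbackHours = 4                                      # hypothetical window
)

$keyPath   = 'SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Config Service'
$valueName = 'Polling Interval Seconds'  # assumption: a value under the key above
$hive      = [Microsoft.Win32.RegistryHive]::LocalMachine

foreach ($node in $Nodes) {
    # 1. Polling interval: absent means the 30-second default is in effect.
    $interval = 'not set (default 30)'
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $node)
        $key  = $hklm.OpenSubKey($keyPath)
        if ($key) {
            $value = $key.GetValue($valueName)
            if ($null -ne $value) { $interval = $value }
            $key.Close()
        }
        $hklm.Close()
    } catch {
        $interval = "unreadable: $($_.Exception.Message)"
    }

    # 2. Event 7000 from HealthService with error 1326 = Run As logon failure.
    $filter = @{
        LogName      = 'Operations Manager'
        ProviderName = 'HealthService'
        Id           = 7000
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    }
    $failures = @(Get-WinEvent -ComputerName $node -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '1326' })
    # Get-WinEvent returns newest events first, so index 0 is the latest failure.
    $latest = if ($failures.Count) { $failures[0].TimeCreated } else { $null }

    New-Object PSObject -Property @{
        Node = $node; PollingIntervalSeconds = $interval
        LogonFailures = $failures.Count; LatestFailure = $latest
    } | Select-Object Node, PollingIntervalSeconds, LogonFailures, LatestFailure
}
```

A node that keeps logging new failures after the Run As profile association has been reset and a configuration update has had time to arrive is still using the old credentials.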
