Managing ‘Registered Servers’

  • Article

Whenever you install a Service Manager Management Server, it’ll go ahead and register a Service Connection Point (SCP) for itself in Active Directory.  This provides that functionality of listing the Management Servers when you open up the Service Manager Console:

 

Note: If for some reason (probably security), a MS isn’t registered, you can go ahead & manually create the SCP.  My colleague Richard Usher wrote a blog on this at https://blogs.technet.com/b/servicemanager/archive/2011/01/12/manually-creating-service-connection-points-scp-for-scsm.aspx.

In a production deployment of Service Manager, you’re going to want to deploy multiple Management Servers.  This gives us high availability, and allows us to split out the Workflow MS from the Console MS.  This is really well documented at https://technet.microsoft.com/en-us/library/hh495613.aspx

Say I’ve gone ahead & installed two management servers – at this point, both will show up as ‘Registered Servers’ when I open up the console.  What if I don’t want this?  Maybe I want to keep my console connections on one MS, and workflows on the other.

To block a MS from showing up as a Registered Server, we can simply edit the SCP in Active Directory.  Looking in ADSIEdit, I can see each of my Management Servers has the SCP, named SMSDKServiceSCP.

In this example, I want the following:

-       Service Manager Administrators can see all registered Management Servers

-       My Incident Analysts can only see the Management Servers I want to handle console connections

To achieve this, I’ll edit the permissions on the SCP, which I want to block.

-       Right click on CN=SMSDKServiceSCP under the Computer you wish to block > Properties

-       On the Security tab, you will see that Authenticated Users have Read access

-       Un-tick Read access for Authenticated Users

-       Ensure that your Service Manager Admin group has full access over the SCP still

 Now, when an analyst opens up their console, they’ll only see the Management Server I want them to connect to: 

In scale-out environments, you will want to install more than 2 Management Servers.  1 MS will handle Workflows, then add an additional MS for every 40 -50 concurrent console connections (https://technet.microsoft.com/en-us/library/hh495613.aspx).

In this scenario, rather than listing several Management Servers to connect to, you can implement an NLB.  The NLB will be listed as the console connection, then hand the connection over to your ‘pool’ of management servers.

To achieve this – you’ll want to block each of the Management Servers SCP, and create one manually for the NLB, as per https://blogs.technet.com/b/servicemanager/archive/2011/01/12/manually-creating-service-connection-points-scp-for-scsm.aspx.