Some time ago I posted an article about gateway servers, Ops Mgr R2 and Server 2008. This week I have extended that scenario by adding two more management servers and one more gateway server.
To make this scenario work I had to configure both my gateway servers to use corp-MS03 and corp-MS02 as primary and secondary management servers. You can do that with the Operations Manager Command Shell.
Log on to a machine with the Command Shell installed, for example a workstation, and run the following script (save it as a .ps1 script file):
$primaryMS = Get-ManagementServer | where {$_.Name -eq 'corp-ms02.corp.contoso.local'}
$failoverMS = Get-ManagementServer | where {$_.Name -eq 'corp-r2.corp.contoso.local'}
$gatewayMS = Get-GatewayManagementServer | where {$_.Name -eq 'dmz01'}
Set-ManagementServer -GatewayManagementServer: $gatewayMS -primarymanagementserver: $primaryMS -FailoverServer: $failoverMS
That script configures the gateway server, DMZ01, to use corp-MS02 as primary management server and corp-R2 as failover management server. Be aware that when the current management server gets this update, it will stop accepting connections from your gateway server (unless it is the primary or failover management server in the new configuration). That could result in an orphaned gateway server, that is, a gateway server that is not allowed to communicate with any management server. If this happens you will have to log on to your gateway server, check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Server Management Group\<Management Group Name>\Parent Health Services\0
and look for the authenticationName string. You must then run the Set-ManagementServer cmdlet again and change the management server back to the one in the registry. To make sure you don't end up with orphaned gateway servers, use your current management server as failover server in your script. The gateway server can then receive the new configuration from the new failover server (the current management server), and once you have confirmed the configuration change you can update the failover server for the gateway server.
To verify that your gateway server has received the new configuration, look in the OpsMgrConnector.Config.XML file on your gateway server and search for Parents in the file. The default location is C:\Program Files\System Center operations Manager 2007\Health Service State\Connector Configuration Cache\.
You can also run the following Command Shell commands to see the primary and failover server for a gateway server:
Get-GatewayManagementServer | where {$_.Name -like 'DMZ01'} | Get-PrimaryManagementServer
Get-GatewayManagementServer | where {$_.Name -like 'DMZ01'} | Get-FailoverManagementServer
If everything looks OK, you can now run the PowerShell script again and update $failoverMS to the correct failover management server.
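The orphaning risk described above can be checked before the change is made. The following is an added example, not code from the original post: the function name Set-GatewayParentSafely is hypothetical, it uses only the cmdlets shown in this post, and it assumes a Command Shell session already connected to the management group.

```powershell
# Added example (not from the original post). Function name is hypothetical.
function Set-GatewayParentSafely {
    param(
        [string]$GatewayName,       # e.g. 'dmz01'
        [string]$PrimaryName,       # e.g. 'corp-ms02.corp.contoso.local'
        [string[]]$FailoverNames    # e.g. 'corp-r2.corp.contoso.local'
    )

    $gateway = Get-GatewayManagementServer | where {$_.Name -eq $GatewayName}
    if (-not $gateway) { throw "Gateway server '$GatewayName' not found." }

    $primary = Get-ManagementServer | where {$_.Name -eq $PrimaryName}
    if (-not $primary) { throw "Management server '$PrimaryName' not found." }

    $failover = @(Get-ManagementServer | where {$FailoverNames -contains $_.Name})
    if ($failover.Count -ne $FailoverNames.Count) {
        throw "Not every failover server name could be resolved."
    }

    # The gateway can only fetch its new configuration from a parent that
    # still accepts it, so the current primary must remain in the new list.
    $current = $gateway | Get-PrimaryManagementServer
    $allowed = @($PrimaryName) + $FailoverNames
    if ($current -and ($allowed -notcontains $current.Name)) {
        throw "Refusing change: current primary '$($current.Name)' is neither primary nor failover in the new configuration, so '$GatewayName' would be orphaned."
    }

    Set-ManagementServer -GatewayManagementServer: $gateway -PrimaryManagementServer: $primary -FailoverServer: $failover

    # Read the setting back from the management group.
    $gateway = Get-GatewayManagementServer | where {$_.Name -eq $GatewayName}
    "Primary : " + ($gateway | Get-PrimaryManagementServer).Name
    "Failover: " + [string]::Join(', ', @($gateway | Get-FailoverManagementServer | foreach {$_.Name}))
}

# First step from the post: new primary, current parent kept as failover.
Set-GatewayParentSafely -GatewayName 'dmz01' -PrimaryName 'corp-ms02.corp.contoso.local' -FailoverNames 'corp-r2.corp.contoso.local'
```

The read-back only shows what the management group has stored; the gateway itself has picked up the change once the new parents appear in OpsMgrConnector.Config.XML.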
To configure the agent to communicate with the two gateway servers I ran the following two scripts. corp-r2 was the primary/only management server for the agent when I started.
$primaryMS = Get-GatewayManagementServer | where {$_.Name -eq 'dmz01'}
$failoverMS = Get-ManagementServer | where {$_.Name -eq 'corp-r2.corp.contoso.local'}
$agent = Get-agent | where {$_.Name -eq 'DMZ-A01'}
Set-ManagementServer -AgentManagedComputer: $agent -PrimaryManagementServer: $primaryMS -FailoverServer: $failoverMS
After I verified that the agent had received the new configuration, I ran:
$primaryMS = Get-GatewayManagementServer | where {$_.Name -eq 'dmz01'}
$failoverMS = Get-gatewayManagementServer | where {$_.Name -eq 'dmz-02'}
$agent = Get-agent | where {$_.Name -eq 'DMZ-A01'}
Set-ManagementServer -AgentManagedComputer: $agent -PrimaryManagementServer: $primaryMS -FailoverServer: $failoverMS
The result of these commands is that my agent (DMZ-A01) can communicate with both gateway servers, and both my gateway servers can communicate with both my management servers. If I shut down DMZ01, my agent, DMZ-A01, fails over to DMZ-02. If I start DMZ01 again, the agent automatically returns to DMZ01. If I shut down corp-MS02, my gateway server automatically fails over to corp-ms03. If I shut down one gateway server and one management server, the agent will still communicate with the management group.
[…] There is a nice article on how to use multiple gateways by Anders Bengtsson: http://contoso.se/blog/?p=831 And yet another good article from Marnix about some of the advantages of a gateway: […]
Hi, it was years since I configured this last time 🙂 But I don’t think you should put management servers or gateway servers between NLB as authentication with Kerberos or certificate will not work then. Explain a bit more about your scenario and I will see if I can help more.
Hello, thanks for all your help.
Please, if we have 2 gateway servers as in your scenario and we need the 2 gateways referring to our SCOM management server with Windows NLB (2 management servers), how can we do this?
[…] http://contoso.se/blog/?p=831 […]
[…] with certificate there is a number of steps to carry out. I have a couple of blog posts around that here, here and here. As you can see it is a pretty complicated process and easy that you miss a step or […]
[…] a orphaned gateway server. For writing this script, I took my idea from this excellent post : Ops Mgr R2 and multiple gateway servers ######################################## # Gateway Server : Primary / […]
I did a little script for adding a failover server to a gateway
########################################
# Gateway Server : Primary / Failover
# Author : Christopher Keyaert
# Email : christopher@vnext.be
# Website : http://www.vnext.be
# Date : 8 DEC 2010
# Version : 0.1
#
# Inspired by : http://contoso.se/blog/?p=831
########################################
# PARAM
########################################
#FQDN NAME
$RMS = "xxx.CONTOSO.COM"
$Gateway = "xxx.CONTOSO.COM"
$PrimaryMS = "xxx.CONTOSO.COM"
$failoverMS = "xxx.CONTOSO.COM"
#Waiting time
$WaitingTime = 3 # Minutes
########################################
# SNAP-IN + RMS Connection
########################################
if(-not (Get-pssnapin | Where-Object {$_.Name -eq "Microsoft.EnterpriseManagement.OperationsManager.Client"}))
{
    Add-PSSnapin Microsoft.EnterpriseManagement.OperationsManager.Client
}
new-managementGroupConnection -ConnectionString:$RMS
Set-Location "OperationsManagerMonitoring::" -ErrorVariable errSnapin ;
Set-Location $RMS -ErrorVariable errSnapin ;
########################################
# SCRIPT
########################################
Write-Host "#######################"
Write-Host "# Gateway Failover #"
Write-Host "#######################"
Write-Host ""
Write-Host "Gateway : "$Gateway
Write-Host "Primary : "$PrimaryMS
Write-Host "Failover : "$FailoverMS
Write-Host ""
#Get server details (variable names are case-insensitive, so from here on
#$primaryMS and $failoverMS hold server objects, not the name strings)
$primaryMS = Get-ManagementServer | where {$_.Name -eq $PrimaryMS}
$failoverMS = Get-ManagementServer | where {$_.Name -eq $failoverMS}
$gatewayMS = Get-GatewayManagementServer | where {$_.Name -eq $Gateway}
#Get current primary
$CurrentPrimary = $gatewayMS | Get-PrimaryManagementServer
#Set current primary as failover for configuration transfer
Set-ManagementServer -GatewayManagementServer: $gatewayMS -primarymanagementserver: $primaryMS -FailoverServer: $CurrentPrimary
#Wait for config change
For($i = $WaitingTime; $i -gt 0; $i--)
{
    Write-Host "Waiting $i minutes for configuration changes"
    Start-Sleep 60
}
#Set the real configuration
Set-ManagementServer -GatewayManagementServer: $gatewayMS -primarymanagementserver: $primaryMS -FailoverServer: $failoverMS
#Check the primary and failover server now configured for the gateway server
$CheckPrimary = Get-GatewayManagementServer | where {$_.Name -like $Gateway} | Get-PrimaryManagementServer
If($CheckPrimary.Name -eq $primaryMS.Name)
{Write-Host "Primary server OK : $($primaryMS.Name)"}
else{Write-Host "Primary server Failed : $($CheckPrimary.Name)"}
$CheckFailover = Get-GatewayManagementServer | where {$_.Name -like $Gateway} | Get-FailoverManagementServer
If($CheckFailover.Name -eq $failoverMS.Name)
{Write-Host "FailOver server OK : $($failoverMS.Name)"}
else{Write-Host "FailOver server Failed : $($CheckFailover.Name)"}
Write-Host ""
Write-Host "END."
If there is no Kerberos you will need certificates. So certificates on all health services that are not in the domain.
Thanks for the info, a quick question. In order to set up agent failover between two gateway servers, how are your agent computers set up? Are they in a domain or a workgroup config? I suppose you need to install x.509 certs to enable communication between agent and Gateway servers in a workgroup environment as no Kerberos boundary is there. How do you set up two gateway servers in this scenario?
You could also do like this:
$primaryMS = Get-ManagementServer | where {$_.Name -eq 'corp-ms02.corp.contoso.local'}
$failoverMS = Get-ManagementServer | where {$_.Name -eq 'corp-r2.corp.contoso.local'}
$failoverMS2 = Get-ManagementServer | where {$_.Name -eq 'corp-ms03.corp.contoso.local'}
$gatewayMS = Get-GatewayManagementServer | where {$_.Name -eq 'dmz01'}
Set-ManagementServer -GatewayManagementServer: $gatewayMS -primarymanagementserver: $primaryMS -FailoverServer: $failoverMS,$failoverMS2
This will give you both CORP-R2 and CORP-MS03 as failover hosts.
Great comment! Thanks. I did not post that command, but
“To make sure you don´t end up with orphaned gateway servers use your current management server as failover server in your script, then the gateway server can receive new configuration from the new failover server (current management server) and when you have confirm the configuration change, you can update the failover server for the gateway server.”
So after I ran the first command (that I have in the post) I ran it again to configure the failover management server.
Great topic to blog about and it covers some much needed info…
One quick question – you mention the following: “If I shutdown corp-MS02 my gateway server will automatic failover to corp-ms03.”
How does the ‘corp-ms03’ come into play if in your PS script you determine the following:
Primary MS = corp-ms02.corp.contoso.local
and
Failover MS = corp-r2.corp.contoso.local
Did I mis-read something in your post?