Configuring MS agents
Restricting AD domain discovery
MS agents can be configured to restrict discovery on AD domains. This is accomplished by whitelisting or blacklisting AD domains on the MS agent or cluster.
Add AD domain discovery restrictions
- Navigate to .
- Select your agent and click Edit to open the Edit MS Agent window.
- Open the AD Domains Restrictions tab.
- Select a Restriction type.
  - only listed — Only the listed AD domains can be accessed.
  - excluding listed — Any AD domain that is not listed can be accessed.
- Enter your AD domain(s) and click the Add icon.
- Click Save.
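To see how the two restriction types behave before saving one, here is a small added Python model (not SCM or agent code) that applies "only listed" as an allow-list and "excluding listed" as a block-list to a constructed set of discovered domains; the case-insensitive, trailing-dot-stripping comparison is an assumption of this model, not documented SCM behaviour.

```python
# Added illustration, not SCM code: model of the two AD domain restriction
# types ("only listed" = allow-list, "excluding listed" = block-list) applied
# to the domains an agent discovers. The normalisation rules (case-insensitive,
# trailing dot stripped) are assumptions for this model, not SCM behaviour.

ONLY_LISTED = "only listed"
EXCLUDING_LISTED = "excluding listed"


def normalize(domain: str) -> str:
    """Canonical form for comparison: lower-case, no trailing dot or whitespace."""
    return domain.strip().rstrip(".").lower()


def domain_allowed(domain: str, restriction_type: str, listed) -> bool:
    """Return True if discovery may touch `domain` under the given restriction."""
    listed_set = {normalize(d) for d in listed}
    d = normalize(domain)
    if restriction_type == ONLY_LISTED:
        return d in listed_set          # allow-list: an empty list blocks everything
    if restriction_type == EXCLUDING_LISTED:
        return d not in listed_set      # block-list: an empty list allows everything
    # Unknown restriction type: fail closed rather than silently scanning.
    raise ValueError(f"unknown restriction type: {restriction_type!r}")


def partition(discovered, restriction_type, listed):
    """Split discovered domains into (scanned, skipped) for review before saving."""
    scanned = [d for d in discovered if domain_allowed(d, restriction_type, listed)]
    skipped = [d for d in discovered if not domain_allowed(d, restriction_type, listed)]
    return scanned, skipped


# Constructed sample input: domains an agent might enumerate from a forest.
DISCOVERED = ["corp.example.com", "LAB.example.com.", "partner.example.net"]

if __name__ == "__main__":
    for rtype in (ONLY_LISTED, EXCLUDING_LISTED):
        print(rtype, partition(DISCOVERED, rtype, ["corp.example.com"]))
```

The point to check is the empty-list case: an "excluding listed" restriction with no domains restricts nothing, while an "only listed" restriction with no domains blocks all discovery.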
Remove AD domain discovery restrictions
- Navigate to .
- Select your agent and click Edit to open the Edit MS Agent window.
- Open the AD Domains Restrictions tab.
- Locate the domain restriction to be removed, and click X.
You can remove all AD domain discovery restrictions from the agent by clicking Remove All.
Managing MS agent clusters
You can create agent clusters by grouping standalone MS agents that are installed on different servers.
Clustered agents ensure that if one or more agents go down, their certificate discovery and issuance functions are taken over by another agent in the cluster. This prevents delays and data loss during issuance and discovery operations.
Any number of agents can be included in a cluster. For the configuration to succeed, the clustered agents must have been installed with auto-update enabled.
In order to perform certificate enrollment, each agent in a cluster must be assigned the same MS AD certificate template.
Create an MS agent cluster
- Navigate to and click Create Cluster.
- In the Add MS Agent Cluster dialog, provide a name to help identify the cluster.
- Select the organization and, optionally, the department for use in certificate issuance.
- (Optional) In the Comments field, provide any relevant comments or notes related to the cluster.
- Click Next.
- (Optional) Configure AD domain restrictions for the cluster.
  - Open the AD Domains Restrictions tab.
  - Select a Restriction type.
    - only listed — Only the listed AD domains can be accessed.
    - excluding listed — Any AD domain that is not listed can be accessed.
  - Enter your AD domain(s) and click the Add icon.
- Open the Nodes tab.
- Click the Add icon.
- Select the agent from the Available nodes menu and click Save.
  If the agent you are attempting to add is not visible, check whether the node has auto-update enabled. Clustered agents must have been installed with auto-update enabled.
  The agents are added to the cluster and listed in the Nodes list. These agents are then available for further configuration.
  SCM automatically assigns one of the agents in the cluster as the Cluster master agent to receive the commands for discovery scans and certificate issuance. If the connection to the cluster master is lost, the next agent is set as the cluster master.
- Click Save.
The clustered agents should now be displayed as a single agent on the MS Agents page.
Add nodes to a cluster
- Navigate to .
- Select your agent cluster and click Edit to open the Edit MS Agent Cluster window.
- Open the Nodes tab and click the Add icon.
- Select the agent from the Available nodes menu, and click Next.
  If the agent you are attempting to add is not visible, check whether the node has auto-update enabled. Clustered agents must have been installed with auto-update enabled.
- Click Save.