When monitoring hosts and database instances using a shared Active Directory (AD) service account across multiple agents, a password change in AD may result in mass account lockouts. This typically occurs when one or more Foglight agents continue to use the old password, leading to repeated authentication failures and triggering AD lockout policies.
All Foglight agents that use a shared AD account attempt to authenticate at short intervals (as often as once per second, or more frequently). If even one agent still holds an outdated password, its failed attempts quickly exceed the AD lockout threshold and lock the account, at which point every other agent and host that shares the account also stops authenticating. This issue is especially prevalent in environments with:
A large number of agents (hundreds or more)
Multiple Foglight Management Servers (FMS) using the same AD account
Duplicate or inconsistent credential/resource mappings
Without proper coordination, identifying the exact agent responsible for the lockout can be extremely difficult, because the repeated failures generate a large volume of log entries on the agents and on the domain controllers.
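One way to find the offending host without reading agent logs is to ask the domain controller, which records the lockout (event 4740, with the caller computer name) and each bad-password attempt (4771 for Kerberos, 4776 for NTLM, each with the source address or workstation). The script below is an added example, not part of this KB article or the Foglight product; it assumes a hypothetical account name (svc-foglight), remote read access to the domain controller's Security log, and the RSAT ActiveDirectory module for Get-ADDomain and Get-ADDefaultDomainPasswordPolicy.

```powershell
<#
  Added example, not from the Quest KB or the Foglight product: identify the host that
  is still presenting the old password for a shared service account by reading the
  domain controller's Security log directly.
  Assumptions (hypothetical values): the account is named svc-foglight, the caller can
  read the DC Security log remotely, and the RSAT ActiveDirectory module is installed.
#>
param(
    [string]$Account = 'svc-foglight',
    # Lockout events (4740) are written on the PDC emulator, so start there.
    [string]$DomainController = (Get-ADDomain).PDCEmulator,
    [int]$Hours = 2
)

# Read a named EventData field so the script does not depend on positional indexes.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4740 = account locked out, 4771 = Kerberos pre-authentication failed,
# 4776 = NTLM credential validation.
$filter = @{
    LogName   = 'Security'
    Id        = 4740, 4771, 4776
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    if ((Get-EventField $e 'TargetUserName') -ne $Account) { continue }
    $src = $null
    if ($e.Id -eq 4740) {
        # In 4740 the TargetDomainName field carries the Caller Computer Name.
        $src = Get-EventField $e 'TargetDomainName'; $why = 'lockout reported from'
    } elseif ($e.Id -eq 4771 -and (Get-EventField $e 'Status') -eq '0x18') {
        # 0x18 = KDC_ERR_PREAUTH_FAILED, i.e. wrong password (0x12 would be "already locked").
        $src = (Get-EventField $e 'IpAddress') -replace '^::ffff:', ''; $why = 'Kerberos bad password'
    } elseif ($e.Id -eq 4776 -and (Get-EventField $e 'Status') -eq '0xc000006a') {
        # 0xC000006A = STATUS_WRONG_PASSWORD.
        $src = Get-EventField $e 'Workstation'; $why = 'NTLM bad password'
    }
    if ($src) {
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Source = $src; Reason = $why }
    }
}

# Rank sources by failure count; the top entry is the agent host still using the old password.
$summary = $hits | Group-Object Source | ForEach-Object {
    [pscustomobject]@{
        Source    = $_.Name
        Failures  = $_.Count
        FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
        LastSeen  = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        Reasons   = ($_.Group.Reason | Sort-Object -Unique) -join ', '
    }
} | Sort-Object Failures -Descending

$policy = Get-ADDefaultDomainPasswordPolicy
"Lockout policy: $($policy.LockoutThreshold) bad attempts within $($policy.LockoutObservationWindow) lock the account."
if ($summary) {
    $summary | Format-Table -AutoSize
} else {
    "No failed authentications for $Account on $DomainController in the last $Hours hour(s)."
}
```

The host at the top of the table is the one whose agent is still presenting the old password; deactivate that agent first. Kerberos failures (4771) are logged on whichever domain controller handled the request, so in a multi-DC domain re-run the script with -DomainController pointed at each DC if the PDC emulator alone does not account for all the attempts.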
To prevent account lockouts and ensure that all Foglight agents use the updated password, follow these steps to reset and validate credentials cleanly using the Connection Details - Verify Connection workflow:
1. Navigate to Administration > Agents > Agent Status.
2. Deactivate all database agents (for example, SQL Server and Oracle) and infrastructure agents (for example, Windows and Unix) that use the shared AD service account. While they are deactivated they cannot present the old password, so the account stops accumulating failed attempts.
3. Go to Administration > Credentials > Manage Credentials.
4. Delete all credentials for this AD account except those related to the System Local Account.
5. Ensure no hostname resource mappings remain in the remaining credentials.
   This clears the credential lockbox and eliminates conflicts from duplicate or stale credentials.
6. Work with your AD administrator to manually unlock the shared AD service account. Do this only after the agents are deactivated; otherwise an agent still holding the old password will lock the account again immediately.
7. From Global View > Databases, select one database agent that uses the shared AD account.
8. Click Connection Details > Verify Connection as described in KB 4235896 (for SQL Server) and KB 4235896 (for Oracle).
9. Enter the new AD password and click Verify.
10. If the validation is successful, click Save Changes. This creates a new, clean credential in the DB-Agent lockbox with updated resource mappings.
11. Repeat the Verify Connection process for each remaining agent. Use the newly created credential where applicable, or create new credentials as needed. Ensure each validation completes successfully before proceeding to the next agent.
12. Return to Administration > Credentials > Manage Credentials. Confirm that the new credential(s) were added correctly and review their resource mappings.
13. Navigate back to Administration > Agents > Agent Status and activate the database and infrastructure agents that you deactivated in step 2.
Alternatively, you can update the credentials directly using the Agent Status and Credentials dashboards, as outlined in KB 4308764.
Refer to KB 4228874 for steps to update the SQL PI repository password after changing the Foglight service account credentials.
Always coordinate account changes with your AD administrators and schedule during maintenance windows.
Avoid using the same AD account across multiple FMS instances without a credential management strategy.
Minimize the number of credentials and standardize resource mappings across the environment.
© 2025 Quest Software Inc. ALL RIGHTS RESERVED.