-
标题
Steps to change the password of the Foglight agent account without locking out the SQL Server agents (using Agent Status and Credentials dashboards) -
说明
The same Active Directory (AD) service account is used for the OS connection and the Database connection by the SQL Server agents used for Foglight monitoring often gets locked. How can the password be changed so that the account is not locked out while the password is changed?
-
原因
When a common password is used for multiple FMS systems, then the password change must be done for all agents sharing the same AD account at the same time.
Collections are done every second and with hundreds of agents there can be a millisecond of difference between each agent trying to make the connections.
If the password change is not managed, then any single account can lock out the account because agents run constantly hitting the AD account.
As the number of agents using a single AD credential increases, the more critical it is to
- keep the credentials organized,
- there are numerous credentials in the same FMS that share the same account and reference the same agents multiple times in several resource mappings
- disable all of the agents when updating password
- keep the credentials organized,
-
解决办法
The quickest means to prevent account lockups is to stop the OS account from being use and reset the agents and credentials. There isn't a way to easily determine which agent is causing the lockout because the logs will quickly fill up with error messages.
- Navigate to Administration | Agents | Agent Status
- Stop all SQL Server and WindowsAgents (any agents that are using that user ID)
These steps you the existing working credentials without multiple lockbox credentials that might be contradicting one another. Knowledgebase article 4311979 provided details on merging multiple credentials.To update the SQL Server agent passwords (DB connections)
- Make sure ID is not locked out and nothing is locking the account out in the environment.
- Navigate to Administration | Agents | Agent Status
- Highlight all database agents in the FMS that are using the userid (the properties of only one database agent type at a time can be updated)
- Edit properties for ALL of these SQL Server agents
- Update the password.
- Turn off OS monitoring for these database agents
- Click the Save button
- Activate all of the database agents (all of them at once or groups of a few agents at a time)
- After all of the database agents are enabled. Wait to confirm that the AD account is not locked out.
KB 4301974 includes a groovy script to make a mass update for the password in all SQL Server agents on the FMS. This could be done in place of steps 3-5.
To update OS credentials
- In Administration | Agents | Agent Status, confirm the WindowsAgents using the same userid are still disabled
- Navigate to Administration | Credentials, click Manage Credentials
- Select the notepad icon next to each of the credentials in the list that use the userid to edit the Credential Properties
- Update the AD password in the popup, and then click the Save button
- Repeat this for all of the credentials in the lockbox to set all credentials to use the new password.
- Navigate to Administration | Agents | Agent Status
- Highlight all database agents in the FMS that are using the userid (the properties of only one database agent type at a time can be updated)
- Edit properties for ALL of these database agents of the same type
- Turn on OS monitoring for these database agents in Agent Status Properties
- Click the Save button
- Turn on one WindowsAgent
- Wait 5-15 minutes to confirm the lockout is not happening.
- Continue turning on groups of WindowsAgents, confirming that the AD lockout does not occur.
NOTE: KB 4228645 provides steps how to change the Foglight service account password using the SQL Server and Oracle verify connection utilities in the Connection Details panel.