Here's a great tip sent to me by Sam Allen, one of the top Support Escalation Engineers in our Texas office. If you find that some of your agents are reporting to the wrong server or are generating OpsMgr Connector sourced 20064 events then this is something you'll definitely want to check out at:
Issue: After enabling AD integration in SCOM 2007, agents start getting 20064 events similar to the following:
Event Type: Warning
Event Source: OpsMgr Connector
Event Category: None
Event ID: 20064
Description: The OpsMgr Connector has found multiple primary relationships in Active Directory for management group <group>. The primary relationship to <ServerName> has been ignored and treated as a secondary relationship; <OtherServerName> is the accepted primary. To address this issue, you can add an exclusion to the Active Directory assignment rule for the incorrect primary relationship.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Cause: This is caused by improper permissions on the container in Active Directory (AD). The way an agent determines which management group and server it should report to is by the permissions on the containers. On the MOM Team product group blog they discuss the correct permissions that should exist:
Resolution: Ensure that the proper permissions exist for all containers which are inherited by the Operations Manager containers. Typically the easiest way to do this is set the proper permissions at the root level container (OperationsManager in AD) then remove and re-add it using the MOMADAdmin tool.
More Information: I recently worked and issue where Read permissions for Authenticated Users had been given to all the OperationsManager containers. The result was that all computers could read the information and therefore thought that they should report to those machines. To fix this we removed Authenticated Users from the root folder and forced that change down the hierarchy. We then used the MOMADAdmin tool to remove the container (the root OperationsManager container remained) and then re-added it. Once we did this the permissions were correct and agents only reported to the correct servers.
J.C. Hornbeck | Manageability Knowledge Engineer