Remote management from SCOM Console of untrusted computers

    Question

  • Scenario:
    In the Monitoring workspace I access the Windows Computers view, select a computer and click Computer Management (in Windows Computer Tasks).

    Problem:
    If the selected computer is in a trusted domain (the same domain as SCOM), all works fine. But if the selected computer is in an untrusted domain (other than the SCOM domain, so monitored by a Gateway) I can't access Computer Management. I receive the error: Computer ABC123.MSFT.COM cannot be managed. The network path not found

    How can I fix it?

    Friday, October 01, 2010 1:02 PM

Answers

  • Hi

    Even if you resolve the network issues, I think you'll still have a problem as you are logged into the SCOM console with an account that doesn't have any rights on the target server. And sadly, you can't specify a run as account for this task. So ultimately, I don't think there is a fix from within the SCOM console.

    Apologies if I have misunderstood.

    Cheers

    Graham


    Cheers Graham View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    Friday, October 01, 2010 3:07 PM
  • Pedro, you need to understand that SCOM is a monitoring and alerting app; all the GW server does is allow you to receive alerts from the untrusted domain and to authenticate with the server in that domain.

    If there is no trust between the two domains then you can either 

    • use the RDP task from the console 
    • create a custom task in a custom mp with an account that has admin rights in the other domain (maybe)
    • or create a trust.


    Paul Keely
    Friday, October 01, 2010 3:26 PM

All replies

  • Hey Pedro, 2 things

    You are trying to get to the PC via its host name and it's not working due to either firewall or name resolution, OR

    The PC in the untrusted domain does not trust the action account that is used to run the "computermgmt.msc" command.

    On your local servers it works because it uses the SCOM action account, and your action account must have permission on that server.

    Can you ping the machine in question?


    Paul Keely
    Friday, October 01, 2010 2:01 PM
  • No, I can't ping. But I am using a GW Server to monitor many computers from another company... Will I need to have a relationship with all computers? This is an incomplete solution :( I can't do this.

    The GW Server doesn't serve me.

    Friday, October 01, 2010 2:21 PM
  • Hey Pedro 

    All machines in SCOM have to authenticate with each other.

    So if they are all in the same domain then they just use AD.

    If they are not in the same forest then you have only one option that is to use certificates.

    So if you have an untrusted domain then you can use a gateway server.

    If it's a DMZ with a few servers and they are not in a domain then it's not actually needed to use a gateway server.

    If you use a GW server and there is no firewall between the domains and you want to be able to open the server manager on the untrusted computer then you have to get the action account as a member of the local admins on that server 

    If you have a firewall in place and you have enabled the ports for the certificate to communicate then all you have enabled is the port that SCOM uses to talk from agent to server.

    If you want to use Server Manager then you need ports like RPC.


    Paul Keely
    Friday, October 01, 2010 2:35 PM
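    A quick way to separate the first two causes Paul lists (name resolution versus blocked RPC/SMB ports) before suspecting account rights. This is an added example, not code from the thread; $ComputerName is a placeholder for the gateway-monitored agent's FQDN, and the port list (135 for the RPC endpoint mapper, 445 for SMB) is an assumption about what the Computer Management snap-in needs.

    ```powershell
    # Added diagnostic (not from the thread). Checks, from the SCOM console host:
    #  1) whether the agent's FQDN resolves, and
    #  2) whether TCP 135 (RPC endpoint mapper) and 445 (SMB) are reachable.
    # It deliberately does not test the third cause (local admin rights on the
    # target), because that check itself needs the access that is failing.
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,   # placeholder: agent FQDN
        [int[]]$Ports = @(135, 445),                           # assumed ports for compmgmt
        [int]$TimeoutMs = 3000
    )

    function Test-NameResolution {
        param([string]$Name)
        try {
            $entry = [System.Net.Dns]::GetHostEntry($Name)
            $addrs = $entry.AddressList | ForEach-Object { $_.IPAddressToString }
            return [pscustomobject]@{ Resolved = $true; Addresses = $addrs }
        } catch {
            return [pscustomobject]@{ Resolved = $false; Addresses = @() }
        }
    }

    function Test-TcpPort {
        # Raw TcpClient so this also runs on PowerShell 2.0 (no Test-NetConnection)
        param([string]$Name, [int]$Port, [int]$Timeout)
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($Name, $Port, $null, $null)
            if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
            $client.EndConnect($async)
            return $true
        } catch {
            return $false
        } finally {
            $client.Close()
        }
    }

    $dns = Test-NameResolution -Name $ComputerName
    if (-not $dns.Resolved) {
        Write-Output "NAME RESOLUTION FAILED for $ComputerName - add a DNS forwarder or hosts entry for the untrusted domain."
        return
    }
    Write-Output ("Resolved {0} -> {1}" -f $ComputerName, ($dns.Addresses -join ', '))

    foreach ($p in $Ports) {
        $ok = Test-TcpPort -Name $ComputerName -Port $p -Timeout $TimeoutMs
        Write-Output ("TCP {0}: {1}" -f $p, $(if ($ok) { 'open' } else { 'blocked or closed' }))
    }
    Write-Output "If both ports are open and the task still fails, the remaining cause is rights: the console user must be a local admin on $ComputerName (the task cannot use a Run As account)."
    ```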
  • Hi Paul,

    I have a GW Server in my environment; the untrusted computers are monitored using the GW. All works fine, I receive alerts from all computers (trusted and untrusted domain). But I want to access Computer Management for all managed agents using the SCOM Console. For agent computers managed via certificate this doesn't work.

    Friday, October 01, 2010 2:44 PM
  • Pedro 

    Do you have a firewall between the two environments?


    Paul Keely
    Friday, October 01, 2010 2:52 PM
  • No, I don't.

    But I think this can be a DNS name issue, because the untrusted computers have another domain. My SCOM Console is installed in the ABC.COM domain; the untrusted computer is on the DEF.COM domain... without trust.

    Can this be solved using a Run As Account or something like this?

    Friday, October 01, 2010 2:56 PM