Is SCOM Agent multi-homing possible between 2 different management groups which are in 2 different AD forests?

    Question

  • Hi All,

    We have this scenario. We have 2 Agents which require multi-homing.

    We have 2 management groups, MG1 & MG2, both in different, non-trusted AD forests.

    The Agent is currently reporting to MG1 using a certificate, as the Agent is also in a different domain (not in the domains which MG1 & MG2 are in).

    Is there any possibility I can make the Agent communicate with both management groups?

    As it is already using 1 certificate, it cannot be used to authenticate with the other management group.

    Also, there seems to be no possibility of making SCOM use 2 certificates in HealthService, one for each management group.

    Is there any other possibility anyone has used to get this type of requirement working?


    Gautam.75801


    • Edited by Gautam.75801 Thursday, February 25, 2016 12:50 PM
    Thursday, February 25, 2016 12:50 PM

Answers

  • Hi All,

    So here is what it is.

    The Microsoft Monitoring Agent supports reporting to 4 management groups at a time.

    So below are the possibilities I tested and got working.

    1. Agent (Workgroup) -> Made it report to 2 different management groups which are in 2 different AD forests using one certificate.

    2. SCOM Agent which is in Domain A and is reporting to a management group in Domain A, and also reports to another management group in Domain B, where Domain A does not have any kind of trust with Domain B.

    1. Ideally, based on my knowledge, you can even make a workgroup Agent report to 4 different management groups which are in 4 different AD forests with no trust, just by using certificates.

    Ensure you have opened TCP port 5723 from the Agent to all the 4 management servers in the 4 different management groups.

    So 1st you will need to generate a certificate from a CA (any CA of any domain, or from a vendor; it does not necessarily have to be of the same domain), but make sure to export it with the ROOT certificate of the CA.

    Install the Microsoft Monitoring Agent --> Go to Control Panel --> Add all the 4 different management groups here. (Ideally 3, as you will mention 1 during the installation.)

    Now import the certificate you generated into the Personal store of the computer account of the Agent, and make sure you import the root certificate into the Root store of the computer account.

    Now import the Root certificate into the computer account Root store of all the 4 management servers.

    Run MOMCertImport on the Agent and select the correct certificate.

    Bounce the HealthService on the Agent, and you should see the Agent in Pending Management of the management server of all 4 management groups which you pointed it to.

    Also ensure you generate 1 certificate for each management server from the CA, import it to the Personal store and run MOMCertImport there as well, if you do not have one.

    You should see Event ID 20000 in the Operations Manager event log of the management servers, pointing to this Agent.
    You should see Event ID 20070 followed by 20016 in the Operations Manager event log of the Agent.

    If you see 20071 on the Agent, then verify that you have generated the certificate correctly with the correct Name / OIDs for client / server authentication, imported the Root certificate, and are able to telnet to the MS on port 5723.

    So it will use the same 1 certificate to communicate with both of the different management groups.

    2. If you want to make the Agent which is in a domain report to 2 management servers.

    I have not tried making this report to more MSs, but just tried it for 2.

    My Agent is in Domain A and is reporting to an MS in Domain A. I want to make this Agent report to Domain B, where it does not have any AD trust with Domain B.

    Install the Microsoft Monitoring Agent --> Go to Control Panel --> Add the 2 different management groups here. (Ideally 1, as you will mention 1 during the installation.)

    Got a certificate generated from a CA (any CA of any domain, or from a vendor; it does not necessarily have to be of the same domain), but make sure to export it with the ROOT certificate of the CA.

    Imported the certificate on the Agent into its Personal store, and imported the Root certificate into the Root store of the computer account.

    Imported the Root certificate I got / generated of the CA with which I generated the cert for the Agent, on the management server of Domain B's management group.

    Also ensure you generate 1 certificate for each management server from the CA, import it to the Personal store and run MOMCertImport there as well, if you do not have one.

    Now run MOMCertImport on the Agent and select the appropriate certificate.

    Bounce the HealthService.

    Check Pending Management on both management servers and approve the Agent.

    Now the Agent in Domain A will communicate with its management server in Domain A using Kerberos, and will use the certificate to communicate with the management server in Domain B.

    If you see 20071 on the Agent for management group B, then verify that you have generated the certificate correctly with the correct Name / OIDs for client / server authentication, imported the Root certificate, and are able to telnet to the MS on port 5723.

     


    Gautam.75801



    • Marked as answer by Gautam.75801 Monday, February 29, 2016 5:56 PM
    • Edited by Gautam.75801 Monday, February 29, 2016 6:19 PM
    Monday, February 29, 2016 5:56 PM
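Editor's note: the two procedures in the answer above (a workgroup agent reporting to several untrusted forests with one certificate, and a domain agent using Kerberos for its own forest and the certificate for the other) share the same prerequisites, so the following is one added pre-flight check that covers both. It is example code written for this page, not code from the original thread or from Microsoft, and it only checks; it does not replace the MOMCertImport step. The management server names, management group names and the `-AddGroups` values are hypothetical, and it assumes the agent's certificate subject CN is the agent's FQDN as returned by DNS. Two points worth keeping in mind when you run this: the one private key is the agent's identity in every management group it reports to, so keep it non-exportable, and every root you import into a management server's Root store vouches for all certificates that CA issues, so prefer a dedicated issuing CA rather than a broad one when bridging forests.

```powershell
# Added example, not from the original thread: pre-flight check for certificate-based multi-homing
# of a Microsoft Monitoring Agent. Management server and group names are hypothetical.
param(
    [string[]]$ManagementServers = @('ms01.mg1.example', 'ms01.mg2.example'),   # one per management group
    [hashtable]$AddGroups = @{},      # e.g. @{ 'MG2' = 'ms01.mg2.example' }; only added with -Apply
    [switch]$Apply,
    [int]$Port = 5723
)
$ServerAuth = '1.3.6.1.5.5.7.3.1'   # EKU OIDs SCOM requires on the agent certificate
$ClientAuth = '1.3.6.1.5.5.7.3.2'
$AgentFqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # assumption: CN = this FQDN

# 1. Candidate agent certificates: machine Personal store, private key present, both EKUs,
#    subject CN equal to the agent FQDN, currently valid.
function Find-ScomAgentCertificate {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $c    = $_
        $eku  = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        $c.HasPrivateKey -and ($oids -contains $ServerAuth) -and ($oids -contains $ClientAuth) -and
        ($c.Subject -match "CN=$([regex]::Escape($AgentFqdn))(,|$)") -and ($c.NotAfter -gt (Get-Date))
    }
}

# 2. The chain must build to a root in LocalMachine\Root; that same root is what every management
#    server in every target management group needs in its own Root store.
function Test-ScomCertChain([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $valid = $chain.Build($Cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Valid          = $valid
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint      # compare with Get-ChildItem Cert:\LocalMachine\Root on each MS
        Status         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# 3. MOMCertImport records the chosen certificate's serial number (byte-reversed, the same order
#    X509Certificate2.GetSerialNumber() returns) under Machine Settings; check that it matches.
function Test-MomCertImportSelection([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $key    = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
    $stored = (Get-ItemProperty -Path $key -Name ChannelCertificateSerialNumber -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
    if (-not $stored) { return $false }
    $hex = { param($bytes) ($bytes | ForEach-Object { $_.ToString('X2') }) -join '' }
    (& $hex $stored) -eq (& $hex $Cert.GetSerialNumber())
}

# 4. TCP 5723 from the agent to each management server; cross-forest firewalls are the usual blocker.
function Test-ScomPort([string]$Server, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.ConnectAsync($Server, $Port).Wait(5000) -and $client.Connected }
    catch   { $false }
    finally { $client.Dispose() }
}

# 5. Management groups the agent is configured for, through the same COM interface the Control Panel applet uses.
function Get-AgentManagementGroups {
    $cfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
    $cfg.GetManagementGroups() | ForEach-Object {
        [pscustomobject]@{ Name = $_.managementGroupName; Server = $_.ManagementServer; Port = $_.managementServerPort }
    }
}
function Add-AgentManagementGroup([string]$Name, [string]$Server, [int]$Port) {
    $cfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
    $cfg.AddManagementGroup($Name, $Server, $Port)
    $cfg.ReloadConfiguration()     # picks the change up without a full HealthService restart
}

# 6. Connector events from the last hour. 20070 then 20016 is what the answer reports for a certificate
#    handshake that succeeded and is waiting in Pending Management; 20071 is an authentication failure.
function Get-ScomConnectorEvents([int]$Hours = 1) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = @(20070, 20071, 20016); StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

$certs = @(Find-ScomAgentCertificate)
if ($certs.Count -ne 1) { Write-Warning "Expected exactly one agent certificate with CN=$AgentFqdn and both EKUs, found $($certs.Count)" }
foreach ($c in $certs) {
    "Certificate $($c.Thumbprint): selected by MOMCertImport = $(Test-MomCertImportSelection $c)"
    Test-ScomCertChain $c | Format-List
}
'Configured management groups:'; Get-AgentManagementGroups | Format-Table -AutoSize
foreach ($ms in $ManagementServers) { "TCP $Port to ${ms}: $(Test-ScomPort $ms $Port)" }
if ($Apply) { foreach ($g in $AddGroups.GetEnumerator()) { Add-AgentManagementGroup $g.Key $g.Value $Port } }
'Recent connector events:'; Get-ScomConnectorEvents | Format-Table -AutoSize
```

Run it elevated on the agent after importing the certificate and root. If it finds more than one candidate certificate, MOMCertImport's interactive picker (or its `/SubjectName` switch) decides which one the HealthService presents, and step 3 tells you whether the serial it recorded is the certificate you intended. A `False` from step 4 against one management server in the other forest is the telnet check from the answer, and is the first thing to fix when 20071 shows up only for that management group. Step 5 is a dry run by default; pass `-Apply` with `-AddGroups` to add a missing management group the same way the Control Panel applet does.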

All replies

  • Hi All,

    After quite a few efforts I got this requirement working.

    I will post the steps on Monday / Tuesday for how I made this work.


    Gautam.75801

    Saturday, February 27, 2016 1:44 PM
  • Hi Sir,

    Thanks, it must be very useful to others who are running into the same issue.

    Best Regards,

    Elton



    Sunday, February 28, 2016 4:00 PM
    Moderator