Central Console across multiple untrusted forests across firewalls

  • Question

  • We have an environment with multiple separate forests that do not and cannot have any sort of trust relationship. We run DPM in several of these forests.

    We monitor all of the servers, including DPM, using a single centralized SCOM 2012 R2 management group. We are investigating the use of the DPM Central Console add-in for SCOM, but can't seem to find any documentation about the networking and trust requirements.

    Specifically, we will have SCOM 2012 R2 in ForestA, and there will be SCOM agents installed on DPM servers in ForestB, ForestC, ForestD, etc. There are no forest trusts in place, and none can or will be put into place.

    All of the DPM servers have manually-installed SCOM agents. There is no outbound connectivity from the SCOM servers to the DPM servers. The only connectivity is from the DPM servers to the SCOM servers on the SCOM port (5723).

    In this situation, will we be able to achieve any functionality with Central Console?

    Thursday, February 26, 2015 7:10 PM

All replies

  • You will need to open firewall ports between them and import certificates between SCOM and DPM to be able to monitor DPM in a different forest, or you will need to have a SCOM Gateway.

    https://technet.microsoft.com/en-us/library/jj860391.aspx?f=255&MSPPError=-2147217396


    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"

    Mai Ali | My blog: Technical | Twitter: Mai Ali

    Thursday, February 26, 2015 11:33 PM
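An added prerequisite check for the setup this reply describes (example script written for this page, not from the thread, DPM or SCOM): run on a DPM server in the untrusted forest, it confirms the one-way path to the management server on 5723 and lists certificates in the machine store that satisfy SCOM's certificate-authentication requirements (FQDN subject, Server and Client Authentication EKUs, private key, trusted chain). `$ScomServer` is an assumed placeholder; with a SCOM Gateway, point it at the gateway instead.

```powershell
# Added example, not part of the original thread. Run on the DPM server
# (connectivity is DPM -> SCOM only, so nothing can be tested from ForestA).
param(
    [string]$ScomServer = 'scom01.foresta.example',  # assumed placeholder FQDN
    [int]$Port = 5723                                # SCOM agent port from the question
)

# 1. The agent channel must be open from here to the management server or gateway.
$tcp = Test-NetConnection -ComputerName $ScomServer -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP $Port to $ScomServer is blocked; the agent cannot report."
}

# 2. Without a forest trust, Kerberos cannot authenticate the agent, so SCOM falls
#    back to a certificate. It must name this machine's FQDN, carry both the
#    Server Authentication and Client Authentication EKUs, have a private key,
#    be unexpired, and chain to a CA this machine trusts.
$fqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuth = '1.3.6.1.5.5.7.3.1'
$clientAuth = '1.3.6.1.5.5.7.3.2'

$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    $_.Subject -match [regex]::Escape($fqdn)
}

if (-not $candidates) {
    Write-Warning "No certificate for $fqdn with a private key in LocalMachine\My."
}

foreach ($cert in $candidates) {
    $ekus    = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
    $ekuOk   = ($ekus -contains $serverAuth) -and ($ekus -contains $clientAuth)
    $chainOk = $cert.Verify()   # $false if the issuing CA is not trusted on this host
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        EkuOk      = $ekuOk
        ChainOk    = $chainOk
        Usable     = $ekuOk -and $chainOk
    }
}
```

A certificate reported as Usable still has to be bound to the agent with MOMCertImport.exe from the SCOM media's SupportTools folder, and the same CA must be trusted by the management server in ForestA; the script only verifies the DPM side.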
  • Mai

    Just to be clear, if I have the SCOM server in ForestA and the DPM server in ForestB, and there is no trust relationship between ForestA and ForestB, you're saying that if I have certificates between SCOM and DPM then I'll be able to use the full functionality of the Central Console, such as querying for job status, running tasks in the SCOM sidebar, remote PowerShell, etc.?

    All the documentation that I've seen says that the user logged into SCOM has to be granted rights to the DPM server, and if there is no trust relationship then it's not possible to grant those rights. Is DPM going to allow a connection secured only with a certificate to access and manage the DPM instance?


    Friday, February 27, 2015 2:46 AM