SCOM 2007R2 Standard Across Forest

  • Question

  • We have it running in Forest1 and it works fine.

    Created a new forest2 with a 2 way trust.

    Is there anything special I have to do? Because when I go to my SCOM Admin Console in Forest1 I can see the other forest when I browse, but it fails to connect to the server(s) in forest2.

    Any ideas - Thanks!

    Thursday, October 13, 2011 1:08 PM

All replies

  • Is it a Forest trust? i.e. is it a Kerberos trust? As NTLM trusts (AKA shortcut trusts) are not supported by SCOM.

    Thursday, October 13, 2011 2:15 PM
  • Thanks Pavel... it's a forest trust.

    Thursday, October 13, 2011 2:17 PM
  • Could you elaborate a little more? What/where/how do you try? And what fails?

    Thursday, October 13, 2011 2:36 PM
  • Work with your AD administrators - it needs to be a transitive two way trust.  Also, to install (push agents) you must have the admin account for each server in that other domain.  That would not be typical to have someone with the administrator account for every computer in a domain.  The domain administrator should be helping you by typing in the credentials to use to do the push agent task.
    Microsoft Corporation
    Thursday, October 13, 2011 4:22 PM
  • Thanks Dan.

    I added the Management Action Account Admin account to my server in forest2.  There is a 2 way transitive trust between the forests but it's Selective Authentication. I am thinking we have to have both set to Forest-wide authentication?

    • Edited by WildPacket Thursday, October 13, 2011 6:07 PM
    Thursday, October 13, 2011 5:28 PM
  • I am guessing you are just talking about pushing agents.  Once the computer accounts are registered in SCOM (because you push the agent), you don't have to worry about the action account.  Action account is what is used to log in and run monitoring tasks on the computer via the local agent.

    To install an agent you have to have an account that is a member of the computer's administrator group.  The only account that can do that domain wide is typically the domain admin - which is why you need to specify credentials when pushing an agent.  A credential plus a choice of an action account credential or to use local system.  The credential has to have local admin account because it is installing software.

    Microsoft Corporation
    • Marked as answer by Vivian Xing Tuesday, October 25, 2011 8:56 AM
    Thursday, October 13, 2011 7:56 PM
  • And don't forget the firewalls between both forests. You need to be able to push the agent from your management server.
    Regards,
    Marc Klaver
    http://jama00.wordpress.com/
    • Marked as answer by Vivian Xing Tuesday, October 25, 2011 8:56 AM
    Monday, October 17, 2011 7:18 AM