SCOM 2012 R2 Different Forest Trusted Domain

  • Question

  • Hello,

    We have another domain in a separate forest, but we have a full 2-way trust between both. My management servers are in Domain A. I want to manage the other domain in the different forest (let's call it B).

    What is the best practice to deploy agents to domain B? I am working with our networking team to open up the firewall.

    From what I read in other posts on here, they said to have a gateway server for an untrusted domain such as a DMZ. In my case both domains have a two-way trust.

    Would I still need a gateway server in domain B?

    Thank you.


    Ishan

    Thursday, February 11, 2016 5:42 PM


All replies

  • Hi,

    Best option is always to use a Gateway, even with a 2 way trust.

    Check here some reasons for it, a bit old, but still gold :)

    https://blogs.technet.microsoft.com/momteam/2008/02/19/10-reasons-to-use-a-gateway-server/

    Cheers.

    Thursday, February 11, 2016 9:56 PM
  • Simon,

    Thank you for your reply.  I will go with a gateway server.

    This leads me to some additional questions.

    1. We also have a few servers in the DMZ where the RMS exists. Can I use the same gateway server for both the DMZ and the different forest domain? The DMZ does not exist in the different forest.

    2. Where do I have to deploy this gateway server? From the link I see it is being deployed at the remote site and not where the RMS is. If I have to deploy it at the remote site, will it work with our DMZ, which is on the primary site?

    Below is a diagram that I made to show what our environment looks like right now. Thank you again.

    [Diagram: SCOMEnvironment]


    Ishan


    • Edited by ipatel18 Thursday, February 11, 2016 10:36 PM
    Thursday, February 11, 2016 10:35 PM
  • Gateways are usually deployed across network boundaries.

    You'll need a gateway inside DMZ network, and a gateway on the remote site, two gateways.

    Imagine, if you have only one server in the DMZ you don't need a gateway; an agent with a certificate should be enough. But if you have more than one server there, the administrative effort will increase, and if the number of servers in the DMZ increases, you are prepared.

    Cheers.

    Thursday, February 11, 2016 10:47 PM
  • Thanks a lot for your suggestion. Currently we only have about 4 or 5 servers in the DMZ on the primary site. I think I will assign the agent certificate for them manually. The remote site has about 70 servers, so I will deploy a DMZ on their network.

    Appreciate your help and quick answers.


    Ishan

    Thursday, February 11, 2016 11:12 PM