Monitoring SharePoint 2010 in untrusted domain

  • Question

  • We currently have MOM 2005 and SCOM 2007 and are migrating to the newer platform.  In testing SharePoint monitoring for SCOM, it appears that in order to have it monitor SharePoint you have to create a RunAs account that has rights to SharePoint.  We will be monitoring several different SharePoint farms, each in a completely separate forest, and none with a trust to the domain where SCOM runs.

    Has anyone figured out how to monitor SharePoint 2010 with SCOM 2007 if they live in different forests and have no trust relationship, with a firewall between that only allows port 5723?  Note that we've read the Admin Pack Guide, have done the required setup tasks, have edited the .config file as appropriate, etc., but the key appears to be the inability to create a RunAs account in DomainX if that domain is not trusted by the SCOM forest.

    Thanks.

    Monday, September 12, 2011 8:16 PM

Answers

  • Piece of cake.


    As with all things in untrusted domains, you need gateway server roles in each untrusted domain, and you need to use certificates for the encrypted communication to the agents.  Each agent needs a separate cert pair.

    After that, the same advice as you see in other threads applies:  Create a plain-old-computer-group, and manually populate it via FQDN list.  Add the name of each SharePoint server in each domain and let there be a group to represent each of the untrusted farms.

    Then create an override that scopes a new run-as account to the individual groups, using the farm admin account for each of these.  If you are unable to convince someone in an untrusted domain to share the farm admin account, stop now, as you would be completely blocked.

     


    Microsoft Corporation
    • Proposed as answer by Nicholas Li Wednesday, September 14, 2011 2:19 AM
    • Marked as answer by Bob CornelissenMVP Thursday, March 29, 2012 7:09 AM
    Monday, September 12, 2011 10:07 PM
  • You can just create the Run As accounts in SCOM. When you create, for instance, a Windows Run As account, you do not see the required domain name in the dropdown box next to the domain name field... In that case just type the domain name you want into that field. It will work.
    Bob Cornelissen - BICTT (My BICTT Blog) - Microsoft Community Contributor 2011 Recipient
    • Proposed as answer by Nicholas Li Wednesday, September 14, 2011 2:19 AM
    • Marked as answer by Bob CornelissenMVP Thursday, March 29, 2012 7:09 AM
    Tuesday, September 13, 2011 12:34 PM

All replies

  • Hi,

    First of all, please deploy the agents to the SharePoint Servers in the untrusted domain and ensure they can be managed.

    For the Run As Account, I think you can create it for the specific server and associate it with the corresponding Run As Profile. For details, please refer to:

    How to Create a Run As Account in Operations Manager 2007
    http://technet.microsoft.com/en-us/library/bb309445.aspx

    How to Create and Configure a Run As Profile in Operations Manager 2007
    http://technet.microsoft.com/en-us/library/bb309525.aspx

    Run As Profiles in Operations Manager 2007 R2
    http://blogs.technet.com/b/mgoedtel/archive/2009/01/25/run-as-profiles-in-operations-manager-2007-r2.aspx

    Meanwhile, I would like to share the following post about configuring the SharePoint 2010 MP with you for your reference:

    Configuring SCOM R2 Management Pack for SharePoint 2010 Foundation Monitoring
    http://blogs.technet.com/b/berryst/archive/2011/03/25/configuring-scom-r2-management-pack-for-sharepoint-2010-foundation-monitoring.aspx

    Hope this helps.


    Leon Liu - Technical Lead
    Wednesday, September 14, 2011 3:16 AM
  • Hello, could you let us know if this question is answered or if you have found a solution?
    --------------------------------------------------------------------------------
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

     


    Bob Cornelissen - BICTT (My BICTT Blog) - Microsoft Community Contributor 2011 Recipient
    Tuesday, September 27, 2011 10:51 AM
  • Unfortunately I had already tried all of the above, and none has resulted in any discovery of SharePoint despite being in place for days/weeks.  I have enabled debug logging and will see if that exposes the issue(s), and I'll report back on findings.

     

    At this point there are no SharePoint servers discovered, not even in the "Unidentified Machines" view.  For the RunAs account I used the same account that was used to install SharePoint, and is the current primary farm admin account.  Currently I am focusing on a single SharePoint farm to see if I can get it working, then plan to duplicate across the other separate and distinct farms/forests.

    Tuesday, September 27, 2011 1:09 PM
  • Hi

    First step: is the agent installed and healthy, and is Windows monitoring working fine? Let's make sure there isn't an underlying problem.

    Check the operations manager event log on the agent to see if there are any errors relating to SharePoint discovery.

    Could you also elaborate on this " key appears to be the inability to create a RunAs account in DomainX if that domain is not trusted by the SCOM forest." - you can create run as accounts for other forests \ domains by just typing the domain name in the domain combo box.

    Cheers

    Graham


    New SCOM 2012 Blog! - http://www.systemcentersolutions.com/blog/
    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    Tuesday, September 27, 2011 1:38 PM
  • Hi,

     

    I've actually run into the same type of issue. The configuration script just fails with an error about permissions.

    Here's the setup

    RMS is in DomainA.

    Sharepoint 2010 farm is in DomainB.

    In DomainB there is a Gateway server which can communicate with the RMS using certificates. All DomainB computers are monitored OK with the RMS (SharePoint farm computers are seen with the Win, IIS, and SQL MPs).

    I have created a Run As account for DomainB, call it DomainB\SharepointMonitoring. This account exists in DomainB and has been given farm admin rights, admin rights to the SQL server and SQL admin rights (just to make sure rights are not the issue).

    When running the Configuration script, I get the error "DomainA\scom-action does not have sufficient permissions to perform the operation". Should the configuration script work in this type of scenario? Is there a way to set up the MP without running the script?

    All help is highly appreciated

    Jukka.

    Thursday, September 29, 2011 9:49 AM
  • The reason is that the task is a user task.  Have the SharePoint admin for your domain run this task for you.
    Microsoft Corporation
    Thursday, September 29, 2011 3:59 PM
  • Thanks for the reply,

    If I try to run the task on RMS server with DomainB user credentials, it will fail, as there are no trusts between the domains. Or have I misunderstood something?

    Wednesday, October 5, 2011 6:32 AM
  • Hi,
    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as "Answered" as the previous steps should be helpful for many similar scenarios.
    In addition, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems.
    Thanks,

    Bob Cornelissen - BICTT (My Blog about SCOM) - MVP 2012 and Microsoft Community Contributor 2011 Recipient

    Thursday, March 29, 2012 7:10 AM