AD Mgmt Pack - Multiple Untrusted Forests

  • Question

  • Hi all.  We have multiple single domain forests, some of which do not have trust relationships setup with the primary domain where SCOM resides.  The AD management pack has my primary domain figured out pretty well, but I hesitate to install the SCOM agent on these other domain controllers outside of my primary domain (using certificate authentication).  I assume (hope) that it will recognize that it is a new AD forest/domain, and treat it as such, like building a new distributed application for it, or partitioning it off in the existing one.

    In looking at the management pack documentation, it doesn't seem to address this situation (or else it did, and I missed it).  Am I asking for trouble by installing the agent on all these different domain controllers?

    Thanks in advance!

    Tuesday, December 22, 2009 7:08 PM

Answers

  • Hi,
    The AD MP will only monitor the local forest and forests with a two-way trust as AD. The other domain controllers will be discovered, but AD will not be discovered. As long as name resolution works and there is a two-way forest trust, you can deploy agents in the same way as with agents in the local forest. If there is no trust, you need to use certificates for authentication. You could also place a gateway server in the other forest and then let the agents in that forest communicate with Kerberos to the gateway server, and then use certificate authentication between the gateway server and a local management server.
    Anders Bengtsson | Microsoft MVP - Operations Manager | http://www.contoso.se
    • Marked as answer by RLindell Tuesday, December 22, 2009 8:59 PM
    Tuesday, December 22, 2009 8:32 PM
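The answer above gives the decision rule: if name resolution works and a two-way forest trust exists, the agent is pushed and authenticates with Kerberos like any local agent; otherwise certificate authentication is required (directly, or between a gateway and the management server). The PowerShell below is an added example, not code from this thread or from Microsoft, that runs the matching pre-flight checks from the management server before an agent goes onto a DC in another forest. It assumes the default agent port 5723 and the certificate properties SCOM requires for mutual authentication (Server Authentication and Client Authentication EKUs, Digital Signature and Key Encipherment key usage, subject CN equal to the host FQDN, a private key, and a chain that builds to a root both sides trust); the host names are placeholders, and the certificate check is written to be run on whichever host holds the certificate.

```powershell
# Added example: pre-flight checks for a SCOM agent in another single-domain forest.
# Assumptions (not from the thread): port 5723 is the default agent channel, and the
# certificate rules below are the ones SCOM documents for certificate authentication.
param(
    [Parameter(Mandatory)][string]$TargetFqdn,            # hypothetical: dc1.resource.example
    [Parameter(Mandatory)][string]$ManagementServerFqdn,  # hypothetical: scom01.corp.example
    [int]$Port = 5723
)

function Test-NameResolution {
    param([string]$Fqdn)
    # Both trust paths in the answer start with "as long as name resolution works".
    try { [System.Net.Dns]::GetHostEntry($Fqdn) | Out-Null; return $true } catch { return $false }
}

function Get-ForestTrustDirection {
    param([string]$Fqdn)
    # Returns Bidirectional / Inbound / Outbound for the forest that owns $Fqdn, or $null if none.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($trust in $forest.GetAllTrustRelationships()) {
        if ($Fqdn -like ('*.' + $trust.TargetName)) { return $trust.TrustDirection }
    }
    return $null
}

function Test-TcpPort {
    param([string]$Fqdn, [int]$Port, [int]$TimeoutMs = 3000)
    # The agent initiates the connection to the management server, so test that direction.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $done = $client.ConnectAsync($Fqdn, $Port).Wait($TimeoutMs)
        return ($done -and $client.Connected)
    } catch { return $false } finally { $client.Close() }
}

function Test-ScomAuthCertificate {
    param([string]$Fqdn)
    # Run on the host whose certificate is being checked (management server, gateway, or agent).
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $clientAuth = '1.3.6.1.5.5.7.3.2'
    $pattern    = 'CN=' + [regex]::Escape($Fqdn) + '(,|$)'
    foreach ($cert in (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $pattern })) {
        $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus   = @(); if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $kuExt  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $ku     = if ($kuExt) { $kuExt.KeyUsages } else { [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::None }
        $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)   # false if the issuing CA is not trusted on this host
        $r = [pscustomobject]@{
            Thumbprint       = $cert.Thumbprint
            HasPrivateKey    = $cert.HasPrivateKey
            ServerAuthEku    = $ekus -contains $serverAuth
            ClientAuthEku    = $ekus -contains $clientAuth
            DigitalSignature = [bool]($ku -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)
            KeyEncipherment  = [bool]($ku -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)
            ChainTrusted     = $chainOk
        }
        $r | Add-Member -NotePropertyName Usable -NotePropertyValue (
            $r.HasPrivateKey -and $r.ServerAuthEku -and $r.ClientAuthEku -and
            $r.DigitalSignature -and $r.KeyEncipherment -and $r.ChainTrusted) -PassThru
    }
}

# --- decision, following the answer's rule ---
$trust = Get-ForestTrustDirection -Fqdn $TargetFqdn
$summary = [ordered]@{
    TargetFqdn     = $TargetFqdn
    NameResolution = Test-NameResolution -Fqdn $TargetFqdn
    ForestTrust    = if ($trust) { "$trust" } else { 'none' }
    AgentPortOpen  = Test-TcpPort -Fqdn $ManagementServerFqdn -Port $Port
}
if ("$trust" -eq 'Bidirectional') {
    $summary.AuthPath = 'Kerberos: deploy as for agents in the local forest'
} else {
    $summary.AuthPath = 'Certificates: no two-way trust, so the agent (or a gateway) and this server each need a usable certificate'
    # Check this server's own certificate now; run Test-ScomAuthCertificate on the DC as well.
    $summary.LocalCertificates = @(Test-ScomAuthCertificate -Fqdn $ManagementServerFqdn)
}
[pscustomobject]$summary
```

When the trust is one-way or absent the script lists this server's certificates and whether each one meets the requirements; the same function run on the remote DC (or on a gateway, for the gateway option in the answer) shows whether that side is ready before the agent is installed and the certificate imported.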

All replies

  • The other domain controllers will be discovered but AD will not be discovered.

    Great!  This is what I was looking for.  I just need to monitor uptime/performance/disk space, etc.  These other domains are very small (<10 servers), so I'm opting against a gateway server for now.

    Thank you!
    Tuesday, December 22, 2009 8:59 PM
  • Hi,
    If you only want that kind of info you don't even need to include the AD MP; stick to the base OS MP.
    Anders Bengtsson | Microsoft MVP - Operations Manager | http://www.contoso.se
    Wednesday, December 23, 2009 7:14 PM
  • I do want it for my primary AD domain though.  Just not these small, 2 DC resource domains.  Thanks again!
    Wednesday, December 23, 2009 8:15 PM