SCOM r2 monitoring of a ForeFront Reporting (management server) server


  • I have an environment for multiple customers to report to 1 management group. At the moment this works fine for all servers; however, I think we are going to run into problems when Forefront is using SCOM for reporting as well.

    My management group will not have room for Forefront alerts/reporting for all clients of my customers (I estimate around 6000 servers in SCOM, so probably between half a million and a million clients). This means each customer will have its own Forefront management group. This will work fine; however, how do I monitor the management servers which hold the Forefront management group? Management servers can't hold 2 management groups!

    Of course I could set up some basic agentless monitoring for these servers, but I'd like to have more comprehensive monitoring (currently I have the same issue with MOM 2005 and quite regularly I have to help the customer administrators to get MOM 2005-Forefront working again, usually SQL problems :)).

    Another issue which might be problematic (currently I'm testing this so I'm not sure yet): the central management group doesn't have a trust relation to customers. We have certs on all servers (no gateways, as we want to be in control of the network traffic to our central SCOM environment). Does a Forefront management need to have these certs as well, or can the SCOM agent use both certificates and Kerberos? (Kerberos for local management groups and a cert for a remote management group)

    • Moved by Rob Kuehfus Thursday, November 05, 2009 12:01 AM (From:Deployment)
    Tuesday, November 03, 2009 1:23 PM

All replies

  • Anyone? I think this is an OpsMgr issue. Although Forefront does introduce this issue, I assume more MS products will follow...

    As for the cert and Kerberos issues: the agent will only work with a (just one) cert, so you need to add the root CA cert to all of the management servers of any management group to which the agent reports. This can lead to problems and makes me resent not being able to turn off the "have to authenticate" option from SCOM.

    ACS can still work with Kerberos if the SCOM agent uses a cert.
    Thursday, November 05, 2009 12:32 PM
  • Hi,


    Thank you for the post.


    I think you may use the Client Security Enterprise Manager tool, which allows you to aggregate reporting and management of up to 10 Client Security down-level deployments. This allows you to manage up to 100,000 client computers from a single Client Security console. For more information, please refer to the following link.





    Nick Gu - MSFT
    Tuesday, November 10, 2009 10:09 AM
  • It's not about managing the clients; that will be done by different admin teams. It's about managing/monitoring the Forefront "management server" itself, so I know if it's up, have perf monitoring, alerts about critical components etc. This info should be sent to another management group than Forefront.
    Tuesday, November 10, 2009 12:41 PM
  • Could someone move this back to the SCOM forum? I think I have more chance there, although I'm pretty sure there's no solution :)

    Tuesday, November 17, 2009 4:51 PM