How can I add a user Role member that is from a different domain

    Question

  • We are currently building out SCOM 2012 R2 to provide monitoring as a service to some of our customers.  As of now we have the RMS on our own department's domain (Domain A) which we have full control of and we have a gateway server that is on the company wide domain (Domain B) so that we can monitor other departments' devices as they leverage this system.

    Monitoring is working just fine on both domains and we are just working on fine tuning SCOM so that we can roll it out as a service we offer to our customers.  One of the next steps we are working on before rolling it out is giving specific users access to view only their own devices, dashboards, and groups.  So I created a Read-Only profile and went to add a user to test it out, but that user is on Domain B and SCOM is unable to resolve this account.  I'm seeing Event ID 26319 with Error Code 1332.

    How can I get SCOM to discover devices on a different domain so that I can give them different permissions for accessing the Operations Console and/or Web Console?  Is this possible?

    Here is the Error I'm seeing.

    Log Name:      Operations Manager
    Source:        OpsMgr SDK Service
    Date:          2/4/2015 1:11:59 PM
    Event ID:      26319
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      xxxxx.xxxx.xxxxxxxx.xxx
    Description:
    An exception was thrown while processing UpsertUserRolesV2 for session ID uuid:f3b4015e-9583-4237-b7a6-406826434553;id=40.
     Exception message: The creator of this fault did not specify a Reason.
     Full Exception: System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException: Unable to resolve the user xxxxxxx@xx.xxx associated with the user role. Error code 1332. Check your active directory configuration.).
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="OpsMgr SDK Service" />
        <EventID Qualifiers="49152">26319</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2015-02-04T21:11:59.000000000Z" />
        <EventRecordID>172748</EventRecordID>
        <Channel>Operations Manager</Channel>
        <Computer>xxxxx.xxxx.xxxxxxxx.xxx</Computer>
        <Security />
      </System>
      <EventData>
        <Data>UpsertUserRolesV2</Data>
        <Data>uuid:f3b4015e-9583-4237-b7a6-406826434553;id=40</Data>
        <Data>The creator of this fault did not specify a Reason.</Data>
        <Data>System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException: Unable to resolve the user xxxxxxx@xx.xxx  associated with the user role. Error code 1332. Check your active directory configuration.).</Data>
      </EventData>
    </Event>

    Thanks for any help I can get in resolving this issue.

    Jake

    Wednesday, February 4, 2015 9:26 PM

Answers

  • Got it.

    Please try to create a domain group in the SCOM domain that reflects the user role (something like Group_SCOM_ReadOnlyOperators_blabla) and add that group to the role members.

    As soon as that works, move on and add the user from the other domain to that group.

    Works?


    Please remember to click “Mark as Answer” on the post that helped you.
    Patrick Seidl (System Center and Private Cloud)
    Website: http://www.syliance.com
    Blog: http://www.systemcenterrocks.com

    Wednesday, February 4, 2015 11:23 PM
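    The group-based approach from the accepted answer, scripted end to end as an added example (this is not code from the thread or from Microsoft). It assumes placeholder names (DOMAINA as the SCOM domain, DOMAINB as the one-way trusted domain, the group name, role display name, OU path and user name are all made up), the RSAT ActiveDirectory module and the OperationsManager module on a machine in Domain A, and the cmdlets Get-SCOMUserRole / Set-SCOMUserRole with their -DisplayName, -UserRole and -User parameters. Error code 1332 in the event is the Win32 ERROR_NONE_MAPPED ("No mapping between account names and security IDs was done"), so the first function simply performs the same name-to-SID translation the SDK service attempts, which lets you test resolvability before touching a role.

```powershell
# Added example, not from the thread. Placeholders: DOMAINA = SCOM domain, DOMAINB = trusted domain.
# Run on a Domain A machine with rights to create groups in Domain A and to edit SCOM user roles.
Import-Module ActiveDirectory
Import-Module OperationsManager

$ScomDomainDc  = 'dc01.domaina.example'                    # assumption: a DC in the SCOM domain
$TrustedDomain = 'domainb.example'                         # assumption: the one-way trusted domain
$GroupName     = 'Group_SCOM_ReadOnlyOperators_CustomerX'  # naming pattern from the answer
$RoleName      = 'CustomerX Read-Only'                     # assumption: role display name from the console
$CustomerUser  = 'jdoe'                                    # assumption: sAMAccountName of the DOMAINB user

# Same check the SDK service performs: translate DOMAIN\name to a SID.
# Error 1332 (ERROR_NONE_MAPPED) surfaces here as IdentityNotMappedException.
function Test-AccountResolves {
    param([string]$Domain, [string]$SamAccountName)
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Domain, $SamAccountName)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $null
    }
}

# Step 1: a domain-local security group in the SCOM domain. Domain-local scope is what
# permits members from a domain that is trusted in only one direction (stored as
# foreign security principals in Domain A).
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $ScomDomainDc
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
        -Path 'OU=SCOM,DC=domaina,DC=example' -Server $ScomDomainDc -PassThru   # assumption: OU path
}

# Step 2: add the GROUP (not the user) to the Read-Only Operator role, keeping existing members.
# Assumption: Set-SCOMUserRole -User replaces the member list, so we merge first.
$role    = Get-SCOMUserRole -DisplayName $RoleName
$members = @($role.Users) + "DOMAINA\$GroupName" | Select-Object -Unique
Set-SCOMUserRole -UserRole $role -User $members

# Step 3: look the user up against its own domain, then nest it by SID. Adding a foreign
# principal by SID reference is the form the DC accepts for cross-domain members.
$user = Get-ADUser -Identity $CustomerUser -Server $TrustedDomain
Set-ADGroup -Identity $group -Add @{ member = "<SID=$($user.SID.Value)>" } -Server $ScomDomainDc

# Step 4: verify. The group must resolve from the SCOM domain; the bare user may not, which is
# exactly why the direct membership in the wizard failed with 1332.
"Group SID: {0}" -f (Test-AccountResolves -Domain 'DOMAINA' -SamAccountName $GroupName)
"User SID : {0}" -f (Test-AccountResolves -Domain 'DOMAINB' -SamAccountName $CustomerUser)
Get-ADGroupMember -Identity $group -Server $ScomDomainDc | Select-Object Name, objectClass, SID
```

    Keeping the role membership on one Domain A group and doing all per-customer changes in AD also keeps the SCOM role list short and auditable, and a customer user whose trust or account goes away is dropped by AD rather than left as an unresolvable entry inside the application.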

All replies

  • Jake, hi!

    No trusts between domains? No chance.

    The user must exist in the domain or trust must exist.

    HTH,
    Patrick


    Please remember to click “Mark as Answer” on the post that helped you.
    Patrick Seidl (System Center and Private Cloud)
    Website: http://www.syliance.com
    Blog: http://www.systemcenterrocks.com

    Wednesday, February 4, 2015 10:15 PM
  • There is a one way trust between the domains but not two way.  Do you need to have a two way trust for this to work?

    Thanks,

    Jake

    Wednesday, February 4, 2015 10:22 PM
  • Which direction?

    As long as you're able to see the user when you browse/search for it in the SCOM domain you're set.


    Please remember to click “Mark as Answer” on the post that helped you.
    Patrick Seidl (System Center and Private Cloud)
    Website: http://www.syliance.com
    Blog: http://www.systemcenterrocks.com

    Wednesday, February 4, 2015 10:32 PM
  • Domain A can authenticate Domain B users but not vice versa.  When you say as long as I can see the user when browsing/searching for it in the SCOM domain do you mean when using AD Users and Computers?
    Wednesday, February 4, 2015 10:39 PM
  • Ok, and where is SCOM located?

    Yes, that's a common way. Try that from the domain where SCOM is either.


    Please remember to click “Mark as Answer” on the post that helped you.
    Patrick Seidl (System Center and Private Cloud)
    Website: http://www.syliance.com
    Blog: http://www.systemcenterrocks.com

    Wednesday, February 4, 2015 10:46 PM
  • The SCOM Management Server is in Domain A.  I've tried it already and it has failed.  

    So just to clarify the method I used was to go to Administration>Security>User Roles.  Then New User Role>Read-Only Operator.  In the Create User Role Wizard I then gave the User Role a name, clicked "Add" under User Role Members.  Then the Select Users or Groups window pops up and I changed the Locations from Domain A to Domain B and searched for the user, which it's able to find, then clicked "OK" to add it to the User Role members which it does just fine.  On the next page which is Group Scope I checked the one group I want this account to have access to and then clicked next.  This brings me to Dashboards and Views where I click the radio button for "Only the dashboards and views selected in each tab are approved" and chose the folder of dashboards I want this account to access and then click next.  This brings me to the Summary and I click "Create".  At this point it thinks for a moment then closes out the wizard but the new Read-Only Operator does not appear.  I then look in Event Viewer and see the Event I pasted above.

    Am I doing something wrong here?  Any guidance on how to get around this issue would be much appreciated.

    Thanks,

    Jake

    Wednesday, February 4, 2015 10:59 PM
  • Got it.

    Please try to create a domain group in the SCOM domain that reflects the user role (something like Group_SCOM_ReadOnlyOperators_blabla) and add that group to the role members.

    As soon as that works, move on and add the user from the other domain to that group.

    Works?


    Please remember to click “Mark as Answer” on the post that helped you.
    Patrick Seidl (System Center and Private Cloud)
    Website: http://www.syliance.com
    Blog: http://www.systemcenterrocks.com

    Wednesday, February 4, 2015 11:23 PM
  • I was able to create a group on the SCOM domain (Domain A) and add that group to the Read Only Role.  I verified it worked by adding a User from the SCOM domain to the group.  Then I added the user account from Domain B and they now have access.

    So the only way to add a user from a different domain that has a one way trust is to add them to a Security Group that is in the SCOM domain?  You can't add individual users from other domains?

    Thanks so much for your help with this!

    Jake

    Thursday, February 5, 2015 5:51 PM
  • Jake,

    I did not verify that behavior in my lab. However, it is best practice anyway to work with nested groups in AD instead of direct memberships in the application (SCOM, in that case).

    Enjoy,
    Patrick


    Please remember to click “Mark as Answer” on the post that helped you.
    Patrick Seidl (System Center and Private Cloud)
    Website: http://www.syliance.com
    Blog: http://www.systemcenterrocks.com

    Thursday, February 5, 2015 8:12 PM