Monitoring Servers on a different domain with no trust and Workgroup servers

  • Question

  • I have two different domains in my environment. SCOM is already installed in Domain A, but I would like to monitor servers in Domain B. There is no trust between the two.

    What's the best way to achieve this? I would also like to monitor workgroup servers.

    1) Can I install a gateway server in Domain B, domain-join it to Domain B, and then configure certificate authentication with Domain A?

    2) Do I install a gateway server that is not domain-joined and let Domain B communicate through it?

    Can the gateway servers be domain joined and still monitor workgroup computers?


    Thursday, February 8, 2018 8:22 PM

Answers

  • Hello,

    Sir! The best way is to install a gateway server in Domain B and provide that gateway's name as the MS server on the client machines during agent installation in Domain B. That gateway server will then communicate with your SCOM MS, which is installed in Domain A, via certificate.

    Why we need it:

    Within a domain, SCOM uses Kerberos authentication, so in Domain A the MS will communicate via it, and in Domain B the gateway will communicate via the same.

    But for non-domain we need a certificate, and it uses the X.509 method to communicate; for further details please check this BLOG.

    So the conclusion is that via this we would reduce the steps of installing a cert. on every server in B, and the time too.

    Even if we use certificates, then we need to issue the whole cert. chain along with a dedicated cert. for each server. I think this is quite painful, a waste of time, and it increases the cert. count in the environment, and you also need to maintain those certs. once they are going to expire.

    Now the call is yours!

    Please feel free to ask if you need anything more.


    Cheers, Gourav (Please do take a moment to "Vote as Helpful" and/or "Mark as Answer" wherever applicable. Thanks!) or find my Facebook and LinkedIn link in profile.


    • Edited by GouravIN Friday, February 9, 2018 4:19 AM
    • Marked as answer by vintagevintage Sunday, February 11, 2018 7:42 PM
    Friday, February 9, 2018 4:16 AM
  • Hello,

    >>1) Can I install a gateway server in Domain B, domain-join it to Domain B, and then configure certificate authentication with Domain A?<<

    Yes, that is what's generally done. Here you need 2 certificates: 1 on the GW and 1 on the MS.

    >>2) Do I install a gateway server that is not domain-joined and let Domain B communicate through it?<<

    Though that is theoretically possible (and implemented in rare cases), I'd advise you against that. It basically defeats the whole purpose of the GW. In this case you'd need many more certificates: 1 on the GW, 1 on the MS, and 1 on each server you monitor in Domain B. A lot more unnecessary work and overhead.

    >>Can the gateway servers be domain-joined and still monitor workgroup computers?<<

    Yes, it can. All you need is a cert on the GW and 1 on each workgroup computer.

    So, ultimately, in my opinion,

    >>What's the best way to achieve this?<<

    Option 1. Gourav has already provided the reasons and the technical details.

    Hope this helps.

    Cheers


    Sam (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" wherever applicable. Thanks!)

    • Proposed as answer by CyrAz Friday, February 9, 2018 8:40 AM
    • Marked as answer by vintagevintage Sunday, February 11, 2018 7:42 PM
    Friday, February 9, 2018 5:50 AM

All replies

  • Hi There,

    Is there any update, or do you want any further clarification on it?


    Cheers, Gourav (Please do take a moment to "Vote as Helpful" and/or "Mark as Answer" wherever applicable. Thanks!) or find my Facebook and LinkedIn link in profile.

    Sunday, February 11, 2018 5:45 AM
  • Thank you so much for your response. Your advice has given me enough information on how to proceed.


    Sunday, February 11, 2018 7:46 PM
  • Hello,

    Just one more question. What type of certificate do I need? Computer certificate or IPsec? Different blogs use different certificates.

    Tuesday, February 13, 2018 2:21 AM
  • It's a computer certificate!

    Cheers, Gourav (Please do take a moment to "Vote as Helpful" and/or "Mark as Answer" wherever applicable. Thanks!) or find my Facebook and LinkedIn link in profile.

    Tuesday, February 13, 2018 3:42 AM
  • >>Hello,

    Just one more question. What type of certificate do I need? Computer certificate or IPsec? Different blogs use different certificates.<<

    Hello,

    All the official sources I refer to use the IPSec (Offline) certificate template, and that is what works for me. So I'd say IPSec :)

    Here's a reference:

    Installing the Root CA & Creating SCOM Certificate Template

    Hope this helps

    Cheers


    Sam (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" wherever applicable. Thanks!)

    Tuesday, February 13, 2018 4:19 AM
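Whichever template the certificate comes from, what the gateway, management server and workgroup agents actually need is a certificate with the right subject, key usage, EKUs and a trusted chain; the following is an added PowerShell check (not code from this thread or from Microsoft) that tests the certificates in the local machine store against those requirements and warns ahead of the expiry Gourav mentions. It assumes Windows PowerShell 5.1 run as Administrator on the machine holding the certificate; $WarnDays is an assumed threshold.

```powershell
param([int]$WarnDays = 30)   # assumed threshold for the expiry warning

# SCOM requires both EKUs on the certificate: Server and Client Authentication.
$RequiredEku = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')
# The subject CN must match the computer's FQDN.
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-ScomCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = New-Object System.Collections.Generic.List[string]
    if ($Cert.Subject -notmatch "CN=$([regex]::Escape($Fqdn))(,|$)") {
        $problems.Add("subject '$($Cert.Subject)' is not CN=$Fqdn")
    }
    if (-not $Cert.HasPrivateKey) { $problems.Add('no private key in the store') }

    # Collect the EKU OIDs present and check each required one.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }
    foreach ($oid in $RequiredEku) {
        if ($eku -notcontains $oid) { $problems.Add("missing EKU $oid") }
    }

    # Key usage must allow signing and key encipherment.
    $ku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1
    $kuf = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    if (-not $ku -or -not $ku.KeyUsages.HasFlag($kuf::DigitalSignature) -or
        -not $ku.KeyUsages.HasFlag($kuf::KeyEncipherment)) {
        $problems.Add('key usage must include DigitalSignature and KeyEncipherment')
    }

    # The chain must build to a root this machine trusts; the same root must be
    # trusted on the gateway and the management server at the other end.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $problems.Add("chain does not build: $($chain.ChainStatus.StatusInformation -join '; ')")
    }

    $daysLeft = [int]($Cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt 0) { $problems.Add('expired') }
    elseif ($daysLeft -lt $WarnDays) { $problems.Add("expires in $daysLeft days") }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint; NotAfter = $Cert.NotAfter
        Usable = ($problems.Count -eq 0); Problems = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-ScomCertificate $_ } | Format-Table -AutoSize
```

Run it on the gateway, on the management server and on each workgroup computer; a certificate reported as Usable on every end, all chaining to the same trusted root, is the set the answers above describe.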