SCOM Across Trusted Domains in Multiple Forests

Published on
15,498 Points
Last Modified:
Justin Owens
We don't support machines, but rather, the people who rely upon them...
I recently ran into a question where someone wanted to deploy SCOM in two different domains.  The problem was that the two sites they used were two domains, and while they trusted each other, they were not in the same forest.   The person asking the question wanted to install the remote agent at his other site, but the installation was failing.

The solution to the question was to deploy a gateway server at the remote site as described in this Technet Article:


The procedural overview as laid out in that article is to:

Request certificates for any computer in the agent, gateway server, management server chain.
Import those certificates into the target computers by using the Operations Manager 2007 MOMCertImport.exe tool.
Distribute the Microsoft.EnterpriseManagement.gatewayApprovalTool.exe to the management server.
Run the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe tool to initiate communication between the management server and the gateway.
Install the gateway server.
The detailed directions for each step are laid out there in a simple to understand fashion.
This is actually a very good solution for conditions which require Cross Forest SCOM deployments.  While my personal preference would be to bring both domains into a single forest, there are many reasons (mostly legal or political) to not do so.  In the event you find yourself needing to have a single management point for multiple domains, this is the way I would go.
Here is the Experts-Exchange Question that prompted me to find this solution:


Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.
Get 7 days free