CJRODRIG


SMS 2003: HOW TO CONNECT ACROSS DOMAINS

Dear all,

I have an MS Windows 2003 domain called "A" with SMS 2003 installed on it. I have a second Windows 2000 domain called "B" without SMS. There is a firewall separating them. There is no relationship between Domain "A" and Domain "B".

I need to install the SMS console on a PC in Domain "B" and take remote control of PCs and servers in Domain "A". The only restriction that I have is not to create trust relationships.

What do I need to accomplish this mission? (I mean, first of all, is it possible? Which firewall ports do I need to open? What name should I provide for the site server when installing the console on the Domain "B" PC?)

Please, please, HEEEEEEELP!!!

Thank you very very much in advance
Walter Padrón

Hi CJRODRIG,

I don't have a lab to test the configuration, but I think this article could help you. They also explain how to set up an lmhosts file to resolve NetBIOS names in other domains.

"Ports that Systems Management Server 2003 uses to communicate through a firewall or through a proxy server"
http://support.microsoft.com/default.aspx?kbid=826852

good luck!
CJRODRIG (ASKER)

Thanks wpadron, I'll test it tomorrow and let you know what happened. It seems to be the right article.

Hi CJRODRIG,

We are evaluating SP2. Quoted from the "Systems Management Server 2003 Service Pack 2 Overview"
http://www.microsoft.com/smserver/evaluation/2003/sp2.mspx

"Instead of using the previously required 15-character NetBIOS computer name, you can now enter an FQDN value for site server name"

cheers

Hello WPADRON,

Unfortunately, I opened all the ports described in your previous post but it didn't work. Maybe because I have a console behind the firewall instead of the SMS primary site server.

My topology looks like this:

COMPANY B DOMAIN                                               COMPANY A DOMAIN
Helpdesk PC ------------firewall  ------------ Firewall -------- SMS site ---- SMS DB
SMS Console             company B            Company A          server           server


Company B has no SMS.

Any idea?

Hi CJRODRIG,

Maybe it is the resolution process; you should test whether you can resolve your SMS server IP from a NetBIOS name.
Also recheck in both firewalls if something is blocked from/to your SMS server, besides ports described by Microsoft ;)

cheers

Hey guys, I think we got an advance on this. I'm getting this error on the SMS Site Server:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            5/18/2006
Time:            5:02:16 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SMS_SERVER_DOMAIN_A
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      username_in_domain_b
       Domain:            DOMAIN_B
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      Computer_name_in_domain_B
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      computer-IP-Address-on-domain-b
       Source Port:      4552


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

How can I validate domain B users on a domain A server without a trust????

You can't.

Log on to Computer_name_in_domain_B with username_in_domain_A

I couldn't log on to Computer_in_domain_b with domain A credentials because the username is unknown to domain B. So do you think that it is impossible to do without a trust?

Do you know if there is a way to use another authentication type (as in SQL, which uses integrated or its own authentication method) for SMS?


Hi CJRODRIG,

You can't log on because Computer_in_domain_b doesn't know how to reach Domain_Controllers_in_domain_a or the domain_a. Configure an LMHosts file: http://www.howtonetworking.com/Windows/lmhosts.htm

And no, I don't know of another authentication type.

cheers

No way to make it work without a bidirectional trust relationship... I modified LMHOSTS and HOSTS files, opened firewall ports described in MS article but no results...

Any other idea?

Ideas please????

I'm still having this issue and I'm waiting for another idea/solution to make it work.

rindi
It looks like you answered the Q yourself, with the tip of the others, and you need a trust to get it to work. Without that it isn't possible. Based on that you won't get another answer, so I suggest you either close the Q and distribute points however you think is correct, or follow the instructions in my link above to get a refund and get the question closed.
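
An added example, not part of the thread: a Python triage script for exported Event ID 529 records laid out like the one posted above. It counts failed network (Logon Type 3) NTLM logons whose account domain is not one the server can validate, which is the situation in this thread; the function names, the sample addresses and the trusted-domain set are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample (not real log data), laid out like the record in the thread.
TEMPLATE = """Event Type:\tFailure Audit
Event ID:\t529
Logon Failure:
\tReason:\tUnknown user name or bad password
\tUser Name:\t{user}
\tDomain:\t{domain}
\tLogon Type:\t{ltype}
\tAuthentication Package:\tNTLM
\tSource Network Address:\t{addr}
"""
SAMPLE = "".join(TEMPLATE.format(user=u, domain=d, ltype=t, addr=a) for u, d, t, a in [
    ("username_in_domain_b", "DOMAIN_B", "3", "192.0.2.10"),
    ("username_in_domain_b", "DOMAIN_B", "3", "192.0.2.10"),
    ("username_in_domain_a", "DOMAIN_A", "3", "192.0.2.20"),  # trusted domain, real bad password
    ("username_in_domain_b", "DOMAIN_B", "2", "-"),           # interactive, not a network logon
])

def parse_events(text):
    """Split exported event text into one {field: value} dict per record."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Event Type":          # first field of every exported record
            current = {}
            records.append(current)
        if current is not None and sep and value:
            current[key] = value
    return records

def untrusted_ntlm_failures(records, trusted_domains):
    """Count failed network NTLM logons per (domain, user, source address)
    where the account's domain is not one this server can validate."""
    trusted = {d.upper() for d in trusted_domains}
    hits = Counter()
    for r in records:
        domain = r.get("Domain", "")
        if (r.get("Event ID") == "529" and r.get("Logon Type") == "3"
                and r.get("Authentication Package") == "NTLM"
                and domain.upper() not in trusted):
            hits[(domain, r.get("User Name", "-"), r.get("Source Network Address", "-"))] += 1
    return hits

if __name__ == "__main__":
    for key, count in untrusted_ntlm_failures(parse_events(SAMPLE), {"DOMAIN_A"}).items():
        print(count, *key)
```

Entries that survive the filter point at a missing trust or a wrong account domain rather than a mistyped password, so they are worth separating from ordinary 529 noise before tuning firewall rules.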