
SMS 2003: HOW TO CONNECT ACROSS DOMAINS

Dear all,

I have a MS Windows 2003 domain called "A" with SMS 2003 installed on it. I have a second Windows 2000 domain called "B" without SMS. There is a firewall to separate them. There is no relationship between Domain "A" and Domain "B".

I need to install the SMS console on a PC in Domain "B" and take remote control of PCs and servers in Domain "A". The only restriction that I have is not to create trust relationships.

What do I need to accomplish this mission? (I mean, first of all, is it possible? Which firewall ports do I need to open? What name should I provide for the site server when installing the console on the Domain "B" PC?)

Please, please, HEEEEEEELP!!!

Thank you very very much in advance
Asked by: CJRODRIG
 
Walter Padrón Commented:
Hi CJRODRIG,

I don't have a lab to test the configuration, but I think this article could help you; they also explain how to set up an lmhosts file to resolve NetBIOS names in other domains.

"Ports that Systems Management Server 2003 uses to communicate through a firewall or through a proxy server"
http://support.microsoft.com/default.aspx?kbid=826852

good luck!
 
CJRODRIG (Author) Commented:
Thanks wpadron, I'll test it tomorrow and I'll let you know what happened... seems to be the right article.
 
Walter Padrón Commented:
Hi CJRODRIG,

We are evaluating SP2. Quoted from the "Systems Management Server 2003 Service Pack 2 Overview"
http://www.microsoft.com/smserver/evaluation/2003/sp2.mspx

"Instead of using the previously required 15-character NetBIOS computer name, you can now enter an FQDN value for site server name"

cheers
 
CJRODRIG (Author) Commented:
Hello WPADRON,

Unfortunately, I opened all ports described in your previous post but it didn't work. Maybe because I have a console behind the firewall instead of the SMS primary site server.

my topology looks like this:

COMPANY B DOMAIN                                               COMPANY A DOMAIN
Helpdesk PC ------------firewall  ------------ Firewall -------- SMS site ---- SMS DB
SMS Console             company B            Company A          server           server


Company B has no SMS.

Any Idea?
 
Walter Padrón Commented:
Hi CJRODRIG,

Maybe it is the resolution process; you should test whether you can resolve your SMS server IP from a NetBIOS name.
Also recheck on both firewalls whether something is blocked from/to your SMS server, besides the ports described by Microsoft ;)

cheers
 
CJRODRIG (Author) Commented:
Hey guys, I think we got an advance on this. I'm getting this error on the SMS Site Server:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            5/18/2006
Time:            5:02:16 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SMS_SERVER_DOMAIN_A
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      username_in_domain_b
       Domain:            DOMAIN_B
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      Computer_name_in_domain_B
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      computer-IP-Address-on-domain-b
       Source Port:      4552


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

How can I validate domain B users on a domain A server without a trust????
 
Walter Padrón Commented:
You can't.

Log on to Computer_name_in_domain_B with username_in_domain_A
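An added example, not part of the original thread: a small Python triage of the Event ID 529 record posted earlier, separating a failure where the account's domain has no trust path to the logging server from an ordinary wrong password. The `validatable_domains` set, the function names and the result labels are assumptions of this example.

```python
# Constructed sample: fields of the Event ID 529 record quoted in the thread,
# keeping the poster's placeholder names.
SAMPLE_EVENT = """\
Event ID:      529
Computer:      SMS_SERVER_DOMAIN_A
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      username_in_domain_b
       Domain:            DOMAIN_B
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      Computer_name_in_domain_B
       Source Network Address:      computer-IP-Address-on-domain-b
"""

def parse_event(text):
    """Turn 'Key:   value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():          # skip headings such as 'Logon Failure:'
            fields[key.strip().lower()] = value.strip()
    return fields

def triage(fields, validatable_domains):
    """Classify a 529 failure (labels are this example's own).

    validatable_domains: assumption supplied by the caller, the domain and
    machine names whose accounts the logging server can verify (its own
    domain, domains it trusts, its local SAM).
    """
    if fields.get("event id") != "529":
        return "not-a-529"
    known = {d.upper() for d in validatable_domains}
    network_ntlm = (fields.get("logon type") == "3"
                    and fields.get("authentication package", "").upper() == "NTLM")
    if network_ntlm and fields.get("domain", "").upper() not in known:
        return "untrusted-domain"   # no trust path to the account's domain
    return "bad-credentials"        # domain is verifiable: wrong name or password

def summarize(text, validatable_domains):
    """Return (verdict, account domain, user name, source address)."""
    f = parse_event(text)
    return (triage(f, validatable_domains), f.get("domain"), f.get("user name"),
            f.get("source network address"))
```

Called as `summarize(SAMPLE_EVENT, {"DOMAIN_A", "SMS_SERVER_DOMAIN_A"})`, the verdict for the posted event is `untrusted-domain`, which matches the answer above: the site server has no way to check a DOMAIN_B account.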
 
CJRODRIG (Author) Commented:
I couldn't log on to Computer_in_domain_b with domain A credentials because the username is unknown by domain B. So do you think that it is impossible to do without a trust?

Do you know if there is a way to use another authentication type (as in SQL, which uses integrated or its own authentication method) for SMS?
 
Walter Padrón Commented:
Hi CJRODRIG,

You can't log on because Computer_in_domain_b doesn't know how to reach Domain_Controllers_in_domain_a or the domain_a. Configure an LMHosts file: http://www.howtonetworking.com/Windows/lmhosts.htm

And no, I don't know of another authentication type.

cheers
 
CJRODRIG (Author) Commented:
No way to make it work without a bidirectional trust relationship... I modified LMHOSTS and HOSTS files, opened firewall ports described in MS article but no results...

Any other Idea?

CJRODRIG (Author) Commented:
Ideas please????

CJRODRIG (Author) Commented:
I'm still having this issue and I'm waiting for another Idea/solution to make it work.
 
rindi Commented:
It looks like you answered the Q yourself, with the tip of the others, and you need a trust to get it to work. Without that it isn't possible. Based on that you won't get another answer, so I suggest you either close the Q and distribute points however you think is correct, or follow the instructions in my link above to get a refund and get the question closed.

DarthMod Commented:
PAQed with points refunded (500)

DarthMod
Community Support Moderator
