Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

SCOM07 agent push from RMS server in one domain, to servers in another domain (with a two way non-transitive trust between them) fails

Posted on 2009-05-18
2
Medium Priority
?
815 Views
Last Modified: 2013-11-21
Discovery, authentication and agent installation seems to work fine, the agent installs fine on the servers in the 2nd domain when pushed from the RMS server in the 1st domain.  The active tasks window in the opsmgr console even reports that the agents were successfully installed, so no failed install log is generated on the RMS.  Our two domains are trusted, so a certificate based agent install shouldn't be necessary...On the servers, these three errors are listed in their opsmgr event logs:

Event ID:20057: Failed to initialize security context for target MSOMHSvc/rmsserver.domain1.com The error returned is 0x80090303(The specified target is unknown or unreachable).  This error can apply to either the Kerberos or the SChannel package.

Event ID:21001: The OpsMgr Connector could not connect to MSOMHSvc/rmsserver.domain1.com because mutual authentication failed.  Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.

Event ID: 21016: OpsMgr was unable to set up a communications channel to rmsserver.domain1.com and there are no failover hosts.  Communication will resume when rmsserver.domain1.com is both available and allows communication from this computer.

I've run the remote agent prerequisite tool with no errors between the RMS and a host server in the 2nd domain.
I've also tested (via telnet) ports 5723 & 5724 between the RMS and remote host, and they are both open.  Any options for me before I may have to resort to a certificate based install?
Thank you.
0
Comment
Question by:guitar_dave
2 Comments
 
LVL 15

Accepted Solution

by:
wwwally earned 2000 total points
ID: 24414492
In an untrusted domain scenario you should us a gateway server.
This gateway will be a domain member of the untrusted domain and will service, by a certificate pair on RMS and gateway, the agents in the other domain.
Discovery, authentication and agent installation work fine because you use the domain credentials of the untrusted domain but in normal operation thats not enough.
Follow this guide to get it the gateway installed en configured.
http://weblogwally.spaces.live.com/blog/cns!A913F865098E0556!488.entry
You will need a CA for this!!!
Regards,
Walter
http://weblogwally.spaces.live.com
0
 

Author Comment

by:guitar_dave
ID: 24414944
So just to clarify...An external non-transitive trust is not enough then?
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip is around source server preparation. No migration is an easy migration, there is a…
Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
Loops Section Overview
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question