Solved

SCOM07 agent push from RMS server in one domain, to servers in another domain (with a two way non-transitive trust between them) fails

Posted on 2009-05-18
2
787 Views
Last Modified: 2013-11-21
Discovery, authentication and agent installation seems to work fine, the agent installs fine on the servers in the 2nd domain when pushed from the RMS server in the 1st domain.  The active tasks window in the opsmgr console even reports that the agents were successfully installed, so no failed install log is generated on the RMS.  Our two domains are trusted, so a certificate based agent install shouldn't be necessary...On the servers, these three errors are listed in their opsmgr event logs:

Event ID:20057: Failed to initialize security context for target MSOMHSvc/rmsserver.domain1.com The error returned is 0x80090303(The specified target is unknown or unreachable).  This error can apply to either the Kerberos or the SChannel package.

Event ID:21001: The OpsMgr Connector could not connect to MSOMHSvc/rmsserver.domain1.com because mutual authentication failed.  Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.

Event ID: 21016: OpsMgr was unable to set up a communications channel to rmsserver.domain1.com and there are no failover hosts.  Communication will resume when rmsserver.domain1.com is both available and allows communication from this computer.

I've run the remote agent prerequisite tool with no errors between the RMS and a host server in the 2nd domain.
I've also tested (via telnet) ports 5723 & 5724 between the RMS and remote host, and they are both open.  Any options for me before I may have to resort to a certificate based install?
Thank you.
0
Comment
Question by:guitar_dave
2 Comments
 
LVL 15

Accepted Solution

by:
wwwally earned 500 total points
Comment Utility
In an untrusted domain scenario you should us a gateway server.
This gateway will be a domain member of the untrusted domain and will service, by a certificate pair on RMS and gateway, the agents in the other domain.
Discovery, authentication and agent installation work fine because you use the domain credentials of the untrusted domain but in normal operation thats not enough.
Follow this guide to get it the gateway installed en configured.
http://weblogwally.spaces.live.com/blog/cns!A913F865098E0556!488.entry
You will need a CA for this!!!
Regards,
Walter
http://weblogwally.spaces.live.com
0
 

Author Comment

by:guitar_dave
Comment Utility
So just to clarify...An external non-transitive trust is not enough then?
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

On a regular basis I get questions about slow RDP performance, RDP connection problems, strange errors and even BSOD, remote computers freezing or restarting after initiation of a remote session. In a lot of this cases the quick solutions made b…
Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip is around source server preparation. No migration is an easy migration, there is a…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now