• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 835
  • Last Modified:

SCOM07 agent push from RMS server in one domain, to servers in another domain (with a two way non-transitive trust between them) fails

Discovery, authentication and agent installation seems to work fine, the agent installs fine on the servers in the 2nd domain when pushed from the RMS server in the 1st domain.  The active tasks window in the opsmgr console even reports that the agents were successfully installed, so no failed install log is generated on the RMS.  Our two domains are trusted, so a certificate based agent install shouldn't be necessary...On the servers, these three errors are listed in their opsmgr event logs:

Event ID:20057: Failed to initialize security context for target MSOMHSvc/rmsserver.domain1.com The error returned is 0x80090303(The specified target is unknown or unreachable).  This error can apply to either the Kerberos or the SChannel package.

Event ID:21001: The OpsMgr Connector could not connect to MSOMHSvc/rmsserver.domain1.com because mutual authentication failed.  Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.

Event ID: 21016: OpsMgr was unable to set up a communications channel to rmsserver.domain1.com and there are no failover hosts.  Communication will resume when rmsserver.domain1.com is both available and allows communication from this computer.

I've run the remote agent prerequisite tool with no errors between the RMS and a host server in the 2nd domain.
I've also tested (via telnet) ports 5723 & 5724 between the RMS and remote host, and they are both open.  Any options for me before I may have to resort to a certificate based install?
Thank you.
0
guitar_dave
Asked:
guitar_dave
1 Solution
 
wwwallyCommented:
In an untrusted domain scenario you should us a gateway server.
This gateway will be a domain member of the untrusted domain and will service, by a certificate pair on RMS and gateway, the agents in the other domain.
Discovery, authentication and agent installation work fine because you use the domain credentials of the untrusted domain but in normal operation thats not enough.
Follow this guide to get it the gateway installed en configured.
http://weblogwally.spaces.live.com/blog/cns!A913F865098E0556!488.entry
You will need a CA for this!!!
Regards,
Walter
http://weblogwally.spaces.live.com
0
 
guitar_daveAuthor Commented:
So just to clarify...An external non-transitive trust is not enough then?
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now