Authentication across 2 way External Forest Trust - SCOM

Posted on 2011-02-11
Last Modified: 2012-05-11
Hi experts,

Having real troubles getting my SCOM server to discover and manage a server on a different forest.

The situation is a little complicated so let me explain.

We have two forests which have a two way trust, everything resolves via pings etc, DNS conditional forwarders have been setup and are correct.

We have Forest ABC which contains one domain called Domain-A

We have Forest B which contains a forest root domain called SYSROOT.LOCAL and a TREE domain called CORE.LOCAL.

SCOM is in the CORE.LOCAL domain.

I have created a service account for SCOM called "servscom" and this account is in the core.local tree domain. I have created a group called "Cross forest Admins" which is in the forest root called sysroot.local. Servscom is a member of Cross_forest_admins.

Cross_forest_admins has been added to "Administrators" in the other forest. Therefore, as far as I can see, I should have access to do a discovery and install a SCOM agent on a machine in the other forest.

Can anyone see why discovery fails on SCOM? Or, if it's easier to explain, can anyone advise me on what rights a SCOM server requires on another machine to be able to manage it?

Thank you in advance
Question by:IT_Dept

Expert Comment

ID: 34873023
SCOM needs to authenticate with Kerberos. If it does not work you must install a trusted certificate for the cross-forest scenario.

Is the client able to communicate with RMS?

Author Comment

ID: 34887023
Having read documentation on TechNet I don't believe I need a gateway server or certificates. I have a two-way trust set up, everything pings and has connectivity, and DNS forwarders are set up. I installed the agent on the server in the other forest and it said it was healthy for a good few minutes.

Can someone explain to me why I need certificates? Because at the moment I'm leaning away from thinking I need them; however, if I do, I would like to know what the reason for this is.

Expert Comment

ID: 34887161
I took a second glance at the problem and noticed that you have added your cross_forest_admins to Administrators group of the other domain. That group does not have access to other machines than domain controllers. Domain Admins will be granted full control to domain member machines.

Based on that, your servscom account does not have adequate permissions on the other domain machines. As it does not have permissions, it can't do a computer verification and therefore it cannot discover anything. I think that this is the most likely reason.

Author Comment

ID: 34887320
The server I have mentioned that I am having problems with is a domain controller itself.

Also, in your other point you mention adding servscom to Domain Admins. This is not possible; you can't add resources from another forest into Domain Admins. I have just tried it again and only my source forest appears.

Expert Comment

ID: 34887531
Ummm, I didn't say add servscom to Domain Admins. I said that Administrators do not have access to domain members like Domain Admins do.

Will it start to work if you install the SCOM client manually along with Oomads?

If you log in to your SCOM server with the SCOM account, are you able to fully manage the other domain? You should have full control. Also use Kerbtray to see if you have Kerberos working ok for the foreign forest.

Author Comment

ID: 34888560
Thanks for that Toxacon and sorry for the confusion on my part.

I have created a Restricted Groups GPO which is now adding SYSROOT_Cross_Forest_admins to the local admins on all member servers, and I can now manage member machines in the other forest.

I still cannot manage domain controllers in the other forest though. My cross forest admins group is a member of Administrators in the other forest, which I would think should be enough.

I have just gone through Health Explorer and navigated to the only red "X", which is the RunAs authorization check. The error message is:

The health service blocked access to the windows credential NT AUTHORITY\SYSTEM because it is not authorized on management group Primary_Management_Group. You can run the HSLockdown tool to change which credentials are authorized.

any ideas what could be causing this?

Accepted Solution

Toxacon earned 500 total points
ID: 34888760
Oh, well, try

hslockdown Primary_Management_Group /R "NT AUTHORITY\SYSTEM"

hslockdown Primary_Management_Group /A "NT AUTHORITY\SYSTEM"

depending on the domain configuration. /R removes it from the explicit deny list or alternatively /A adds explicit permission. Set permissions on every DC. After setting restart Health Service.
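A scripted version of the steps in the accepted answer (set the Health Service lockdown on every DC, then restart the Health Service), added here as an illustration; it is not code from the thread. It assumes WinRM access to the remote DCs with an account that is a local administrator there, an HSLockdown.exe path for a SCOM 2007 agent, and constructed DC names; the /L switch used to print the resulting lists is not mentioned in the thread and is assumed to be available.

```powershell
# Added example, not from the thread. Authorizes the Health Service credentials
# on each domain controller and restarts the Health Service, per the accepted answer.
param(
    # Constructed sample DC names; replace with the DCs in the trusted forest.
    [string[]]$DomainControllers = @('dc1.domain-a.example', 'dc2.domain-a.example'),
    # Management group and accounts as named in the thread.
    [string]$ManagementGroup = 'Primary_Management_Group',
    [string[]]$Accounts = @('NT AUTHORITY\SYSTEM', 'CORExxx\servscom'),
    # Assumed agent path for SCOM 2007; adjust for the installed agent version.
    [string]$HSLockdownPath = 'C:\Program Files\System Center Operations Manager 2007\HSLockdown.exe',
    # /A adds an explicit allow (what the author confirmed worked); use -RemoveFromDenyList
    # to run the /R form from the accepted answer instead.
    [switch]$RemoveFromDenyList
)

$results = foreach ($dc in $DomainControllers) {
    Invoke-Command -ComputerName $dc -ArgumentList $ManagementGroup, $Accounts, $HSLockdownPath, $RemoveFromDenyList.IsPresent -ScriptBlock {
        param($mg, $accounts, $exe, $removeDeny)

        if (-not (Test-Path -Path $exe)) {
            throw "HSLockdown.exe not found at '$exe' on $env:COMPUTERNAME"
        }

        foreach ($acct in $accounts) {
            if ($removeDeny) {
                # /R: remove the account from the explicit deny list (accepted answer)
                & $exe $mg /R $acct | Out-Null
            } else {
                # /A: add an explicit allow for the account (accepted answer)
                & $exe $mg /A $acct | Out-Null
            }
            if ($LASTEXITCODE -ne 0) {
                throw "HSLockdown returned $LASTEXITCODE for '$acct' on $env:COMPUTERNAME"
            }
        }

        # /L (assumed switch) prints the current allow/deny lists so the change
        # can be verified before the service restart.
        $lists = & $exe $mg /L

        # The accepted answer: restart the Health Service after changing the lists.
        Restart-Service -Name HealthService -Force
        $svc = Get-Service -Name HealthService

        [pscustomobject]@{
            ComputerName  = $env:COMPUTERNAME
            HealthService = $svc.Status
            Lockdown      = ($lists -join "`n")
        }
    }
}

$results | Format-List
```

Run it from a host that can reach the DCs over WinRM with the cross-forest admin credentials; the per-DC output shows the service state and the lockdown lists, so a DC where the allow entry did not take is visible before Health Explorer is consulted.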

Author Comment

ID: 34895508
Thanks Toxacon, I'm getting closer to solving this now.

I have added NT AUTHORITY\SYSTEM and restarted the Health Service. Almost immediately the greyed-out machine in the other domain in the other forest came back to say healthy, apart from the agent status, which is now a yellow warning sign.

I have run Health Explorer and found the yellow warning relates to the RunAs account monitoring check. I now have the following error:

The Health Service cannot verify the future validity of the RunAs account CORExxx\servscom for management group Primary_Management_Group due to an error retrieving information from the Active Directory (for domain accounts) or the local security authority (for local accounts). The error is: the network address is invalid.

I have just added servscom to the allowed list and restarted the health service but this has not changed anything. Any clues as to what is causing this?

Author Comment

ID: 34895738

I have just found what I would describe at best as a "workaround", which seems really rubbish but works. I have gone on to the DC in the other forest that I'm trying to manage and added the DNS suffix of the other domain. I did this in the advanced TCP/IP settings on the DNS tab.

Surely there is a way around this, otherwise it seems I will need another group policy to add the suffix to all domain machines?

Is this purely Microsoft design and is this expected behaviour?

Expert Comment

ID: 34895851
You could also try creating the servscom account in both forests with the same password.

Author Closing Comment

ID: 34895866
Thanks Toxacon, much appreciated
