Authentication across 2 way External Forest Trust - SCOM

Posted on 2011-02-11
Medium Priority
Last Modified: 2012-05-11
Hi experts,

Having real troubles getting my SCOM server to discover and manage a server on a different forest.

The situation is a little complicated so let me explain.

We have two forests which have a two way trust, everything resolves via pings etc, DNS conditional forwarders have been setup and are correct.

We have Forest ABC which contains one domain called Domain-A

We have Forest B which contains a forest root domain called SYSROOT.LOCAL and a TREE domain called CORE.LOCAL.

SCOM is in the CORE.LOCAL domain.

I have created a service account for SCOM called "servscom", and this account is in the core.local tree domain. I have created a group called "Cross forest Admins" which is in the forest root called sysroot.local. Servscom is a member of Cross_forest_admins.

Cross_forest_admins has been added to "Administrators" in the other forest. Therefore, as far as I can see, I should have access to do a discovery and install a SCOM agent on a machine in the other forest.

Can anyone see why discovery fails on SCOM? Or, if it's easier to explain, can anyone advise me on what rights a SCOM server requires on another machine to be able to manage it?

Thank you in advance
Question by:IT_Dept
Expert Comment

ID: 34873023
SCOM needs to authenticate with Kerberos. If it does not work you must install a trusted certificate for the cross-forest scenario.

Is the client able to communicate with RMS?

Author Comment

ID: 34887023
Having read documentation on TechNet I don't believe I need a gateway server or certificates. I have a two-way trust set up, everything pings and has connectivity, and DNS forwarders are set up. I installed the agent on the server in the other forest and it said it was healthy for a good few minutes.

Can someone explain to me why I need certificates? Because at the moment I'm leaning away from thinking I need them; however, if I do, I would like to know what the reason for this is.

Expert Comment

ID: 34887161
I took a second glance at the problem and noticed that you have added your cross_forest_admins to the Administrators group of the other domain. That group does not have access to machines other than domain controllers. Domain Admins will be granted full control of domain member machines.

Based on that, your servscom account does not have adequate permissions on the other domain machines. As it does not have permissions, it can't do a computer verification and therefore it cannot discover anything. I think that this is the most likely reason.
Author Comment

ID: 34887320
The server I have mentioned that I am having problems with is a domain controller itself.

Also, in your other point you mention adding servscom to Domain Admins. This is not possible; you can't add resources from another forest into Domain Admins. I have just tried it again and only my source forest appears.

Expert Comment

ID: 34887531
Ummm, I didn't say add servscom to Domain Admins. I said that Administrators do not have access to domain members like Domain Admins do.

Will it start to work if you install the SCOM client manually along with OOMADS?

If you log in to your SCOM server with the SCOM account, are you able to fully manage the other domain? You should have full control. Also use Kerbtray to see if you have Kerberos working ok for the foreign forest.

Author Comment

ID: 34888560
Thanks for that Toxacon and sorry for the confusion on my part.

I have created a Restricted Groups GPO which is now adding SYSROOT_Cross_Forest_admins to the local admins on all member servers, and I can now manage member machines in the other forest.

I still cannot manage domain controllers in the other forest though. My cross forest admins group is a member of Administrators in the other forest, which I would think should be enough.

I have just gone through Health Explorer and navigated to the only red "X", which is the RunAs authorization check. The error message is:

The health service blocked access to the windows credential NT AUTHORITY\SYSTEM because it is not authorized on management group Primary_Management_Group. You can run the HSLockdown tool to change which credentials are authorized.

Any ideas what could be causing this?

Accepted Solution

Toxacon earned 2000 total points
ID: 34888760
Oh, well, try

hslockdown Primary_Management_Group /R "NT AUTHORITY\SYSTEM"

hslockdown Primary_Management_Group /A "NT AUTHORITY\SYSTEM"

depending on the domain configuration. /R removes it from the explicit deny list, or alternatively /A adds explicit permission. Set permissions on every DC. After setting, restart the Health Service.
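The accepted fix has to be repeated on every domain controller and followed by a Health Service restart, so here is an added PowerShell example (not from the thread or from Microsoft) that does exactly that across a list of DCs. It assumes the SCOM agent is already installed on each DC, that HSLockdown.exe is at the assumed path in $HsLockdownPath, that PowerShell remoting is enabled, and that the caller is a local administrator on each DC; the hostnames are constructed placeholders.

```powershell
# Added example: authorize a credential for the management group on every DC,
# then restart the Health Service so the new authorization is picked up.
$ManagementGroup = 'Primary_Management_Group'   # management group named in the thread
$Credential      = 'NT AUTHORITY\SYSTEM'        # credential the Health Service blocked

# Assumed location of HSLockdown.exe (it ships in the agent install folder;
# adjust for the agent version in use).
$HsLockdownPath  = 'C:\Program Files\System Center Operations Manager 2007\HSLockdown.exe'

# Constructed list of domain controllers to fix; replace with the real hostnames.
$DomainControllers = @('dc01.domain-a.example', 'dc02.domain-a.example')

foreach ($dc in $DomainControllers) {
    Invoke-Command -ComputerName $dc -ArgumentList $ManagementGroup, $Credential, $HsLockdownPath -ScriptBlock {
        param($mg, $cred, $exe)

        if (-not (Test-Path -Path $exe)) {
            Write-Warning "$env:COMPUTERNAME: HSLockdown.exe not found at $exe, skipping"
            return
        }

        # Show the current allowed/denied lists before changing anything,
        # so the change is auditable in the remoting output.
        Write-Output "== $env:COMPUTERNAME before =="
        & $exe $mg /L

        # Add an explicit allow entry for the credential (the /A form from the thread).
        & $exe $mg /A $cred

        # The Health Service only re-reads its authorization list on restart.
        Restart-Service -Name HealthService

        Write-Output "== $env:COMPUTERNAME after =="
        & $exe $mg /L
    }
}
```

Keep the allow list as narrow as the RunAs profiles actually need; the /L output before and after gives you a record of what each DC now permits.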

Author Comment

ID: 34895508
Thanks Toxacon, I'm getting closer to solving this now.

I have added NT AUTHORITY\SYSTEM and restarted the Health Service. Almost immediately the greyed-out machine in the other domain in the other forest came back to say healthy, apart from the agent status, which is now a yellow warning sign.

I have run Health Explorer and found the yellow warning relates to the RunAs account monitoring check. I now have the following error:

The Health Service cannot verify the future validity of the RunAs account CORExxx\servscom for management group Primary_Management_Group due to an error retrieving information from the Active Directory (for domain accounts) or the local security authority (for local accounts). The error is: the network address is invalid.

I have just added servscom to the allowed list and restarted the Health Service, but this has not changed anything. Any clues as to what is causing this?

Author Comment

ID: 34895738

I have just found what I would describe at best as a "workaround", which seems really rubbish but works. I have gone on to the DC in the other forest that I'm trying to manage and added the DNS suffix of the other domain. I did this in the advanced TCP/IP settings on the DNS tab.

Surely there is a way around this, otherwise it seems I will need another group policy to add the suffix to all domain machines?

Is this purely Microsoft design and is this expected behaviour?

Expert Comment

ID: 34895851
You could also try to create the servscom account in both forests with the same password.

Author Closing Comment

ID: 34895866
Thanks Toxacon, much appreciated
