Solved

Authentication across 2 way External Forest Trust - SCOM

Posted on 2011-02-11
11
2,552 Views
Last Modified: 2012-05-11
Hi experts,

Having real troubles getting my SCOM server to discover and manage a server on a different forest.

The situation is a little complicated so let me explain.

We have two forests which have a two way trust, everything resolves via pings etc, DNS conditional forwarders have been setup and are correct.

We have Forest ABC which contains one domain called Domain-A

We have Forest B which contains a forest root domain called SYSROOT.LOCAL and a TREE domain called CORE.LOCAL.

SCOM is in the CORE.LOCAL domain.

I have created a service account for scom call "servscom" and this account is in the core.local tree domain. I have created a group called "Cross forest Admins" which is in the forest root called sysroot.local. Servscom is a member of Cross_forest_admins.

Cross_forest_admins has been added to "Administrators" in the other forest. Therefore as far as i can see i should have access to do a discovery and install a scom agent on a machine in the other forest.


Can anyone see why discovery fails on scom? or if its easier to explain, can anyone advise me on what rights a scom server requires on another machine to be able to manage it?

thankyou in advance
0
Comment
Question by:IT_Dept
  • 6
  • 5
11 Comments
 
LVL 8

Expert Comment

by:Toxacon
ID: 34873023
SCOM needs to authenticate with Kerberos. If if does not work you must install trusted certificate for cross-forest scenario.

Is the client able to communicate with RMS?
0
 

Author Comment

by:IT_Dept
ID: 34887023
having read documentation on technet i dont believe i need a gateway server or certificates. I have a two way trust set up, everything pings and has connectivity and DNS forwarders are set up. I installed the agent on the server in another forest and it said it was healthy for a good few minutes.

Can someone explain to me why i need certificates becuase at the moment im leaning away from thinking i need them, however if i do i would like to know what the reason for this is?
0
 
LVL 8

Expert Comment

by:Toxacon
ID: 34887161
I took a second glance at the problem and noticed that you have added your cross_forest_admins to Administrators group of the other domain. That group does not have access to other machines than domain controllers. Domain Admins will be granted full control to domain member machines.

Based on that, your servscom account does not have adequate permissions on the other domain machines. As it does not have permissions, it can't do a computer verification and therefore it cannot discover anything. I think that this is the most likely reason.
0
 

Author Comment

by:IT_Dept
ID: 34887320
The server  I have mentioned that I am having problems with is a domain controller itself.

Also in your other point you mention adding servscom to domain admins. This is not possible, you cant add resources from another forest into domain admins. I have just tried it again and only my source forest appears.
0
 
LVL 8

Expert Comment

by:Toxacon
ID: 34887531
Ummm, I didn't say add servscom to Domain Admins. I said that Administrators do not have access to domain members like Domain Admins do.

Will it start to work if you install the SCOM client manually along with Oomads?

If you log in to your SCOM server with the SCOM account, are you able to fully manage the other domain? You should have full control. Also use Kerbtray to see if you have Kerberos working ok for the foreign forest.
0
 

Author Comment

by:IT_Dept
ID: 34888560
Thanks for that Toxacon and sorry for the confusion on my part.

I have created a restricted groups GPO which is now adding SYSROOT_Cross_Forest_admins to the local admins on all member servers and i can now manage member machines in the other forest.

I still cannot manage domain controllers in the other forest though. My cross forest admins group is a member of administrators on the other forest which i would think should be enough.

I have just gone through health explorer and navigated to the only red "X" which is the Runas authorization check. the error message is :

The health service blocked access to the windows credential NT AUTHORITY\SYSTEM because it is not authorized on management group Primary_Management_Group. You can run the HSLockdown tool to change which credentials are authorized.

any ideas what could be causing this?
0
 
LVL 8

Accepted Solution

by:
Toxacon earned 500 total points
ID: 34888760
Oh, well, try

hslockdown Primary_Management_Group /R "NT AUTHORITY\SYSTEM"

Open in new window


or

hslockdown Primary_Management_Group /A "NT AUTHORITY\SYSTEM"

Open in new window


depending on the domain configuration. /R removes it from the explicit deny list or alternatively /A adds explicit permission. Set permissions on every DC. After setting restart Health Service.
0
 

Author Comment

by:IT_Dept
ID: 34895508
Thanks Toxacon, im getting closer to solving this now.

I have added NT AUTHORITY\SYSTEM  and restarted the health service. Almost immediately the greyed out machine on the other domain in the other forest came back to say healthy apart from  on the agent status which is now a yellow warning sign.

I have ran a health explorer and found the yellow warning relates to the Runas account monitoring check. I now have the following error:


The Health Serivce cannot verify the future validity of the Runas account CORExxx\servscom for management group Primary_Management_Group due to an error retrieving information from the Active Directory (for domain accounts) or the local security authority(for local accounts) The error is the network address is invalid.

I have just added servscom to the allowed list and restarted the health service but this has not changed anything. Any clues as to what is causing this?
0
 

Author Comment

by:IT_Dept
ID: 34895738

I have just found what I would describe at best a "work around" which seems really rubbish but works. I have gone on to the DC in the other forest that Im trying to manage and added in the DNS SUFFIX of the other domain. I did this in the advanced tcp/ip settings on the DNS tab.

Surely there is a way around this, otherwise it seems I will need another group policy to add the suffix to all domain machines?

Is this purely Microsoft design and is this expected behaviour?
0
 
LVL 8

Expert Comment

by:Toxacon
ID: 34895851
You could also try to create servscom account to both forests with the same password.
0
 

Author Closing Comment

by:IT_Dept
ID: 34895866
Thanks Toxacon, much appreciated
0

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Trasfering FSMO roles 8 81
DNS Name Pointing 6 31
Do we need servers??? 5 138
active directory 1 11
Introduction: Sometimes when I receive a call from my users to solve their problems it is very difficult for me to found their computer IP address. Even finding their computer Host to provide remote support can be a problem.  So I resorted to Goo…
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now