
Get SCOM 2007 working in a trusted domain

I deployed a single management server in our Windows 2003 Active Directory domain and started adding clients to it. So far no problem, everything worked fine. But we have a second domain that is trusted. Let's call the two domains Domain A and Domain B. Both are Windows 2003 Active Directory domains running in Windows 2003 native mode.

When I deployed our management agents to Domain B (the other domain) I had some problems. Discovery and deployment worked fine, but the agent was not able to authenticate with the management server. When I looked in the SCOM event log on the server where the agent was deployed, I found this error:

Type: Error
Source: OpsMgr Connector
Event ID: 21001

The OpsMgr Connector could not connect to MSOMHSvc/scomsrv.domain.a because mutual authentication failed.  Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.

And:

Type: Error
Source: OpsMgr Connector
Event ID: 20057

Failed to initialize security context for target MSOMHSvc/scomsrv.domain.a The error returned is 0x80090303(The specified target is unknown or unreachable).  This error can apply to either the Kerberos or the SChannel package.


After searching I found that the problem was our domain trust. There was a two-way full trust between the two domains, but the trust type was "External". That is the problem: there must be a Forest Trust between the two domains. One of the most important differences is that an external trust only provides NTLM authentication, while a forest trust provides Kerberos authentication, which is necessary for SCOM 2007 (the agent's mutual authentication with the management server's MSOMHSvc SPN relies on it).

One more thing you should know: before you can create a Forest Trust, your Domain functional level AND Forest functional level must be at the Windows 2003 functional level.

After raising the Forest functional level on both Domain A and Domain B and creating the forest trust, everything was working fine. Of course, your action account(s) and user rights on the SCOM server and the Windows servers must also be correct.
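The following PowerShell script is an added diagnostic, not part of the original post, that checks the three preconditions described above from a machine joined to Domain A: the forest and domain functional levels, the type and direction of the trust to Domain B, and that the MSOMHSvc SPN the agent targets is registered exactly once. The domain names and the management server FQDN are assumed placeholders taken from the post's anonymised names; it uses the .NET System.DirectoryServices classes rather than any SCOM-specific cmdlet.

```powershell
# Added example, not from the original post. Assumed names: 'domain.b' is the trusted
# domain, 'scomsrv.domain.a' is the SCOM management server FQDN. Run in Domain A with
# an account allowed to read Active Directory.
Add-Type -AssemblyName System.DirectoryServices
$trustedDomain  = 'domain.b'
$mgmtServerFqdn = 'scomsrv.domain.a'

# 1. Functional levels: a forest trust can only be created when both the forest and
#    the domain are at the Windows 2003 functional level.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
"Forest '$($forest.Name)' mode: $($forest.ForestMode)"
"Domain '$($domain.Name)' mode: $($domain.DomainMode)"
if ($forest.ForestMode -eq 'Windows2000Forest' -or
    $forest.ForestMode -eq 'Windows2003InterimForest') {
    Write-Warning 'Forest functional level is below Windows Server 2003; raise it first.'
}

# 2. Trust type: 'External' gives NTLM only; SCOM mutual authentication needs a
#    two-way 'Forest' trust, which carries Kerberos across the domains.
$trust = $domain.GetAllTrustRelationships() |
         Where-Object { $_.TargetName -eq $trustedDomain } | Select-Object -First 1
if (-not $trust) {
    Write-Warning "No trust to $trustedDomain found from $($domain.Name)."
} else {
    "Trust to $($trust.TargetName): type=$($trust.TrustType) direction=$($trust.TrustDirection)"
    if ($trust.TrustType -ne 'Forest' -or $trust.TrustDirection -ne 'Bidirectional') {
        Write-Warning 'Not a two-way forest trust; expect events 21001/20057 on agents in the other domain.'
    }
}

# 3. SPN: the agent asks Kerberos for MSOMHSvc/<management server FQDN>. A missing or
#    duplicated SPN also produces 0x80090303 ("target is unknown or unreachable").
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($domain.Name)")
$searcher.Filter = "(servicePrincipalName=MSOMHSvc/$mgmtServerFqdn)"
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
$holders = $searcher.FindAll()
switch ($holders.Count) {
    0       { Write-Warning "SPN MSOMHSvc/$mgmtServerFqdn is not registered in $($domain.Name)." }
    1       { "SPN MSOMHSvc/$mgmtServerFqdn is held by $($holders[0].Properties['samaccountname'][0])" }
    default { Write-Warning "SPN MSOMHSvc/$mgmtServerFqdn is duplicated across $($holders.Count) accounts." }
}
```

A warning from any of the three checks points at the corresponding fix in the post; all three passing means the remaining suspects are the action accounts and user rights mentioned above.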

More on how to raise domain and forest functional levels in Windows Server 2003 can be found on the Microsoft website:

http://support.microsoft.com/kb/322692


Updated: July 16, 2010