AhmedEssam-4837 asked:

Best practice to use SCOM 2019 to monitor two different forests

Hello,

We have three different forests, all on the same hardware. I will install SCOM 2019 with the latest RU in one forest (ABC.LOCAL). How do I monitor the devices in the other two forests (XYZ.LOCAL and domain.local)?


Thanks in advance

msc-operations-manager-general

CyrilAzoulay answered:

If the other forests are trusted, you can deploy agents without doing anything particular.
Otherwise the best option would be to deploy SCOM Gateways in these forests.


Thanks, @CyrilAzoulay, for your help.

If I went with the first scenario, which trust type should I use (a two-way forest trust)? If so, should I use certificates too? And if so, should I install Active Directory Certificate Services?

Sorry for my questions; this is the first time I have had to monitor devices in another forest.

Thanks again


Technically speaking, you would need the SCOM management servers and SCOM agents to be within the same "Kerberos boundaries". To achieve this, you indeed need a two-way forest trust.
As I said previously, in that case you do not do anything particular, so no need for certificates.

However, creating a two-way forest trust is not a decision you should take lightly, and surely not just to make SCOM agent deployment easier... that's something you need to discuss with your AD admins.

Crystal-MSFT answered:

@AhmedEssam-4837, if we deploy a forest trust with two-way direction, that means users in one forest can access resources in any domain of the other forest. We can see more details about forest trusts at the following link:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)#forest-trusts

Kerberos authentication between the agents in any domain of one forest and the SCOM server in another forest can be routed over the forest trust. We can see more details at the following link:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)#kerberos-based-processing-of-authentication-requests-over-forest-trusts

However, if a trust cannot be built, a certificate is needed for authentication in order to monitor agents in an untrusted domain. For this situation, a gateway server is recommended for agent management of computers that are outside the Kerberos trust boundary of the management group. We can see more details at the following link:
https://docs.microsoft.com/en-us/system-center/scom/deploy-install-gateway-server?view=sc-om-2019

Hope it can help.




@AhmedEssam-4837, How's everything going? If there's still anything unclear, feel free to let us know.

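The decision both answers above describe (inside a two-way forest trust, push the agent and rely on Kerberos; outside it, put a gateway server in the remote forest and authenticate with certificates) can be worked through with the script below. It is an added PowerShell example written for this thread, not code from the thread participants or from Microsoft. It assumes it runs in a PowerShell session on a SCOM management server in ABC.LOCAL (so "current forest" is the management group's forest); the target host names, and the mapping from host FQDN to forest name, are constructed for illustration. The certificate checks reflect the requirements in the gateway documentation linked above (subject CN equal to the computer's FQDN, a private key, and both the Server Authentication and Client Authentication EKUs).

```powershell
# Added example (not from the thread). Run on a SCOM management server in ABC.LOCAL.
Add-Type -AssemblyName System.DirectoryServices

# Constructed list of computers we would like to monitor (hypothetical hosts).
$targets = @('srv01.xyz.local', 'fs02.domain.local', 'app03.abc.local')

# Forest trusts as seen from the forest this session belongs to.
$scomForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$trusts     = $scomForest.GetAllTrustRelationships()

function Get-ForestNameFromFqdn {
    param([string]$Fqdn)
    # Simplification: everything after the host label is taken as the forest name.
    # With child domains (e.g. corp.xyz.local) resolve the forest root via AD instead.
    return ($Fqdn -split '\.', 2)[1]
}

function Test-InKerberosBoundary {
    param([string]$TargetForest)
    if ($TargetForest -ieq $scomForest.Name) { return $true }      # same forest as the management servers
    $t = $trusts | Where-Object { $_.TargetName -ieq $TargetForest }
    if (-not $t) { return $false }                                  # no trust at all
    # Agent and management server authenticate each other with Kerberos, so a
    # one-way or external trust is not enough: require a bidirectional forest trust.
    return ($t.TrustType -eq 'Forest') -and ($t.TrustDirection -eq 'Bidirectional')
}

foreach ($computer in $targets) {
    $f = Get-ForestNameFromFqdn $computer
    if (Test-InKerberosBoundary $f) {
        "$computer ($f): inside the trust boundary -> push the agent from the console, no certificate needed"
    } else {
        "$computer ($f): outside the trust boundary -> deploy a gateway server in $f and use certificates"
    }
}

# Gateway path: before MOMCertImport is run on the gateway (or on a manually
# installed agent), confirm a certificate in the machine store meets the
# documented requirements. Run this part on the gateway/agent itself.
function Test-ScomCertificate {
    param([string]$ComputerFqdn)
    $requiredEku = @('1.3.6.1.5.5.7.3.1',   # Server Authentication
                     '1.3.6.1.5.5.7.3.2')   # Client Authentication
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "^CN=$([regex]::Escape($ComputerFqdn))(,|$)" } |
        ForEach-Object {
            $ekuExt  = $_.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $present = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
            $missing = @($requiredEku | Where-Object { $present -notcontains $_ })
            [pscustomobject]@{
                Thumbprint    = $_.Thumbprint
                Issuer        = $_.Issuer
                HasPrivateKey = $_.HasPrivateKey
                Expired       = ($_.NotAfter -lt (Get-Date))
                MissingEku    = ($missing -join ', ')
                Usable        = ($_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $missing.Count -eq 0)
            }
        }
}

$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Test-ScomCertificate -ComputerFqdn $localFqdn | Format-List
```

The first half only decides which path applies; it does not change anything. The certificate check deliberately insists on a bidirectional forest trust rather than any trust object, because a one-way or external trust leaves one side unable to obtain Kerberos tickets for the other. Registering the gateway with the management group (Microsoft.EnterpriseManagement.GatewayApprovalTool.exe on a management server) and importing the certificate on the gateway (MOMCertImport.exe) are covered by the gateway documentation linked in the answer and are not performed by this script.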