OpsMgr 2007: How to enable AD integration for an untrusted domain

I get asked about how to enable AD integration for an untrusted domain in Microsoft System Center Operations Manager 2007 from time to time and since I didn’t see it documented anywhere I thought I’d post a step-by-step here.

1. If you’re still on the RTM version of Microsoft System Center Operations Manager 2007, install the hotfix documented in KB943211.  If you’re running Service Pack 1 then the hotfix is already included.

2. Create an account in the untrusted domain that will be used for AD integration.  For our example here, let’s call the domain YourUntrustedDomain.com and the user YourUser. As it is effectively a service account, you will need to ensure that the password doesn’t expire, etc.

3. Create a security group in the domain named something like “OpsMgr Admins”, as the momadmin tool expects one.

4. Prepare each untrusted domain first by running momadamin.exe. Using the names above the syntax will be

momadadmin <ManagementGroupName> “OpsMgr Admins” “YourUntrustedDomain\YourUser” YourUntrustedDomain

5. Create a new RunAs Account of type Windows, specifying the user credentials as above.

6. Create a new RunAs Profile “YourUntrustedDomain.com AD Integration Profile” in the Default Management Pack, adding the account above to this profile for your RMS server.

7. Set up your Agent Assignment Rule for your Gateway server, specifying the domain name YourUntrustedDomain.com, and ticking the box to select the RunAs Profile that you have just created.

8. You can choose your own inclusion/exclusion criteria, but be sure that you manually configure failover for these systems to just failover to servers they are capable of communicating with directly.

One Point to note is that when the Health Service starts, you may see an event ID 7000 error logged that indicates the failure to log as your Windows Account. You can safely ignore this as the credentials are then extracted by the LDAP provider and used when the rule runs.

 Note: The workflows that handle the group memberships, and ultimately determine which management server is used by each agent, are run by the RMS and NOT by the Gateway server. This means that we require LDAP access (TCP and UDP port 389) from the RMS to the DCs in the untrusted domain.

Hope this helps!

Brian McDermott | Manageability Escalation Engineer