From: [email protected] [mailto:[email protected]] On Behalf Of Philip George
Sent: Saturday, December 5, 2015 2:25 PM
To: [email protected]
Subject: [msmom] SCOM design inputs
Hi All, looking for some SCOM design inputs. I have a forest ABC.com; in that we have two domains, region wise, test.ABC.com and test1.ABC.com, and all of them have a two-way trust. My SCOM management server is in test.ABC.com. To manage clients in the test1 domain, will a management server work, or do I need to plan for a gateway server?

[KH] Agents only need to be in the same Kerberos realm. A forest is a Kerberos realm. If the machines are in the same forest, then gateways (for certificate purposes) are not required, nor are certs.

If I put a management server in the test1 domain and I use a service account which is in test.ABC.com, the installation goes fine, but in the SCOM management server I see that it's taking the service account in the test1 domain, which it should not. Is there something I am missing?

[KH] I don't recommend using service accounts from different domains for your management servers in another domain. Why on earth would you want cross domain authentication occurring constantly like that? Generally, I place the management servers in the domain that has the highest monitored agent count, and always use service accounts from the same domain.
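The two checks a practitioner would want before committing to this design, as an added PowerShell example that is not part of the original thread or of any Microsoft tooling: the first answers the gateway question by testing whether a target domain lives in the same AD forest (Kerberos realm) as the machine you run it on; the second answers the service-account question by listing the SCOM management server services (HealthService, OMSDK, OMCFG) and flagging any whose logon account belongs to a domain other than the server's own. The domain names test.ABC.com and test1.ABC.com are taken from the thread as hypothetical inputs; the script assumes it runs on a domain-joined Windows host with the System.DirectoryServices assembly available and that the trust needed to resolve the target domain and accounts is in place.

```powershell
# Added example for the msmom thread above; not code from the original post or from Microsoft.
# Assumes a domain-joined Windows host (Windows PowerShell) and a trust to the target domain.
Add-Type -AssemblyName System.DirectoryServices

function Test-SameForest {
    <#
    Reports whether $TargetDomain is in the same AD forest (Kerberos realm) as this computer.
    Per the thread: SameForest = $true means agents in that domain need neither a gateway
    server nor certificates; NeedsGateway mirrors that for convenience.
    #>
    param([Parameter(Mandatory)][string]$TargetDomain)   # e.g. 'test1.ABC.com' (hypothetical)

    $localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $ctxType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($ctxType, $TargetDomain)
    $target = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    $same = $target.Forest.Name -ieq $localForest.Name

    [pscustomobject]@{
        LocalForest  = $localForest.Name
        TargetDomain = $target.Name
        TargetForest = $target.Forest.Name
        SameForest   = $same
        NeedsGateway = -not $same
    }
}

function Get-ScomServiceAccountDomainCheck {
    <#
    Lists the SCOM services on this management server and, for each domain logon account,
    compares the account's domain SID with the computer's own domain SID. A $false in
    SameDomainAsServer is the cross-domain service account the thread advises against.
    #>
    $computerDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $sidBytes = $computerDomain.GetDirectoryEntry().Properties['objectSid'][0]
    $localDomainSid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

    # Service names used by the SCOM management server roles (agent, Data Access, Config).
    $filter = "Name='HealthService' OR Name='OMSDK' OR Name='OMCFG'"
    foreach ($svc in Get-CimInstance -ClassName Win32_Service -Filter $filter) {
        $accountDomainSid = $null
        try {
            $nt  = New-Object System.Security.Principal.NTAccount($svc.StartName)
            $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
            $accountDomainSid = $sid.AccountDomainSid   # $null for built-ins such as LocalSystem
        } catch {
            # Unresolvable account name: leave $accountDomainSid as $null and report it as non-domain.
        }

        $sameDomain = $null
        if ($accountDomainSid) { $sameDomain = ($accountDomainSid -eq $localDomainSid) }

        [pscustomobject]@{
            Service            = $svc.Name
            LogonAccount       = $svc.StartName
            ServerDomain       = $computerDomain.Name
            IsDomainAccount    = [bool]$accountDomainSid
            SameDomainAsServer = $sameDomain
        }
    }
}

# Usage (hypothetical names from the thread):
# Test-SameForest -TargetDomain 'test1.ABC.com'
# Get-ScomServiceAccountDomainCheck | Format-Table -AutoSize
```

Comparing domain SIDs rather than the DOMAIN\user text avoids the NetBIOS-versus-DNS naming mismatch between what Win32_Service reports and what the computer-domain query returns, so the check gives the same answer whether the account was entered as DOMAIN\svc or as a UPN.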
