Thanks Kevin, it makes sense. Appreciate your response.

Philip
On Sat, Dec 5, 2015 at 12:56 PM, Kevin Holman <[email protected]> wrote:
> Below:
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Philip George
> *Sent:* Saturday, December 5, 2015 2:25 PM
> *To:* [email protected]
> *Subject:* [msmom] SCOM design inputs
>
> Hi All,
>
> Looking for some SCOM design inputs.
>
> I have a forest ABC.com in which we have two domains, region-wise: test.ABC.com and test1.ABC.com, and all of them have a two-way trust.
>
> My SCOM management server is in test.ABC.com. To manage clients in the test1 domain, will a management server work, or do I need to plan for a gateway server?
>
> *[KH] Agents only need to be in the same Kerberos realm. A forest is a Kerberos realm. If the machines are in the same forest, then gateways (for certificate purposes) are not required, nor are certs.*
>
> If I put a management server in the test1 domain and I use a service account which is in test.ABC.com, the installation goes fine, but in the SCOM management server I see that it's taking the service account in the test1 domain, which it should not.
>
> Is there something I am missing?
>
> *[KH] I don't recommend using service accounts from different domains for your management servers in another domain. Why on earth would you want cross domain authentication occurring constantly like that? Generally, I place the management servers in the domain that has the highest monitored agent count, and always use service accounts from the same domain.*
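The two design checks discussed in the thread (same forest, therefore same Kerberos realm, so no gateway or certificates; and the management server's service account coming from the server's own domain) can be verified from a domain-joined host. The PowerShell below is an added example, not code from the thread, from Kevin or from SCOM itself. It assumes the placeholder domain names test.ABC.com and test1.ABC.com from the thread, that it runs on a domain-joined management server with LDAP reachability to both domains, and that the SCOM service whose logon account is inspected is HealthService; the function names are my own.

```powershell
# Added example: verify the two SCOM design assumptions from the thread.
# Domain names below are placeholders taken from the thread, not real infrastructure.
Add-Type -AssemblyName System.DirectoryServices

function Get-ForestNameForDomain {
    # Resolves a domain FQDN to the name of the forest it belongs to.
    param([Parameter(Mandatory)][string]$DomainFqdn)
    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainFqdn)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    return $domain.Forest.Name
}

function Test-SameKerberosRealm {
    # A forest is one Kerberos realm: if both domains resolve to the same forest,
    # agents authenticate to the management server over Kerberos and no gateway
    # server or certificate-based authentication is required.
    param(
        [Parameter(Mandatory)][string]$ManagementServerDomain,
        [Parameter(Mandatory)][string]$AgentDomain
    )
    $msForest    = Get-ForestNameForDomain -DomainFqdn $ManagementServerDomain
    $agentForest = Get-ForestNameForDomain -DomainFqdn $AgentDomain
    $same        = $msForest -ieq $agentForest
    [pscustomobject]@{
        ManagementServerForest = $msForest
        AgentForest            = $agentForest
        SameForest             = $same
        NeedsGatewayAndCerts   = -not $same
    }
}

function Get-DomainSid {
    # Reads the objectSid of the domain head so account SIDs can be compared by domain.
    param([Parameter(Mandatory)][System.DirectoryServices.ActiveDirectory.Domain]$Domain)
    $sidBytes = $Domain.GetDirectoryEntry().Properties['objectSid'].Value
    New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
}

function Test-HealthServiceAccountDomain {
    # Checks that the logon account of the management server's HealthService is
    # either a built-in account or an account from the server's own domain,
    # which is the configuration recommended in the thread.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='HealthService'"
    if (-not $svc) { throw 'HealthService is not installed on this computer.' }

    $startName = $svc.StartName   # e.g. 'TEST\svc-scom', 'LocalSystem', 'NT AUTHORITY\NetworkService'
    if ($startName -match '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)') {
        return [pscustomobject]@{ Account = $startName; BuiltIn = $true; SameDomainAsServer = $true }
    }

    $computerDomain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $serverDomainSid = Get-DomainSid -Domain $computerDomain
    # Translate DOMAIN\user (or a UPN) to a SID; AccountDomainSid identifies the issuing domain
    # regardless of whether the account was written in NetBIOS or DNS form.
    $accountSid = (New-Object System.Security.Principal.NTAccount($startName)).Translate(
        [System.Security.Principal.SecurityIdentifier])

    [pscustomobject]@{
        Account            = $startName
        BuiltIn            = $false
        ServerDomain       = $computerDomain.Name
        SameDomainAsServer = ($accountSid.AccountDomainSid -eq $serverDomainSid)
    }
}

# Usage, with the placeholder domains from the thread:
Test-SameKerberosRealm -ManagementServerDomain 'test.ABC.com' -AgentDomain 'test1.ABC.com'
Test-HealthServiceAccountDomain
```

The realm check compares forest names rather than domain names, which is the distinction Kevin draws: two domains in one forest share a realm even though their names differ. The service-account check compares domain SIDs instead of string prefixes, so an account written as `TEST\svc-scom` and one written as a UPN are judged the same way; a result of `SameDomainAsServer = $false` is the cross-domain configuration the thread advises against.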
