AD Integration in untrusted Domains/Forests?
Hi, is it possible to set up an AD Integration in an untrusted Domain/Forest? The domain has a dedicated Gateway MS. I could not find any information about this... Thank you, Frank
December 16th, 2010 4:16pm

AD integration requires a couple of things. The RMS must be able to set up the AD integration settings (modifies AD schema), and the agent must be able to access the directory. If either of these cannot be done (unlikely in an untrusted forest) then AD integration won't work. If each of the hosts in the untrusted domains has a credential with the forest that doesn't trust you, and if the agent is running with a credential that is in turn trusted (such as localsystem, via the machine account in the forest) then all you need is for the remote domain admin to assist in creating the AD settings. Of course, if they do not trust you, know you or .... Microsoft Corporation
December 16th, 2010 7:20pm

Yes, it is possible, supported, and a handful of customers do it today. Here are the steps, at a high level:
1. Create a SG in the remote domain that will serve as a stand-in for the Ops Mgr admins SG.
2. Create a domain account in the remote domain (or decide on an existing one) that will serve as the account used to administer AD Integration.
3. Run MOMADAdmin.exe in the remote domain, specifying the SG you created and the account you created (not the RMS computer name like usual).
4. Create a runas account matching the creds of your remote domain account.
5. Create a runas profile pairing the RMS with the above runas account.
6. Finally, set up AD Integration for the remote domain, choosing the new runas profile for credentials.
One thing to note is that although you will configure AD Integration so agents will report to the gateway, the actual AD Integration workflow that touches AD always runs on the RMS. The workflow remotely manages the AD containers from the RMS box. Thanks, -Lincoln
December 16th, 2010 9:20pm
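The six steps above, scripted as an added example (this is not code from the thread or from Microsoft). All names are placeholders: CORP is the management group's home domain where the RMS lives, RD is the untrusted remote domain that hosts the Gateway, MG1 is the management group name, and RD\SCOM_ADIntegration is the remote-domain account used for AD Integration. It assumes the ActiveDirectory module is available on a box in RD, that MOMADAdmin.exe is taken from the SupportTools folder of the Operations Manager media, and that the SCOM 2012 OperationsManager module is loaded on the RMS for the Run As steps (on 2007 R2, the era of this thread, steps 4 and 5 are done in the Operations console; the AD side is the same). The exact container names MOMADAdmin creates and the -Instance parameter of Set-SCOMRunAsProfile are also assumptions; verify them against your version.

```powershell
# Added example, not from the original post. Placeholder names throughout:
#   CORP = home domain of the management group (RMS lives here)
#   RD   = untrusted remote domain with the Gateway MS
#   MG1  = management group name
#   RD\SCOM_ADIntegration = remote-domain account for AD Integration

# ===== Steps 1-3: run IN THE REMOTE DOMAIN (RD), as an RD domain admin =====
Import-Module ActiveDirectory

$mgName    = 'MG1'
$rdNetbios = 'RD'
$rdDnsName = 'rd.example.com'                 # assumed DNS name of the RD domain
$rdDn      = 'DC=rd,DC=example,DC=com'
$scomOu    = "OU=SCOM,$rdDn"                  # assumed OU; create it first if absent

# Step 1: a security group that stands in for the Operations Manager Administrators group.
New-ADGroup -Name 'SCOM_MG1_Admins' -GroupScope Global -GroupCategory Security `
    -Path $scomOu -Description "Stand-in for $mgName Ops Mgr Administrators"

# Step 2: the account that will administer AD Integration in RD.
# Keep it a plain domain user; MOMADAdmin grants it only the rights it needs on
# the OperationsManager container, so it does not need Domain Admins.
$adiPassword = Read-Host -AsSecureString "Password for $rdNetbios\SCOM_ADIntegration"
New-ADUser -Name 'SCOM_ADIntegration' -SamAccountName 'SCOM_ADIntegration' `
    -UserPrincipalName "SCOM_ADIntegration@$rdDnsName" -AccountPassword $adiPassword `
    -Enabled $true -PasswordNeverExpires $true -Path $scomOu

# Step 3: MOMADAdmin.exe. Documented argument order:
#   MOMADAdmin.exe <ManagementGroupName> <MOMAdminSecurityGroup> <RunAsAccount> <Domain>
# In the normal (trusted) case the third argument is the RMS computer account;
# here it is the RD domain account created in step 2.
& '.\SupportTools\AMD64\MOMADAdmin.exe' $mgName "$rdNetbios\SCOM_MG1_Admins" `
    "$rdNetbios\SCOM_ADIntegration" $rdNetbios

# Check: MOMADAdmin creates an OperationsManager container at the domain root with a
# child container named after the management group (assumed names). If the child
# container is missing, MOMADAdmin failed and nothing downstream will work.
$mgContainer = Get-ADObject -LDAPFilter '(objectClass=container)' `
    -SearchBase "CN=OperationsManager,$rdDn" -SearchScope OneLevel |
    Where-Object { $_.Name -eq $mgName }
if (-not $mgContainer) { throw "MOMADAdmin did not create CN=$mgName,CN=OperationsManager,$rdDn" }

# ===== Steps 4-5: run ON THE RMS in CORP, as an Ops Mgr administrator =====
Import-Module OperationsManager

# Step 4: a Windows Run As account holding the RD credential. CORP cannot resolve RD,
# so the credential is just DOMAIN\user plus password; it is only presented to RD's
# domain controllers when the AD Integration workflow on the RMS connects to them.
$rdCred = Get-Credential -UserName "$rdNetbios\SCOM_ADIntegration" -Message 'RD AD Integration account'
$account = Add-SCOMRunAsAccount -Windows -Name 'RD AD Integration' -RunAsCredential $rdCred `
    -Description 'Used by the RMS to manage AD Integration containers in RD'

# Distribute the credential to the RMS only (more-secure distribution). The workflow
# that touches RD's AD always runs on the RMS, so no other health service needs it.
$rms = Get-SCOMManagementServer -Name 'rms.corp.example.com'   # placeholder RMS FQDN
Set-SCOMRunAsDistribution -RunAsAccount $account -MoreSecure -SecureDistribution $rms

# Step 5: the Run As profile itself is created in the Operations console
# (Administration > Run As Configuration > Profiles); then pair the account with
# it, scoped to the RMS instance only (-Instance is assumed for this cmdlet).
$profile = Get-SCOMRunAsProfile -DisplayName 'RD AD Integration Profile'
Set-SCOMRunAsProfile -Action Add -Profile $profile -Account $account -Instance $rms

# Step 6 is console-only: the gateway's Properties > Auto Agent Assignment wizard,
# selecting domain RD and the profile above. Agents in RD are assigned to the gateway,
# but the container writes are still performed from the RMS with the RD credential.
```

Two checks worth doing before step 6: from the RMS, confirm that the RD domain controllers are reachable on LDAP (389/636) from the RMS itself, not just from the gateway, because that is where the workflow runs; and confirm that the Run As account was distributed to the RMS only, so the RD credential is not pushed to every health service in the management group.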

Hi, I am trying to set up an AD integration among untrusted domains. I have a question about step 4 in your instructions: "4. Create a runas account matching the creds of your remote domain account". During the RunAs account creation, does it make any difference if I select a RunAs Account type of "Basic Authentication", "Simple Authentication", or "Digest Authentication"? The other choices (Windows, Community String, Action Account, or Binary Authentication) didn't seem to make sense. As an example: if I created an account RD\SCOM_ADDevAdmin in step 2 above with password mypassword, should the runas account at step 4 be RD\SCOM_ADDevAdmin with password mypassword and a RunAs Account type of "Basic Authentication", "Simple Authentication", or "Digest Authentication"? I can't see the RD domain from the CORP domain, so I won't have RD\SCOM_ADDevAdmin if I select the RunAs Account type "Windows" or "Action Account". Thanks. YTZ
September 24th, 2011 1:33pm
